CyberAlerts

CVE-2024-13326

Description: The iBuildApp WordPress plugin through 0.2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

EPSS Score: 0.04%

Source: CVE

February 5th, 2025 (5 months ago)

CVE-2024-13325

Glossy <= 2.3.5 - Reflected XSS

Description: The Glossy WordPress plugin through 2.3.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

EPSS Score: 0.04%

Source: CVE

February 5th, 2025 (5 months ago)

CVE-2024-13115

WP Projects Portfolio with Client Testimonials <= 3.0 - Stored XSS via CSRF

Description: The WP Projects Portfolio with Client Testimonials WordPress plugin through 3.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

EPSS Score: 0.04%

Source: CVE

February 5th, 2025 (5 months ago)

CVE-2024-13114

WP Projects Portfolio with Client Testimonials <= 3.0 - Reflected XSS

Description: The WP Projects Portfolio with Client Testimonials WordPress plugin through 3.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

EPSS Score: 0.04%

Source: CVE

February 5th, 2025 (5 months ago)

CVE-2024-12597

HT Mega <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via block_css and inner_css

Description: The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'block_css' and 'inner_css' parameters in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.05%

Source: CVE

February 5th, 2025 (5 months ago)

CVE-2024-12046

Medical Addon for Elementor <= 1.6.2 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via Shortcode

Description: The Medical Addon for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.2 via the 'namedical_elementor_template' shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the content of draft, pending, and private posts.

CVSS: MEDIUM (4.3)

EPSS Score: 0.07%

Source: CVE

February 5th, 2025 (5 months ago)

WordPress Plugin "Activity Log WinterLock" vulnerable to cross-site request forgery

Description: WordPress Plugin "Activity Log WinterLock" provided by SWIT contains a cross-site request forgery vulnerability.

Source: Japan Vulnerability Notes (JVN)

February 4th, 2025 (5 months ago)

CVE-2025-24781

WordPress WPJobBoard plugin <= 5.10.1 - Reflected Cross Site Scripting (XSS) vulnerability

Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WPJobBoard allows Reflected XSS. This issue affects WPJobBoard: from n/a through 5.10.1.

CVSS: HIGH (7.1)

EPSS Score: 0.04%

Source: CVE

February 4th, 2025 (5 months ago)

CVE-2025-24707

WordPress Photo Gallery – GT3 Image Gallery & Gutenberg Block Gallery plugin <= 2.7.7.24 - Reflected Cross Site Scripting (XSS) vulnerability

Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3 Photo Gallery Photo Gallery - GT3 Image Gallery & Gutenberg Block Gallery allows Reflected XSS. This issue affects Photo Gallery - GT3 Image Gallery & Gutenberg Block Gallery: from n/a through 2.7.7.24.

CVSS: HIGH (7.1)

EPSS Score: 0.04%

Source: CVE

February 4th, 2025 (5 months ago)

CVE-2025-24697

WordPress Image Gallery – Responsive Photo Gallery plugin <= 1.0.5 - Broken Access Control vulnerability

Description: Missing Authorization vulnerability in Realwebcare Image Gallery – Responsive Photo Gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Gallery – Responsive Photo Gallery: from n/a through 1.0.5.

CVSS: MEDIUM (6.5)

EPSS Score: 0.04%

Source: CVE

February 4th, 2025 (5 months ago)

Threat and Vulnerability Intelligence Database

Example Searches:

CVE-2024-13326	iBuildApp <= 0.2.0 - Reflected XSS Description: The iBuildApp WordPress plugin through 0.2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin EPSS Score: 0.04% Source: CVE February 5th, 2025 (5 months ago)
CVE-2024-13325	Glossy <= 2.3.5 - Reflected XSS Description: The Glossy WordPress plugin through 2.3.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin EPSS Score: 0.04% Source: CVE February 5th, 2025 (5 months ago)
CVE-2024-13115	WP Projects Portfolio with Client Testimonials <= 3.0 - Stored XSS via CSRF Description: The WP Projects Portfolio with Client Testimonials WordPress plugin through 3.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. EPSS Score: 0.04% Source: CVE February 5th, 2025 (5 months ago)
CVE-2024-13114	WP Projects Portfolio with Client Testimonials <= 3.0 - Reflected XSS Description: The WP Projects Portfolio with Client Testimonials WordPress plugin through 3.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. EPSS Score: 0.04% Source: CVE February 5th, 2025 (5 months ago)
CVE-2024-12597	HT Mega <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via block_css and inner_css Description: The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'block_css' and 'inner_css' parameters in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVSS: MEDIUM (6.4) EPSS Score: 0.05% Source: CVE February 5th, 2025 (5 months ago)
CVE-2024-12046	Medical Addon for Elementor <= 1.6.2 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via Shortcode Description: The Medical Addon for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.2 via the 'namedical_elementor_template' shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the content of draft, pending, and private posts. CVSS: MEDIUM (4.3) EPSS Score: 0.07% Source: CVE February 5th, 2025 (5 months ago)
	WordPress Plugin "Activity Log WinterLock" vulnerable to cross-site request forgery Description: WordPress Plugin "Activity Log WinterLock" provided by SWIT contains a cross-site request forgery vulnerability. Source: Japan Vulnerability Notes (JVN) February 4th, 2025 (5 months ago)
CVE-2025-24781	WordPress WPJobBoard plugin <= 5.10.1 - Reflected Cross Site Scripting (XSS) vulnerability Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WPJobBoard allows Reflected XSS. This issue affects WPJobBoard: from n/a through 5.10.1. CVSS: HIGH (7.1) EPSS Score: 0.04% Source: CVE February 4th, 2025 (5 months ago)
CVE-2025-24707	WordPress Photo Gallery – GT3 Image Gallery & Gutenberg Block Gallery plugin <= 2.7.7.24 - Reflected Cross Site Scripting (XSS) vulnerability Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3 Photo Gallery Photo Gallery - GT3 Image Gallery & Gutenberg Block Gallery allows Reflected XSS. This issue affects Photo Gallery - GT3 Image Gallery & Gutenberg Block Gallery: from n/a through 2.7.7.24. CVSS: HIGH (7.1) EPSS Score: 0.04% Source: CVE February 4th, 2025 (5 months ago)
CVE-2025-24697	WordPress Image Gallery – Responsive Photo Gallery plugin <= 1.0.5 - Broken Access Control vulnerability Description: Missing Authorization vulnerability in Realwebcare Image Gallery – Responsive Photo Gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Gallery – Responsive Photo Gallery: from n/a through 1.0.5. CVSS: MEDIUM (6.5) EPSS Score: 0.04% Source: CVE February 4th, 2025 (5 months ago)