CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2024-13408
Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget <= 1.6.10 - Authenticated (Contributor+) Local File Incl...
Description: The Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.10 via the 'theme' attribute of the `pgcu` shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php files can be uploaded and included.

CVSS: HIGH (7.5)

EPSS Score: 0.05%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2024-13370
Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress <= 1.3.2 - Missing Authorization to Authenticated (S...
Description: The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the save_addon_key_license() function in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options to a value of a valid license key.

CVSS: MEDIUM (6.5)

EPSS Score: 0.05%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2024-13368
Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress <= 1.3.1 - Missing Authorization to Authenticated (S...
Description: The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the youzify_offer_banner() function in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary site options to a value of one.

CVSS: MEDIUM (4.3)

EPSS Score: 0.05%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2024-13354
Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates <= 1.6.4 - Authenticated (Contributor+) Stored Cross-Site Sc...
Description: The Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via HTML tags in several widgets in all versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.05%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2024-13335
Sastra Essential Addons for Elementor – Free Elementor Addons, Widgets and Templates <= 1.0.14 - Missing Authorization to Spexo Theme Install
Description: The Spexo Addons for Elementor – Free Elementor Addons, Widgets and Templates plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the tmpcoder_theme_install_func() function in all versions up to, and including, 1.0.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install a theme.

CVSS: MEDIUM (4.3)

EPSS Score: 0.05%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2024-13117
Social Share Buttons for WordPress <= 2.7 - Unauthenticated Image Upload & Path Traversal
Description: The Social Share Buttons for WordPress plugin through 2.7 allows an unauthenticated user to upload arbitrary images and change the path where they are uploaded

EPSS Score: 0.04%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2024-13116
Crelly Slider < 1.4.7 - Admin+ Stored XSS
Description: The Crelly Slider WordPress plugin before 1.4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

EPSS Score: 0.04%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2024-13095
WP Triggers Lite <= 2.5.3 - Admin+ SQL Injection
Description: The WP Triggers Lite WordPress plugin through 2.5.3 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks

EPSS Score: 0.04%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2024-13094
WP Triggers Lite <= 2.5.3 - Reflected XSS
Description: The WP Triggers Lite WordPress plugin through 2.5.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

EPSS Score: 0.04%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2024-13057
Dyn Business Panel <= 1.0.0 - Stored XSS via CSRF
Description: The Dyn Business Panel WordPress plugin through 1.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

EPSS Score: 0.04%

Source: CVE
January 28th, 2025 (5 months ago)