CVE-2025-1625 |
Description: The Qi Blocks WordPress plugin before 1.4 does not validate and escape some of its Counter block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVSS: MEDIUM (5.4) EPSS Score: 0.03%
May 19th, 2025 (23 days ago)
|
CVE-2025-2892 |
Description: The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post Meta Description and Canonical URL parameters in all versions up to, and including, 4.8.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.03%
May 19th, 2025 (23 days ago)
|
CVE-2025-3715 |
Description: The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-text parameter in all versions up to, and including, 5.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.03%
May 18th, 2025 (24 days ago)
|
CVE-2025-47275 |
Description: Overview
Session cookies of applications using the Auth0 WordPress plugin configured with CookieStore have authentication tags that can be brute-forced, which may result in unauthorized access.
Am I Affected?
You are affected by this vulnerability if you meet the following pre-conditions:
Applications using the Auth0 WordPress Plugin with version <=5.2.1
Auth0 WordPress Plugin uses the Auth0-PHP SDK with version 8.0.0-BETA1 or higher and below 8.14.0.
Session storage configured with CookieStore.
Fix
Upgrade Auth0/wordpress plugin to v5.3.0. As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected.
Acknowledgement
Okta would like to thank Félix Charette for discovering this vulnerability.
References
https://github.com/auth0/wordpress/security/advisories/GHSA-2f4r-34m4-3w8q
https://nvd.nist.gov/vuln/detail/CVE-2025-47275
https://github.com/auth0/wordpress/commit/06b64468089472d8b62c881708be7eb3749b35ac
https://github.com/auth0/wordpress/releases/tag/5.3.0
https://github.com/advisories/GHSA-2f4r-34m4-3w8q
CVSS: CRITICAL (9.1) EPSS Score: 0.05%
May 17th, 2025 (24 days ago)
|
CVE-2025-4101 |
Description: The MultiVendorX – WooCommerce Multivendor Marketplace Solutions plugin for WordPress is vulnerable to unauthorized loss of data due to a misconfigured capability check on the 'delete_fpm_product' function in all versions up to, and including, 4.2.22. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary posts, pages, attachments, and products. The vulnerability was partially patched in version 4.2.22.
CVSS: MEDIUM (4.3) EPSS Score: 0.03%
May 17th, 2025 (24 days ago)
|
CVE-2025-4669 |
Description: The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpbc shortcode in all versions up to, and including, 10.11.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.04%
May 17th, 2025 (24 days ago)
|
CVE-2025-3888 |
Description: The Jupiter X Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File inclusion in all versions up to, and including, 4.8.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the page with the included SVG file.
CVSS: MEDIUM (6.4) EPSS Score: 0.03%
May 17th, 2025 (24 days ago)
|
CVE-2025-3527 |
Description: The EventON Pro plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'assets/lib/settings/settings.js' file in all versions up to, and including, 4.9.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 4.9.6.
CVSS: MEDIUM (6.4) EPSS Score: 0.03%
May 17th, 2025 (24 days ago)
|
CVE-2024-13613 |
Description: The Wise Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.3 via the 'uploads' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads directory which can contain file attachments included in chat messages. The vulnerability was partially patched in version 3.3.3.
CVSS: HIGH (7.5) EPSS Score: 0.07%
May 17th, 2025 (24 days ago)
|
CVE-2025-4610 |
Description: The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpmem_user_memberships shortcode in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.04%
May 17th, 2025 (25 days ago)
|