Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-2883 |
Description: The Accept SagePay Payments Using Contact Form 7 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0 through the publicly accessible phpinfo.php script. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed file.
CVSS: MEDIUM (5.3) EPSS Score: 0.05%
April 8th, 2025 (14 days ago)
|
|
CVE-2025-2808 |
Description: The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Phone Number parameter in all versions up to, and including, 1.4.63 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (5.4) EPSS Score: 0.03%
April 8th, 2025 (14 days ago)
|
|
CVE-2025-2807 |
Description: The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary plugin installations due to a missing capability check in the mvl_setup_wizard_install_plugin() function in all versions up to, and including, 1.4.64. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins on the affected site's server which may make remote code execution possible.
CVSS: HIGH (8.8) EPSS Score: 0.24%
April 8th, 2025 (14 days ago)
|
|
CVE-2025-3436 |
Description: The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'order' and 'orderby' parameters in all versions up to, and including, 2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS: MEDIUM (6.5) EPSS Score: 0.03%
April 8th, 2025 (14 days ago)
|
|
CVE-2025-3433 |
Description: The Advanced Advertising System plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.3.1. This is due to insufficient validation on the redirect url supplied via the 'redir' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
CVSS: MEDIUM (6.1) EPSS Score: 0.03%
April 8th, 2025 (14 days ago)
|
|
CVE-2025-3432 |
Description: The AAWP Obfuscator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data-aawp-web' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.03%
April 8th, 2025 (14 days ago)
|
|
CVE-2025-3064 |
Description: The WPFront User Role Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.1. This is due to missing or incorrect nonce validation on the whitelist_options() function. This makes it possible for unauthenticated attackers to update the default role option that can be leveraged for privilege escalation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This is only exploitable on multisite instances.
CVSS: HIGH (8.8) EPSS Score: 0.02%
April 8th, 2025 (14 days ago)
|
|
CVE-2025-3431 |
Description: The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 6.91 via the 'dzsap_download' action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
CVSS: HIGH (7.5) EPSS Score: 0.08%
April 8th, 2025 (14 days ago)
|
|
CVE-2025-2882 |
Description: The GreenPay(tm) by Green.Money plugin for WordPress is vulnerable to Sensitive Information Exposure in versions between 3.0.0 and 3.0.9 through the publicly accessible phpinfo.php script. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed file.
CVSS: MEDIUM (5.3) EPSS Score: 0.05%
April 8th, 2025 (14 days ago)
|
|
CVE-2025-3430 |
Description: The 3DPrint Lite plugin for WordPress is vulnerable to SQL Injection via the 'printer_text' parameter in all versions up to, and including, 2.1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS: MEDIUM (4.9) EPSS Score: 0.06%
April 8th, 2025 (14 days ago)
|