Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-3429
3DPrint Lite <=2.1.3.6 - Authenticated (Admin+) SQL Injection via 'material_text'
Description: The 3DPrint Lite plugin for WordPress is vulnerable to SQL Injection via the 'material_text' parameter in all versions up to, and including, 2.1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS: MEDIUM (4.9)

EPSS Score: 0.06%

Source: CVE
April 8th, 2025 (14 days ago)

CVE-2025-3428
3DPrint Lite <=2.1.3.6 - Authenticated (Admin+) SQL Injection via 'coating_text'
Description: The 3DPrint Lite plugin for WordPress is vulnerable to SQL Injection via the 'coating_text' parameter in all versions up to, and including, 2.1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS: MEDIUM (4.9)

EPSS Score: 0.06%

Source: CVE
April 8th, 2025 (14 days ago)

CVE-2025-3427
3DPrint Lite <=2.1.3.6 - Authenticated (Admin+) SQL Injection via 'infill_text'
Description: The 3DPrint Lite plugin for WordPress is vulnerable to SQL Injection via the 'infill_text' parameter in all versions up to, and including, 2.1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS: MEDIUM (4.9)

EPSS Score: 0.06%

Source: CVE
April 8th, 2025 (14 days ago)
[webapps] WordPress User Registration & Membership Plugin 4.1.1 - Unauthenticated Privilege Escalation
Description: WordPress User Registration & Membership Plugin 4.1.1 - Unauthenticated Privilege Escalation
Source: ExploitDB
April 8th, 2025 (14 days ago)

CVE-2025-2004
Simple WP Events <= 1.8.17 - Unauthenticated Arbitrary File Deletion
Description: The Simple WP Events plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wpe_delete_file AJAX action in all versions up to, and including, 1.8.17. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CVSS: CRITICAL (9.1)

EPSS Score: 0.34%

Source: CVE
April 8th, 2025 (14 days ago)

CVE-2024-13820
Melhor Envio <= 2.15.9 - Unauthenticated Sensitive Information Exposure via Hardcoded Hash
Description: The Melhor Envio plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.15.9 via the 'run' function, which uses a hardcoded hash. This makes it possible for unauthenticated attackers to extract sensitive data including environment information, plugin tokens, shipping configurations, and limited vendor information.

CVSS: MEDIUM (5.3)

EPSS Score: 0.05%

Source: CVE
April 8th, 2025 (14 days ago)

CVE-2025-2526
Streamit <= 4.0.2 - Authenticated (Subscriber+) Privilege Escalation via User Email Change/Account Takeover
Description: The Streamit theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details like email in the 'st_Authentication_Controller::edit_profile' function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.

CVSS: HIGH (8.8)

EPSS Score: 0.12%

Source: CVE
April 8th, 2025 (14 days ago)

CVE-2025-2525
Streamit <= 4.0.1 - Authenticated (Subscriber+) Arbitrary File Upload
Description: The Streamit theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'st_Authentication_Controller::edit_profile' function in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS: HIGH (8.8)

EPSS Score: 0.32%

Source: CVE
April 8th, 2025 (14 days ago)

CVE-2025-2519
Streamit <= 4.0.1 - Authenticated (Subscriber+) Arbitrary File Download
Description: The Sreamit theme for WordPress is vulnerable to arbitrary file downloads in all versions up to, and including, 4.0.1. This is due to insufficient file validation in the 'st_send_download_file' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to download arbitrary files.

CVSS: MEDIUM (6.5)

EPSS Score: 0.05%

Source: CVE
April 8th, 2025 (14 days ago)

CVE-2025-1264
Broken Link Checker by AIOSEO <= 1.2.3 - Authenticated (Contributor+) SQL Injection
Description: The Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links plugin for WordPress is vulnerable to SQL Injection via the 'orderBy' parameter in all versions up to, and including, 1.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE
April 6th, 2025 (16 days ago)