CVE-2025-4190
Description: The CSV Mass Importer WordPress plugin through 1.2 does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup).
EPSS Score: 0.05%
May 17th, 2025 (25 days ago)
CVE-2025-4391
Description: The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the echo_generate_featured_image() function in all versions up to, and including, 5.4.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS: CRITICAL (9.8) EPSS Score: 0.2%
May 17th, 2025 (25 days ago)
CVE-2025-4389
Description: The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the crawlomatic_generate_featured_image() function in all versions up to, and including, 2.6.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS: CRITICAL (9.8) EPSS Score: 0.2%
May 17th, 2025 (25 days ago)
CVE-2025-3812
Description: The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the qcld_openai_delete_training_file() function in all versions up to, and including, 13.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
CVSS: HIGH (8.1) EPSS Score: 0.34%
May 17th, 2025 (25 days ago)
CVE-2025-4194
Description: The AlT Monitoring plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the 'ALT_Monitoring_edit' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS: MEDIUM (6.1) EPSS Score: 0.01%
May 17th, 2025 (25 days ago)
CVE-2025-4189
Description: The Audio Comments Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the 'audio-comments/audior-settings.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS: MEDIUM (6.1) EPSS Score: 0.01%
May 17th, 2025 (25 days ago)
CVE-2025-47275
Description:
Overview
Session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access.
Am I Affected?
You are affected by this vulnerability if you meet the following pre-conditions:
1. Applications using the Auth0-PHP SDK, or the following SDKs that rely on the Auth0-PHP SDK:
   a. Auth0/symfony,
   b. Auth0/laravel-auth0,
   c. Auth0/wordpress,
2. Session storage configured with CookieStore.
Fix
Upgrade Auth0/Auth0-PHP to v8.14.0. As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected.
Acknowledgement
Okta would like to thank Félix Charette for discovering this vulnerability.
References
https://github.com/auth0/auth0-PHP/security/advisories/GHSA-g98g-r7gf-2r25
https://github.com/auth0/laravel-auth0/security/advisories/GHSA-9fwj-9mjf-rhj3
https://github.com/auth0/symfony/security/advisories/GHSA-9wg9-93h9-j8ch
https://github.com/auth0/wordpress/security/advisories/GHSA-2f4r-34m4-3w8q
https://nvd.nist.gov/vuln/detail/CVE-2025-47275
https://github.com/auth0/auth0-PHP/commit/52a79480fdb246f59dbc089b81a784ae049bd389
https://github.com/auth0/auth0-PHP/releases/tag/8.14.0
https://github.com/advisories/GHSA-g98g-r7gf-2r25
CVSS: CRITICAL (9.1) EPSS Score: 0.05%
May 16th, 2025 (25 days ago)
CVE-2025-48146
Description: Cross-Site Request Forgery (CSRF) vulnerability in Michael Lups SEO Flow by LupsOnline allows Stored XSS. This issue affects SEO Flow by LupsOnline: from n/a through 2.2.0.
CVSS: HIGH (7.1) EPSS Score: 0.02%
May 16th, 2025 (25 days ago)
CVE-2025-48144
Description: Cross-Site Request Forgery (CSRF) vulnerability in sidngr Import Export For WooCommerce allows Stored XSS. This issue affects Import Export For WooCommerce: from n/a through 1.6.2.
CVSS: HIGH (7.1) EPSS Score: 0.02%
May 16th, 2025 (25 days ago)
CVE-2025-48138
Description: Missing Authorization vulnerability in berthaai BERTHA AI allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BERTHA AI: from n/a through 1.12.11.
CVSS: MEDIUM (4.3) EPSS Score: 0.04%
May 16th, 2025 (25 days ago)