Reddit NetSec

CVE Database V5

AlienVault OTX General

Reddit InfoSec News

Exploit-DB RSS Feed

CIRCL OSINT Feed

ThreatFox MISP Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

The ThemeREX Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.35.1.1 due to insufficient input sanitization and output escaping. The plugin’s SVG rendering routine calls the trx_addons_get_svg_from_file() function on an unvalidated 'svg' parameter supplied via the shortcode or Elementor widget settings, then outputs it via the trx_addons_show_layout() function.  Because there is no check on the URL’s origin, scheme, or the SVG content itself, authenticated attackers, with Contributor-level access and above, can supply a remote SVG and inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

CVE-2025-6997 is a stored Cross-Site Scripting (XSS) vulnerability affecting the ThemeREX Addons plugin for WordPress, specifically versions up to and including 2.35.1.1. The vulnerability arises from improper input sanitization and output escaping in the plugin's handling of SVG file uploads. The core issue lies in the function trx_addons_get_svg_from_file(), which processes an 'svg' parameter supplied via shortcode or Elementor widget settings without validating the URL's origin, scheme, or the SVG content itself. This parameter is then rendered using trx_addons_show_layout(), allowing an attacker with Contributor-level or higher privileges to supply a remote SVG containing malicious scripts. These scripts are stored and executed whenever any user accesses the affected page, leading to persistent XSS. The vulnerability requires authenticated access with at least Contributor privileges, does not require user interaction for exploitation once the malicious SVG is uploaded, and affects all versions of the plugin up to 2.35.1.1. The CVSS v3.1 score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required, no user interaction, and impact on confidentiality and integrity but not availability. No known exploits in the wild have been reported yet, and no patches are currently linked, indicating that mitigation may require manual intervention or updates from the vendor. Stored XSS in WordPress plugins is particularly dangerous as it can lead to session hijacking, defacement, or further exploitation of site visitors and administrators.

Detailed information about CVE-2025-6997: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ThemeREX ThemeREX Addon

CVE-2025-6997: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ThemeREX ThemeREX Addons - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-6997: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ThemeREX ThemeREX Addons

The Vchasno Kasa plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the mrkv_vchasno_kasa_wc_do_metabox_action() function in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to generate invoices for arbitrary orders.

CVE-2025-6721 is a medium-severity vulnerability affecting the MORKVA Vchasno Kasa Integration plugin for WordPress, developed by bandido. The vulnerability arises from a missing authorization check in the function mrkv_vchasno_kasa_wc_do_metabox_action(), which is responsible for handling certain metabox actions related to invoice generation. Due to the absence of a capability check, unauthenticated attackers can invoke this function to generate invoices for arbitrary orders without any authentication or user interaction. This vulnerability is classified under CWE-862 (Missing Authorization), indicating that the system fails to enforce proper access control before allowing sensitive operations. The CVSS 3.1 base score is 5.3, reflecting a medium severity level, with an attack vector of network (remote), low attack complexity, no privileges required, and no user interaction needed. The impact primarily affects confidentiality, as attackers can access invoice data, but does not affect integrity or availability. No known exploits are currently reported in the wild, and no patches have been released yet. The vulnerability affects all versions up to and including 1.0.3 of the plugin. Since the plugin integrates with WordPress e-commerce environments, the flaw could be leveraged to obtain sensitive financial documents or manipulate order-related data visibility, potentially leading to information disclosure or fraud facilitation.

Detailed information about CVE-2025-6721: CWE-862 Missing Authorization in bandido MORKVA Vchasno Kasa Integration affecting bandido MORKVA Vchasno Kasa Integra

CVE-2025-6721: CWE-862 Missing Authorization in bandido MORKVA Vchasno Kasa Integration - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-6721: CWE-862 Missing Authorization in bandido MORKVA Vchasno Kasa Integration

The Vchasno Kasa plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the clear_all_log() function in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to clear log files.

CVE-2025-6720 is a security vulnerability identified in the Vchasno Kasa plugin for WordPress, developed by bandido under the product name MORKVA Vchasno Kasa Integration. This vulnerability arises from a missing authorization check (CWE-862) on the clear_all_log() function in all versions up to and including 1.0.3. Specifically, the function responsible for clearing log files does not verify whether the caller has the necessary permissions or capabilities to perform this action. As a result, unauthenticated attackers can invoke this function remotely without any user interaction or authentication, allowing them to clear log files arbitrarily. The vulnerability has a CVSS 3.1 base score of 5.3, categorized as medium severity. The attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts integrity (I:L) but not confidentiality or availability. The scope remains unchanged (S:U), meaning the vulnerability affects only the vulnerable component without impacting other components. Although no known exploits are currently reported in the wild, the vulnerability presents a risk of attackers erasing logs that could be critical for forensic investigations, incident response, or auditing. This could hinder detection of malicious activities or cover tracks after an intrusion. Since the vulnerability is in a WordPress plugin, it affects websites running WordPress with this specific plugin installed and active. The lack of a patch link indicates that a fix may not yet be publicly available, increasing the urgency for mitigation.

Detailed information about CVE-2025-6720: CWE-862 Missing Authorization in bandido MORKVA Vchasno Kasa Integration affecting bandido MORKVA Vchasno Kasa Integra

CVE-2025-6720: CWE-862 Missing Authorization in bandido MORKVA Vchasno Kasa Integration - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-6720: CWE-862 Missing Authorization in bandido MORKVA Vchasno Kasa Integration

An incorrect authorisation check in the the 'plant transfer' function of the Growatt cloud service allowed a malicous attacker with a valid account to transfer any plant into his/her account.

CVE-2025-29757 is a critical security vulnerability identified in the Growatt cloud service platform (https://oss.growatt.com), specifically within the 'plant transfer' function. This vulnerability is classified under CWE-863, which pertains to incorrect authorization. The flaw allows a malicious attacker who already possesses a valid user account to transfer ownership of any plant (likely referring to solar power plants or energy installations managed via Growatt's platform) into their own account without proper authorization checks. This means that the authorization logic fails to verify whether the requesting user has the right to perform the transfer on the targeted plant, enabling privilege escalation and unauthorized control over assets. The vulnerability has a CVSS 4.0 base score of 9.4 (critical), reflecting its high impact and ease of exploitation. The vector indicates network attack (AV:N), low attack complexity (AC:L), no user interaction (UI:N), and privileges required are low (PR:L), meaning an attacker only needs a valid account with minimal privileges. The impact on confidentiality, integrity, and availability is high, with the scope being partially changed (S:P), indicating that the vulnerability affects resources beyond the initially compromised component. No patches are currently linked, and no known exploits have been reported in the wild as of the published date (July 19, 2025). The vulnerability was reserved in March 2025 and publicly disclosed in July 2025. Given Growatt's role as a provider of solar energy management solutions, unauthorized transfer of plants could lead to significant operational disruptions, data breaches, and potential sabotage or misuse of energy assets.

Detailed information about CVE-2025-29757: CWE-863 Incorrect Authorization in Growatt https://oss.growatt.com affecting Growatt https://oss.growatt.com. Get rea

CVE-2025-29757: CWE-863 Incorrect Authorization in Growatt https://oss.growatt.com - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-29757: CWE-863 Incorrect Authorization in Growatt https://oss.growatt.com

The Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.1 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.

CVE-2025-7697 is a critical vulnerability affecting the 'Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms' WordPress plugin developed by crmperks. The vulnerability is a PHP Object Injection flaw arising from unsafe deserialization of untrusted input within the verify_field_val() function. This flaw exists in all versions up to and including 1.1.1 of the plugin. An unauthenticated attacker can exploit this vulnerability remotely without any user interaction or privileges. The attack leverages the deserialization process to inject malicious PHP objects. Furthermore, when combined with the presence of a Property Oriented Programming (POP) gadget chain in the Contact Form 7 plugin (commonly used alongside this integration), the attacker can escalate the impact by deleting arbitrary files on the server. Notably, deletion of the wp-config.php file can lead to denial of service or even remote code execution, severely compromising the affected WordPress installation. The vulnerability has a CVSS v3.1 base score of 9.8, indicating critical severity with network attack vector, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the combination of unauthenticated remote exploitation and potential for full system compromise makes this a highly urgent threat for WordPress sites using these plugins.

Detailed information about CVE-2025-7697: CWE-502 Deserialization of Untrusted Data in crmperks Integration for Google Sheets and Contact Form 7, WPForms, Eleme

CVE-2025-7697: CWE-502 Deserialization of Untrusted Data in crmperks Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7697: CWE-502 Deserialization of Untrusted Data in crmperks Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms

The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.3 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.

CVE-2025-7696 is a critical vulnerability affecting the WordPress plugin "Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms" developed by crmperks. This vulnerability arises from unsafe deserialization of untrusted data within the verify_field_val() function, leading to PHP Object Injection (CWE-502). Specifically, all versions up to and including 1.2.3 are affected. An unauthenticated attacker can exploit this flaw remotely without any user interaction or privileges. The vulnerability is exacerbated by the presence of a Property Oriented Programming (POP) chain in the Contact Form 7 plugin, which is commonly used alongside the vulnerable plugin. This POP chain enables attackers to leverage the injected PHP object to delete arbitrary files on the server. A particularly critical consequence is the deletion of the wp-config.php file, which contains sensitive database credentials and configuration settings. Deleting this file can cause denial of service (DoS) by breaking the WordPress site or potentially enable remote code execution (RCE) if the attacker can manipulate the environment post-deletion. The CVSS v3.1 base score of 9.8 reflects the high impact on confidentiality, integrity, and availability, combined with the ease of exploitation (network vector, no privileges or user interaction required). This vulnerability threatens the core security and availability of WordPress sites using these plugins, which are widely deployed for integrating CRM and form functionalities. Although no known exploits are reported in the wild yet, the critical severity and ease of exploitation make this a high-priority issue for immediate remediation.

Detailed information about CVE-2025-7696: CWE-502 Deserialization of Untrusted Data in crmperks Integration for Pipedrive and Contact Form 7, WPForms, Elementor

CVE-2025-7696: CWE-502 Deserialization of Untrusted Data in crmperks Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7696: CWE-502 Deserialization of Untrusted Data in crmperks Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms

The Avishi WP PayPal Payment Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0. This is due to missing or incorrect nonce validation on the 'avishi-wp-paypal-payment-button/index.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2025-7669 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the Avishi WP PayPal Payment Button plugin for WordPress, specifically all versions up to and including 2.0. The root cause of this vulnerability is the absence or improper implementation of nonce validation on the 'avishi-wp-paypal-payment-button/index.php' page. Nonces in WordPress are security tokens used to verify that requests intended to change state originate from legitimate users and not from malicious third parties. Without proper nonce validation, an attacker can craft a malicious request that, if executed by an authenticated site administrator (e.g., by clicking a link or visiting a malicious webpage), can cause unauthorized changes to the plugin’s settings. This could include injecting malicious scripts or altering payment configurations, potentially leading to compromised payment processes or site integrity. The vulnerability requires user interaction (the administrator must be tricked into performing an action) but does not require prior authentication by the attacker. The CVSS v3.1 base score is 6.1 (medium severity), reflecting the network attack vector, low attack complexity, no privileges required, but requiring user interaction, with a scope change and low impact on confidentiality and integrity, and no impact on availability. There are no known exploits in the wild at the time of publication, and no official patches have been linked yet. This vulnerability falls under CWE-352, which is a common web application security weakness related to CSRF attacks.

Detailed information about CVE-2025-7669: CWE-352 Cross-Site Request Forgery (CSRF) in avishika Avishi WP PayPal Payment Button affecting avishika Avishi WP Pay

CVE-2025-7669: CWE-352 Cross-Site Request Forgery (CSRF) in avishika Avishi WP PayPal Payment Button - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7669: CWE-352 Cross-Site Request Forgery (CSRF) in avishika Avishi WP PayPal Payment Button

The Partnerský systém Martinus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'martinus' shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-7661 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Partnerský systém Martinus WordPress plugin developed by maxomatos. This vulnerability exists in all versions up to and including 1.7.1. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and output escaping of user-supplied attributes in the plugin's 'martinus' shortcode. Authenticated attackers with contributor-level privileges or higher can exploit this flaw by injecting arbitrary malicious scripts into pages via the shortcode attributes. These scripts are then stored persistently and executed whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the affected WordPress site. The vulnerability has a CVSS 3.1 base score of 6.4, indicating medium severity, with an attack vector of network, low attack complexity, requiring privileges (contributor or above), no user interaction, and a scope change. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to sites using this plugin, especially those with multiple contributors or editors. The CWE classification is CWE-79, which is a common and well-understood web application security issue related to improper input validation and output encoding.

Detailed information about CVE-2025-7661: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maxomatos Partnerský sy

CVE-2025-7661: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maxomatos Partnerský systém Martinus - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7661: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maxomatos Partnerský systém Martinus

The Temporarily Hidden Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'temphc-start' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-7658 is a stored Cross-Site Scripting (XSS) vulnerability affecting the 'Temporarily Hidden Content' WordPress plugin developed by codents, specifically versions up to and including 1.0.6. The vulnerability arises from improper neutralization of input during web page generation, classified under CWE-79. The plugin's 'temphc-start' shortcode fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level access or higher to inject arbitrary JavaScript code into pages. This malicious script is stored persistently and executes whenever any user accesses the compromised page. The vulnerability does not require user interaction to trigger once the malicious content is loaded, and it can impact the confidentiality and integrity of user data by enabling session hijacking, credential theft, or unauthorized actions on behalf of users. The CVSS v3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required (low), no user interaction, and a scope change due to the potential impact on other users. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk in environments where multiple users have contributor or higher privileges and where the plugin is installed. The vulnerability's exploitation could lead to persistent XSS attacks that compromise site visitors and administrators alike, potentially facilitating further attacks such as privilege escalation or malware distribution within WordPress sites.

Detailed information about CVE-2025-7658: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in codents Temporarily Hid

CVE-2025-7658: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in codents Temporarily Hidden Content - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7658: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in codents Temporarily Hidden Content

The Live Stream Badger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'livestream' shortcode in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-7655 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Live Stream Badger WordPress plugin developed by tkrivickas. This vulnerability exists in all versions up to and including 1.4.3 due to improper input sanitization and output escaping on user-supplied attributes within the plugin's 'livestream' shortcode. Specifically, authenticated users with contributor-level permissions or higher can inject malicious JavaScript code into pages using this shortcode. Because the malicious script is stored persistently, it executes in the context of any user who views the compromised page, potentially leading to session hijacking, privilege escalation, or other malicious activities. The CVSS 3.1 base score is 6.4 (medium severity), reflecting that the attack vector is network-based, requires low attack complexity, and privileges of an authenticated contributor, but does not require user interaction. The scope is changed, indicating that the vulnerability affects resources beyond the initially vulnerable component. The impact on confidentiality and integrity is low, with no direct availability impact. No known exploits are currently in the wild, and no official patches have been released at the time of publication.

Detailed information about CVE-2025-7655: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tkrivickas Live Stream 

CVE-2025-7655: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tkrivickas Live Stream Badger - Live Threat Intelligence - Threat Radar | OffSeq.com

Title	Severity	Type	Source	Date

Threat Intelligence Database

Filter Threats

Threat Intelligence

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility