
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 14,273 | Critical: 855 | High: 2,814 | Medium: 10,408
Showing 4901-4920 of 14273 records
Threat Entry Updated 2025-08-11

CVE-2025-1766 - Eventin Plugin

The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'payment_complete' function in all versions up to, and including, 4.0.24. This makes it possible for unauthenticated attackers to update the status of ticket payments to 'completed', possibly resulting in financial loss.

PLUGIN Eventin

CVE-2025-1766

MEDIUM CVSS 5.3 2025-03-20
Threat Entry Updated 2025-03-20

CVE-2025-1314 - Custom Twitter Feeds – A Tweets Widget or X Feed Widget Plugin

The Custom Twitter Feeds – A Tweets Widget or X Feed Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.5. This is due to missing or incorrect nonce validation on the ctf_clear_cache_admin() function. This makes it possible for unauthenticated attackers to reset the plugin's cache via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Custom Twitter Feeds – A Tweets Widget or X Feed Widget

CVE-2025-1314

MEDIUM CVSS 4.3 2025-03-20
Threat Entry Updated 2025-04-09

CVE-2024-13876 - Meintopf Plugin

The mEintopf WordPress plugin through 0.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Meintopf

CVE-2024-13876

HIGH CVSS 7.1 2025-03-20
Threat Entry Updated 2025-04-10

CVE-2024-13875 - Wp Pmanager Plugin

The WP-PManager WordPress plugin through 1.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Wp Pmanager

CVE-2024-13875

HIGH CVSS 7.1 2025-03-20
Threat Entry Updated 2025-08-11

CVE-2025-2512 - File Away Plugin

The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN File Away

CVE-2025-2512

CRITICAL CVSS 9.8 2025-03-19
Threat Entry Updated 2025-03-19

CVE-2025-2511 - AHAthat Plugin

The AHAthat Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' parameter in all versions up to, and including, 1.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN AHAthat Plugin

CVE-2025-2511

MEDIUM CVSS 4.9 2025-03-19
Threat Entry Updated 2025-03-19

CVE-2024-13442 - Service Finder Bookings Plugin

The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.0. This is due to the plugin not properly validating a user's identity prior to (1) performing a post-booking auto-login or (2) updating their profile details (e.g. password). This makes it possible for unauthenticated attackers to (1) login as an arbitrary user if their email address is known or (2) change an arbitrary user's password, including administrators, and leverage that to gain access to their account.

PLUGIN Service Finder Bookings

CVE-2024-13442

CRITICAL CVSS 9.8 2025-03-19
Threat Entry Updated 2025-05-09

CVE-2025-1232 - Site Reviews Plugin

The Site Reviews WordPress plugin before 7.2.5 does not properly sanitise and escape some of its Review fields, which could allow unauthenticated users to perform Stored XSS attacks.

PLUGIN Site Reviews

CVE-2025-1232

HIGH CVSS 8.8 2025-03-19
Threat Entry Updated 2025-07-11

CVE-2025-2290 - Lifterlms Plugin

The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to Unauthenticated Post Trashing due to a missing capability check on the delete_access_plan function and the related AJAX calls in all versions up to, and including, 8.0.1. This makes it possible for unauthenticated attackers to change status to "Trash" for every published post, therefore limiting the availability of the website's content.

PLUGIN Lifterlms

CVE-2025-2290

MEDIUM CVSS 5.3 2025-03-19
Threat Entry Updated 2025-03-19

CVE-2024-12295 - Boombox Theme Extensions Plugin

The BoomBox Theme Extensions plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.8.0. This is due to the plugin not properly validating a user's identity prior to updating their password through the 'boombox_ajax_reset_password' function. This makes it possible for authenticated attackers, with subscriber-level privileges and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

PLUGIN Boombox Theme Extensions

CVE-2024-12295

HIGH CVSS 8.8 2025-03-19
Threat Entry Updated 2025-03-18

CVE-2024-12563 - S2member Pro Plugin

The s2Member Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 250214 via the 'template' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution.

PLUGIN S2member Pro

CVE-2024-12563

HIGH CVSS 8.8 2025-03-18
Threat Entry Updated 2025-03-18

CVE-2025-2262 - Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation Plugin

The Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.7.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation

CVE-2025-2262

HIGH CVSS 7.3 2025-03-18
Threat Entry Updated 2025-04-02

CVE-2025-1624 - Gdpr Cookie Compliance Plugin

The GDPR Cookie Compliance WordPress plugin before 4.15.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Gdpr Cookie Compliance

CVE-2025-1624

LOW CVSS 3.5 2025-03-16
Threat Entry Updated 2025-04-02

CVE-2025-1623 - Gdpr Cookie Compliance Plugin

The GDPR Cookie Compliance WordPress plugin before 4.15.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Gdpr Cookie Compliance

CVE-2025-1623

LOW CVSS 3.5 2025-03-16
Threat Entry Updated 2025-04-02

CVE-2025-1621 - Gdpr Cookie Compliance Plugin

The GDPR Cookie Compliance WordPress plugin before 4.15.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Gdpr Cookie Compliance

CVE-2025-1621

MEDIUM CVSS 4.8 2025-03-16
Threat Entry Updated 2025-04-02

CVE-2025-1620 - Gdpr Cookie Compliance Plugin

The GDPR Cookie Compliance WordPress plugin before 4.15.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Gdpr Cookie Compliance

CVE-2025-1620

MEDIUM CVSS 4.8 2025-03-16
Threat Entry Updated 2025-04-02

CVE-2025-1619 - Gdpr Cookie Compliance Plugin

The GDPR Cookie Compliance WordPress plugin before 4.15.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Gdpr Cookie Compliance

CVE-2025-1619

MEDIUM CVSS 4.8 2025-03-16
Threat Entry Updated 2025-04-09

CVE-2024-13602 - Poll Maker Plugin

The Poll Maker WordPress plugin before 5.5.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Poll Maker

CVE-2024-13602

MEDIUM CVSS 4.8 2025-03-16
Threat Entry Updated 2025-04-02

CVE-2025-1622 - Gdpr Cookie Compliance Plugin

The GDPR Cookie Compliance WordPress plugin before 4.15.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Gdpr Cookie Compliance

CVE-2025-1622

LOW CVSS 3.5 2025-03-16
Threat Entry Updated 2025-04-09

CVE-2024-13126 - Download Manager Plugin

The Download Manager WordPress plugin before 3.3.07 doesn't prevent directory listing on web servers that don't use .htaccess, allowing unauthorized access to files.

PLUGIN Download Manager

CVE-2024-13126

MEDIUM CVSS 4.6 2025-03-16