Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-06-17
CVE-2024-13772 - Civi Plugin
The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.6.1. This is due to a lack of password randomization and user validation through the fb_ajax_login_or_register and google_ajax_login_or_register actions. This makes it possible for unauthenticated attackers to login as any user as long as they have access to the email.
PLUGIN
Civi
CVE-2024-13772
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-1507 - Dashboard For Google Analytics Plugin
The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_actions() function in all versions up to, and including, 3.2.1. This makes it possible for unauthenticated attackers to disable all features.
PLUGIN
Dashboard For Google Analytics
CVE-2025-1507
Risk Score
Threat Entry
Updated 2025-03-24
CVE-2025-1526 - Dethemekit For Elementor Plugin
The DethemeKit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the De Product Display Widget (countdown feature) in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Dethemekit For Elementor
CVE-2025-1526
Risk Score
Threat Entry
Updated 2025-03-21
CVE-2024-13321 - Analyticswp Plugin
The AnalyticsWP plugin for WordPress is vulnerable to SQL Injection via the 'custom_sql' parameter in all versions up to, and including, 2.0.0 due to insufficient authorization checks on the handle_get_stats() function. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Analyticswp
CVE-2024-13321
Risk Score
Threat Entry
Updated 2025-03-21
CVE-2024-13407 - Omnipress Plugin
The Omnipress plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.5.4 via the megamenu block due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.
PLUGIN
Omnipress
CVE-2024-13407
Risk Score
Threat Entry
Updated 2025-03-21
CVE-2025-2221 - Wpcom Member Plugin
The WPCOM Member plugin for WordPress is vulnerable to time-based SQL Injection via the ‘user_phone’ parameter in all versions up to, and including, 1.7.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Wpcom Member
CVE-2025-2221
Risk Score
Threat Entry
Updated 2025-03-21
CVE-2024-13824 - Ciyashop Plugin
The CiyaShop - Multipurpose WooCommerce Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.19.0 via deserialization of untrusted input in the 'add_ciyashop_wishlist' and 'ciyashop_get_compare' functions. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed…
PLUGIN
Ciyashop
CVE-2024-13824
Risk Score
Threat Entry
Updated 2025-03-21
CVE-2025-2103 - Soundrise Plugin
The SoundRise Music plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on theironMusic_ajax() function in all versions up to, and including, 1.6.11. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
PLUGIN
Soundrise
CVE-2025-2103
Risk Score
Threat Entry
Updated 2025-03-21
CVE-2025-2289 - Zegen Plugin
The Zegen - Church WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX endpoints in all versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import, export, and update theme options.
PLUGIN
Zegen
CVE-2025-2289
Risk Score
Threat Entry
Updated 2025-03-14
CVE-2024-13913 - Instawp Connect Plugin
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.0.83. This is due to missing or incorrect nonce validation in the '/migrate/templates/main.php' file. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can…
PLUGIN
Instawp Connect
CVE-2024-13913
Risk Score
Threat Entry
Updated 2025-03-14
CVE-2025-1764 - LoginPress | wp-login Custom Login Page Customizer Plugin
The LoginPress | wp-login Custom Login Page Customizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.1. This is due to missing or incorrect nonce validation on the 'custom_plugin_set_option' function. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This can be leveraged to update the default role for registration to administrator and enable user…
PLUGIN
LoginPress | wp-login Custom Login Page Customizer
CVE-2025-1764
Risk Score
Threat Entry
Updated 2025-06-20
CVE-2025-2056 - Hide My Wp Ghost Plugin
The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 5.4.01 via the showFile function. This makes it possible for unauthenticated attackers to read the contents of specific file types on the server, which can contain sensitive information.
PLUGIN
Hide My Wp Ghost
CVE-2025-2056
Risk Score
Threat Entry
Updated 2025-03-14
CVE-2025-2166 - CM FAQ – Simplify support with an intuitive FAQ management tool Plugin
The CM FAQ – Simplify support with an intuitive FAQ management tool plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
CM FAQ – Simplify support with an intuitive FAQ management tool
CVE-2025-2166
Risk Score
Threat Entry
Updated 2025-03-14
CVE-2025-1528 - Search & Filter Pro Plugin
The Search & Filter Pro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_meta_values' function in all versions up to, and including, 2.5.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the values of arbitrary post meta.
PLUGIN
Search & Filter Pro
CVE-2025-1528
Risk Score
Threat Entry
Updated 2025-03-14
CVE-2025-0955 - Vidorev Extensions Plugin
The VidoRev Extensions plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'vidorev_import_single_video' AJAX action in all versions up to, and including, 2.9.9.9.9.9.5. This makes it possible for unauthenticated attackers to import arbitrary youtube videos.
PLUGIN
Vidorev Extensions
CVE-2025-0955
Risk Score
Threat Entry
Updated 2025-07-08
CVE-2024-11286 - Jobcareer Plugin
The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the cs_parse_request() function. This makes it possible for unauthenticated attackers to to log in to any user's account, including administrators.
PLUGIN
Jobcareer
CVE-2024-11286
Risk Score
Threat Entry
Updated 2025-07-08
CVE-2024-11285 - Jobcareer Plugin
The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 7.1. This is due to the plugin not properly validating a user's identity prior to updating their details like email via the account_settings_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
PLUGIN
Jobcareer
CVE-2024-11285
Risk Score
Threat Entry
Updated 2025-07-08
CVE-2024-11284 - Jobcareer Plugin
The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.9. This is due to the plugin not properly validating a user's identity prior to updating their password through the account_settings_save_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
PLUGIN
Jobcareer
CVE-2024-11284
Risk Score
Threat Entry
Updated 2025-07-08
CVE-2024-11283 - Jobcareer Plugin
The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to wp_ajax_google_api_login_callback function not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to access arbitrary candidate accounts.
PLUGIN
Jobcareer
CVE-2024-11283
Risk Score
Threat Entry
Updated 2025-03-13
CVE-2024-10942 - All In One Wp Migration Plugin
The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.89 via deserialization of untrusted input in the 'replace_serialized_values' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must export…
PLUGIN
All In One Wp Migration
CVE-2024-10942
Risk Score