Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-03-05
CVE-2024-11951 - Homey Login Register Plugin
The Homey Login Register plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.0. This is due to the plugin allowing users who are registering new accounts to set their own role. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.
PLUGIN
Homey Login Register
CVE-2024-11951
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-11153 - Content Control Plugin
The Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.0 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as logged-in users.
PLUGIN
Content Control
CVE-2024-11153
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2025-1515 - Wp Real Estate Manager Plugin
The WP Real Estate Manager plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.8. This is due to insufficient identity verification on the LinkedIn login request process. This makes it possible for unauthenticated attackers to bypass official authentication and log in as any user on the site, including administrators.
PLUGIN
Wp Real Estate Manager
CVE-2025-1515
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2025-0956 - Woocommerce Recover Abandoned Cart Plugin
The WooCommerce Recover Abandoned Cart plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 24.3.0 via deserialization of untrusted input from the 'raccookie_guest_email' cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target…
PLUGIN
Woocommerce Recover Abandoned Cart
CVE-2025-0956
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2025-0954 - Wp Online Contract Plugin
The WP Online Contract plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the json_import() and json_export() functions in all versions up to, and including, 5.1.4. This makes it possible for unauthenticated attackers to import and export the plugin's settings.
PLUGIN
Wp Online Contract
CVE-2025-0954
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-5667 - Wp Featherlight Plugin
Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Featherlight.js JavaScript library (versions 1.7.13 to 1.7.14) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Featherlight
CVE-2024-5667
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-13839 - Staff Directory Pro Plugin
The Staff Directory Plugin: Company Directory plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 4.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Staff Directory Pro
CVE-2024-13839
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-13809 - Hero Slider Wordpress Slider Plugin
The Hero Slider - WordPress Slider Plugin plugin for WordPress is vulnerable to SQL Injection via several parameters in all versions up to, and including, 1.3.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Hero Slider Wordpress Slider
CVE-2024-13809
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-13780 - Hero Mega Menu Responsive Wordpress Menu Plugin
The Hero Mega Menu - Responsive WordPress Menu Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the hmenu_delete_menu() function in all versions up to, and including, 1.16.5. This makes it possible for unauthenticated attackers to delete arbitrary directories on the server.
PLUGIN
Hero Mega Menu Responsive Wordpress Menu
CVE-2024-13780
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-13779 - Hero Mega Menu Responsive Wordpress Menu Plugin
The Hero Mega Menu - Responsive WordPress Menu Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'index' parameter in all versions up to, and including, 1.16.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Hero Mega Menu Responsive Wordpress Menu
CVE-2024-13779
Risk Score
Threat Entry
Updated 2025-05-26
CVE-2024-13777 - Zoomsounds Plugin
The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.91 via deserialization of untrusted input from the 'margs' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme…
PLUGIN
Zoomsounds
CVE-2024-13777
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-13778 - Hero Mega Menu Responsive Wordpress Menu Plugin
The Hero Mega Menu - Responsive WordPress Menu Plugin plugin for WordPress is vulnerable to SQL Injection via several functions in all versions up to, and including, 1.16.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Hero Mega Menu Responsive Wordpress Menu
CVE-2024-13778
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-13232 - Export Wordpress Data Plugin
The WordPress Awesome Import & Export Plugin - Import & Export WordPress Data plugin for WordPress is vulnerable arbitrary SQL Execution and privilege escalation due to a missing capability check on the renderImport() function in all versions up to, and including, 4.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary SQL statements that can leveraged to create a new administrative user account.
PLUGIN
Export Wordpress Data
CVE-2024-13232
Risk Score
Threat Entry
Updated 2025-05-26
CVE-2024-13757 - Master Slider Plugin
The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ms_layer shortcode in all versions up to, and including, 3.10.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Master Slider
CVE-2024-13757
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-13747 - Woomail Woocommerce Email Customizer Plugin
The WooMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'template_delete_saved' function in all versions up to, and including, 3.0.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject SQL into an existing post deletion query.
PLUGIN
Woomail Woocommerce Email Customizer
CVE-2024-13747
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-12815 - Point Maker Plugin
The Point Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'point_maker' shortcode in all versions up to, and including, 0.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Point Maker
CVE-2024-12815
Risk Score
Threat Entry
Updated 2025-05-26
CVE-2024-11731 - Master Slider Plugin
The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ms_slider shortcode in all versions up to, and including, 3.10.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Master Slider
CVE-2024-11731
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2025-1008 - Recently Purchased Products For Woo Plugin
The Recently Purchased Products For Woo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘view’ parameter in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Recently Purchased Products For Woo
CVE-2025-1008
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2025-1435 - Bbpress Plugin
The bbPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.11. This is due to missing or incorrect nonce validation on the bbp_user_add_role_on_register() function. This makes it possible for unauthenticated attackers to elevate their privileges to that of a bbPress Keymaster via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Rather than implementing a nonce check to provide protection against this vulnerability, which would break functionality, the plugin no longer…
PLUGIN
Bbpress
CVE-2025-1435
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-13866 - Simple Notification Plugin
The Simple Notification plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Simple Notification
CVE-2024-13866
Risk Score