Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-02-21
CVE-2024-13691 - Uncode Plugin
The Uncode theme for WordPress is vulnerable to arbitrary file read due to insufficient input validation in the 'uncode_recordMedia' function in all versions up to, and including, 2.9.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary files on the server.
PLUGIN
Uncode
CVE-2024-13691
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13667 - Uncode Plugin
The Uncode theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mle-description’ parameter in all versions up to, and including, 2.9.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Uncode
CVE-2024-13667
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13783 - Formcraft Plugin
The FormCraft plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in formcraft-main.php in all versions up to, and including, 3.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export all plugin data which may contain sensitive information from form submissions.
PLUGIN
Formcraft
CVE-2024-13783
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13369 - Tour Master Plugin
The Tour Master - Tour Booking, Travel, Hotel plugin for WordPress is vulnerable to time-based SQL Injection via the ‘review_id’ parameter in all versions up to, and including, 5.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Tour Master
CVE-2024-13369
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13395 - Threepress Plugin
The Threepress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'threepress' shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Threepress
CVE-2024-13395
Risk Score
Threat Entry
Updated 2025-08-01
CVE-2024-13316 - Scratch Win Plugin
The Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the apmswn_create_discount() function in all versions up to, and including, 2.8.0. This makes it possible for unauthenticated attackers to create coupons.
PLUGIN
Scratch Win
CVE-2024-13316
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13718 - Flexible Wishlist For Woocommerce Plugin
The Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.26. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to modify/update/create other user's wishlists via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Flexible Wishlist For Woocommerce
CVE-2024-13718
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-12860 - Carspot Plugin
The CarSpot – Dealership Wordpress Classified Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.4.3. This is due to the plugin not properly validating a token prior to updating a user's password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
PLUGIN
Carspot
CVE-2024-12860
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2025-0864 - Active Products Tables For Woocommerce Plugin
The Active Products Tables for WooCommerce. Use constructor to create tables plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcodes_set' parameter in all versions up to, and including, 1.0.6.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Active Products Tables For Woocommerce
CVE-2025-0864
Risk Score
Threat Entry
Updated 2026-01-07
CVE-2024-13704 - Super Testimonials Plugin
The Super Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'st_user_title' parameter in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Super Testimonials
CVE-2024-13704
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13575 - Web Stories Enhancer Plugin
The Web Stories Enhancer – Level Up Your Web Stories plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'web_stories_enhancer' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Web Stories Enhancer
CVE-2024-13575
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13465 - Ablocks Plugin
The aBlocks – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the "Table Of Content" Block, specifically in the "markerView" attribute, in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ablocks
CVE-2024-13465
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-11895 - Online Payments Get Paid With Paypal Square Stripe Plugin
The Online Payments – Get Paid with PayPal, Square & Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.20.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Online Payments Get Paid With Paypal Square Stripe
CVE-2024-11895
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13795 - Ecwid Ecommerce Shopping Cart Plugin
The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.12.27. This is due to missing or incorrect nonce validation on the ecwid_deactivate_feedback() function. This makes it possible for unauthenticated attackers to send deactivation messages on behalf of a site owner via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Ecwid Ecommerce Shopping Cart
CVE-2024-13795
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-11376 - S2member Plugin
The s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 241114. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
S2member
CVE-2024-11376
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13523 - Memorialday Plugin
The MemorialDay plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Memorialday
CVE-2024-13523
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13315 - Shopwarden Plugin
The Shopwarden – Automated WooCommerce monitoring & testing plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.11. This is due to missing or incorrect nonce validation on the save_setting() function. This makes it possible for unauthenticated attackers to update arbitrary options and achieve privilege escalation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Shopwarden
CVE-2024-13315
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13556 - Affiliate Links Plugin
The Affiliate Links: WordPress Plugin for Link Cloaking and Link Management plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.1 via deserialization of untrusted input from an file export. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin…
PLUGIN
Affiliate Links
CVE-2024-13556
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13438 - Speedsize Image Video Ai Optimizer Plugin
The SpeedSize Image & Video AI-Optimizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.1. This is due to missing or incorrect nonce validation on the 'speedsize_clear_css_cache_action' function. This makes it possible for unauthenticated attackers to clear the plugins cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Speedsize Image Video Ai Optimizer
CVE-2024-13438
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2025-0805 - Mortgage Loan Calculator Plugin
The Mortgage Calculator / Loan Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mlcalc' shortcode in all versions up to, and including, 1.5.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Mortgage Loan Calculator
CVE-2025-0805
Risk Score