Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-02-16
CVE-2025-22676 - AWS S3 for WordPress Plugin – Upcasted
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in upcasted AWS S3 for WordPress Plugin – Upcasted allows Stored XSS. This issue affects AWS S3 for WordPress Plugin – Upcasted: from n/a through 3.0.3.
PLUGIN
AWS S3 for WordPress Plugin – Upcasted
CVE-2025-22676
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2024-13834 - Responsive Addons Plugin
The Responsive Plus – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.1.4 via the 'remote_request' function. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Responsive Addons
CVE-2024-13834
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2025-0822 - Bit Assist Plugin
Bit Assist plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.2 via the fileID Parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Bit Assist
CVE-2025-0822
Risk Score
Threat Entry
Updated 2025-02-28
CVE-2024-13488 - Ltl Freight Quotes Plugin
The LTL Freight Quotes – Estes Edition plugin for WordPress is vulnerable to SQL Injection via the 'dropship_edit_id' and 'edit_id' parameters in all versions up to, and including, 3.3.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Ltl Freight Quotes
CVE-2024-13488
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2024-13500 - Wp Project Manager Plugin
The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 2.6.17 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Wp Project Manager
CVE-2024-13500
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2024-13439 - Team Plugin
The Team – Team Members Showcase Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the response() function in all versions up to, and including, 4.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings.
PLUGIN
Team
CVE-2024-13439
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2024-10581 - Directorypress Plugin
The DirectoryPress Frontend plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.9. This is due to missing or incorrect nonce validation on the dpfl_listingStatusChange() function. This makes it possible for unauthenticated attackers to update listing statuses via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Directorypress
CVE-2024-10581
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2024-12562 - S2member Plugin
The s2Member Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 241216 via deserialization of untrusted input from the 's2member_pro_remote_op' vulnerable parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
PLUGIN
S2member
CVE-2024-12562
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2024-13752 - Wp Project Manager Plugin
The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check in the '/pm/v2/settings/notice' endpoint all versions up to, and including, 2.6.17. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cause a persistent denial of service condition.
PLUGIN
Wp Project Manager
CVE-2024-13752
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2025-1005 - Elementskit Elementor Addons Plugin
The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Accordion widget in all versions up to, and including, 3.4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Elementskit Elementor Addons
CVE-2025-1005
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2025-0935 - Media Library Folders Plugin
The Media Library Folders plugin for WordPress is vulnerable to unauthorized plugin settings change due to a missing capability check on several AJAX actions in all versions up to, and including, 8.3.0. This makes it possible for authenticated attackers, with Author-level access and above, to change plugin settings related to things such as IP-blocking.
PLUGIN
Media Library Folders
CVE-2025-0935
Risk Score
Threat Entry
Updated 2025-02-28
CVE-2024-13563 - Front End Users Plugin
The Front End Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's forgot-password shortcode in all versions up to, and including, 3.2.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Front End Users
CVE-2024-13563
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2024-13525 - Customer Email Verification For Woocommerce Plugin
The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4 via Shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including emails as well as hashed passwords of any user.
PLUGIN
Customer Email Verification For Woocommerce
CVE-2024-13525
Risk Score
Threat Entry
Updated 2025-02-25
CVE-2024-13513 - Oliver Pos Plugin
The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.2.3 via the logging functionality. This makes it possible for unauthenticated attackers to extract sensitive data including the plugin's clientToken, which in turn can be used to change user account information including emails and account type. This allows attackers to then change account passwords resulting in a complete site takeover. Version 2.4.2.3 disabled logging but left sites with existing log files vulnerable.
PLUGIN
Oliver Pos
CVE-2024-13513
Risk Score
Threat Entry
Updated 2025-05-14
CVE-2024-13306 - Maps Plugin Using Google Maps For Wordpress
The Maps Plugin using Google Maps for WordPress WordPress plugin before 1.9.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Maps Plugin Using Google Maps For Wordpress
CVE-2024-13306
Risk Score
Threat Entry
Updated 2025-05-14
CVE-2024-13208 - Maps Plugin Using Google Maps For Wordpress
The Maps Plugin using Google Maps for WordPress WordPress plugin before 1.9.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Maps Plugin Using Google Maps For Wordpress
CVE-2024-13208
Risk Score
Threat Entry
Updated 2025-02-14
CVE-2025-23657 - WordPress-to-candidate for Salesforce CRM Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WordPress-to-candidate for Salesforce CRM allows Reflected XSS. This issue affects WordPress-to-candidate for Salesforce CRM: from n/a through 1.0.1.
PLUGIN
WordPress-to-candidate for Salesforce CRM
CVE-2025-23657
Risk Score
Threat Entry
Updated 2025-02-14
CVE-2025-23492 - WordPress 淘宝客插件 Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CantonBolo WordPress 淘宝客插件 allows Reflected XSS. This issue affects WordPress 淘宝客插件: from n/a through 1.1.2.
PLUGIN
WordPress 淘宝客插件
CVE-2025-23492
Risk Score
Threat Entry
Updated 2025-02-14
CVE-2025-23428 - QMean – WordPress Did You Mean Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound QMean – WordPress Did You Mean allows Reflected XSS. This issue affects QMean – WordPress Did You Mean: from n/a through 2.0.
PLUGIN
QMean – WordPress Did You Mean
CVE-2025-23428
Risk Score
Threat Entry
Updated 2025-02-25
CVE-2025-0821 - Bit Assist Plugin
Bit Assist plugin for WordPress is vulnerable to time-based SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Bit Assist
CVE-2025-0821
Risk Score