Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-02-10
CVE-2024-13010 - Wp Foodbakery Plugin
The WP Foodbakery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 4.7 due to insufficient input sanitization and output escaping on the 'search_type' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Wp Foodbakery
CVE-2024-13010
Risk Score
Threat Entry
Updated 2025-02-13
CVE-2024-13440 - Super Store Finder Plugin
The Super Store Finder plugin for WordPress is vulnerable to SQL Injection via the ‘ssf_wp_user_name’ parameter in all versions up to, and including, 7.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into an already existing query to store cross-site scripting in store reviews.
PLUGIN
Super Store Finder
CVE-2024-13440
Risk Score
Threat Entry
Updated 2025-02-11
CVE-2025-0169 - Dwt Listing Plugin
The DWT - Directory & Listing WordPress Theme is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.3.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Dwt Listing
CVE-2025-0169
Risk Score
Threat Entry
Updated 2025-02-08
CVE-2025-0316 - Wp Directorybox Manager Plugin
The WP Directorybox Manager plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.5. This is due to incorrect authentication in the 'wp_dp_enquiry_agent_contact_form_submit_callback' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.
PLUGIN
Wp Directorybox Manager
CVE-2025-0316
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2024-13850 - Simple Add Pages Or Posts Plugin
The Simple add pages or posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Simple Add Pages Or Posts
CVE-2024-13850
Risk Score
Threat Entry
Updated 2025-02-11
CVE-2024-7425 - Wp All Export Plugin
The WP ALL Export Pro plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to improper user input validation and sanitization in all versions up to, and including, 1.9.1. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
PLUGIN
Wp All Export
CVE-2024-7425
Risk Score
Threat Entry
Updated 2025-02-11
CVE-2024-7419 - Wp All Export Plugin
The WP ALL Export Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.9.1 via the custom export fields. This is due to the missing input validation and sanitization of user-supplied data. This makes it possible for unauthenticated attackers to inject arbitrary PHP code into form fields that get executed on the server during the export, potentially leading to a complete site compromise. As a prerequisite, the custom export field should include fields containing user-supplied data.
PLUGIN
Wp All Export
CVE-2024-7419
Risk Score
Threat Entry
Updated 2025-02-11
CVE-2024-9664 - Wp All Import Plugin
The WP All Import Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.9.7 via deserialization of untrusted input from an import file. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
PLUGIN
Wp All Import
CVE-2024-9664
Risk Score
Threat Entry
Updated 2025-02-18
CVE-2024-9661 - Wp All Import Pro Plugin
The WP All Import Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.7. This is due to missing nonce validation on the delete_and_edit function. This makes it possible for unauthenticated attackers to delete imported content (posts, comments, users, etc.) via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Wp All Import Pro
CVE-2024-9661
Risk Score
Threat Entry
Updated 2025-02-07
CVE-2025-25077 - Easy Chart Builder for WordPress Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dugbug Easy Chart Builder for WordPress allows Stored XSS. This issue affects Easy Chart Builder for WordPress: from n/a through 1.3.
PLUGIN
Easy Chart Builder for WordPress
CVE-2025-25077
Risk Score
Threat Entry
Updated 2025-02-07
CVE-2024-13841 - Builder Shortcode Extras Plugin
The Builder Shortcode Extras – WordPress Shortcodes Collection to Save You Time plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.0 via the 'bse-elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private and draft posts created with Elementor that they should not have access to.
PLUGIN
Builder Shortcode Extras
CVE-2024-13841
Risk Score
Threat Entry
Updated 2025-05-23
CVE-2024-13492 - Guten Free Options Plugin
The Guten Free Options WordPress plugin through 0.9.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Guten Free Options
CVE-2024-13492
Risk Score
Threat Entry
Updated 2026-01-09
CVE-2024-13352 - Legull Plugin
The Legull WordPress plugin through 1.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Legull
CVE-2024-13352
Risk Score
Threat Entry
Updated 2025-02-07
CVE-2025-1061 - Nextend Social Login Pro Plugin
The Nextend Social Login Pro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.1.16. This is due to insufficient verification on the user being supplied during the Apple OAuth authenticate request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.
PLUGIN
Nextend Social Login Pro
CVE-2025-1061
Risk Score
Threat Entry
Updated 2025-03-19
CVE-2025-0859 - Post And Page Builder Plugin
The Post and Page Builder by BoldGrid – Visual Drag and Drop Editor plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.27.6 via the template_via_url() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Post And Page Builder
CVE-2025-0859
Risk Score
Threat Entry
Updated 2025-02-18
CVE-2024-13487 - Woo Multi Currency Plugin
The The CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution via the get_products_price() function in all versions up to, and including, 2.2.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
PLUGIN
Woo Multi Currency
CVE-2024-13487
Risk Score
Threat Entry
Updated 2025-05-23
CVE-2025-0522 - Likebot Plugin
The LikeBot WordPress plugin through 0.85 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
PLUGIN
Likebot
CVE-2025-0522
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-13829 - Tripetto Plugin
The WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.0.8 via the 'attachments.php' file. This makes it possible for unauthenticated attackers to extract sensitive data including files uploaded via forms.
PLUGIN
Tripetto
CVE-2024-13829
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2025-1028 - Contact Manager Plugin
The Contact Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the contact form upload feature in all versions up to, and including, 8.6.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible in specific configurations where the first extension is processed over the final. This vulnerability also requires successfully exploiting a race condition in order to exploit.
PLUGIN
Contact Manager
CVE-2025-1028
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-13699 - Qi Addons For Elementor Plugin
The Qi Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘cursor’ parameter in all versions up to, and including, 1.8.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in versions 1.8.5, 1.8.6, and 1.8.7.
PLUGIN
Qi Addons For Elementor
CVE-2024-13699
Risk Score