Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-01-25
CVE-2024-12826 - Personalize Woocommerce Cart Page Plugin
The GoHero Store Customizer for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wooh_action_settings_save_frontend() function in all versions up to, and including, 3.5. This makes it possible for unauthenticated attackers to update limited plugin settings.
PLUGIN
Personalize Woocommerce Cart Page
CVE-2024-12826
Risk Score
Threat Entry
Updated 2025-01-25
CVE-2024-12529 - Brodos Net Onlineshop Plugin
The brodos.net Onlineshop Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'BrodosCategory' shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Brodos Net Onlineshop
CVE-2024-12529
Risk Score
Threat Entry
Updated 2025-01-25
CVE-2024-12512 - Ask Me Anything Anonymously Plugin
The Ask Me Anything (Anonymously) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'askmeanythingpeople' shortcode in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ask Me Anything Anonymously
CVE-2024-12512
Risk Score
Threat Entry
Updated 2025-01-25
CVE-2024-11825 - Broadstreet Plugin
The Broadstreet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘zone’ parameter in all versions up to, and including, 1.50.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Broadstreet
CVE-2024-11825
Risk Score
Threat Entry
Updated 2025-01-25
CVE-2024-12076 - Target Video Easy Publish Plugin
The Target Video Easy Publish plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.3. This is due to missing or incorrect nonce validation on the resync_carousel(), seek_snapshot(), uploaded_cc(), and remove_cc() functions. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Target Video Easy Publish
CVE-2024-12076
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2024-12113 - Youzify Plugin
The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_user_review() and delete_review() functions in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other user's reviews.
PLUGIN
Youzify
CVE-2024-12113
Risk Score
Threat Entry
Updated 2025-01-25
CVE-2024-12600 - Custom Product Tabs Lite For Woocommerce Plugin
The Custom Product Tabs Lite for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.0 via deserialization of untrusted input from the 'frs_woo_product_tabs' parameter. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data,…
PLUGIN
Custom Product Tabs Lite For Woocommerce
CVE-2024-12600
Risk Score
Threat Entry
Updated 2025-01-25
CVE-2024-10552 - Flexmls Idx Plugin
The Flexmls® IDX Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘api_key’ and 'api_secret' parameters in all versions up to, and including, 3.14.26 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 3.14.25.
PLUGIN
Flexmls Idx
CVE-2024-10552
Risk Score
Threat Entry
Updated 2025-08-08
CVE-2025-0682 - Addons Plugin
The ThemeREX Addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.0 via the 'trx_sc_reviews' shortcode 'type' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
PLUGIN
Addons
CVE-2025-0682
Risk Score
Threat Entry
Updated 2025-01-25
CVE-2024-13721 - Plethora Tabs Accordions Plugin
The Plethora Plugins Tabs + Accordions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the anchor parameter in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Plethora Tabs Accordions
CVE-2024-13721
Risk Score
Threat Entry
Updated 2025-01-25
CVE-2024-13709 - Linear Plugin
The Linear plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.1. This is due to missing or incorrect nonce validation on the 'linear-debug'. This makes it possible for unauthenticated attackers to reset the plugin's cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Linear
CVE-2024-13709
Risk Score
Threat Entry
Updated 2025-06-27
CVE-2025-0357 - Wpbookit Plugin
The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'WPB_Profile_controller::handle_image_upload' function in versions up to, and including, 1.6.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Wpbookit
CVE-2025-0357
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2025-24659 - Premium Packages Plugin
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WordPress Download Manager Premium Packages allows Blind SQL Injection. This issue affects Premium Packages: from n/a through 5.9.6.
PLUGIN
Premium Packages
CVE-2025-24659
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2025-24652 - WP Duplicate – WordPress Migration Plugin
Missing Authorization vulnerability in Revmakx WP Duplicate – WordPress Migration Plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Duplicate – WordPress Migration Plugin: from n/a through 1.1.6.
PLUGIN
WP Duplicate – WordPress Migration Plugin
CVE-2025-24652
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2025-24588 - Patreon WordPress Plugin
Missing Authorization vulnerability in Patreon Patreon WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Patreon WordPress: from n/a through 1.9.1.
PLUGIN
Patreon WordPress
CVE-2025-24588
Risk Score
Threat Entry
Updated 2025-02-07
CVE-2024-13698 - Jobify Plugin
The Jobify - Job Board WordPress Theme for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'download_image_via_ai' and 'generate_image_via_ai' functions in all versions up to, and including, 4.2.7. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application to upload files in an image format, and to generate AI images using the site's OpenAI key.
PLUGIN
Jobify
CVE-2024-13698
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-11913 - Activity Plus Reloaded For Buddypress Plugin
The Activity Plus Reloaded for BuddyPress plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 1.1.1 via the 'ajax_preview_link' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Activity Plus Reloaded For Buddypress
CVE-2024-11913
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-10324 - Romethemekit For Elementor Plugin
The RomethemeKit For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.5.2 via the register_controls function in widgets/offcanvas-rometheme.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.
PLUGIN
Romethemekit For Elementor
CVE-2024-10324
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-13409 - Post Grid Slider Carousel Ultimate Plugin
The Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.10 via the 'theme' parameter of the post_type_ajax_handler() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images…
PLUGIN
Post Grid Slider Carousel Ultimate
CVE-2024-13409
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-13408 - Post Grid Plugin
The Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.10 via the 'theme' attribute of the `pgcu` shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php…
PLUGIN
Post Grid
CVE-2024-13408
Risk Score