Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 919 (Critical: 919, High: 0, Medium: 0)

Showing 341-360 of 919 records
Threat Entry Updated 2025-04-07

CVE-2025-2941 - Drag And Drop Multiple File Upload For Woocommerce Plugin

The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the wc-upload-file[] parameter in all versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).

PLUGIN Drag And Drop Multiple File Upload For Woocommerce

CVE-2025-2941

CRITICAL CVSS 9.8 2025-04-05
Threat Entry Updated 2025-08-08

CVE-2025-2798 - Woffice Plugin

The Woffice CRM theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.4.21. This is due to a misconfiguration of excluded roles during registration. This makes it possible for unauthenticated attackers to register with an Administrator role if a custom login form is being used. This can be combined with CVE-2025-2797 to bypass the user approval process if an Administrator can be tricked into taking an action such as clicking a link.

PLUGIN Woffice

CVE-2025-2798

CRITICAL CVSS 9.8 2025-04-04
Threat Entry Updated 2025-04-07

CVE-2024-13645 - Tagdiv Composer Plugin

The tagDiv Composer plugin for WordPress is vulnerable to PHP Object Instantiation in all versions up to, and including, 5.3 via the 'module' parameter. This makes it possible for unauthenticated attackers to instantiate a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform…

PLUGIN Tagdiv Composer

CVE-2024-13645

CRITICAL CVSS 9.8 2025-04-04
Threat Entry Updated 2025-08-12

CVE-2025-2005 - Front End Users Plugin

The Front End Users plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the file uploads field of the registration form in all versions up to, and including, 3.2.32. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Front End Users

CVE-2025-2005

CRITICAL CVSS 9.8 2025-04-02
Threat Entry Updated 2025-04-01

CVE-2025-2237 - Wp Realestate Plugin

The WP RealEstate plugin for WordPress, used by the Homeo theme, is vulnerable to authentication bypass in all versions up to, and including, 1.6.26. This is due to insufficient role restrictions in the 'process_register' function. This makes it possible for unauthenticated attackers to register an account with the Administrator role.

PLUGIN Wp Realestate

CVE-2025-2237

CRITICAL CVSS 9.8 2025-04-01
Threat Entry Updated 2025-05-27

CVE-2024-13553 - Sms Alert Order Notifications Plugin

The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.7.9. This is due to the plugin using the Host header to determine if the plugin is in a playground environment. This makes it possible for unauthenticated attackers to spoof the Host header to make the OTP code "1234" and authenticate as any user, including administrators.

PLUGIN Sms Alert Order Notifications

CVE-2024-13553

CRITICAL CVSS 9.8 2025-04-01
Threat Entry Updated 2025-04-01

CVE-2025-2266 - Checkout Mestres Wp Plugin

The Checkout Mestres do WP for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the cwmpUpdateOptions() function in versions 8.6.5 to 8.7.5. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

PLUGIN Checkout Mestres Wp

CVE-2025-2266

CRITICAL CVSS 9.8 2025-03-29
Threat Entry Updated 2025-03-28

CVE-2025-2294 - Kubio AI Page Builder Theme

The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via the kubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

THEME Kubio AI Page Builder

CVE-2025-2294

CRITICAL CVSS 9.8 2025-03-28
Threat Entry Updated 2025-03-27

CVE-2025-2332 - Export All Posts, Products, Orders, Refunds & Users Plugin

The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.13 via deserialization of untrusted input in the 'returnMetaValueAsCustomerInput' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme…

PLUGIN Export All Posts, Products, Orders, Refunds & Users

CVE-2025-2332

CRITICAL CVSS 9.8 2025-03-27
Threat Entry Updated 2025-04-02

CVE-2025-1446 - Before 3 Plugin

The Pods WordPress plugin before 3.2.8.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.

PLUGIN Before 3

CVE-2025-1446

CRITICAL CVSS 9.8 2025-03-23
Threat Entry Updated 2025-03-20

CVE-2025-2505 - Age Gate Plugin

The Age Gate plugin for WordPress is vulnerable to Local PHP File Inclusion in all versions up to, and including, 3.5.3 via the 'lang' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

PLUGIN Age Gate

CVE-2025-2505

CRITICAL CVSS 9.8 2025-03-20
Threat Entry Updated 2025-08-11

CVE-2025-2512 - File Away Plugin

The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN File Away

CVE-2025-2512

CRITICAL CVSS 9.8 2025-03-19
Threat Entry Updated 2025-03-19

CVE-2024-13442 - Service Finder Bookings Plugin

The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.0. This is due to the plugin not properly validating a user's identity prior to (1) performing a post-booking auto-login or (2) updating their profile details (e.g. password). This makes it possible for unauthenticated attackers to (1) log in as an arbitrary user if their email address is known or (2) change an arbitrary user's password, including administrators, and leverage that to gain access to their account.

PLUGIN Service Finder Bookings

CVE-2024-13442

CRITICAL CVSS 9.8 2025-03-19
Threat Entry Updated 2025-03-19

CVE-2024-13790 - High Converting Ecommerce Wordpress Theme

The MinimogWP – The High Converting eCommerce WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.7.0 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

THEME High Converting Ecommerce Wordpress Theme

CVE-2024-13790

CRITICAL CVSS 9.8 2025-03-19
Threat Entry Updated 2025-03-19

CVE-2024-13410 - WordPress Core

The CozyStay and TinySalt plugins for WordPress are vulnerable to PHP Object Injection in all versions up to, and including, 1.7.0, and in all versions up to, and including 3.9.0, respectively, via deserialization of untrusted input in the 'ajax_handler' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via…

CORE WordPress Core

CVE-2024-13410

CRITICAL CVSS 9.8 2025-03-19
Threat Entry Updated 2025-03-19

CVE-2024-12922 - Altair Theme

The Altair theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check within functions.php in all versions up to, and including, 5.2.4. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

THEME Altair

CVE-2024-12922

CRITICAL CVSS 9.8 2025-03-19
Threat Entry Updated 2025-03-28

CVE-2025-1771 - Traveler Plugin

The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'style' parameter of the 'hotel_alone_load_more_post' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.

PLUGIN Traveler

CVE-2025-1771

CRITICAL CVSS 9.8 2025-03-15
Threat Entry Updated 2025-03-25

CVE-2025-2232 - Realteo Plugin

The Realteo - Real Estate Plugin by Purethemes plugin for WordPress, used by the Findeo Theme, is vulnerable to authentication bypass in all versions up to, and including, 1.2.8. This is due to insufficient role restrictions in the 'do_register_user' function. This makes it possible for unauthenticated attackers to register an account with the Administrator role.

PLUGIN Realteo

CVE-2025-2232

CRITICAL CVSS 9.8 2025-03-14
Threat Entry Updated 2025-03-28

CVE-2024-13771 - Civi Plugin

The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of user validation before changing a password. This makes it possible for unauthenticated attackers to change the password of arbitrary users, including administrators, if the attacker knows the username of the victim.

PLUGIN Civi

CVE-2024-13771

CRITICAL CVSS 9.8 2025-03-14
Threat Entry Updated 2025-03-21

CVE-2024-13824 - Ciyashop Plugin

The CiyaShop - Multipurpose WooCommerce Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.19.0 via deserialization of untrusted input in the 'add_ciyashop_wishlist' and 'ciyashop_get_compare' functions. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed…

PLUGIN Ciyashop

CVE-2024-13824

CRITICAL CVSS 9.8 2025-03-14