
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 919 | Critical: 919 | High: 0 | Medium: 0
Showing 361-380 of 919 records
Threat Entry Updated 2025-07-08

CVE-2024-11286 - Jobcareer Plugin

The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the cs_parse_request() function. This makes it possible for unauthenticated attackers to log in to any user's account, including administrators.

PLUGIN Jobcareer

CVE-2024-11286

CRITICAL CVSS 9.8 2025-03-14
Threat Entry Updated 2025-07-08

CVE-2024-11285 - Jobcareer Plugin

The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 7.1. This is due to the plugin not properly validating a user's identity prior to updating their details, such as email, via the account_settings_callback() function. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including administrators', and leverage that to reset the user's password and gain access to their account.

PLUGIN Jobcareer

CVE-2024-11285

CRITICAL CVSS 9.8 2025-03-14
Threat Entry Updated 2025-07-08

CVE-2024-11284 - Jobcareer Plugin

The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.9. This is due to the plugin not properly validating a user's identity prior to updating their password through the account_settings_save_callback() function. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their account.

PLUGIN Jobcareer

CVE-2024-11284

CRITICAL CVSS 9.8 2025-03-14
Threat Entry Updated 2025-04-02

CVE-2024-13446 - Workreap Plugin

The Workreap plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.2.5. This is due to the plugin not properly validating a user's identity prior to (1) performing a social auto-login or (2) updating their profile details (e.g. password). This makes it possible for unauthenticated attackers to (1) log in as an arbitrary user if their email address is known or (2) change an arbitrary user's password, including administrators', and leverage that to gain access to their account. NOTE: This vulnerability was…

PLUGIN Workreap

CVE-2024-13446

CRITICAL CVSS 9.8 2025-03-12
Threat Entry Updated 2025-03-19

CVE-2025-1661 - Husky Products Filter Professional For Woocommerce Plugin

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.6.5 via the 'template' parameter of the woof_text_search AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

PLUGIN Husky Products Filter Professional For Woocommerce

CVE-2025-1661

CRITICAL CVSS 9.8 2025-03-11
Threat Entry Updated 2025-03-13

CVE-2025-0177 - Javo Core Plugin

The Javo Core plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.0.0.080. This is due to the plugin allowing users who are registering new accounts to set their own role. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.

PLUGIN Javo Core

CVE-2025-0177

CRITICAL CVSS 9.8 2025-03-08
Threat Entry Updated 2025-03-13

CVE-2025-1315 - Injob Plugin

The InWave Jobs plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 3.5.1. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their account.

PLUGIN Injob

CVE-2025-1315

CRITICAL CVSS 9.8 2025-03-07
Threat Entry Updated 2025-03-13

CVE-2024-12876 - Golo Plugin

The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.10. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their account.

PLUGIN Golo

CVE-2024-12876

CRITICAL CVSS 9.8 2025-03-07
Threat Entry Updated 2025-03-07

CVE-2025-1475 - Wpcom Member Plugin

The WPCOM Member plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.5. This is due to insufficient verification on the 'user_phone' parameter when logging in. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if SMS login is enabled.

PLUGIN Wpcom Member

CVE-2025-1475

CRITICAL CVSS 9.8 2025-03-07
Threat Entry Updated 2025-03-05

CVE-2024-12281 - Homey Theme

The Homey theme for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.2. This is due to the plugin allowing users who are registering new accounts to set their own role. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the Editor or Shop Manager role.

THEME Homey

CVE-2024-12281

CRITICAL CVSS 9.8 2025-03-05
Threat Entry Updated 2025-03-05

CVE-2024-11951 - Homey Login Register Plugin

The Homey Login Register plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.0. This is due to the plugin allowing users who are registering new accounts to set their own role. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.

PLUGIN Homey Login Register

CVE-2024-11951

CRITICAL CVSS 9.8 2025-03-05
Threat Entry Updated 2025-03-05

CVE-2025-1515 - Wp Real Estate Manager Plugin

The WP Real Estate Manager plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.8. This is due to insufficient identity verification on the LinkedIn login request process. This makes it possible for unauthenticated attackers to bypass official authentication and log in as any user on the site, including administrators.

PLUGIN Wp Real Estate Manager

CVE-2025-1515

CRITICAL CVSS 9.8 2025-03-05
Threat Entry Updated 2025-03-05

CVE-2024-13787 - VEDA MultiPurpose WordPress Theme

The VEDA - MultiPurpose WordPress Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.2 via deserialization of untrusted input in the 'veda_backup_and_restore_action' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin…

THEME VEDA MultiPurpose WordPress Theme

CVE-2024-13787

CRITICAL CVSS 9.8 2025-03-05
Threat Entry Updated 2025-03-05

CVE-2025-1307 - Newscrunch Plugin

The Newscrunch theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the newscrunch_install_and_activate_plugin() function in all versions up to, and including, 1.8.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Newscrunch

CVE-2025-1307

CRITICAL CVSS 9.8 2025-03-04
Threat Entry Updated 2025-03-05

CVE-2025-0912 - Givewp Plugin

The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the 'card_address' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.

PLUGIN Givewp

CVE-2025-0912

CRITICAL CVSS 9.8 2025-03-04
Threat Entry Updated 2025-03-01

CVE-2025-1671 - Academist Membership Theme

The Academist Membership plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.6. This is due to the academist_membership_check_facebook_user() function not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to log in as any user, including site administrators.

THEME Academist Membership

CVE-2025-1671

CRITICAL CVSS 9.8 2025-03-01
Threat Entry Updated 2025-03-01

CVE-2025-1638 - Alloggio Membership Theme

The Alloggio Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.2. This is due to the plugin not properly validating a user's identity through the alloggio_membership_init_rest_api_facebook_login and alloggio_membership_init_rest_api_google_login functions. This makes it possible for unauthenticated attackers to log in as any user, including administrators, without knowing a password.

THEME Alloggio Membership

CVE-2025-1638

CRITICAL CVSS 9.8 2025-03-01
Threat Entry Updated 2025-03-01

CVE-2025-1564 - SetSail Membership Theme

The SetSail Membership plugin for WordPress is vulnerable to in all versions up to, and including, 1.0.3. This is due to the plugin not properly verifying a user's identity through the social login. This makes it possible for unauthenticated attackers to log in as any user, including administrators, and take over access to their account.

THEME SetSail Membership

CVE-2025-1564

CRITICAL CVSS 9.8 2025-03-01
Threat Entry Updated 2025-03-01

CVE-2024-12824 - Job Board Wordpress Theme

The Nokri – Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.2. This is due to the plugin not properly checking for an empty token value prior to updating details such as the password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their account.

THEME Job Board Wordpress Theme

CVE-2024-12824

CRITICAL CVSS 9.8 2025-03-01
Threat Entry Updated 2025-03-25

CVE-2024-9193 - Whmcs Plugin

The WHMpress - WHMCS WordPress Integration Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.3-revision-0 via the whmpress_domain_search_ajax_extended_results() function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. This makes it possible for unauthenticated attackers…

PLUGIN Whmcs

CVE-2024-9193

CRITICAL CVSS 9.8 2025-02-28