Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2025-03-25

CVE-2024-9193 - Whmcs Plugin

The WHMpress - WHMCS WordPress Integration Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.3-revision-0 via the whmpress_domain_search_ajax_extended_results() function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. This makes it possible for unauthenticated attackers…

PLUGIN Whmcs | CVE-2024-9193 | CRITICAL | CVSS 9.8 | 2025-02-28
Threat Entry Updated 2025-03-06

CVE-2024-8425 - Woocommerce Ultimate Gift Card Plugin

The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwb_wgm_preview_mail' and 'mwb_wgm_woocommerce_add_cart_item_data' functions in all versions up to, and including, 2.6.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Woocommerce Ultimate Gift Card | CVE-2024-8425 | CRITICAL | CVSS 9.8 | 2025-02-28
Threat Entry Updated 2025-03-06

CVE-2024-8420 - Dhvc Form Plugin

The DHVC Form plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.7. This is due to the plugin allowing a user to supply the 'role' field when registering. This makes it possible for unauthenticated attackers to register as an administrator on sites.

PLUGIN Dhvc Form | CVE-2024-8420 | CRITICAL | CVSS 9.8 | 2025-02-28
Threat Entry Updated 2025-02-28

CVE-2025-1128 - Everest Forms Plugin

The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion due to missing file type and path validation in the 'format' method of the EVF_Form_Fields_Upload class in all versions up to, and including, 3.0.9.4. This makes it possible for unauthenticated attackers to upload, read, and delete arbitrary files on the affected site's server which may make remote code execution, sensitive information disclosure, or a site takeover possible.

PLUGIN Everest Forms | CVE-2025-1128 | CRITICAL | CVSS 9.8 | 2025-02-25
Threat Entry Updated 2025-02-25

CVE-2024-13789 - Ravpage Plugin

The ravpage plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.31 via deserialization of untrusted input from the 'paramsv2' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may…

PLUGIN Ravpage | CVE-2024-13789 | CRITICAL | CVSS 9.8 | 2025-02-20
Threat Entry Updated 2025-02-21

CVE-2024-12860 - Carspot Plugin

The CarSpot – Dealership Wordpress Classified Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.4.3. This is due to the plugin not properly validating a token prior to updating a user's password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.

PLUGIN Carspot | CVE-2024-12860 | CRITICAL | CVSS 9.8 | 2025-02-18
Threat Entry Updated 2025-02-21

CVE-2024-13725 - Keap Official Opt In Forms Plugin

The Keap Official Opt-in Forms plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.1 via the service parameter. This makes it possible for unauthenticated attackers to include PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included. If register_argc_argv is enabled on the server and pearcmd.php is installed, this issue might lead…

PLUGIN Keap Official Opt In Forms | CVE-2024-13725 | CRITICAL | CVSS 9.8 | 2025-02-18
Threat Entry Updated 2025-02-24

CVE-2024-12562 - S2member Plugin

The s2Member Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 241216 via deserialization of untrusted input from the 's2member_pro_remote_op' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

PLUGIN S2member | CVE-2024-12562 | CRITICAL | CVSS 9.8 | 2025-02-15
Threat Entry Updated 2025-02-25

CVE-2024-13513 - Oliver Pos Plugin

The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.2.3 via the logging functionality. This makes it possible for unauthenticated attackers to extract sensitive data including the plugin's clientToken, which in turn can be used to change user account information including emails and account type. This allows attackers to then change account passwords resulting in a complete site takeover. Version 2.4.2.3 disabled logging but left sites with existing log files vulnerable.

PLUGIN Oliver Pos | CVE-2024-13513 | CRITICAL | CVSS 9.8 | 2025-02-15
Threat Entry Updated 2025-02-13

CVE-2024-13182 - Wp Directorybox Manager Plugin

The WP Directorybox Manager plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.5. This is due to incorrect authentication in the 'wp_dp_parse_request' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator.

PLUGIN Wp Directorybox Manager | CVE-2024-13182 | CRITICAL | CVSS 9.8 | 2025-02-13
Threat Entry Updated 2025-11-13

CVE-2024-10763 - Campress Plugin

The Campress theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.35 via the 'campress_woocommerce_get_ajax_products' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.

PLUGIN Campress | CVE-2024-10763 | CRITICAL | CVSS 9.8 | 2025-02-13
Threat Entry Updated 2025-02-20

CVE-2024-10960 - Brizy Plugin

The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'storeUploads' function in all versions up to, and including, 2.6.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Brizy | CVE-2024-10960 | CRITICAL | CVSS 9.9 | 2025-02-12
Threat Entry Updated 2025-02-25

CVE-2024-13365 - Security Malware Scan Plugin

The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to arbitrary file uploads due to the plugin uploading and extracting .zip archives when scanning them for malware through the checkUploadedArchive() function in all versions up to, and including, 2.149. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Security Malware Scan | CVE-2024-13365 | CRITICAL | CVSS 9.8 | 2025-02-12
Threat Entry Updated 2025-02-20

CVE-2024-12213 - Superio Plugin

The WP Job Board Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.76. This is due to the plugin allowing a user to supply the 'role' field when registering. This makes it possible for unauthenticated attackers to register as an administrator on vulnerable sites.

PLUGIN Superio | CVE-2024-12213 | CRITICAL | CVSS 9.8 | 2025-02-12
Threat Entry Updated 2025-02-25

CVE-2024-13421 - Real Estate 7 Plugin

The Real Estate 7 WordPress theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.1. This is due to the plugin not properly restricting the roles allowed to be selected during registration. This makes it possible for unauthenticated attackers to register a new administrative user account.

PLUGIN Real Estate 7 | CVE-2024-13421 | CRITICAL | CVSS 9.8 | 2025-02-12
Threat Entry Updated 2025-02-11

CVE-2025-0181 - Wp Foodbakery Plugin

The WP Foodbakery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.7. This is due to the plugin not properly validating a user's identity prior to setting the current user and their authentication cookie. This makes it possible for unauthenticated attackers to gain access to a target user's account (e.g. an administrator's).

PLUGIN Wp Foodbakery | CVE-2025-0181 | CRITICAL | CVSS 9.8 | 2025-02-11
Threat Entry Updated 2025-02-11

CVE-2025-0180 - Wp Foodbakery Plugin

The WP Foodbakery plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3. This is due to the plugin not properly restricting what user meta can be updated during profile registration. This makes it possible for unauthenticated attackers to register on the site as an administrator.

PLUGIN Wp Foodbakery | CVE-2025-0180 | CRITICAL | CVSS 9.8 | 2025-02-11
Threat Entry Updated 2025-02-10

CVE-2024-13011 - Wp Foodbakery Plugin

The WP Foodbakery plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'upload_publisher_profile_image' function in versions up to, and including, 4.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Wp Foodbakery | CVE-2024-13011 | CRITICAL | CVSS 9.8 | 2025-02-10
Threat Entry Updated 2025-02-08

CVE-2025-0316 - Wp Directorybox Manager Plugin

The WP Directorybox Manager plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.5. This is due to incorrect authentication in the 'wp_dp_enquiry_agent_contact_form_submit_callback' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.

PLUGIN Wp Directorybox Manager | CVE-2025-0316 | CRITICAL | CVSS 9.8 | 2025-02-08
Threat Entry Updated 2025-02-07

CVE-2025-1061 - Nextend Social Login Pro Plugin

The Nextend Social Login Pro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.1.16. This is due to insufficient verification on the user being supplied during the Apple OAuth authenticate request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.

PLUGIN Nextend Social Login Pro | CVE-2025-1061 | CRITICAL | CVSS 9.8 | 2025-02-07