
Threat Database

Threat Entry Updated 2025-05-23

CVE-2025-0493 - Multivendorx Plugin

The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Limited Local File Inclusion in all versions up to, and including, 4.2.14 via the tabname parameter. This makes it possible for unauthenticated attackers to include PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.

PLUGIN Multivendorx

CVE-2025-0493

CRITICAL CVSS 9.8 2025-01-31
Threat Entry Updated 2025-01-30

CVE-2024-13742 - Icontrolwp Plugin

The iControlWP – Multiple WordPress Site Manager plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.5 via deserialization of untrusted input from the reqpars parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on…

PLUGIN Icontrolwp

CVE-2024-13742

CRITICAL CVSS 9.8 2025-01-30
Threat Entry Updated 2025-02-28

CVE-2024-12822 - Media Manager Plugin

The Media Manager for UserPro plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the add_capto_img() function in all versions up to, and including, 3.11.0. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

PLUGIN Media Manager

CVE-2024-12822

CRITICAL CVSS 9.8 2025-01-30
Threat Entry Updated 2025-01-30

CVE-2024-13448 - Addons Plugin

The ThemeREX Addons plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'trx_addons_uploads_save_data' function in all versions up to, and including, 2.32.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Addons

CVE-2024-13448

CRITICAL CVSS 9.8 2025-01-28
Threat Entry Updated 2025-06-27

CVE-2025-0357 - Wpbookit Plugin

The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'WPB_Profile_controller::handle_image_upload' function in versions up to, and including, 1.6.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Wpbookit

CVE-2025-0357

CRITICAL CVSS 9.8 2025-01-25
Threat Entry Updated 2025-02-05

CVE-2024-13545 - Ultimate Bootstrap Elements For Elementor Plugin

The Bootstrap Ultimate theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.9 via the path parameter. This makes it possible for unauthenticated attackers to include PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included. If php://filter is enabled on the server, this issue may directly lead to Remote Code Execution.

PLUGIN Ultimate Bootstrap Elements For Elementor

CVE-2024-13545

CRITICAL CVSS 9.8 2025-01-24
Threat Entry Updated 2025-01-22

CVE-2025-23931 - WordPress Local SEO Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound WordPress Local SEO allows Blind SQL Injection. This issue affects WordPress Local SEO: from n/a through 2.3.

PLUGIN WordPress Local SEO

CVE-2025-23931

CRITICAL CVSS 9.3 2025-01-22
Threat Entry Updated 2025-01-24

CVE-2024-12857 - Adforest Plugin

The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.8. This is due to the plugin not properly verifying a user's identity prior to logging them in as that user. This makes it possible for unauthenticated attackers to authenticate as any user as long as they have configured OTP login by phone number.

PLUGIN Adforest

CVE-2024-12857

CRITICAL CVSS 9.8 2025-01-22
Threat Entry Updated 2025-01-24

CVE-2024-13091 - Wpot Plugin

The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'qcld_wpcfb_file_upload' function in all versions up to, and including, 13.5.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The exploit requires the ChatBot Conversational Forms plugin and the Conversational Form Builder Pro addon plugin.

PLUGIN Wpot

CVE-2024-13091

CRITICAL CVSS 9.8 2025-01-22
Threat Entry Updated 2025-01-18

CVE-2024-13375 - Adifier System Plugin

The Adifier System plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.1.7. This is due to the plugin not properly validating a user's identity prior to updating their details, such as their password, through the adifier_recover() function. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.

PLUGIN Adifier System

CVE-2024-13375

CRITICAL CVSS 9.8 2025-01-18
Threat Entry Updated 2025-01-15

CVE-2024-9636 - Post Grid Plugin

The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable to privilege escalation in versions 2.2.85 to 2.3.3. This is due to the plugin not properly restricting what user meta can be updated during profile registration. This makes it possible for unauthenticated attackers to register on the site as an administrator.

PLUGIN Post Grid

CVE-2024-9636

CRITICAL CVSS 9.8 2025-01-15
Threat Entry Updated 2025-01-22

CVE-2024-12919 - Membership Content Restriction Paid Member Subscriptions Plugin

The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.13.7. This is due to the pms_pb_payment_redirect_link function using the user-controlled value supplied via the 'pms_payment_id' parameter to authenticate users without any further identity validation. This makes it possible for unauthenticated attackers with knowledge of a valid payment ID to log in as any user who has made a purchase on the targeted site.

PLUGIN Membership Content Restriction Paid Member Subscriptions

CVE-2024-12919

CRITICAL CVSS 9.8 2025-01-14
Threat Entry Updated 2025-02-25

CVE-2024-12877 - Givewp Plugin

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.2 via deserialization of untrusted input from the donation form like 'firstName'. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files on the server that makes remote code execution possible. Please note this was only partially patched in 3.19.3, a fully sufficient patch was not released until 3.19.4. However, another…

PLUGIN Givewp

CVE-2024-12877

CRITICAL CVSS 9.8 2025-01-11
Threat Entry Updated 2025-06-27

CVE-2024-10215 - Wpbookit Plugin

The WPBookit plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.6.4. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.

PLUGIN Wpbookit

CVE-2024-10215

CRITICAL CVSS 9.8 2025-01-09
Threat Entry Updated 2025-06-05

CVE-2024-11642 - Post Grid Master Plugin

The Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.4.12 via the 'locate_template' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other…

PLUGIN Post Grid Master

CVE-2024-11642

CRITICAL CVSS 9.8 2025-01-09
Threat Entry Updated 2025-08-12

CVE-2024-11350 - Adforest Plugin

The AdForest theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.1.6. This is due to the plugin not properly validating a user's identity prior to updating their password through the adforest_reset_password() function. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.

PLUGIN Adforest

CVE-2024-11350

CRITICAL CVSS 9.8 2025-01-08
Threat Entry Updated 2025-03-13

CVE-2024-11635 - Wordpress File Upload Plugin

The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.12 via the 'wfu_ABSPATH' cookie parameter. This makes it possible for unauthenticated attackers to execute code on the server.

PLUGIN Wordpress File Upload

CVE-2024-11635

CRITICAL CVSS 9.8 2025-01-08
Threat Entry Updated 2025-04-17

CVE-2024-11613 - Wordpress File Upload Plugin

The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion in all versions up to, and including, 4.24.15 via the 'wfu_file_downloader.php' file. This is due to lack of proper sanitization of the 'source' parameter and allowing a user-defined directory path. This makes it possible for unauthenticated attackers to execute code on the server.

PLUGIN Wordpress File Upload

CVE-2024-11613

CRITICAL CVSS 9.8 2025-01-08
Threat Entry Updated 2025-05-14

CVE-2024-8855 - Wordpress Auction Plugin

The WordPress Auction Plugin WordPress plugin through 3.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing editors and above to perform SQL injection attacks.

PLUGIN Wordpress Auction

CVE-2024-8855

CRITICAL CVSS 9.8 2025-01-07
Threat Entry Updated 2025-01-07

CVE-2024-12470 - Sakolawp Lite Plugin

The School Management System – SakolaWP plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.8. This is due to the registration function not properly limiting what roles a user can register as. This makes it possible for unauthenticated attackers to register as an administrative user.

PLUGIN Sakolawp Lite

CVE-2024-12470

CRITICAL CVSS 9.8 2025-01-07