Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 421-440 of 920 records
Threat Entry Updated 2025-01-07

CVE-2024-12264 - Payu India Plugin

The PayU CommercePro Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.8.3. This is due to the /wp-json/payu/v1/generate-user-token and /wp-json/payu/v1/get-shipping-cost REST API endpoints not properly verifying a user's identity prior to setting the user's ID and auth cookies. This makes it possible for unauthenticated attackers to create new administrative user accounts.

PLUGIN Payu India

CVE-2024-12264

CRITICAL CVSS 9.8 2025-01-07
Threat Entry Updated 2025-01-07

CVE-2024-12252 - Seo Beginner Auto Post Plugin

The SEO LAT Auto Post plugin for WordPress is vulnerable to file overwrite due to a missing capability check on the remote_update AJAX action in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to overwrite the seo-beginner-auto-post.php file which can be leveraged to achieve remote code execution.

PLUGIN Seo Beginner Auto Post

CVE-2024-12252

CRITICAL CVSS 9.8 2025-01-07
Threat Entry Updated 2025-01-07

CVE-2024-12402 - Tc Ecommerce Plugin

The Themes Coder – Create Android & iOS Apps For Your Woocommerce Site plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.4. This is due to the plugin not properly validating a user's identity prior to updating their password through the update_user_profile() function. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.

PLUGIN Tc Ecommerce

CVE-2024-12402

CRITICAL CVSS 9.8 2025-01-07
Threat Entry Updated 2025-01-04

CVE-2024-12583 - Dynamics 365 Integration Plugin

The Dynamics 365 Integration plugin for WordPress is vulnerable to Remote Code Execution and Arbitrary File Read in all versions up to, and including, 1.3.23 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

PLUGIN Dynamics 365 Integration

CVE-2024-12583

CRITICAL CVSS 9.9 2025-01-04
Threat Entry Updated 2025-05-17

CVE-2024-11972 - Hunk Companion Plugin

The Hunk Companion WordPress plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repo, including vulnerable plugins that have been closed.

PLUGIN Hunk Companion

CVE-2024-11972

CRITICAL CVSS 9.8 2024-12-31
Threat Entry Updated 2024-12-25

CVE-2024-11281 - Woocommerce Point Of Sale Plugin

The WooCommerce Point of Sale plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 6.1.0. This is due to insufficient validation on the 'logged_in_user_id' value when option values are empty and the ability for attackers to change the email of arbitrary user accounts. This makes it possible for unauthenticated attackers to change the email of arbitrary user accounts, including administrators, and reset their password to gain access to the account.

PLUGIN Woocommerce Point Of Sale

CVE-2024-11281

CRITICAL CVSS 9.8 2024-12-25
Threat Entry Updated 2025-08-12

CVE-2024-11349 - Adforest Plugin

The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.6. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the sb_login_user_with_otp_fun() function. This makes it possible for unauthenticated attackers to log in as arbitrary users, including administrators.

PLUGIN Adforest

CVE-2024-11349

CRITICAL CVSS 9.8 2024-12-21
Threat Entry Updated 2024-12-20

CVE-2024-12571 - Store Locator Plugin

The Store Locator for WordPress with Google Maps – LotsOfLocales plugin for WordPress is vulnerable to Local File Inclusion in version 3.98.9 via the 'sl_engine' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

PLUGIN Store Locator

CVE-2024-12571

CRITICAL CVSS 9.8 2024-12-20
Threat Entry Updated 2024-12-19

CVE-2024-12626 - Custom Integrations In Wordpress Plugin

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘a-0-o-search_field_value’ parameter in all versions up to, and including, 5.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. When used in conjunction with the plugin's import and code action feature, this vulnerability…

PLUGIN Custom Integrations In Wordpress

CVE-2024-12626

CRITICAL CVSS 9.6 2024-12-19
Threat Entry Updated 2024-12-18

CVE-2024-12287 - Biagiotti Membership Plugin

The Biagiotti Membership plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.0.2. This is due to the plugin not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to log in as other users, such as administrators, granted they have access to an email.

PLUGIN Biagiotti Membership

CVE-2024-12287

CRITICAL CVSS 9.8 2024-12-18
Threat Entry Updated 2024-12-13

CVE-2024-9290 - Clone Migrate For Wordpress Plugin

The Super Backup & Clone - Migrate for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and a missing capability check on the ibk_restore_migrate_check() function in all versions up to, and including, 2.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Clone Migrate For Wordpress

CVE-2024-9290

CRITICAL CVSS 9.8 2024-12-13
Threat Entry Updated 2024-12-12

CVE-2024-10124 - Vayu Blocks Plugin

The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation due to a missing capability check on the tp_install() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. This vulnerability was partially patched in version 1.1.1.

PLUGIN Vayu Blocks

CVE-2024-10124

CRITICAL CVSS 9.8 2024-12-12
Threat Entry Updated 2024-12-12

CVE-2024-11015 - Sign In With Google Plugin

The Sign In With Google plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.8.0. This is due to the 'authenticate_user' function not implementing sufficient null value checks when setting the access token and user information. This makes it possible for unauthenticated attackers to log in as the first user who has signed in using Google OAuth, which could be the site administrator.

PLUGIN Sign In With Google

CVE-2024-11015

CRITICAL CVSS 9.8 2024-12-12
Threat Entry Updated 2024-12-08

CVE-2024-12209 - Wp Health Plugin

The WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.17.0 via the 'filename' parameter of the 'umbrella-restore' action. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

PLUGIN Wp Health

CVE-2024-12209

CRITICAL CVSS 9.8 2024-12-08
Threat Entry Updated 2024-12-06

CVE-2024-51615 - WordPress Core

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Owen Cutajar & Hyder Jaffari WordPress Auction Plugin allows SQL Injection. This issue affects WordPress Auction Plugin: from n/a through 3.7.

CORE WordPress Core

CVE-2024-51615

CRITICAL CVSS 9.3 2024-12-06
Threat Entry Updated 2024-12-06

CVE-2024-12155 - Sv100 Companion Plugin

The SV100 Companion plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the settings_import() function in all versions up to, and including, 2.0.02. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

PLUGIN Sv100 Companion

CVE-2024-12155

CRITICAL CVSS 9.8 2024-12-06
Threat Entry Updated 2024-11-28

CVE-2024-8672 - Widget Options Plugin

The Widget Options – The #1 WordPress Widget & Block Control Plugin plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.0.7 via the display logic functionality that extends several page builders. This is due to the plugin allowing users to supply input that will be passed through eval() without any filtering or capability checks. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server. Special note: We suggested the vendor implement an allowlist of…

PLUGIN Widget Options

CVE-2024-8672

CRITICAL CVSS 9.9 2024-11-28
Threat Entry Updated 2025-04-11

CVE-2024-11103 - Contest Gallery Plugin

The Contest Gallery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 24.0.7. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.

PLUGIN Contest Gallery

CVE-2024-11103

CRITICAL CVSS 9.8 2024-11-28
Threat Entry Updated 2024-11-28

CVE-2024-11082 - Tumult Hype Animations Plugin

The Tumult Hype Animations plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the hypeanimations_panel() function in all versions up to, and including, 1.9.15. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Tumult Hype Animations

CVE-2024-11082

CRITICAL CVSS 9.9 2024-11-28
Threat Entry Updated 2024-11-28

CVE-2024-11925 - Jobsearch Wp Job Board Plugin

The JobSearch WP Job Board plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.6.7. This is due to the plugin not properly verifying a user's identity when verifying an email address through the user_account_activation function. This makes it possible for unauthenticated attackers to log in as any user, including site administrators, if the user's email is known.

PLUGIN Jobsearch Wp Job Board

CVE-2024-11925

CRITICAL CVSS 9.8 2024-11-28