Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 920 records (Critical: 920, High: 0, Medium: 0)

Showing 441-460 of 920 records
Threat Entry Updated 2025-06-05

CVE-2024-11024 - Apppresser Plugin

The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.4.6. This is due to the plugin not properly validating a user's password reset code prior to updating their password. This makes it possible for unauthenticated attackers, with knowledge of a user's email address, to reset the user's password and gain access to their account.

PLUGIN Apppresser

CVE-2024-11024

CRITICAL CVSS 9.8 2024-11-26
Threat Entry Updated 2025-07-12

CVE-2024-10542 - Anti Spam Plugin

The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 6.43.2. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.

PLUGIN Anti Spam

CVE-2024-10542

CRITICAL CVSS 9.8 2024-11-26
Threat Entry Updated 2024-11-26

CVE-2024-9942 - Wordpress Gym Management System Plugin

The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the MJ_gmgt_user_avatar_image_upload() function in all versions up to, and including, 67.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Wordpress Gym Management System

CVE-2024-9942

CRITICAL CVSS 9.8 2024-11-23
Threat Entry Updated 2025-07-12

CVE-2024-9659 - School Management System Plugin

The School Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the mj_smgt_user_avatar_image_upload() function in all versions up to, and including, 91.5.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN School Management System

CVE-2024-9659

CRITICAL CVSS 9.8 2024-11-23
Threat Entry Updated 2024-11-23

CVE-2024-9511 - Fluent Smtp Plugin

The FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.2.82 via deserialization of untrusted input in the 'formatResult' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary…

PLUGIN Fluent Smtp

CVE-2024-9511

CRITICAL CVSS 9.8 2024-11-23
Threat Entry Updated 2024-12-06

CVE-2024-10961 - Oa Social Login Plugin

The Social Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.9.0. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.

PLUGIN Oa Social Login

CVE-2024-10961

CRITICAL CVSS 9.8 2024-11-23
Threat Entry Updated 2024-11-20

CVE-2024-52431 - Wordpress Video Robot Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pressaholic WordPress Video Robot - The Ultimate Video Importer allows SQL Injection. This issue affects WordPress Video Robot - The Ultimate Video Importer: from n/a through 1.20.0.

PLUGIN Wordpress Video Robot

CVE-2024-52431

CRITICAL CVSS 9.3 2024-11-18
Threat Entry Updated 2024-11-18

CVE-2024-52408 - WordPress Core

Unrestricted Upload of File with Dangerous Type vulnerability in Team PushAssist Push Notifications for WordPress by PushAssist allows Upload a Web Shell to a Web Server. This issue affects Push Notifications for WordPress by PushAssist: from n/a through 3.0.8.

CORE WordPress Core

CVE-2024-52408

CRITICAL CVSS 9.9 2024-11-16
Threat Entry Updated 2025-07-09

CVE-2024-8856 - Backup And Staging By Wp Time Capsule Plugin

The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the UploadHandler.php file and no direct file access prevention in all versions up to, and including, 1.22.21. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Backup And Staging By Wp Time Capsule

CVE-2024-8856

CRITICAL CVSS 9.8 2024-11-16
Threat Entry Updated 2026-01-23

CVE-2024-10924 - Really Simple Security Plugin

The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).

PLUGIN Really Simple Security

CVE-2024-10924

CRITICAL CVSS 9.8 2024-11-15
Threat Entry Updated 2024-11-15

CVE-2024-52370 - WordPress Core

Unrestricted Upload of File with Dangerous Type vulnerability in Hive Support Hive Support – WordPress Help Desk allows Upload a Web Shell to a Web Server. This issue affects Hive Support – WordPress Help Desk: from n/a through 1.1.1.

CORE WordPress Core

CVE-2024-52370

CRITICAL CVSS 9.9 2024-11-14
Threat Entry Updated 2024-11-15

CVE-2024-52376 - Cmsminds Boat Rental Plugin

Unrestricted Upload of File with Dangerous Type vulnerability in cmsMinds Boat Rental Plugin for WordPress allows Upload a Web Shell to a Web Server. This issue affects Boat Rental Plugin for WordPress: from n/a through 1.0.1.

PLUGIN Cmsminds Boat Rental

CVE-2024-52376

CRITICAL CVSS 10.0 2024-11-14
Threat Entry Updated 2024-11-19

CVE-2024-10571 - Chartify Plugin

The Chartify – WordPress Chart Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.5 via the 'source' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

PLUGIN Chartify

CVE-2024-10571

CRITICAL CVSS 9.8 2024-11-14
Threat Entry Updated 2024-11-19

CVE-2024-11028 - Multimanager Wp Plugin

The MultiManager WP – Manage All Your WordPress Sites Easily plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.5. This is due to the user impersonation feature inappropriately determining the current user via user-supplied input. This makes it possible for unauthenticated attackers to generate an impersonation link that will allow them to log in as any existing user, such as an administrator. NOTE: The user impersonation feature was disabled in version 1.1.0 and re-enabled with a patch in version 1.1.2.

PLUGIN Multimanager Wp

CVE-2024-11028

CRITICAL CVSS 9.8 2024-11-13
Threat Entry Updated 2024-11-19

CVE-2024-11150 - User Extra Fields Plugin

The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_tmp_uploaded_file() function in all versions up to, and including, 16.6. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN User Extra Fields

CVE-2024-11150

CRITICAL CVSS 9.8 2024-11-13
Threat Entry Updated 2024-11-19

CVE-2024-10820 - Woocommerce Upload Files Plugin

The WooCommerce Upload Files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload_files() function in all versions up to, and including, 84.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Woocommerce Upload Files

CVE-2024-10820

CRITICAL CVSS 9.8 2024-11-13
Threat Entry Updated 2024-11-12

CVE-2024-10245 - Relais 2fa Plugin

The Relais 2FA plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.0. This is due to incorrect authentication and capability checking in the 'rl_do_ajax' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.

PLUGIN Relais 2fa

CVE-2024-10245

CRITICAL CVSS 9.8 2024-11-12
Threat Entry Updated 2024-11-12

CVE-2024-10871 - Category Ajax Filter Plugin

The Category Ajax Filter plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.8.2 via the 'params[caf-post-layout]' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where files with a .php extension can be uploaded and included.

PLUGIN Category Ajax Filter

CVE-2024-10871

CRITICAL CVSS 9.8 2024-11-09
Threat Entry Updated 2024-11-12

CVE-2024-10801 - Wordpress User Extra Fields Plugin

The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_manage_file_chunk_upload() function in all versions up to, and including, 16.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. User registration must be enabled for this to be exploited.

PLUGIN Wordpress User Extra Fields

CVE-2024-10801

CRITICAL CVSS 9.8 2024-11-09
Threat Entry Updated 2024-11-12

CVE-2024-10589 - Leopard Wordpress Offload Media Plugin

The Leopard - WordPress Offload Media plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the import_settings() function in all versions up to, and including, 3.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

PLUGIN Leopard Wordpress Offload Media

CVE-2024-10589

CRITICAL CVSS 9.8 2024-11-09