
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 920 (Critical 920, High 0, Medium 0)
Showing 481-500 of 920 records
Threat Entry Updated 2024-10-28

CVE-2024-9933 - Watchtowerhq Plugin

The WatchTowerHQ plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.6. This is because the 'watchtower_ota_token' option defaults to an empty value and the 'Password_Less_Access::login' function does not check that the token is non-empty. This makes it possible for unauthenticated attackers to log in as the WatchTowerHQ client administrator user.

PLUGIN Watchtowerhq

CVE-2024-9933

CRITICAL CVSS 9.8 2024-10-26
Threat Entry Updated 2026-01-23

CVE-2024-9932 - Wux Blog Editor Plugin

The Wux Blog Editor plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'wuxbt_insertImageNew' function in versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Wux Blog Editor

CVE-2024-9932

CRITICAL CVSS 9.8 2024-10-26
Threat Entry Updated 2024-10-28

CVE-2024-9931 - Wux Blog Editor Plugin

The Wux Blog Editor plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.0.0. This is due to missing validation on the token being supplied during the autologin through the plugin. This makes it possible for unauthenticated attackers to log in to the first administrator user.

PLUGIN Wux Blog Editor

CVE-2024-9931

CRITICAL CVSS 9.8 2024-10-26
Threat Entry Updated 2024-10-28

CVE-2024-9930 - Sb Core Plugin

The Extensions by HocWP Team plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.2.3.2. This is due to missing validation on the user being supplied in the 'verify_email' action. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator. The vulnerability is in the Account extension.

PLUGIN Sb Core

CVE-2024-9930

CRITICAL CVSS 9.8 2024-10-26
Threat Entry Updated 2024-11-06

CVE-2024-9488 - Wpdiscuz Plugin

The Comments – wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.6.24. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.

PLUGIN Wpdiscuz

CVE-2024-9488

CRITICAL CVSS 9.8 2024-10-25
Threat Entry Updated 2024-10-18

CVE-2024-49322 - WordPress Core

Incorrect Privilege Assignment vulnerability in CodePassenger Job Board Manager for WordPress allows Privilege Escalation. This issue affects Job Board Manager for WordPress: from n/a through 1.0.

CORE WordPress Core

CVE-2024-49322

CRITICAL CVSS 9.8 2024-10-17
Threat Entry Updated 2024-10-18

CVE-2024-9263 - Wp Timetics Ai Powered Appointment Booking Calendar And Online Scheduling Plugin

The WP Timetics - AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to Account Takeover/Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 1.0.25 via the save() function, due to missing validation on a user-controlled key. This makes it possible for unauthenticated attackers to reset the emails and passwords of arbitrary user accounts, including administrators, which makes account takeover and privilege escalation possible.

PLUGIN Wp Timetics Ai Powered Appointment Booking Calendar And Online Scheduling

CVE-2024-9263

CRITICAL CVSS 9.8 2024-10-17
Threat Entry Updated 2024-10-18

CVE-2024-9863 - Miniorange Firebase Sms Otp Verification Plugin

The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.6.0 due to the insecure 'administrator' default value for the 'default_user_role' option. This makes it possible for unauthenticated attackers to register an administrator user even if the registration form is disabled.

PLUGIN Miniorange Firebase Sms Otp Verification

CVE-2024-9863

CRITICAL CVSS 9.8 2024-10-17
Threat Entry Updated 2025-01-28

CVE-2024-9862 - Otp Verification With Firebase Plugin

The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 3.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources, and to the missing check of the user's current password. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.

PLUGIN Otp Verification With Firebase

CVE-2024-9862

CRITICAL CVSS 9.8 2024-10-17
Threat Entry Updated 2024-10-16

CVE-2024-9893 - Nextend Facebook Connect Plugin

The Nextend Social Login Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.1.14. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.

PLUGIN Nextend Facebook Connect

CVE-2024-9893

CRITICAL CVSS 9.8 2024-10-16
Threat Entry Updated 2024-10-16

CVE-2024-49260 - WordPress Core

Unrestricted Upload of File with Dangerous Type vulnerability in Limb WordPress Gallery Plugin – Limb Image Gallery allows Code Injection. This issue affects WordPress Gallery Plugin – Limb Image Gallery: from n/a through 1.5.7.

CORE WordPress Core

CVE-2024-49260

CRITICAL CVSS 9.9 2024-10-16
Threat Entry Updated 2026-04-08

CVE-2021-4449 - Zoomsounds Plugin

The ZoomSounds plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'savepng.php' file in versions up to, and including, 5.96. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. CVE-2021-4457 is a duplicate of this.

PLUGIN Zoomsounds

CVE-2021-4449

CRITICAL CVSS 9.8 2024-10-16
Threat Entry Updated 2024-10-16

CVE-2021-4443 - QuadMenu – Mega Menu Plugin

The WordPress Mega Menu plugin for WordPress is vulnerable to Arbitrary File Creation in versions up to, and including, 2.0.6 via the compiler_save AJAX action. This makes it possible for unauthenticated attackers to create arbitrary PHP files that can be used to execute malicious code.

PLUGIN QuadMenu – Mega Menu

CVE-2021-4443

CRITICAL CVSS 9.8 2024-10-16
Threat Entry Updated 2025-02-27

CVE-2024-9634 - Givewp Plugin

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.3 via deserialization of untrusted input from the give_company_name parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.

PLUGIN Givewp

CVE-2024-9634

CRITICAL CVSS 9.8 2024-10-16
Threat Entry Updated 2024-10-16

CVE-2024-9105 - Ultimateai Plugin

The UltimateAI plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.8.3. This is due to insufficient verification on the user being supplied in the 'ultimate_ai_register_or_login_with_google' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.

PLUGIN Ultimateai

CVE-2024-9105

CRITICAL CVSS 9.8 2024-10-16
Threat Entry Updated 2025-03-12

CVE-2024-9047 - Wordpress File Upload Plugin

The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. This makes it possible for unauthenticated attackers to read or delete files outside of the originally intended directory. Successful exploitation requires the targeted WordPress installation to be using PHP 7.4 or earlier.

PLUGIN Wordpress File Upload

CVE-2024-9047

CRITICAL CVSS 9.8 2024-10-12
Threat Entry Updated 2024-11-25

CVE-2024-9707 - Hunk Companion Plugin

The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.

PLUGIN Hunk Companion

CVE-2024-9707

CRITICAL CVSS 9.8 2024-10-11
Threat Entry Updated 2024-10-15

CVE-2024-9234 - Gutenkit Blocks Addon Plugin

The GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the install_and_activate_plugin_from_external() function (install-active-plugin REST API endpoint) in all versions up to, and including, 2.1.0. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins, or utilize the functionality to upload arbitrary files spoofed like plugins.

PLUGIN Gutenkit Blocks Addon

CVE-2024-9234

CRITICAL CVSS 9.8 2024-10-11
Threat Entry Updated 2024-11-15

CVE-2024-9822 - Pedalo Connector Plugin

The Pedalo Connector plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.5. This is due to insufficient restriction on the 'login_admin_user' function. This makes it possible for unauthenticated attackers to log in as the first user, who is usually the administrator, or, if that user does not exist, as the first administrator.

PLUGIN Pedalo Connector

CVE-2024-9822

CRITICAL CVSS 9.8 2024-10-11
Threat Entry Updated 2024-10-15

CVE-2024-9796 - Wp Advanced Search Plugin

The WP-Advanced-Search WordPress plugin before 3.3.9.2 does not sanitize and escape the 't' parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks.

PLUGIN Wp Advanced Search

CVE-2024-9796

CRITICAL CVSS 9.8 2024-10-10