Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
CVE-2024-9518 - Userplus Plugin
Threat entry updated 2024-10-15

The UserPlus plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.0 due to insufficient restriction on the 'form_actions' and 'userplus_update_user_profile' functions. This makes it possible for unauthenticated attackers to specify their own user role by supplying the 'role' parameter during registration.

Plugin: Userplus | Severity: CRITICAL | CVSS 9.8 | 2024-10-10
CVE-2024-8943 - Latepoint Plugin
Threat entry updated 2025-02-20

The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. This is due to insufficient verification on the user being supplied during the booking customer step. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. Note that logging in as a WordPress user is only possible if the "Use WordPress users as customers" setting is enabled, which is disabled by default. The vulnerability…

Plugin: Latepoint | Severity: CRITICAL | CVSS 9.8 | 2024-10-08
CVE-2024-8911 - Latepoint Plugin
Threat entry updated 2025-02-20

The LatePoint plugin for WordPress is vulnerable to Arbitrary User Password Change via SQL Injection in versions up to, and including, 5.0.11. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note that changing a WordPress user's password is only possible if the "Use WordPress users as customers" setting is enabled, which is disabled by default. Without this setting enabled, only…

Plugin: Latepoint | Severity: CRITICAL | CVSS 9.8 | 2024-10-08
CVE-2024-9289 - Affiliate Pro Plugin
Threat entry updated 2024-10-07

The WordPress & WooCommerce Affiliate Program plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 8.4.1. This is due to the rtwwwap_login_request_callback() function not properly validating a user's identity prior to authenticating them to the site. This makes it possible for unauthenticated attackers to log in as any user, including administrators, provided they have access to the administrator's email.

Plugin: Affiliate Pro | Severity: CRITICAL | CVSS 9.8 | 2024-10-01
CVE-2024-9265 - Echo Rss Feed Post Generator Plugin
Threat entry updated 2024-10-07

The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.4.6. This is due to the plugin not properly restricting the roles that can be set during registration through the echo_check_post_header_sent() function. This makes it possible for unauthenticated attackers to register as an administrator.

Plugin: Echo Rss Feed Post Generator | Severity: CRITICAL | CVSS 9.8 | 2024-10-01
CVE-2024-9108 - Wechat Social Login Plugin
Threat entry updated 2024-10-04

The Wechat Social login plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'convert_remoteimage_to_local' function in versions up to, and including, 1.3.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Plugin: Wechat Social Login | Severity: CRITICAL | CVSS 9.8 | 2024-10-01
CVE-2024-9106 - Wechat Social Login Plugin
Threat entry updated 2024-10-04

The Wechat Social login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.3.0. This is due to insufficient verification on the user being supplied during the social login. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. This is only exploitable if the app secret is not set and therefore still has its default empty value.

Plugin: Wechat Social Login | Severity: CRITICAL | CVSS 9.8 | 2024-10-01
CVE-2024-8353 - Givewp Plugin
Threat entry updated 2024-10-01

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1 via deserialization of untrusted input via several parameters like 'give_title' and 'card_address'. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files and achieve remote code execution. This is essentially the same vulnerability as CVE-2024-5932; however, it was discovered that the presence of stripslashes_deep on user_info allows the is_serialized check…

Plugin: Givewp | Severity: CRITICAL | CVSS 10.0 | 2024-09-28
CVE-2024-7772 - Jupiter X Core Plugin
Threat entry updated 2024-10-02

The Jupiter X Core plugin for WordPress is vulnerable to arbitrary file uploads due to a mishandled file type validation in the 'validate' function in all versions up to, and including, 4.6.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Plugin: Jupiter X Core | Severity: CRITICAL | CVSS 9.8 | 2024-09-26
CVE-2024-8275 - The Events Calendar Plugin
Threat entry updated 2024-10-02

The The Events Calendar plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'tribe_has_next_event' function in all versions up to, and including, 6.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Only sites that have manually added tribe_has_next_event() will be vulnerable to this SQL injection.

Plugin: The Events Calendar | Severity: CRITICAL | CVSS 9.8 | 2024-09-25
CVE-2024-8514 - Google Website Translator Plugin
Threat entry updated 2024-10-02

The Prisna GWT – Google Website Translator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.11 via deserialization of untrusted input from the 'prisna_import' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or…

Plugin: Google Website Translator | Severity: CRITICAL | CVSS 9.1 | 2024-09-25
CVE-2024-7385 - Wordpress Simple Html Sitemap Plugin
Threat entry updated 2024-10-02

The WordPress Simple HTML Sitemap plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Wordpress Simple Html Sitemap | Severity: CRITICAL | CVSS 9.1 | 2024-09-25
CVE-2024-8621 - Daily Prayer Time Plugin
Threat entry updated 2024-10-02

The Daily Prayer Time plugin for WordPress is vulnerable to SQL Injection via the 'max_word' attribute of the 'quran_verse' shortcode in all versions up to, and including, 2024.08.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Daily Prayer Time | Severity: CRITICAL | CVSS 9.9 | 2024-09-25
CVE-2024-8485 - Rest Api To Miniprogram Plugin
Threat entry updated 2024-10-02

The REST API TO MiniProgram plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.7.1 via the updateUserInfo() function due to missing validation on the 'openid' user controlled key that determines which user will be updated. This makes it possible for unauthenticated attackers to update arbitrary users' accounts, including changing their email to a @weixin.com address, which can then be leveraged to reset the password of the user's account, including administrators.

Plugin: Rest Api To Miniprogram | Severity: CRITICAL | CVSS 9.8 | 2024-09-25
CVE-2024-8436 - Wp Easy Gallery Plugin
Threat entry updated 2025-09-26

The WP Easy Gallery – WordPress Gallery Plugin plugin for WordPress is vulnerable to SQL Injection via the 'edit_imageId' and 'edit_imageDelete' parameters in all versions up to, and including, 4.8.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Wp Easy Gallery | Severity: CRITICAL | CVSS 9.9 | 2024-09-25
CVE-2024-8791 - Charitable Plugin
Threat entry updated 2024-09-26

The Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.8.1.14. This is due to the plugin not properly verifying a user's identity when the ID parameter is supplied through the update_core_user() function. This makes it possible for unauthenticated attackers to update the email address and password of arbitrary user accounts, including administrators, which can then be used to log in to those user accounts.

Plugin: Charitable | Severity: CRITICAL | CVSS 9.8 | 2024-09-24
CVE-2024-8671 - Wooevents Plugin
Threat entry updated 2024-09-26

The WooEvents - Calendar and Event Booking plugin for WordPress is vulnerable to arbitrary file overwrite due to insufficient file path validation in the inc/barcode.php file in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to overwrite arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Plugin: Wooevents | Severity: CRITICAL | CVSS 9.1 | 2024-09-24
CVE-2024-8624 - Wordpress Meta Data And Taxonomies Filter Plugin
Threat entry updated 2024-09-26

The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to SQL Injection via the 'meta_key' attribute of the 'mdf_select_title' shortcode in all versions up to, and including, 1.3.3.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Wordpress Meta Data And Taxonomies Filter | Severity: CRITICAL | CVSS 9.9 | 2024-09-24
CVE-2024-8853 - Webo Facto Plugin
Threat entry updated 2024-09-25

The Webo-facto plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.40 due to insufficient restriction on the 'doSsoAuthentification' function. This makes it possible for unauthenticated attackers to make themselves administrators by registering with a username that contains '-wfuser'.

Plugin: Webo Facto | Severity: CRITICAL | CVSS 9.8 | 2024-09-20
CVE-2024-8669 - Backuply Plugin
Threat entry updated 2024-09-27

The Backuply – Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter passed to the backuply_wp_clone_sql() function in all versions up to, and including, 1.3.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Backuply | Severity: CRITICAL | CVSS 9.1 | 2024-09-14