Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-09-13

CVE-2024-8529 - Learnpress Plugin

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_fields' parameter of the /wp-json/lp/v1/courses/archive-course REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Learnpress

CVE-2024-8529

CRITICAL CVSS 10.0 2024-09-12
Threat Entry Updated 2024-09-13

CVE-2024-8522 - Learnpress Plugin

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_only_fields' parameter of the /wp-json/learnpress/v1/courses REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Learnpress

CVE-2024-8522

CRITICAL CVSS 10.0 2024-09-12
Threat Entry Updated 2024-09-26

CVE-2024-8277 - Woocommerce Photo Reviews Plugin

The WooCommerce Photo Reviews Premium plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.3.13.2. This is due to the plugin not properly validating which user transient is being used in the login() function and not properly verifying the user's identity. This makes it possible for unauthenticated attackers to log in as a user that has dismissed an admin notice in the past 30 days, which is often an administrator. Alternatively, a user can log in as any user with any transient that has a…

PLUGIN Woocommerce Photo Reviews

CVE-2024-8277

CRITICAL CVSS 9.8 2024-09-11
Threat Entry Updated 2024-10-07

CVE-2024-6928 - Opti Marketing Plugin

The Opti Marketing WordPress plugin through 2.0.9 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

PLUGIN Opti Marketing

CVE-2024-6928

CRITICAL CVSS 9.8 2024-09-08
Threat Entry Updated 2024-09-11

CVE-2024-6924 - TrueBooker Plugin

The TrueBooker WordPress plugin before 1.0.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

PLUGIN TrueBooker

CVE-2024-6924

CRITICAL CVSS 9.8 2024-09-08
Threat Entry Updated 2024-09-26

CVE-2024-7493 - Wpcom Member Plugin

The WPCOM Member plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.5.2.1. This is due to the plugin allowing arbitrary data to be passed to wp_insert_user() during registration. This makes it possible for unauthenticated attackers to update their role to that of an administrator during registration.

PLUGIN Wpcom Member

CVE-2024-7493

CRITICAL CVSS 9.8 2024-09-06
Threat Entry Updated 2024-09-12

CVE-2024-8292 - Wp Recall Plugin

The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to privilege escalation/account takeover in all versions up to, and including, 16.26.8. This is due to the plugin not properly verifying a user's identity during new order creation. This makes it possible for unauthenticated attackers to supply any email through the user_email field and update the password for that user during new order creation. This requires the commerce addon to be enabled in order to exploit.

PLUGIN Wp Recall

CVE-2024-8292

CRITICAL CVSS 9.8 2024-09-06
Threat Entry Updated 2024-09-05

CVE-2024-8289 - Multivendorx Plugin

The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to privilege escalation/de-escalation and account takeover due to an insufficient capability check on the update_item_permissions_check and create_item_permissions_check functions in all versions up to, and including, 4.2.0. This makes it possible for unauthenticated attackers to change the password of any user with the vendor role, create new users with the vendor role, and demote other users like administrators to the vendor role.

PLUGIN Multivendorx

CVE-2024-8289

CRITICAL CVSS 9.8 2024-09-04
Threat Entry Updated 2024-10-07

CVE-2024-6926 - Viral Signup Plugin

The Viral Signup WordPress plugin through 2.1 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

PLUGIN Viral Signup

CVE-2024-6926

CRITICAL CVSS 9.8 2024-09-04
Threat Entry Updated 2024-10-04

CVE-2024-7950 - Wp Job Portal Plugin

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Local File Inclusion, Arbitrary Settings Update, and User Creation in all versions up to, and including, 2.1.6 via several functions called by the 'checkFormRequest' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where…

PLUGIN Wp Job Portal

CVE-2024-7950

CRITICAL CVSS 9.8 2024-09-04
Threat Entry Updated 2024-09-03

CVE-2024-8016 - Events Calendar Pro Plugin

The Events Calendar Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.0.2 via deserialization of untrusted input from the 'filters' parameter in widgets. This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely. In certain configurations, this can be exploitable by lower-level users. We confirmed that this plugin installed with Elementor makes it possible for users with contributor-level access and…

PLUGIN Events Calendar Pro

CVE-2024-8016

CRITICAL CVSS 9.1 2024-08-30
Threat Entry Updated 2025-05-16

CVE-2024-3673 - Web Directory Free Plugin

The Web Directory Free WordPress plugin before 1.7.3 does not validate a parameter before using it in an include(), which could lead to Local File Inclusion issues.

PLUGIN Web Directory Free

CVE-2024-3673

CRITICAL CVSS 9.1 2024-08-30
Threat Entry Updated 2024-09-13

CVE-2024-7856 - Mp3 Audio Player For Music Radio Podcast Plugin

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to unauthorized arbitrary file deletion due to a missing capability check on the removeTempFiles() function and insufficient path validation on the 'file' parameter in all versions up to, and including, 5.7.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files which can make remote code execution possible when wp-config.php is deleted.

PLUGIN Mp3 Audio Player For Music Radio Podcast

CVE-2024-7856

CRITICAL CVSS 9.1 2024-08-29
Threat Entry Updated 2025-03-13

CVE-2024-7857 - Media Library Folders Plugin

The Media Library Folders plugin for WordPress is vulnerable to second-order SQL Injection via the 'sort_type' parameter of the 'mlf_change_sort_type' AJAX action in all versions up to, and including, 8.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Media Library Folders

CVE-2024-7857

CRITICAL CVSS 9.8 2024-08-29
Threat Entry Updated 2024-09-27

CVE-2024-7568 - Favicon Generator Plugin

The Favicon Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the output_sub_admin_page_0 function. This makes it possible for unauthenticated attackers to delete arbitrary files on the server via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. The plugin author removed the affected functionality to patch this issue and closed the plugin; we recommend seeking an alternative to…

PLUGIN Favicon Generator

CVE-2024-7568

CRITICAL CVSS 9.6 2024-08-24
Threat Entry Updated 2024-09-27

CVE-2024-6386 - Wpml Plugin

The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via the Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

PLUGIN Wpml

CVE-2024-6386

CRITICAL CVSS 9.9 2024-08-21
Threat Entry Updated 2024-09-27

CVE-2024-7854 - Woo Inquiry Plugin

The Woo Inquiry plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 0.1 due to insufficient escaping on the user supplied parameter 'dbid' and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Woo Inquiry

CVE-2024-7854

CRITICAL CVSS 10.0 2024-08-21
Threat Entry Updated 2025-05-27

CVE-2024-6847 - Chatbot With Chatgpt Plugin

The Chatbot with ChatGPT WordPress plugin before 2.4.5 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users when submitting messages to the chatbot.

PLUGIN Chatbot With Chatgpt

CVE-2024-6847

CRITICAL CVSS 9.8 2024-08-20
Threat Entry Updated 2024-08-26

CVE-2024-7777 - Contact Form Builder Plugin

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation in multiple functions in versions 2.0 to 2.13.9. This makes it possible for authenticated attackers, with Administrator-level access and above, to read and delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Contact Form Builder

CVE-2024-7777

CRITICAL CVSS 9.0 2024-08-20
Threat Entry Updated 2024-08-26

CVE-2024-5932 - Givewp Plugin

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.

PLUGIN Givewp

CVE-2024-5932

CRITICAL CVSS 10.0 2024-08-20