Threat Database

Showing 541-560 of 920 records
Threat Entry Updated 2025-05-27

CVE-2024-6330 - GEO my WP Plugin

The GEO my WP WordPress plugin before 4.5.0.2 does not prevent unauthenticated attackers from including arbitrary files in PHP's execution context, which leads to Remote Code Execution.

PLUGIN GEO my WP

CVE-2024-6330

CRITICAL CVSS 9.8 2024-08-19
Threat Entry Updated 2025-05-27

CVE-2024-6459 - News Element Elementor Blog Magazine Plugin

The News Element Elementor Blog Magazine WordPress plugin before 1.0.6 is vulnerable to Local File Inclusion via the template parameter. This makes it possible for an unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files.

PLUGIN News Element Elementor Blog Magazine

CVE-2024-6459

CRITICAL CVSS 9.8 2024-08-17
Threat Entry Updated 2024-08-19

CVE-2024-6500 - Inpost For Woocommerce Plugin

The InPost for WooCommerce plugin and InPost PL plugin for WordPress are vulnerable to unauthorized access and deletion of data due to a missing capability check on the 'parse_request' function in all versions up to, and including, 1.4.0 (for InPost for WooCommerce) as well as 1.4.4 (for InPost PL). This makes it possible for unauthenticated attackers to read and delete arbitrary files on Windows servers. On Linux servers, only files within the WordPress install will be deleted, but all files can be read.

PLUGIN Inpost For Woocommerce

CVE-2024-6500

CRITICAL CVSS 10.0 2024-08-17
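The InPost entry above is a missing-authorization bug: a handler that reads and deletes files by a client-supplied path is reachable from `parse_request`, i.e. from any HTTP request. The following is an added example, not code from InPost: a minimal handler of that shape beside a hardened form that requires a capability and a nonce and confines the file to one directory. The `current_user_can()` and `wp_verify_nonce()` definitions at the top are constructed stand-ins so the file runs outside WordPress (inside WordPress the real functions exist and the stand-ins are skipped); the directory layout is built in a temp dir.

```php
<?php
// Added example, not InPost code: a handler that deletes a file named by the
// request, first with no authorization at all, then hardened.

// Constructed stand-ins so this file runs outside WordPress; inside WordPress the
// real functions exist and these definitions are skipped.
if (!function_exists('current_user_can')) {
    function current_user_can(string $cap): bool
    {
        return $GLOBALS['demo_user_can'][$cap] ?? false;
    }
    function wp_verify_nonce(string $nonce, string $action): bool
    {
        return $nonce === 'valid-nonce-for-' . $action;
    }
}

// Vulnerable: anyone who can reach the site can delete any file the PHP process
// may unlink. Reading has no such limit, which is why an advisory can say "all
// files can be read" while deletion stays inside the install on Linux: unlink()
// needs write permission on the parent directory, and the web server user usually
// has that only under the WordPress tree.
function delete_export_vulnerable(array $request): bool
{
    if (!isset($request['file'])) {
        return false;
    }
    return @unlink((string) $request['file']);
}

// Hardened: a capability check, a nonce, and a path that must resolve inside
// $export_dir. The request supplies a file name, never a path.
function delete_export_hardened(array $request, string $export_dir): bool
{
    if (!current_user_can('manage_options')) {
        return false;                                   // authorization
    }
    if (!wp_verify_nonce((string) ($request['_wpnonce'] ?? ''), 'delete_export')) {
        return false;                                   // CSRF
    }
    $name = basename((string) ($request['file'] ?? ''));
    $base = realpath($export_dir);
    $path = realpath($export_dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;                                   // missing, or outside the export directory
    }
    return unlink($path);
}

// Constructed layout: <root>/exports/report.csv and a fake wp-config.php one level up.
$root = sys_get_temp_dir() . '/capcheck_' . bin2hex(random_bytes(4));
mkdir("$root/exports", 0700, true);
file_put_contents("$root/wp-config.php", "<?php // pretend secrets\n");
file_put_contents("$root/exports/report.csv", "a,b\n");

$attack = ['file' => "$root/exports/../wp-config.php"];
$GLOBALS['demo_user_can'] = [];                                   // anonymous visitor

printf("vulnerable, anonymous, traversal:    %s\n", var_export(delete_export_vulnerable($attack), true));
printf("config still present:                %s\n", var_export(file_exists("$root/wp-config.php"), true));
file_put_contents("$root/wp-config.php", "<?php\n");               // put it back for the hardened runs

printf("hardened, anonymous:                 %s\n", var_export(delete_export_hardened($attack, "$root/exports"), true));
$GLOBALS['demo_user_can'] = ['manage_options' => true];
printf("hardened, admin, no nonce:           %s\n", var_export(delete_export_hardened($attack, "$root/exports"), true));
$attack['_wpnonce'] = 'valid-nonce-for-delete_export';
printf("hardened, admin, nonce, traversal:   %s\n", var_export(delete_export_hardened($attack, "$root/exports"), true));
$legit = ['file' => 'report.csv', '_wpnonce' => 'valid-nonce-for-delete_export'];
printf("hardened, admin, nonce, report.csv:  %s\n", var_export(delete_export_hardened($legit, "$root/exports"), true));
printf("config still present:                %s\n", var_export(file_exists("$root/wp-config.php"), true));
```

Run it with `php capcheck.php`. In a real plugin the capability you check is the one the operation actually needs (here deleting exports is an administrator task, so `manage_options`), and the nonce is generated with `wp_create_nonce('delete_export')` on the page that offers the action. Note that `basename()` alone is not enough: the `realpath()` prefix check is what stops a symlink or a name like `..` from escaping the directory.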
Threat Entry Updated 2025-05-27

CVE-2024-6460 - Grow Plugin

The Grow by Tradedoubler WordPress plugin through 2.0.21 is vulnerable to Local File Inclusion via the component parameter. This makes it possible for attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files.

PLUGIN Grow

CVE-2024-6460

CRITICAL CVSS 9.8 2024-08-16
Threat Entry Updated 2024-08-13

CVE-2024-7094 - Js Support Ticket Plugin

The JS Help Desk – The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.8.6 via the 'storeTheme' function. This is due to a lack of sanitization on user-supplied values, which replace values in the style.php file, along with missing capability checks. This makes it possible for unauthenticated attackers to execute code on the server. This issue was partially patched in 2.8.6 when the code injection issue was resolved, and fully…

PLUGIN Js Support Ticket

CVE-2024-7094

CRITICAL CVSS 9.8 2024-08-13
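The JS Help Desk entry above is PHP code injection by construction: a user-supplied value is written into `style.php`, which is later included, so the value becomes source code. The following is an added example, not code from the plugin: the pattern with a payload that breaks out of the string literal, beside two fixes (emitting the value as a PHP literal with `var_export()`, and the better option of not generating code at all). File names, the `theme_color` setting and the payload are constructed for the demo; files are written to a temp dir.

```php
<?php
// Added example, not JS Help Desk code: writing a request value into a .php file
// that is later included, and two ways to stop it becoming code.

// Vulnerable: the value is spliced into PHP source. A value such as
//   '; echo 'INJECTED CODE RAN'; //
// closes the string literal and runs whatever follows the next time the file is included.
function store_theme_vulnerable(string $color, string $target): void
{
    $source = "<?php\n\$theme_color = '" . $color . "';\n";
    file_put_contents($target, $source);
}

// Fix A: still a PHP file, but var_export() emits the value as a proper PHP string
// literal, escaping quotes and backslashes, so it cannot break out.
function store_theme_literal(string $color, string $target): void
{
    $source = "<?php\n\$theme_color = " . var_export($color, true) . ";\n";
    file_put_contents($target, $source);
}

// Fix B (preferred): keep the value as data, validated, never as code. In WordPress
// this is update_option(); here it is a JSON file, which no web server executes.
function store_theme_data(string $color, string $target): bool
{
    if (!preg_match('/^#[0-9a-fA-F]{6}$/', $color)) {
        return false;                                   // only a CSS hex colour is accepted
    }
    file_put_contents($target, json_encode(['theme_color' => $color]));
    return true;
}

function load_theme_data(string $target): ?string
{
    $data = json_decode((string) @file_get_contents($target), true);
    return is_array($data) ? ($data['theme_color'] ?? null) : null;
}

$dir = sys_get_temp_dir() . '/codeinj_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$payload = "'; echo 'INJECTED CODE RAN'; //";           // constructed attacker value

store_theme_vulnerable($payload, "$dir/style_vuln.php");
echo "--- generated source ---\n", file_get_contents("$dir/style_vuln.php"), "--- including it ---\n";
include "$dir/style_vuln.php";                          // the injected statement executes here
echo "\n";

store_theme_literal($payload, "$dir/style_safe.php");
include "$dir/style_safe.php";
echo "literal form kept the payload as plain text: ", var_export($theme_color === $payload, true), "\n";

echo "data form accepts payload: ", var_export(store_theme_data($payload, "$dir/theme.json"), true), "\n";
echo "data form accepts #336699: ", var_export(store_theme_data('#336699', "$dir/theme.json"), true), "\n";
echo "stored value: ", var_export(load_theme_data("$dir/theme.json"), true), "\n";
```

Fix A is only a stopgap: a writable `.php` file inside the web root remains a target for any other bug that can write to it. Settings belong in the options table or a non-executable data file, with validation against the format the setting is supposed to have.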
Threat Entry Updated 2025-02-07

CVE-2024-7503 - Woocommerce Social Login Plugin

The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.5. This is due to the use of loose comparison of the activation code in the 'woo_slg_confirm_email_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the userID. This requires the email module to be enabled.

PLUGIN Woocommerce Social Login

CVE-2024-7503

CRITICAL CVSS 9.8 2024-08-12
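The WooCommerce Social Login entry above turns on a PHP-specific detail: `==` between two strings that both look numeric compares them as numbers, so an attacker-supplied code can match a stored activation code without being equal to it. The following is an added example, not code from the plugin, with constructed code values: the loose check beside a `hash_equals()` check, run over the cases that matter (two `0e<digits>` strings, scientific notation, leading zeros, and the integer `0` that PHP 7 treats as equal to any non-numeric string).

```php
<?php
// Added example, not WooCommerce Social Login code: why == on an activation code
// is an authentication bypass in PHP, and what the fix looks like.

// Vulnerable: if both sides are numeric-looking strings PHP compares their numeric
// value. Every "0e<digits>" string is 0, so they are all equal to each other.
function confirm_code_vulnerable(string $stored, $supplied): bool
{
    return $stored == $supplied;
}

// Fixed: hash_equals() compares the bytes (in constant time). A strict === would
// already remove the numeric coercion; hash_equals() also avoids timing leaks.
function confirm_code_fixed(string $stored, $supplied): bool
{
    if (!is_string($supplied)) {
        return false;                                   // arrays, ints, null: fail closed
    }
    return hash_equals($stored, $supplied);
}

// Constructed cases. Column 1 is the code on record, column 2 what the request sent.
$cases = [
    ['0e462097431906509019562988736854', '0e830400451993494058024219903391'], // two md5-shaped "0e" strings
    ['1e3',                              '1000'],                             // scientific notation
    ['0012',                             '12'],                               // leading zeros ignored numerically
    ['a7f3c9',                           0],                                  // PHP 7: any non-numeric string == 0
    ['a7f3c9',                           'a7f3c9'],                           // the one legitimate match
];

printf("PHP %s\n", PHP_VERSION);
foreach ($cases as [$stored, $supplied]) {
    printf("%-34s vs %-34s  loose=%-5s fixed=%s\n",
        $stored,
        var_export($supplied, true),
        var_export(confirm_code_vulnerable($stored, $supplied), true),
        var_export(confirm_code_fixed($stored, $supplied), true));
}
```

The practical consequence for a token check: an attacker does not need to know the stored code, only to send a value that PHP considers numerically equal to it, and with the `0` case on PHP 7 they do not even need that. Anything that compares a secret (activation codes, reset tokens, HMACs) should go through `hash_equals()` with both operands forced to strings.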
Threat Entry Updated 2024-08-08

CVE-2024-7350 - Bookingpress Appointment Booking Plugin

The Appointment Booking Calendar Plugin and Online Scheduling Plugin – BookingPress plugin for WordPress is vulnerable to authentication bypass in versions 1.1.6 to 1.1.7. This is due to the plugin not properly verifying a user's identity prior to logging them in when completing a booking. This makes it possible for unauthenticated attackers to log in as registered users, including administrators, if they have access to that user's email. This is only exploitable when the 'Auto login user after successful booking' setting is enabled.

PLUGIN Bookingpress Appointment Booking

CVE-2024-7350

CRITICAL CVSS 9.8 2024-08-08
Threat Entry Updated 2024-08-05

CVE-2024-7257 - Woocommerce Extra Product Options Plugin

The YayExtra – WooCommerce Extra Product Options plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_upload_file function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Woocommerce Extra Product Options

CVE-2024-7257

CRITICAL CVSS 9.8 2024-08-03
Threat Entry Updated 2025-05-28

CVE-2024-5975 - Cz Loan Management Plugin

The CZ Loan Management WordPress plugin through 1.1 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

PLUGIN Cz Loan Management

CVE-2024-5975

CRITICAL CVSS 9.1 2024-07-30
Threat Entry Updated 2025-08-20

CVE-2024-5765 - Wpstickybar Plugin

The WpStickyBar WordPress plugin through 2.1.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

PLUGIN Wpstickybar

CVE-2024-5765

CRITICAL CVSS 9.8 2024-07-30
Threat Entry Updated 2025-05-30

CVE-2024-6366 - User Profile Builder Plugin

The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality of WP.

PLUGIN User Profile Builder

CVE-2024-6366

CRITICAL CVSS 9.1 2024-07-29
Threat Entry Updated 2025-02-11

CVE-2024-6636 - Woocommerce Social Login Plugin

The WooCommerce - Social Login plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'woo_slg_login_email' function in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to change the default role to Administrator while registering for an account.

PLUGIN Woocommerce Social Login

CVE-2024-6636

CRITICAL CVSS 9.8 2024-07-20
Threat Entry Updated 2024-11-21

CVE-2024-6205 - Payplus Payment Gateway Plugin

The PayPlus Payment Gateway WordPress plugin before 6.6.9 does not properly sanitise and escape a parameter before using it in a SQL statement via a WooCommerce API route available to unauthenticated users, leading to an SQL injection vulnerability.

PLUGIN Payplus Payment Gateway

CVE-2024-6205

CRITICAL CVSS 9.8 2024-07-19
Threat Entry Updated 2024-11-21

CVE-2024-6164 - Filter & Grids Plugin

The Filter & Grids WordPress plugin before 2.8.33 is vulnerable to Local File Inclusion via the post_layout parameter. This makes it possible for an unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files.

PLUGIN Filter & Grids

CVE-2024-6164

CRITICAL CVSS 9.8 2024-07-18
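Four entries on this page (GEO my WP, News Element, Grow by Tradedoubler, and Filter & Grids above) are the same bug: a request parameter (`template`, `component`, `post_layout`) is spliced into an `include`. The following is an added example, not code from any of those plugins: the resolver as the advisories describe it, beside one where the parameter is only a key into a fixed list so no request data ever reaches the path. Template names, the fake `wp-config.php` and the temp-dir layout are constructed for the demo.

```php
<?php
// Added example, not code from any plugin on this page: a template parameter
// spliced into include, and a hardened resolver that only includes known files.

// Vulnerable: "../" walks out of the template directory, and appending ".php" does
// not help because the attacker simply targets another .php file (wp-config.php,
// or one they managed to upload).
function resolve_template_vulnerable(string $template_dir, string $template): string
{
    return $template_dir . '/' . $template . '.php';
}

// Hardened: the request value selects an entry in a fixed map. Unknown names get
// null (render a default or return 400), never an include.
const TEMPLATES = ['default' => 'default.php', 'grid' => 'grid.php'];

function resolve_template_hardened(string $template_dir, string $template): ?string
{
    if (!array_key_exists($template, TEMPLATES)) {
        return null;
    }
    return $template_dir . '/' . TEMPLATES[$template];
}

function render(?string $path): string
{
    if ($path === null || !is_file($path)) {
        return '[no such template]';
    }
    ob_start();
    include $path;                                      // the sink in the advisories above
    return ob_get_clean();
}

// Constructed layout: <root>/templates/{default,grid}.php and a fake wp-config.php
// one level up, standing in for the file an attacker actually wants.
$root = sys_get_temp_dir() . '/lfi_' . bin2hex(random_bytes(4));
mkdir("$root/templates", 0700, true);
file_put_contents("$root/templates/default.php", "<?php echo 'default template';");
file_put_contents("$root/templates/grid.php", "<?php echo 'grid template';");
file_put_contents("$root/wp-config.php", "<?php echo 'DB_PASSWORD=hunter2 (pretend secret)';");

$dir = "$root/templates";
foreach (['grid', '../wp-config'] as $param) {           // $param stands for $_GET['template']
    echo "template=$param\n";
    echo "  vulnerable: ", render(resolve_template_vulnerable($dir, $param)), "\n";
    echo "  hardened:   ", render(resolve_template_hardened($dir, $param)), "\n";
}
```

An allowlist is the smallest attack surface. If the design genuinely needs user-named files, the fallback is `basename()` plus a `realpath()` prefix check against the template directory, but that still includes whatever file sits there, so an upload bug elsewhere (see the file-upload entries on this page) turns it back into code execution.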
Threat Entry Updated 2024-11-21

CVE-2024-6220 - Keydatas Plugin

The 简数采集器 (Keydatas) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the keydatas_downloadImages function in all versions up to, and including, 2.5.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Keydatas

CVE-2024-6220

CRITICAL CVSS 9.8 2024-07-17
Threat Entry Updated 2025-03-13

CVE-2024-6457 - Husky Products Filter Professional For Woocommerce Plugin

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the 'woof_author' parameter in all versions up to, and including, 1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Husky Products Filter Professional For Woocommerce

CVE-2024-6457

CRITICAL CVSS 9.8 2024-07-16
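The SQL injection entries on this page (CZ Loan Management, WpStickyBar, PayPlus, and HUSKY above) share one shape: a value from an unauthenticated AJAX action or API route is concatenated into a query. The following is an added example, not code from any of those plugins: an author-ID filter like `woof_author` built by concatenation, beside the parameterised form. It uses PDO with an in-memory SQLite database (the `pdo_sqlite` extension, normally bundled with PHP) so it runs stand-alone; table layout and rows are constructed. In a WordPress plugin the same fix is `$wpdb->prepare("... WHERE post_author = %d", $author)`.

```php
<?php
// Added example, not HUSKY or any plugin's code: an integer filter parameter
// concatenated into SQL, beside the parameterised form.

// Constructed database: two tables with the shape the query targets.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE wp_posts (ID INTEGER, post_author INTEGER, post_title TEXT)");
$db->exec("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT)");
$db->exec("INSERT INTO wp_posts VALUES (1, 1, 'Hello world'), (2, 2, 'Second author post')");
$db->exec("INSERT INTO wp_users VALUES (1, 'admin', 'constructed-password-hash')");

// Vulnerable: the request value becomes part of the query text. Escaping quotes
// would not help here either, because the value sits in an unquoted numeric position.
function posts_by_author_vulnerable(PDO $db, string $author): array
{
    $sql = "SELECT ID, post_title FROM wp_posts WHERE post_author = " . $author;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: validate the type the parameter is supposed to have, then bind it.
// The query text is a constant; the value can only ever be a number.
function posts_by_author_hardened(PDO $db, string $author): array
{
    $id = filter_var($author, FILTER_VALIDATE_INT);
    if ($id === false || $id < 1) {
        return [];                                      // not an author ID, nothing to look up
    }
    $stmt = $db->prepare("SELECT ID, post_title FROM wp_posts WHERE post_author = ?");
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The HUSKY advisory is time-based (SLEEP() in MySQL), which SQLite lacks; this
// constructed payload shows the same control over the query with a UNION that
// pulls a password hash out of a different table.
$payload = "0 UNION SELECT ID, user_login || ':' || user_pass FROM wp_users";

foreach (['2', $payload] as $author) {                  // $author stands for $_GET['woof_author']
    echo "woof_author=$author\n  vulnerable: ";
    print_r(posts_by_author_vulnerable($db, $author));
    echo "  hardened: ";
    print_r(posts_by_author_hardened($db, $author));
}
```

Two points a reviewer should carry over to WordPress code: `esc_sql()` only protects a value that is placed inside quotes, so an escaped value in `WHERE post_author = $x` is still injectable, and `$wpdb->prepare()` with `%d` is the correct tool for numeric parameters because it casts rather than quotes. Authentication is a separate layer: even a query that is safe should not be reachable through `wp_ajax_nopriv_` unless anonymous access is intended.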
Threat Entry Updated 2025-05-13

CVE-2024-5450 - Bug Library Plugin

The Bug Library WordPress plugin before 2.1.1 does not check the file type on user-submitted bug reports, allowing an unauthenticated user to upload PHP files.

PLUGIN Bug Library

CVE-2024-5450

CRITICAL CVSS 9.1 2024-07-13
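The upload entries on this page (YayExtra, Keydatas, User Profile Builder, and Bug Library above) describe handlers that either do not check the file type or accept the type the client declares. The following is an added example, not code from any of those plugins: a handler that copies the file under its client-supplied name, beside one that applies an extension allowlist, rejects double extensions, sniffs the content with `finfo` (the `fileinfo` extension), and names the stored file itself. The test files (a PHP script posing as an image and a 1x1 PNG) and the upload directory are constructed in a temp dir. In WordPress the equivalent content check is `wp_check_filetype_and_ext()`, which `wp_handle_upload()` applies; the authorization check (who may upload at all) is separate and was the missing piece in the User Profile Builder case.

```php
<?php
// Added example, not code from any plugin on this page: an upload handler that
// trusts the client's file name and MIME type, beside a hardened one.

// Vulnerable: the bytes land in a web-served directory under the client's name,
// so shell.php becomes reachable as /uploads/shell.php.
function handle_upload_vulnerable(array $file, string $upload_dir): ?string
{
    $dest = $upload_dir . '/' . $file['name'];
    return copy($file['tmp_name'], $dest) ? $dest : null;
}

// Extension -> MIME type the content must actually have.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

function handle_upload_hardened(array $file, string $upload_dir): ?string
{
    $name = basename((string) $file['name']);
    if (substr_count($name, '.') !== 1) {
        return null;                                    // "shell.php.jpg", "x.jpg.php": one extension only
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;                                    // extension not on the allowlist
    }
    // Sniff the bytes. $file['type'] is whatever the client claimed and is ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        return null;                                    // content does not match the extension
    }
    // The server chooses the stored name; nothing from the client reaches the path.
    $dest = $upload_dir . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    return copy($file['tmp_name'], $dest) ? $dest : null;
}

// Constructed inputs: a PHP script and a real 1x1 PNG, both as tmp files like PHP
// would hand them to a handler via $_FILES.
$root = sys_get_temp_dir() . '/upload_' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
$php_tmp = tempnam($root, 'up');
file_put_contents($php_tmp, "<?php system(\$_GET['c']); ?>");
$png_tmp = tempnam($root, 'up');
file_put_contents($png_tmp, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));

$cases = [
    ['name' => 'shell.php',     'type' => 'image/jpeg', 'tmp_name' => $php_tmp], // client-declared MIME is a lie
    ['name' => 'shell.php.jpg', 'type' => 'image/jpeg', 'tmp_name' => $php_tmp], // double extension
    ['name' => 'shell.jpg',     'type' => 'image/jpeg', 'tmp_name' => $php_tmp], // extension fine, bytes are PHP
    ['name' => 'photo.png',     'type' => 'image/png',  'tmp_name' => $png_tmp], // legitimate
];
foreach ($cases as $file) {
    printf("%-14s vulnerable stored=%-5s hardened stored=%s\n",
        $file['name'],
        var_export(handle_upload_vulnerable($file, "$root/uploads") !== null, true),
        var_export(handle_upload_hardened($file, "$root/uploads") !== null, true));
}
```

Content sniffing plus an extension allowlist stops the cases above; it does not stop a polyglot that is a valid image and also carries PHP, which is why the second layer is to make the upload directory non-executable (a `php_flag engine off` `.htaccess` or an nginx `location` that never passes `uploads/` to PHP-FPM). Both layers sit behind the authorization check for the upload itself.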
Threat Entry Updated 2025-05-21

CVE-2024-6328 - Mstore Api Plugin

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.14.7. This is due to insufficient verification on the 'phone' parameter of the 'firebase_sms_login' and 'firebase_sms_login_v2' functions. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email address or phone number. Additionally, if a new email address is supplied, a new user account is…

PLUGIN Mstore Api

CVE-2024-6328

CRITICAL CVSS 9.8 2024-07-12
Threat Entry Updated 2024-11-21

CVE-2024-6624 - Json Api User Plugin

The JSON API User plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.9.3. This is due to improper controls on custom user meta fields. This makes it possible for unauthenticated attackers to register as administrators on the site. The plugin requires the JSON API plugin to also be installed.

PLUGIN Json Api User

CVE-2024-6624

CRITICAL CVSS 9.8 2024-07-11
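The JSON API User entry above and the WooCommerce Social Login entry (CVE-2024-6636, earlier on this page) are two views of one bug: a registration flow lets the request decide the new account's role, either through a role field or through user meta. In WordPress the role is itself stored as user meta (`{prefix}capabilities`), so writing arbitrary meta and choosing a role are the same thing. The following is an added example, not code from either plugin: the registration data builder as described, beside a hardened one that fixes the role to the site default and copies only declared profile keys. The `get_option()` and `current_user_can()` definitions are constructed stand-ins so it runs outside WordPress; the request is constructed.

```php
<?php
// Added example, not JSON API User or WooCommerce Social Login code: a registration
// handler that lets the request pick the role and write arbitrary user meta, beside
// a hardened one.

// Constructed stand-ins so this runs outside WordPress; skipped inside WordPress.
if (!function_exists('get_option')) {
    function get_option(string $name)
    {
        return $name === 'default_role' ? 'subscriber' : false;
    }
    function current_user_can(string $cap): bool
    {
        return false;                                   // a self-registering visitor is anonymous
    }
}

// Vulnerable: role and meta are taken from the request as-is. Because the role
// lives in {prefix}capabilities (a serialised array) and {prefix}user_level is a
// legacy privilege key, a meta field is as good as a role field to the attacker.
function build_registration_vulnerable(array $request): array
{
    return [
        'role' => $request['role'] ?? get_option('default_role'),
        'meta' => $request['meta'] ?? [],
    ];
}

// Hardened: the role is the site default unless a caller holding promote_users is
// acting (never the registrant); only declared profile keys are copied, sanitised.
const PROFILE_META = ['first_name', 'last_name', 'description'];

function build_registration_hardened(array $request): array
{
    $role = get_option('default_role');
    if (isset($request['role']) && current_user_can('promote_users')) {
        $role = (string) $request['role'];              // e.g. an admin creating users via the same endpoint
    }
    $meta = [];
    foreach ((array) ($request['meta'] ?? []) as $key => $value) {
        if (in_array($key, PROFILE_META, true) && is_string($value)) {
            $meta[$key] = trim(strip_tags($value));     // sanitize_text_field() in WordPress
        }
    }
    return ['role' => $role, 'meta' => $meta];
}

// Constructed request from a self-registering visitor trying all three routes.
$request = [
    'username' => 'mallory',
    'role'     => 'administrator',
    'meta'     => [
        'first_name'      => 'Mallory',
        'wp_capabilities' => ['administrator' => true],
        'wp_user_level'   => '10',
    ],
];
echo "vulnerable:\n";
print_r(build_registration_vulnerable($request));
echo "hardened:\n";
print_r(build_registration_hardened($request));
```

An allowlist of meta keys is the right shape; a denylist of `capabilities`/`user_level` misses the table-prefix variants and any other key a future plugin makes privileged. The role override should only exist for callers who already hold `promote_users`, which an anonymous registration request never does.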
Threat Entry Updated 2024-11-21

CVE-2024-6397 - Instawp Connect Plugin

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 0.1.0.44. This is due to insufficient verification of the API key. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username, and to perform a variety of other administrative tasks. NOTE: This vulnerability was partially fixed in 0.1.0.44, but was still exploitable via Cross-Site Request Forgery.

PLUGIN Instawp Connect

CVE-2024-6397

CRITICAL CVSS 9.8 2024-07-11