
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Severity counts for this view: Total 3,045 | Critical 0 | High 3,045 | Medium 0
Showing 1981-2000 of 3045 records

CVE-2024-4347 - Wp Fastest Cache Plugin
PLUGIN Wp Fastest Cache | HIGH | CVSS 7.2 | 2024-05-23 | Threat entry updated 2024-11-21

The WP Fastest Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.2.6 via the specificDeleteCache function. This makes it possible for authenticated attackers to delete arbitrary files on the server, which can include wp-config.php files of the affected site or other sites in a shared hosting environment.
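
How a deletion primitive walks out of its directory, and the containment check that stops it, as an added PHP example that is not WP Fastest Cache's code: a hypothetical cache-purge admin-ajax action (action name mycache_purge, cache directory wp-content/cache/mycache, nonce name, all assumed) that deletes a file named in the request. It is meant to be loaded from a WordPress plugin file.

```php
<?php
// Added example (not WP Fastest Cache code): a cache-purge handler that deletes
// a file named by the request. Names and paths are hypothetical.

defined( 'ABSPATH' ) || exit;

// VULNERABLE: "../../../wp-config.php" (or a sibling site's path on shared
// hosting) is simply appended to the cache directory and unlinked.
function mycache_delete_file_vulnerable() {
    $cache_dir = WP_CONTENT_DIR . '/cache/mycache/';
    $path      = $cache_dir . wp_unslash( $_POST['path'] );
    if ( file_exists( $path ) ) {
        unlink( $path );
    }
    wp_send_json_success();
}

// HARDENED: nonce and capability first, then canonicalise and check containment.
function mycache_delete_file_hardened() {
    check_ajax_referer( 'mycache_purge' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $cache_dir = realpath( WP_CONTENT_DIR . '/cache/mycache' );
    $requested = isset( $_POST['path'] ) ? (string) wp_unslash( $_POST['path'] ) : '';
    $target    = mycache_resolve_inside( $cache_dir, $requested );

    if ( false === $target || ! is_file( $target ) ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    unlink( $target );
    wp_send_json_success();
}

/**
 * Return the canonical path of $relative inside $base, or false if it escapes.
 * realpath() resolves "..", "." and symlinks, so a prefix comparison on its
 * result is reliable; the trailing separator stops "/cache/mycache2" matching.
 */
function mycache_resolve_inside( $base, $relative ) {
    if ( false === $base || '' === $relative || false !== strpos( $relative, "\0" ) ) {
        return false;
    }
    $resolved = realpath( $base . DIRECTORY_SEPARATOR . $relative );
    if ( false === $resolved ) {
        return false;
    }
    $prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    return 0 === strncmp( $resolved, $prefix, strlen( $prefix ) ) ? $resolved : false;
}

add_action( 'wp_ajax_mycache_purge', 'mycache_delete_file_hardened' );
```

A string check such as `strpos( $path, '..' )` is not a substitute for the realpath comparison: encoded dots, symlinked cache entries and absolute paths all pass it. The capability check matters as much as the containment check, since the entry above needs only "authenticated" access.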

CVE-2024-3594 - Idonate Plugin
PLUGIN Idonate | HIGH | CVSS 8.7 | 2024-05-23 | Threat entry updated 2025-05-21

The IDonate WordPress plugin through 1.9.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2024-4662 - Oxygen Builder Plugin
PLUGIN Oxygen Builder | HIGH | CVSS 8.8 | 2024-05-23 | Threat entry updated 2024-11-21

The Oxygen Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.8.2 via post metadata. This is due to the plugin storing custom data in post metadata without an underscore prefix. This makes it possible for lower privileged users, such as contributors, to inject arbitrary PHP code via the WordPress user interface and gain elevated privileges.
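
What the missing underscore prefix changes, as an added PHP example that is not Oxygen Builder's code: WordPress treats meta keys beginning with an underscore as protected (is_protected_meta() returns true), so the classic editor's Custom Fields panel will not show or write them, whereas an unprefixed key is an ordinary custom field that anyone able to edit the post, a contributor on their own draft included, can set. The plugin prefix, meta keys, hooks and the render step below are assumptions; it is meant to run inside a WordPress plugin file.

```php
<?php
// Added example (not Oxygen Builder code). A hypothetical plugin stores a
// per-post template in post meta and renders it on the front end.

defined( 'ABSPATH' ) || exit;

// VULNERABLE PATTERN: an unprefixed key is a plain custom field. A contributor
// can set it from the Custom Fields panel on their own draft, and the render
// step treats whatever is stored as PHP.
function tpl_render_vulnerable( $content ) {
    $code = get_post_meta( get_the_ID(), 'tpl_code', true ); // unprefixed key
    if ( $code ) {
        ob_start();
        eval( '?>' . $code ); // executes the stored meta value
        $content = ob_get_clean() . $content;
    }
    return $content;
}

// HARDENED PATTERN:
//  1. Underscore prefix: is_protected_meta() hides the key from the Custom
//     Fields UI and from generic meta writes.
//  2. register_post_meta() with an auth_callback, so only the intended role
//     passes the edit_post_meta capability check on any write path.
//  3. Never execute stored data; treat it as a template with fixed placeholders.
function tpl_register_meta() {
    register_post_meta( 'post', '_tpl_code', array(
        'type'              => 'string',
        'single'            => true,
        'show_in_rest'      => false,
        'sanitize_callback' => 'wp_kses_post',
        'auth_callback'     => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
}
add_action( 'init', 'tpl_register_meta' );

function tpl_render_hardened( $content ) {
    $template = get_post_meta( get_the_ID(), '_tpl_code', true );
    if ( $template ) {
        // Only a fixed set of placeholders is substituted, and the result is
        // passed through kses; no stored string ever reaches eval().
        $replacements = array(
            '{{title}}'  => esc_html( get_the_title() ),
            '{{author}}' => esc_html( get_the_author() ),
        );
        $content = wp_kses_post( strtr( $template, $replacements ) ) . $content;
    }
    return $content;
}
add_filter( 'the_content', 'tpl_render_hardened' );

// Quick check from WP-CLI (`wp eval-file this-file.php`): the prefixed key is
// protected, the plain one is not.
function tpl_self_check() {
    return is_protected_meta( '_tpl_code', 'post' ) && ! is_protected_meta( 'tpl_code', 'post' );
}
```

The prefix alone is defence in depth, not authorisation: a protected key can still be written by a user who passes the edit_post_meta check for it, which is why the auth_callback is registered explicitly.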

CVE-2024-4262 - Piotnet Addons For Elementor Plugin
PLUGIN Piotnet Addons For Elementor | HIGH | CVSS 7.2 | 2024-05-22 | Threat entry updated 2024-11-21

The Piotnet Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 2.4.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-5031 - Memberpress Plugin
PLUGIN Memberpress | HIGH | CVSS 8.5 | 2024-05-22 | Threat entry updated 2025-01-31

The Memberpress plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 1.11.29 via the 'mepr-user-file' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
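
Validating the target of an outbound request, as an added PHP example that is not MemberPress's code: a hypothetical [remote_file] shortcode whose url attribute the site fetches. The shortcode name and the host allowlist are assumptions; the WordPress HTTP API calls are real. It is meant to run inside a WordPress plugin file.

```php
<?php
// Added example (not MemberPress code): a shortcode that fetches a URL given
// in its attributes, first unguarded and then with target validation.

defined( 'ABSPATH' ) || exit;

// WEAK: wp_remote_get() goes wherever the attribute points, including
// http://127.0.0.1:8080/ and http://169.254.169.254/ (cloud metadata).
function rf_shortcode_weak( $atts ) {
    $atts = shortcode_atts( array( 'url' => '' ), $atts );
    $resp = wp_remote_get( $atts['url'] );
    return is_wp_error( $resp ) ? '' : esc_html( wp_remote_retrieve_body( $resp ) );
}

// HARDENED: validate the URL, then use the "safe" HTTP wrapper.
function rf_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'url' => '' ), $atts, 'remote_file' );

    $url = rf_validate_outbound_url( $atts['url'] );
    if ( ! $url ) {
        return '';
    }

    // wp_safe_remote_get() sets reject_unsafe_urls, so wp_http_validate_url()
    // runs again inside the HTTP API. Redirects are disabled here; if they were
    // allowed, the same flag is applied to every hop.
    $resp = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return '';
    }
    return esc_html( wp_remote_retrieve_body( $resp ) );
}

/**
 * Accept only absolute http(s) URLs to hosts on an allowlist.
 * wp_http_validate_url() rejects non-http schemes, user:pass@ credentials,
 * ports other than 80/443/8080 and loopback, link-local and RFC 1918 IPv4
 * targets (unless the http_request_host_is_external filter allows them).
 * The allowlist (assumed hosts) is stricter still.
 */
function rf_validate_outbound_url( $raw ) {
    $allowed = array( 'cdn.example.com', 'files.example.org' ); // hypothetical
    $url     = wp_http_validate_url( esc_url_raw( $raw ) );
    if ( ! $url ) {
        return false;
    }
    $host = strtolower( (string) wp_parse_url( $url, PHP_URL_HOST ) );
    return in_array( $host, $allowed, true ) ? $url : false;
}
add_shortcode( 'remote_file', 'rf_shortcode_hardened' );
```

Two caveats a reviewer would raise: a shortcode renders in the visitor's context, so a capability check at render time says nothing about the contributor who inserted it, which is why the control is on the target rather than the user; and validation at request time does not defeat DNS rebinding, so sites that must fetch attacker-influenced hosts should pin the resolved address or route through an egress proxy.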

CVE-2024-4157 - Contact Form Plugin
PLUGIN Contact Form | HIGH | CVSS 7.5 | 2024-05-22 | Threat entry updated 2025-02-06

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.1.15 via deserialization of untrusted input in the extractDynamicValues function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or…

CVE-2024-2088 - Social Networks Auto Poster Plugin
PLUGIN Social Networks Auto Poster | HIGH | CVSS 8.5 | 2024-05-22 | Threat entry updated 2025-02-07

The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.3 via the 'nxs_getExpSettings' function. This makes it possible for authenticated attackers, with subscriber access and above, to extract sensitive data including social network API keys and secrets.

CVE-2024-3518 - Media Library Assistant Plugin
PLUGIN Media Library Assistant | HIGH | CVSS 8.8 | 2024-05-22 | Threat entry updated 2025-02-07

The Media Library Assistant plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode(s) in all versions up to, and including, 3.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE-2024-4566 - Shoplentor Plugin
PLUGIN Shoplentor | HIGH | CVSS 7.1 | 2024-05-21 | Threat entry updated 2025-11-25

The ShopLentor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_dismiss function in all versions up to, and including, 2.8.8. This makes it possible for authenticated attackers, with contributor-level access and above, to set arbitrary WordPress options to "true". NOTE: This vulnerability can be exploited by attackers with subscriber- or customer-level access and above if (1) the WooCommerce plugin is deactivated or (2) access to the default WordPress admin dashboard is explicitly enabled for authenticated users.

CVE-2024-4290 - Sailthru Triggermail Plugin
PLUGIN Sailthru Triggermail | HIGH | CVSS 7.1 | 2024-05-21 | Threat entry updated 2025-05-21

The Sailthru Triggermail WordPress plugin through 1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2024-4709 - Contact Form Plugin
PLUGIN Contact Form | HIGH | CVSS 7.2 | 2024-05-18 | Threat entry updated 2025-02-06

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘subject’ parameter in versions up to, and including, 5.1.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, and access granted by an administrator, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
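
The sanitise-on-save, escape-on-output pattern behind the four stored XSS entries above (IDonate and Sailthru Triggermail settings, Piotnet Addons For Elementor widget attributes, the Fluent Forms subject parameter), as an added PHP example that is none of those plugins' code: one admin option and one shortcode attribute, first printed raw and then filtered. Option, settings-group and shortcode names are assumptions; it is meant to run inside a WordPress plugin file.

```php
<?php
// Added example (none of the listed plugins' code): a hypothetical plugin with
// a "banner" option and a [bn_label] shortcode.

defined( 'ABSPATH' ) || exit;

// WEAK: raw value in, raw value out. WordPress only uses unfiltered_html to
// decide whether kses runs on post content and a few core fields; a plugin
// option stored without its own sanitizer is never filtered, so a restricted
// admin (multisite, or a role stripped of unfiltered_html) can still store a
// payload that runs for every visitor.
function bn_register_weak() {
    register_setting( 'bn_group', 'bn_banner' );            // no sanitize_callback
}
function bn_render_weak() {
    echo '<div class="banner">' . get_option( 'bn_banner' ) . '</div>';
}
function bn_shortcode_weak( $atts ) {
    $atts = shortcode_atts( array( 'label' => '' ), $atts );
    return '<span title="' . $atts['label'] . '">' . $atts['label'] . '</span>';
}

// HARDENED: sanitise when stored, escape for the exact context when printed.
function bn_register_hardened() {
    register_setting( 'bn_group', 'bn_banner', array(
        'type'              => 'string',
        'sanitize_callback' => 'bn_sanitize_banner',
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'bn_register_hardened' );

// A small inline-HTML subset and nothing else, applied regardless of which
// capabilities the saving user holds. kses also drops javascript: hrefs.
function bn_sanitize_banner( $value ) {
    $allowed = array(
        'strong' => array(),
        'em'     => array(),
        'a'      => array( 'href' => true, 'title' => true ),
    );
    return wp_kses( (string) $value, $allowed );
}

function bn_render_hardened() {
    // Filtering again on output covers values stored before the sanitizer
    // existed (the stored value itself is already filtered).
    echo '<div class="banner">' . wp_kses_post( get_option( 'bn_banner', '' ) ) . '</div>';
}

function bn_shortcode_hardened( $atts ) {
    $atts  = shortcode_atts( array( 'label' => '' ), $atts, 'bn_label' );
    $label = sanitize_text_field( $atts['label'] );
    // Attribute context and element context need different escapers.
    return '<span title="' . esc_attr( $label ) . '">' . esc_html( $label ) . '</span>';
}
add_shortcode( 'bn_label', 'bn_shortcode_hardened' );
```

The escaper is chosen by the output context, not by the input: esc_attr() inside a quoted attribute, esc_html() between tags, esc_url() in href, and wp_json_encode() when a value is handed to a script. A value that is safe in one of those positions is not automatically safe in another.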

CVE-2024-2782 - Contact Form Plugin
PLUGIN Contact Form | HIGH | CVSS 7.5 | 2024-05-18 | Threat entry updated 2025-02-06

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wp-json/fluentform/v1/global-settings REST API endpoint in all versions up to, and including, 5.1.16. This makes it possible for unauthenticated attackers to modify all of the plugin's settings.

CVE-2024-3812 - Salient Core Plugin
PLUGIN Salient Core | HIGH | CVSS 7.5 | 2024-05-18 | Threat entry updated 2024-11-21

The Salient Core plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.7 via the 'nectar_icon' shortcode 'icon_linea' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.

CVE-2024-3810 - Salient Shortcodes Plugin
PLUGIN Salient Shortcodes | HIGH | CVSS 8.8 | 2024-05-18 | Threat entry updated 2024-11-21

The Salient Shortcodes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.5.3 via the 'icon' shortcode 'image' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.
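
The allowlist fix for the two Salient local file inclusion entries above, as an added PHP example that is not Salient's code: a hypothetical [icon] shortcode whose image attribute selects a PHP partial to include. It resolves the attribute against a fixed set of names rather than canonicalising a user-built path, which is the right shape when the legitimate inputs are a known, finite set. Shortcode name, icon set and directory layout are assumptions; it is meant to run inside a WordPress plugin file.

```php
<?php
// Added example (not Salient code): an [icon] shortcode that includes a
// partial chosen by an attribute, first unguarded and then allowlisted.

defined( 'ABSPATH' ) || exit;

// VULNERABLE: the attribute is concatenated into the include path. A value
// such as "../../../../uploads/2024/05/avatar" (pointing at a file the
// attacker uploaded, a log, or any readable file) decides what runs.
function icon_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'image' => 'default' ), $atts );
    ob_start();
    include plugin_dir_path( __FILE__ ) . 'icons/' . $atts['image'] . '.php';
    return ob_get_clean();
}

// HARDENED: the attribute selects a name from a fixed allowlist and never
// becomes part of a path on its own.
function icon_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'image' => 'default' ), $atts, 'icon' );
    $file = icon_partial_path( $atts['image'] );
    if ( ! $file ) {
        return '';
    }
    ob_start();
    include $file;
    return ob_get_clean();
}

/**
 * Map an icon name to a partial shipped with the plugin, or false.
 * sanitize_key() reduces the input to [a-z0-9_-]; the in_array() check is the
 * actual control; basename() and is_file() are defence in depth should the
 * allowlist later be generated from a directory listing.
 */
function icon_partial_path( $name ) {
    static $allowed = array( 'default', 'cart', 'user', 'search' ); // hypothetical set
    $name = sanitize_key( $name );
    if ( ! in_array( $name, $allowed, true ) ) {
        return false;
    }
    $file = plugin_dir_path( __FILE__ ) . 'icons/' . basename( $name ) . '.php';
    return is_file( $file ) ? $file : false;
}
add_shortcode( 'icon', 'icon_shortcode_hardened' );
```

The entries say exploitation needs a PHP file the attacker can get onto disk; an allowlist also closes the cases that need none, such as including a log file seeded with PHP through a request header, which is why "no upload path" is not a reason to leave an include sink unguarded.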

CVE-2024-32692 - Chauffeur Taxi Booking System for WordPress Plugin
PLUGIN Chauffeur Taxi Booking System for WordPress | HIGH | CVSS 8.2 | 2024-05-17 | Threat entry updated 2024-11-21

Missing Authorization vulnerability in QuanticaLabs Chauffeur Taxi Booking System for WordPress allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Chauffeur Taxi Booking System for WordPress: from n/a through 6.9.

CVE-2023-47683 - WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) Plugin
PLUGIN WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) | HIGH | CVSS 8.0 | 2024-05-17 | Threat entry updated 2024-11-21

Improper Privilege Management vulnerability in miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) allows Privilege Escalation. This issue affects WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn): from n/a through 7.6.6.

CVE-2024-4838 - Convertplus Plugin
PLUGIN Convertplus | HIGH | CVSS 8.8 | 2024-05-16 | Threat entry updated 2024-11-21

The ConvertPlus plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.26 via deserialization of untrusted input from the 'settings_encoded' attribute of the 'smile_modal' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
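
What "no POP chain in the plugin, but one elsewhere" means in practice, for this ConvertPlus entry and the earlier Fluent Forms extractDynamicValues entry, as an added example in plain PHP that is neither plugin's code and runs without WordPress (`php this-file.php`, PHP 7.0 or later): a hypothetical gadget class, TempFileCleaner, stands in for code that some other installed plugin or theme might legitimately contain, and the settings blob format (base64 over serialize) is assumed.

```php
<?php
// Added example (not Fluent Forms or ConvertPlus code). Runs with plain PHP.

// A "gadget": a class some other plugin or theme could legitimately ship.
// Its destructor removes a scratch file named in a property. Nothing here is
// malicious on its own; it only becomes a weapon once an attacker can choose
// which objects get instantiated and with what properties.
class TempFileCleaner {
    public $path;
    public function __destruct() {
        if ( is_string( $this->path ) && is_file( $this->path ) ) {
            unlink( $this->path );
        }
    }
}

// The sink: a base64-wrapped serialize() blob taken from a shortcode attribute.
function decode_settings_vulnerable( $encoded ) {
    // Every class loaded in the process is available to the payload.
    return unserialize( base64_decode( $encoded ) );
}

// Hardened: refuse object instantiation. An object payload is rebuilt as
// __PHP_Incomplete_Class, on which no magic method runs, and is discarded.
function decode_settings_hardened( $encoded ) {
    $data = unserialize( base64_decode( $encoded ), array( 'allowed_classes' => false ) );
    return is_array( $data ) ? $data : array();
}

// Better still: a format that cannot express objects at all.
function decode_settings_json( $encoded ) {
    $data = json_decode( base64_decode( $encoded ), true );
    return is_array( $data ) ? $data : array();
}

// The attacker builds the payload by hand, offline, so the gadget's own
// constructor/destructor never run on their side: a serialized TempFileCleaner
// whose path is the file they want deleted.
function poi_payload( $target ) {
    $inner = sprintf( 's:4:"path";s:%d:"%s";', strlen( $target ), $target );
    return base64_encode( 'O:15:"TempFileCleaner":1:{' . $inner . '}' );
}

function demo() {
    $victim  = tempnam( sys_get_temp_dir(), 'poi' );   // stands in for wp-config.php
    $payload = poi_payload( $victim );

    decode_settings_hardened( $payload );              // no object, no destructor
    $after_hardened = is_file( $victim );

    $obj = decode_settings_vulnerable( $payload );     // TempFileCleaner rebuilt
    unset( $obj );                                     // __destruct fires: unlink()
    $after_vulnerable = is_file( $victim );

    if ( is_file( $victim ) ) {
        unlink( $victim );
    }
    return array( 'file_survives_hardened' => $after_hardened, 'file_survives_vulnerable' => $after_vulnerable );
}

var_dump( demo() );
```

Running it shows the scratch file still present after the hardened decode and gone after the vulnerable one. The gadget need not be a destructor: __wakeup, __toString and __call on any loaded class are equally usable, and a real chain often strings several classes together, which is why the entries describe the impact as "if a POP chain is present" rather than as a property of the vulnerable plugin.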

CVE-2024-4352 - Tutor Lms Plugin
PLUGIN Tutor Lms | HIGH | CVSS 8.8 | 2024-05-16 | Threat entry updated 2025-01-22

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access to, modification of, and loss of data due to a missing capability check on the 'get_calendar_materials' function. The plugin is also vulnerable to SQL Injection via the ‘year’ parameter of that function due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to append additional SQL queries into already existing queries that can be used to…
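
Binding the parameter instead of interpolating it, for the Tutor LMS year parameter above and the earlier Media Library Assistant shortcode entry, as an added PHP example that is neither plugin's code: a hypothetical materials table and admin-ajax action (mat_list), both assumed, where an integer year and a free-text search term come from the request. It is meant to run inside a WordPress plugin file.

```php
<?php
// Added example (not Media Library Assistant or Tutor LMS code): listing
// "materials" for a year, first interpolated and then bound via $wpdb.

defined( 'ABSPATH' ) || exit;

// VULNERABLE: the value is interpolated. Note that esc_sql() alone would not
// fix the year case, because the value sits unquoted in the query and
// "2024 OR 1=1" needs no quote character to break out.
function mat_list_vulnerable() {
    global $wpdb;
    $year = $_GET['year'];
    $rows = $wpdb->get_results(
        "SELECT id, title FROM {$wpdb->prefix}materials WHERE year = $year"
    );
    wp_send_json_success( $rows );
}

// HARDENED: authorise first, then validate, then bind every value.
function mat_list_hardened() {
    check_ajax_referer( 'mat_list' );
    if ( ! current_user_can( 'read' ) ) {            // the role the feature is for
        wp_send_json_error( 'forbidden', 403 );
    }

    $year = isset( $_GET['year'] ) ? absint( $_GET['year'] ) : 0;
    if ( $year < 2000 || $year > 2100 ) {
        wp_send_json_error( 'bad year', 400 );
    }
    $term = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';

    wp_send_json_success( mat_query( $year, $term ) );
}
add_action( 'wp_ajax_mat_list', 'mat_list_hardened' );

/**
 * %d binds an integer, %s a quoted string. The table name comes from the
 * trusted $wpdb->prefix, never from the request: identifiers cannot be bound
 * as values (WordPress 6.2+ adds %i for identifiers if that is ever needed).
 */
function mat_query( $year, $term ) {
    global $wpdb;
    $sql  = "SELECT id, title FROM {$wpdb->prefix}materials WHERE year = %d";
    $args = array( $year );
    if ( '' !== $term ) {
        // esc_like() escapes % and _ so the user cannot widen the pattern;
        // prepare() then quotes the whole string.
        $sql   .= ' AND title LIKE %s';
        $args[] = '%' . $wpdb->esc_like( $term ) . '%';
    }
    return $wpdb->get_results( $wpdb->prepare( $sql, $args ) );
}
```

The capability check is not incidental: the Tutor LMS entry lists the missing check and the injection as two defects in the same function, and fixing only the query would still leave the data readable by any subscriber.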

CVE-2024-4351 - Tutor Lms Plugin
PLUGIN Tutor Lms | HIGH | CVSS 8.8 | 2024-05-16 | Threat entry updated 2025-01-22

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access to, modification of, and loss of data due to a missing capability check on the 'authenticate' function in all versions up to, and including, 2.7.0. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to gain control of an existing administrator account.

CVE-2024-4222 - Tutor Lms Plugin
PLUGIN Tutor Lms | HIGH | CVSS 7.3 | 2024-05-16 | Threat entry updated 2025-01-22

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access to, modification of, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin options.
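
The authorisation checks whose absence underlies the ShopLentor ajax_dismiss, Fluent Forms global-settings, NextScripts nxs_getExpSettings and the three Tutor LMS entries above, as an added PHP example that is none of those plugins' code: one admin-ajax action that sets an option and one REST route that edits settings, each shown unguarded and then guarded, plus a read path for secrets. Action, option, capability and route names are assumptions; it is meant to run inside a WordPress plugin file.

```php
<?php
// Added example (none of the listed plugins' code): authorization on an
// admin-ajax action, a REST route and a settings read. Names are hypothetical.

defined( 'ABSPATH' ) || exit;

/* ---- admin-ajax ------------------------------------------------------- */

// WEAK: hooked on wp_ajax_, so every logged-in user (subscriber, customer)
// can call it. is_admin() is true for all admin-ajax.php requests and is not
// an authorization check. The option name is taken from the request, so any
// option can be set.
function ex_dismiss_weak() {
    update_option( sanitize_key( $_POST['option'] ), true );
    wp_send_json_success();
}

// HARDENED: nonce (CSRF), capability (authorization), allowlist (scope).
function ex_dismiss_hardened() {
    check_ajax_referer( 'ex_dismiss', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $allowed = array( 'ex_notice_welcome', 'ex_notice_upgrade' ); // the only options this action may touch
    $option  = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    if ( ! in_array( $option, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    update_option( $option, true );
    wp_send_json_success();
}
add_action( 'wp_ajax_ex_dismiss', 'ex_dismiss_hardened' );

/* ---- REST ------------------------------------------------------------- */

// WEAK: permission_callback => '__return_true' makes the route public, so an
// unauthenticated POST rewrites the settings.
function ex_rest_weak() {
    register_rest_route( 'ex/v1', '/global-settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'ex_save_settings',
        'permission_callback' => '__return_true',
    ) );
}

// HARDENED: the permission_callback carries the capability check and the
// args schema validates each field before the callback runs. Cookie-based
// REST auth also requires a valid X-WP-Nonce header; without it the request
// is treated as unauthenticated and fails this callback.
function ex_rest_hardened() {
    register_rest_route( 'ex/v1', '/global-settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'ex_save_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'from_email' => array(
                'type'              => 'string',
                'format'            => 'email',
                'required'          => true,
                'sanitize_callback' => 'sanitize_email',
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'ex_rest_hardened' );

function ex_save_settings( WP_REST_Request $request ) {
    update_option( 'ex_from_email', $request->get_param( 'from_email' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}

/* ---- reads are authorization too --------------------------------------- */

// Returning API keys to any logged-in caller is the same class of bug as
// letting them write options; the check belongs on the read path as well.
function ex_get_keys() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'not allowed', array( 'status' => 403 ) );
    }
    return array( 'api_key' => get_option( 'ex_api_key', '' ) );
}
```

A nonce on its own proves only that the request came from a page the site served to that user; it says nothing about whether the user may perform the action. The capability check and the nonce check answer different questions, and the entries above are cases where the first one was missing.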