Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3,045 | Critical: 0 | High: 3,045 | Medium: 0
Showing 2001-2020 of 3045 records
CVE-2024-4318 - Tutor LMS Plugin

The Tutor LMS plugin for WordPress is vulnerable to time-based SQL Injection via the ‘question_id’ parameter in versions up to, and including, 2.7.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Instructor-level permissions and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Tutor LMS | Severity: HIGH | CVSS 8.8 | 2024-05-16 | Threat entry updated 2025-01-24
CVE-2024-3643 - Newsletter Popup Plugin

The Newsletter Popup WordPress plugin through 1.2 does not have a CSRF check when deleting a list, which could allow attackers to make logged in admins perform such an action via a CSRF attack.

Plugin: Newsletter Popup | Severity: HIGH | CVSS 8.8 | 2024-05-16 | Threat entry updated 2026-01-09
CVE-2024-3750 - Tables and Charts Manager for WordPress Plugin

The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to unauthorized modification and retrieval of data due to a missing capability check on the getQueryData() function in all versions up to, and including, 3.10.15. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform arbitrary SQL queries that can be leveraged for privilege escalation among many other actions.

Plugin: Tables and Charts Manager for WordPress | Severity: HIGH | CVSS 8.8 | 2024-05-16 | Threat entry updated 2024-11-21
CVE-2024-4670 - All-in-One Video Gallery Plugin

The All-in-One Video Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.5 via the aiovg_search_form shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Plugin: All-in-One Video Gallery | Severity: HIGH | CVSS 8.8 | 2024-05-15 | Threat entry updated 2024-11-21
CVE-2024-4010 - Email Subscribers by Icegram Express Plugin

The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on the handle_ajax_request function in all versions up to, and including, 5.7.19. This makes it possible for authenticated attackers, with subscriber-level access and above, to cause a loss of confidentiality, integrity, and availability, by performing multiple unauthorized actions. Some of these actions could also be leveraged to conduct PHP Object Injection and SQL Injection attacks.

Plugin: Email Subscribers by Icegram Express | Severity: HIGH | CVSS 8.8 | 2024-05-15 | Threat entry updated 2024-11-21
CVE-2024-3406 - WP Prayer Plugin

The WP Prayer WordPress plugin through 2.0.9 does not have a CSRF check in place when updating its email settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

Plugin: WP Prayer | Severity: HIGH | CVSS 8.8 | 2024-05-15 | Threat entry updated 2026-01-09
CVE-2024-3405 - WP Prayer Plugin

The WP Prayer WordPress plugin through 2.0.9 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

Plugin: WP Prayer | Severity: HIGH | CVSS 7.6 | 2024-05-15 | Threat entry updated 2025-05-15
CVE-2024-4847 - Alt Text AI Plugin

The Alt Text AI – Automatically generate image alt text for SEO and accessibility plugin for WordPress is vulnerable to generic SQL Injection via the ‘last_post_id’ parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Alt Text AI | Severity: HIGH | CVSS 8.8 | 2024-05-15 | Threat entry updated 2024-11-21
CVE-2024-4605 - Breakdance Plugin

The Breakdance plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.7.1 via post meta data. This is due to the plugin storing custom data in metadata without an underscore prefix. This makes it possible for lower privileged users, such as contributors, to edit this data via the UI. As a result they can escalate their privileges or execute arbitrary code.

Plugin: Breakdance | Severity: HIGH | CVSS 8.8 | 2024-05-14 | Threat entry updated 2024-11-21
CVE-2024-4441 - Google News Plugin

The XML Sitemap & Google News plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.4.8 via the 'feed' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Plugin: Google News | Severity: HIGH | CVSS 8.1 | 2024-05-14 | Threat entry updated 2024-11-21
CVE-2024-4397 - LearnPress Plugin

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_post_materials' function in versions up to, and including, 4.2.6.5. This makes it possible for authenticated attackers, with Instructor-level permissions and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Plugin: LearnPress | Severity: HIGH | CVSS 8.8 | 2024-05-14 | Threat entry updated 2025-01-15
CVE-2024-3954 - Ditty Plugin

The Ditty plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 3.1.38 via deserialization of untrusted input when adding a new ditty. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Plugin: Ditty | Severity: HIGH | CVSS 8.8 | 2024-05-14 | Threat entry updated 2024-11-21
CVE-2024-3940 - reCAPTCHA Jetpack Plugin

The reCAPTCHA Jetpack WordPress plugin through 0.2.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

Plugin: reCAPTCHA Jetpack | Severity: HIGH | CVSS 8.8 | 2024-05-14 | Threat entry updated 2025-05-05
CVE-2024-3903 - Add Custom CSS and JS Plugin

The Add Custom CSS and JS WordPress plugin through 1.20 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make users logged in as author and above add Stored XSS payloads via a CSRF attack.

Plugin: Add Custom CSS and JS | Severity: HIGH | CVSS 7.1 | 2024-05-14 | Threat entry updated 2025-05-14
CVE-2024-3828 - Spectra Pro Plugin

The Spectra Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.1.5. This is due to the plugin allowing lower-privileged users to create registration forms and set the default role to administrator. This makes it possible for authenticated attackers, with author-level access and above, to create administrator-level accounts.

Plugin: Spectra Pro | Severity: HIGH | CVSS 8.8 | 2024-05-14 | Threat entry updated 2024-11-21
CVE-2024-3809 - Porto Theme Functionality Plugin

The Porto Theme - Functionality plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.0.9 via the 'slideshow_type' post meta. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.

Plugin: Porto Theme Functionality | Severity: HIGH | CVSS 8.8 | 2024-05-14 | Threat entry updated 2024-11-21
CVE-2024-3808 - Porto Theme Functionality Plugin

The Porto Theme - Functionality plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.0 via the 'porto_portfolios' shortcode 'portfolio_layout' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.

Plugin: Porto Theme Functionality | Severity: HIGH | CVSS 8.8 | 2024-05-14 | Threat entry updated 2024-11-21
CVE-2024-3807 - Porto Theme

The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via 'porto_page_header_shortcode_type', 'slideshow_type' and 'post_layout' post meta. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. This was partially patched in version 7.1.0…

Theme: Porto | Severity: HIGH | CVSS 8.8 | 2024-05-14 | Threat entry updated 2024-11-21
CVE-2024-3055 - Unlimited Elements For Elementor Plugin

The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to time-based SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.5.102 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Unlimited Elements For Elementor | Severity: HIGH | CVSS 8.8 | 2024-05-14 | Threat entry updated 2025-01-30
CVE-2024-2662 - Unlimited Elements For Elementor Plugin

The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to command injection in all versions up to, and including, 1.5.102. This is due to insufficient filtering of template attributes during the creation of HTML for custom widgets. This makes it possible for authenticated attackers, with administrator-level access and above, to execute arbitrary commands on the server.

Plugin: Unlimited Elements For Elementor | Severity: HIGH | CVSS 7.2 | 2024-05-14 | Threat entry updated 2025-01-30