Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-05-05
CVE-2024-2441 - Before 1 Plugin
The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.6.8 allows direct access to menus, allowing an authenticated user with subscriber privileges or above, to bypass authorization and access settings of the VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.6.8's they shouldn't be allowed to.
PLUGIN
Before 1
CVE-2024-2441
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-2290 - Advanced Ads Plugin
The Advanced Ads plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.52.1 via deserialization of untrusted input in the 'placement_slug' parameter. This makes it possible for authenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
PLUGIN
Advanced Ads
CVE-2024-2290
Risk Score
Threat Entry
Updated 2025-04-18
CVE-2024-3756 - Mf Gig Calendar Plugin
The MF Gig Calendar WordPress plugin through 1.2.1 does not have CSRF checks in some places, which could allow attackers to make logged in Contributors and above delete arbitrary events via a CSRF attack
PLUGIN
Mf Gig Calendar
CVE-2024-3756
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3240 - Convertplug Plugin
The ConvertPlug plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.25 via deserialization of untrusted input from the 'settings_encoded' attribute of the 'smile_info_bar' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
PLUGIN
Convertplug
CVE-2024-3240
Risk Score
Threat Entry
Updated 2026-01-05
CVE-2024-4439 - WordPress Core
WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar.
CORE
WordPress Core
CVE-2024-4439
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4097 - Cost Calculator Builder Plugin
The Cost Calculator Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the SVG upload feature in all versions up to, and including, 3.1.67 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Cost Calculator Builder
CVE-2024-4097
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4033 - All In One Video Gallery Plugin
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the aiovg_create_attachment_from_external_image_url function in all versions up to, and including, 3.6.4. This makes it possible for authenticated attackers, with contributor access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
All In One Video Gallery
CVE-2024-4033
Risk Score
Threat Entry
Updated 2025-02-27
CVE-2024-3895 - Wp Datepicker Plugin
The WP Datepicker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpdp_add_new_datepicker_ajax() function in all versions up to, and including, 2.1.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options that can be used for privilege escalation. This was partially patched in 2.0.9 and 2.1.0, and fully patched in 2.1.1.
PLUGIN
Wp Datepicker
CVE-2024-3895
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3849 - Click To Chat For Whatsapp Plugin
The Click to Chat – HoliThemes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.35. This makes it possible for authenticated attackers, with contributor access or above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
PLUGIN
Click To Chat For Whatsapp
CVE-2024-3849
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3715 - Elementor Forms Plugin
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Elementor Forms
CVE-2024-3715
Risk Score
Threat Entry
Updated 2025-01-08
CVE-2024-3500 - Elementskit Plugin
The ElementsKit Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.0 via the Price Menu, Hotspot, and Advanced Toggle widgets. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
PLUGIN
Elementskit
CVE-2024-3500
Risk Score
Threat Entry
Updated 2025-01-16
CVE-2024-3499 - Elements Kit Elementor Addons Plugin
The ElementsKit Elementor addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.0 via the generate_navigation_markup function of the Onepage Scroll module. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
PLUGIN
Elements Kit Elementor Addons
CVE-2024-3499
Risk Score
Threat Entry
Updated 2025-02-11
CVE-2024-3047 - Woocommerce Pdf Invoices Packing Slips Plugin
The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.8.0 via the transform() function. This can allow unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Woocommerce Pdf Invoices Packing Slips
CVE-2024-3047
Risk Score
Threat Entry
Updated 2025-02-11
CVE-2024-3045 - Woocommerce Pdf Invoices Packing Slips Plugin
The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Woocommerce Pdf Invoices Packing Slips
CVE-2024-3045
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-2831 - Calendar Plugin
The Calendar plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcodes in all versions up to, and including, 1.3.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Calendar
CVE-2024-2831
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-2661 - Barcode Scanner Lite Pos To Manage Products Inventory And Orders Plugin
The Barcode Scanner and Inventory manager. POS (Point of Sale) – scan barcodes & create orders with barcode reader. plugin for WordPress is vulnerable to blind SQL Injection via the ‘currentIds’ parameter in all versions up to, and including, 1.5.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the…
PLUGIN
Barcode Scanner Lite Pos To Manage Products Inventory And Orders
CVE-2024-2661
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-2417 - And User Profile Plugin
The User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the form_save_action() function in all versions up to, and including, 3.1.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the registration form and make the default registration role administrator. This subsequently allows the attacker to register an account as an administrator on the site.
PLUGIN
And User Profile
CVE-2024-2417
Risk Score
Threat Entry
Updated 2025-03-21
CVE-2024-2082 - Eleforms Plugin
The EleForms – All In One Form Integration including DB for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 2.9.9.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Eleforms
CVE-2024-2082
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-1897 - New Grid Gallery Plugin
The Grid Gallery – Photo Image Grid Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization via shortcode of untrusted input from the awl_gg_settings_ meta value. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve…
PLUGIN
New Grid Gallery
CVE-2024-1897
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-1896 - New Photo Gallery Plugin
The Photo Gallery – Responsive Photo Gallery, Image Gallery, Portfolio Gallery, Logo Gallery And Team Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.1 via deserialization via shortcode of untrusted input from the 'awl_lg_settings_' attribute. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow…
PLUGIN
New Photo Gallery
CVE-2024-1896
Risk Score