Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-03-13
CVE-2024-3022 - Bookingpress Plugin
The BookingPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient filename validation in the 'bookingpress_process_upload' function in all versions up to, and including 1.0.87. This allows an authenticated attacker with administrator-level capabilities or higher to upload arbitrary files on the affected site's server, enabling remote code execution.
PLUGIN
Bookingpress
CVE-2024-3022
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-31103 - Kanban Boards for WordPress Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kanban for WordPress Kanban Boards for WordPress allows Reflected XSS.This issue affects Kanban Boards for WordPress: from n/a through 2.5.21.
PLUGIN
Kanban Boards for WordPress
CVE-2024-31103
Risk Score
Threat Entry
Updated 2025-01-08
CVE-2024-3018 - Essential Addons For Elementor Plugin
The Essential Addons for Elementor plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.9.13 via deserialization of untrusted input from the 'error_resetpassword' attribute of the "Login | Register Form" widget (disabled by default). This makes it possible for authenticated attackers, with author-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
PLUGIN
Essential Addons For Elementor
CVE-2024-3018
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-2948 - Favorites Plugin
The Favorites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'user_favorites' shortcode in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping on user supplied attributes such as 'no_favorites'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Favorites
CVE-2024-2948
Risk Score
Threat Entry
Updated 2025-01-16
CVE-2024-2047 - Elements Kit Elementor Addons Plugin
The ElementsKit Elementor addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.0.6 via the render_raw function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
PLUGIN
Elements Kit Elementor Addons
CVE-2024-2047
Risk Score
Threat Entry
Updated 2025-02-27
CVE-2024-30478 - Bulletin Plugin
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bulletin WordPress Announcement & Notification Banner Plugin – Bulletin.This issue affects WordPress Announcement & Notification Banner Plugin – Bulletin: from n/a through 3.8.5.
PLUGIN
Bulletin
CVE-2024-30478
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-2848 - Responsive Plugin
The Responsive theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_footer_text_callback function in all versions up to, and including, 5.0.2. This makes it possible for unauthenticated attackers to inject arbitrary HTML content into the site's footer.
PLUGIN
Responsive
CVE-2024-2848
Risk Score
Threat Entry
Updated 2025-03-13
CVE-2024-3061 - Husky Products Filter Professional For Woocommerce Plugin
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.5.2 via the 'type' parameter. This makes it possible for authenticated attackers, with administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
PLUGIN
Husky Products Filter Professional For Woocommerce
CVE-2024-3061
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-1872 - Button Plugin
The Button plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.28 via deserialization of untrusted input in the button_shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
PLUGIN
Button
CVE-2024-1872
Risk Score
Threat Entry
Updated 2025-01-30
CVE-2024-0956 - Wp Erp Plugin
The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to time-based SQL Injection via the id parameter via the erp/v1/accounting/v1/vendors/1/products/ REST route in all versions up to, and including, 1.12.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with admin or accounting manager privileges, to append additional SQL queries into already existing queries that can be used to extract…
PLUGIN
Wp Erp
CVE-2024-0956
Risk Score
Threat Entry
Updated 2025-01-30
CVE-2024-0913 - Wp Erp Plugin
The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to time-based SQL Injection via the erp/v1/accounting/v1/transactions/sales REST API endpoint in all versions up to, and including, 1.12.9 due to insufficient escaping on the user supplied status and customer_id parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with accounting manager or admin privileges and higher to append additional SQL queries into already existing queries that can be used…
PLUGIN
Wp Erp
CVE-2024-0913
Risk Score
Threat Entry
Updated 2025-01-30
CVE-2024-0608 - Wp Erp Plugin
The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to union-based SQL Injection via the 'email' parameter in all versions up to, and including, 1.12.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Wp Erp
CVE-2024-0608
Risk Score
Threat Entry
Updated 2025-01-30
CVE-2024-0609 - Wp Erp Plugin
The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'api_key' parameter in all versions up to, and including, 1.12.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Erp
CVE-2024-0609
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-34370 - Elementor Plugin
Server-Side Request Forgery (SSRF) vulnerability in Brainstorm Force Starter Templates — Elementor, WordPress & Beaver Builder Templates, Brainstorm Force Premium Starter Templates.This issue affects Starter Templates — Elementor, WordPress & Beaver Builder Templates: from n/a through 3.2.4; Premium Starter Templates: from n/a through 3.2.4.
PLUGIN
Elementor
CVE-2023-34370
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-30243 - WordPress Tooltips Plugin
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tomas WordPress Tooltips.This issue affects WordPress Tooltips: from n/a before 9.4.5.
PLUGIN
WordPress Tooltips
CVE-2024-30243
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2024-0672 - Pz Linkcard Plugin
The Pz-LinkCard WordPress plugin through 2.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
Pz Linkcard
CVE-2024-0672
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-1770 - Meta Tag Manager Plugin
The Meta Tag Manager plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.2 via deserialization of untrusted input in the get_post_data function. This makes it possible for authenticated attackers, with contributor access or higher, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
PLUGIN
Meta Tag Manager
CVE-2024-1770
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-29763 - Wordpress Meta Data And Taxonomies Filter Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in realmag777 WordPress Meta Data and Taxonomies Filter (MDTF) allows Reflected XSS.This issue affects WordPress Meta Data and Taxonomies Filter (MDTF): from n/a through 1.3.3.
PLUGIN
Wordpress Meta Data And Taxonomies Filter
CVE-2024-29763
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2024-30201 - Wp Smart Import Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xylus Themes WordPress Importer allows Reflected XSS.This issue affects WordPress Importer: from n/a through 1.0.4.
PLUGIN
Wp Smart Import
CVE-2024-30201
Risk Score
Threat Entry
Updated 2025-03-12
CVE-2024-2954 - Action Network Plugin
The Action Network plugin for WordPress is vulnerable to SQL Injection via the 'bulk-action' parameter in version 1.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Action Network
CVE-2024-2954
Risk Score