
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

CVE-2024-0866 - check_and_log_email Plugin
Threat Entry Updated 2024-11-21

The Check & Log Email plugin for WordPress is vulnerable to Unauthenticated Hook Injection in all versions up to, and including, 1.0.9 via the check_nonce function. This makes it possible for unauthenticated attackers to execute actions with hooks in WordPress under certain circumstances. The action the attacker wishes to execute needs to have a nonce check, and the nonce needs to be known to the attacker. Furthermore, the absence of a capability check is a requirement.

Plugin: check_and_log_email | HIGH | CVSS 8.1 | 2024-03-26

CVE-2024-28850 - Wp Crontrol Plugin
Threat Entry Updated 2025-12-05

WP Crontrol controls the cron events on WordPress websites. WP Crontrol includes a feature that allows administrative users to create events in the WP-Cron system that store and execute PHP code subject to the restrictive security permissions documented here. While there is no known vulnerability in this feature on its own, there exists potential for this feature to be vulnerable to RCE if it were specifically targeted via vulnerability chaining that exploited a separate SQLi (or similar) vulnerability. This is exploitable on a site if one of the below preconditions…

Plugin: Wp Crontrol | HIGH | CVSS 8.1 | 2024-03-25

CVE-2024-1962 - Cm Download Manager Plugin
Threat Entry Updated 2025-04-01

The CM Download Manager WordPress plugin before 2.9.1 does not have CSRF checks in some places, which could allow attackers to make logged-in admins edit downloads via a CSRF attack.

Plugin: Cm Download Manager | HIGH | CVSS 8.8 | 2024-03-25

CVE-2024-2025 - BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages Plugin
Threat Entry Updated 2024-11-21

The "BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages" plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.20 via deserialization of untrusted input in the get_simple_request function. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Plugin: BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages | HIGH | CVSS 8.8 | 2024-03-23

CVE-2024-1538 - File Manager Plugin
Threat Entry Updated 2025-05-19

The File Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.4. This is due to missing or incorrect nonce validation on the wp_file_manager page that includes files through the 'lang' parameter. This makes it possible for unauthenticated attackers to include local JavaScript files that can be leveraged to achieve RCE via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. This issue was partially patched in version 7.2.4, and fully…

Plugin: File Manager | HIGH | CVSS 8.8 | 2024-03-21

CVE-2024-2459 - Ux Flat Plugin
Threat Entry Updated 2024-11-21

The UX Flat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Ux Flat | HIGH | CVSS 7.4 | 2024-03-20

CVE-2024-1205 - Wemanage Plugin
Threat Entry Updated 2025-04-09

The Management App for WooCommerce – Order notifications, Order management, Lead management, Uptime Monitoring plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the nouvello_upload_csv_file function in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Plugin: Wemanage | HIGH | CVSS 8.8 | 2024-03-20

CVE-2024-0856 - Appointment Booking Calendar Plugin
Threat Entry Updated 2025-05-05

The Appointment Booking Calendar WordPress plugin before 1.3.83 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks, such as adding a booking to the calendar without paying.

Plugin: Appointment Booking Calendar | HIGH | CVSS 8.8 | 2024-03-20

CVE-2024-1983 - Simple Ajax Chat Plugin
Threat Entry Updated 2025-05-05

The Simple Ajax Chat WordPress plugin before 20240223 does not prevent visitors from using malicious names when using the chat, which will be reflected unsanitized to other users.

Plugin: Simple Ajax Chat | HIGH | CVSS 7.1 | 2024-03-20

CVE-2024-1799 - Gamipress Plugin
Threat Entry Updated 2025-02-04

The GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to SQL Injection via the 'achievement_types' attribute of the gamipress_earnings shortcode in all versions up to, and including, 6.8.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the…

Plugin: Gamipress | HIGH | CVSS 8.8 | 2024-03-20

CVE-2024-29142 - Better Search Plugin
Threat Entry Updated 2026-01-28

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebberZone Better Search – Relevant search results for WordPress allows Stored XSS. This issue affects Better Search – Relevant search results for WordPress: from n/a through 3.3.0.

Plugin: Better Search | HIGH | CVSS 7.1 | 2024-03-19

CVE-2024-0858 - Innovs Hr Plugin
Threat Entry Updated 2025-05-05

The Innovs HR WordPress plugin through 1.0.3.4 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks, such as adding them as employees.

Plugin: Innovs Hr | HIGH | CVSS 8.8 | 2024-03-18

CVE-2024-0780 - Enjoy Social Feed Plugin
Threat Entry Updated 2025-03-14

The Enjoy Social Feed plugin for WordPress website WordPress plugin through 6.2.2 does not have an authorisation check when resetting its database, allowing any authenticated user, such as a subscriber, to perform this action.

Plugin: Enjoy Social Feed | HIGH | CVSS 8.8 | 2024-03-18

CVE-2024-0779 - Enjoy Social Feed Plugin
Threat Entry Updated 2025-05-05

The Enjoy Social Feed plugin for WordPress website WordPress plugin through 6.2.2 does not have authorisation and CSRF checks in various functions hooked to admin_init, allowing unauthenticated users to call them and, for example, unlink arbitrary users' Instagram accounts.

Plugin: Enjoy Social Feed | HIGH | CVSS 8.8 | 2024-03-18

CVE-2024-1685 - Social Media Share Buttons Plugin
Threat Entry Updated 2025-04-18

The Social Media Share Buttons plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.1.0 via deserialization of untrusted input through the attachmentUrl parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Plugin: Social Media Share Buttons | HIGH | CVSS 8.8 | 2024-03-16

CVE-2024-1795 - Husky Products Filter Professional For Woocommerce Plugin
Threat Entry Updated 2025-01-23

The HUSKY – Products Filter for WooCommerce Professional plugin for WordPress is vulnerable to SQL Injection via the 'name' parameter in the woof shortcode in all versions up to, and including, 1.3.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Husky Products Filter Professional For Woocommerce | HIGH | CVSS 8.8 | 2024-03-15

CVE-2024-2194 - Wp Statistics Plugin
Threat Entry Updated 2024-11-21

The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL search parameter in all versions up to, and including, 14.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Wp Statistics | HIGH | CVSS 7.2 | 2024-03-13

CVE-2024-2020 - Calculated Fields Form Plugin
Threat Entry Updated 2025-05-23

The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form page href parameter in all versions up to, and including, 5.1.56 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the professional version or higher.

Plugin: Calculated Fields Form | HIGH | CVSS 7.2 | 2024-03-13

CVE-2024-2006 - Post Grid Slider Carousel Ultimate Plugin
Threat Entry Updated 2025-03-13

The Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.7 via deserialization of untrusted input in the outpost_shortcode_metabox_markup function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Plugin: Post Grid Slider Carousel Ultimate | HIGH | CVSS 8.8 | 2024-03-13

CVE-2024-1951 - Logo Showcase Ultimate Plugin
Threat Entry Updated 2024-11-21

The Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8 via deserialization of untrusted input through a shortcode. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive…

Plugin: Logo Showcase Ultimate | HIGH | CVSS 7.5 | 2024-03-13