
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2025-01-21

CVE-2024-0203 - Digits Plugin

The Digits plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.4.1. This is due to missing nonce validation in the 'digits_save_settings' function. This makes it possible for unauthenticated attackers to modify the default role of registered users to elevate user privileges via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Digits

CVE-2024-0203

HIGH CVSS 8.8 2024-03-07
Threat Entry Updated 2025-02-07

CVE-2024-1773 - Pdf Invoices And Packing Slips For Woocommerce Plugin

The PDF Invoices and Packing Slips For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.7 via deserialization of untrusted input via the order_id parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data,…

PLUGIN Pdf Invoices And Packing Slips For Woocommerce

CVE-2024-1773

HIGH CVSS 8.8 2024-03-07
Threat Entry Updated 2025-01-21

CVE-2024-1170 - Post Form Plugin

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the handle_deleted_media function in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to delete arbitrary media files.

PLUGIN Post Form

CVE-2024-1170

HIGH CVSS 8.2 2024-03-07
Threat Entry Updated 2025-01-21

CVE-2024-1169 - Post Form Plugin

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized media upload due to a missing capability check on the buddyforms_upload_handle_dropped_media function in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to upload media files.

PLUGIN Post Form

CVE-2024-1169

HIGH CVSS 7.5 2024-03-07
Threat Entry Updated 2025-01-21

CVE-2024-1382 - Restaurant Reservations Plugin

The Restaurant Reservations plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9 via the nd_rst_layout attribute of the nd_rst_search shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where an uploaded PHP file may not be directly accessible.

PLUGIN Restaurant Reservations

CVE-2024-1382

HIGH CVSS 8.8 2024-03-07
Threat Entry Updated 2025-01-08

CVE-2024-1731 - Auto Refresh Single Page Plugin

The Auto Refresh Single Page plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1 via deserialization of untrusted input from the arsp_options post meta option. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or…

PLUGIN Auto Refresh Single Page

CVE-2024-1731

HIGH CVSS 8.8 2024-03-05
Threat Entry Updated 2025-03-11

CVE-2024-0825 - Vimeography Plugin

The Vimeography: Vimeo Video Gallery WordPress Plugin plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.3.2 via deserialization of untrusted input via the vimeography_duplicate_gallery_serialized in the duplicate_gallery function. This makes it possible for authenticated attackers, with contributor access or higher, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve…

PLUGIN Vimeography

CVE-2024-0825

HIGH CVSS 8.8 2024-03-05
Threat Entry Updated 2025-03-12

CVE-2024-1859 - Slider Responsive Slideshow Plugin

The Slider Responsive Slideshow – Image slider, Gallery slideshow plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8 via deserialization of untrusted input to the awl_slider_responsive_shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive…

PLUGIN Slider Responsive Slideshow

CVE-2024-1859

HIGH CVSS 8.8 2024-03-01
Threat Entry Updated 2025-02-05

CVE-2024-1468 - Avada Plugin

The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_import_options() function in all versions up to, and including, 7.11.4. This makes it possible for authenticated attackers, with contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Avada

CVE-2024-1468

HIGH CVSS 8.8 2024-02-29
Threat Entry Updated 2024-12-31

CVE-2024-1317 - Rss Aggregator By Feedzy Plugin

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to SQL Injection via the 'search_key' parameter in all versions up to, and including, 4.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Rss Aggregator By Feedzy

CVE-2024-1317

HIGH CVSS 8.8 2024-02-29
Threat Entry Updated 2025-02-27

CVE-2024-1206 - Wp Recipe Maker Plugin

The WP Recipe Maker plugin for WordPress is vulnerable to SQL Injection via the 'recipes' parameter in all versions up to, and including, 9.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Wp Recipe Maker

CVE-2024-1206

HIGH CVSS 8.8 2024-02-29
Threat Entry Updated 2025-01-19

CVE-2024-1217 - Contact Form Builder Plugin

The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the await_plugin_deactivation function in all versions up to, and including, 2.3.41. This makes it possible for authenticated attackers, with subscriber access or higher, to deactivate any active plugins.

PLUGIN Contact Form Builder

CVE-2024-1217

HIGH CVSS 7.6 2024-02-29
Threat Entry Updated 2025-03-04

CVE-2024-0702 - Oliver Pos Plugin

The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several functions hooked via AJAX in the includes/class-pos-bridge-install.php file in all versions up to, and including, 2.4.1.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several unauthorized actions like deactivating the plugin, disconnecting the subscription, syncing the status and more.

PLUGIN Oliver Pos

CVE-2024-0702

HIGH CVSS 7.3 2024-02-29
Threat Entry Updated 2025-02-07

CVE-2024-0786 - Conversios Io Plugin

The Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the ee_syncProductCategory function using the parameters conditionData, valueData, productArray, exclude and include in all versions up to, and including, 6.9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber access or higher, to append additional SQL queries into already existing queries that can be…

PLUGIN Conversios Io

CVE-2024-0786

HIGH CVSS 8.8 2024-02-28
Threat Entry Updated 2025-05-01

CVE-2023-7165 - Before 2 Plugin

The JetBackup WordPress plugin before 2.0.9.9 doesn't use index files to prevent public directory listing of sensitive directories in certain configurations, which allows malicious actors to leak backup files.

PLUGIN Before 2

CVE-2023-7165

HIGH CVSS 7.5 2024-02-27
Threat Entry Updated 2025-05-01

CVE-2023-6585 - Wp Jobsearch Plugin

The WP JobSearch WordPress plugin before 2.3.4 does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP to the server.

PLUGIN Wp Jobsearch

CVE-2023-6585

HIGH CVSS 7.5 2024-02-27
Threat Entry Updated 2025-05-01

CVE-2023-6584 - Wp Jobsearch Plugin

The WP JobSearch WordPress plugin before 2.3.4 does not prevent attackers from logging in as any user with only the knowledge of that user's email address.

PLUGIN Wp Jobsearch

CVE-2023-6584

HIGH CVSS 7.5 2024-02-27
Threat Entry Updated 2025-02-27

CVE-2024-1710 - Addon Library Plugin

The Addon Library plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the onAjaxAction function in all versions up to, and including, 1.3.76. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several unauthorized actions including uploading arbitrary files.

PLUGIN Addon Library

CVE-2024-1710

HIGH CVSS 8.8 2024-02-26
Threat Entry Updated 2025-01-16

CVE-2024-1776 - Admin Side Data Storage For Contact Form 7 Plugin

The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to SQL Injection via the 'form-id' parameter in all versions up to, and including, 1.1.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Admin Side Data Storage For Contact Form 7

CVE-2024-1776

HIGH CVSS 7.2 2024-02-23
Threat Entry Updated 2025-05-07

CVE-2024-0566 - Smart Manager Plugin

The Smart Manager WordPress plugin before 8.28.0 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

PLUGIN Smart Manager

CVE-2024-0566

HIGH CVSS 7.2 2024-02-12