Threat Entry Updated 2025-04-24

CVE-2023-6294 - Popup Builder Plugin

The Popup Builder WordPress plugin before 4.2.6 does not validate a parameter before making a request to it, which could allow users with the administrator role to perform SSRF attack in Multisite WordPress configurations.

PLUGIN Popup Builder

CVE-2023-6294

HIGH CVSS 7.2 2024-02-12

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2024-24926 - Creative Multi Purpose Responsive Theme

Deserialization of Untrusted Data vulnerability in UnitedThemes Brooklyn | Creative Multi-Purpose Responsive WordPress Theme.This issue affects Brooklyn | Creative Multi-Purpose Responsive WordPress Theme: from n/a through 4.9.7.6.

THEME Creative Multi Purpose Responsive

CVE-2024-24926

HIGH CVSS 7.5 2024-02-12

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2024-24796 - Event Manager And Tickets Selling For Woocommerce Plugin

Deserialization of Untrusted Data vulnerability in MagePeople Team Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin.This issue affects Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin: from n/a through 4.1.1.

PLUGIN Event Manager And Tickets Selling For Woocommerce

CVE-2024-24796

HIGH CVSS 8.2 2024-02-12

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2024-24927 - Allows Reflected Xss Theme

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UnitedThemes Brooklyn | Creative Multi-Purpose Responsive WordPress Theme allows Reflected XSS.This issue affects Brooklyn | Creative Multi-Purpose Responsive WordPress Theme: from n/a through 4.9.7.6.

THEME Allows Reflected Xss

CVE-2024-24927

HIGH CVSS 7.1 2024-02-12

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2024-0594 - Awesome Support Plugin

The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to union-based SQL Injection via the 'q' parameter of the wpas_get_users action in all versions up to, and including, 6.1.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Awesome Support

CVE-2024-0594

HIGH CVSS 8.8 2024-02-10

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2024-0842 - Backuply Plugin

The Backuply – Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to Denial of Service in all versions up to, and including, 1.2.5. This is due to direct access of the backuply/restore_ins.php file and. This makes it possible for unauthenticated attackers to make excessive requests that result in the server running out of resources.

PLUGIN Backuply

CVE-2024-0842

HIGH CVSS 7.5 2024-02-09

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-12-17

CVE-2024-24881 - Wp Sms Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc allows Reflected XSS.This issue affects WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc: from n/a through 6.5.2.

PLUGIN Wp Sms

CVE-2024-24881

HIGH CVSS 7.1 2024-02-08

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2024-1118 - Podlove Subscribe Button Plugin

The Podlove Subscribe button plugin for WordPress is vulnerable to UNION-based SQL Injection via the 'button' attribute of the podlove-subscribe-button shortcode in all versions up to, and including, 1.3.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Podlove Subscribe Button

CVE-2024-1118

HIGH CVSS 8.8 2024-02-07

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2024-1072 - Website Builder By Seedprod Plugin

The Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the seedprod_lite_new_lpage function in all versions up to, and including, 6.15.21. This makes it possible for unauthenticated attackers to change the contents of coming-soon, maintenance pages, login and 404 pages set up with the plugin. Version 6.15.22 addresses this issue but introduces a bug affecting admin pages. We suggest upgrading to 6.15.23.

PLUGIN Website Builder By Seedprod

CVE-2024-1072

HIGH CVSS 8.2 2024-02-05

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2024-0869 - Instant Images One Click Unsplash Uploads Plugin

The Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels plugin for WordPress is vulnerable to unauthorized arbitrary options update due to an insufficient check that neglects to verify whether the updated option belongs to the plugin on the instant-images/license REST API endpoint in all versions up to, and including, 6.1.0. This makes it possible for authors and higher to update arbitrary options.

PLUGIN Instant Images One Click Unsplash Uploads

CVE-2024-0869

HIGH CVSS 8.8 2024-02-05

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-03-24

CVE-2024-0761 - File Manager Plugin

The File Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.2.1 due to insufficient randomness in the backup filenames, which use a timestamp plus 4 random digits. This makes it possible for unauthenticated attackers, to extract sensitive data including site backups in configurations where the .htaccess file in the directory does not block access.

PLUGIN File Manager

CVE-2024-0761

HIGH CVSS 8.1 2024-02-05

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2024-0428 - Index Now Plugin

The Index Now plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.3. This is due to missing or incorrect nonce validation on the 'reset_form' function. This makes it possible for unauthenticated attackers to delete arbitrary site options via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Index Now

CVE-2024-0428

HIGH CVSS 7.1 2024-02-05

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-05-15

CVE-2024-0324 - Profile Builder Plugin

The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wppb_two_factor_authentication_settings_update' function in all versions up to, and including, 3.10.8. This makes it possible for unauthenticated attackers to enable or disable the 2FA functionality present in the Premium version of the plugin for arbitrary user roles.

PLUGIN Profile Builder

CVE-2024-0324

HIGH CVSS 8.2 2024-02-05

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2023-6996 - Display Custom Fields In The Frontend Post And User Profile Fields Plugin

The Display custom fields in the frontend – Post and User Profile Fields plugin for WordPress is vulnerable to Code Injection via the plugin's vg_display_data shortcode in all versions up to, and including, 1.2.1 due to insufficient input validation and restriction on access to that shortcode. This makes it possible for authenticated attackers with contributor-level and above permissions to call arbitrary functions and execute code.

PLUGIN Display Custom Fields In The Frontend Post And User Profile Fields

CVE-2023-6996

HIGH CVSS 8.8 2024-02-05

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-05-15

CVE-2023-6925 - Unlimited Addons For Wpbakery Page Builder Plugin

The Unlimited Addons for WPBakery Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'importZipFile' function in versions up to, and including, 1.0.42. This makes it possible for authenticated attackers with a role that the administrator previously granted access to the plugin (the default is editor role, but access can also be granted to contributor role), to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Unlimited Addons For Wpbakery Page Builder

CVE-2023-6925

HIGH CVSS 7.2 2024-02-05

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2023-6846 - File Manager Plugin

The File Manager Pro plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 8.3.4 via the mk_check_filemanager_php_syntax AJAX function. This makes it possible for authenticated attackers, with subscriber access and above, to execute code on the server. Version 8.3.5 introduces a capability check that prevents users lower than admin from executing this function.

PLUGIN File Manager

CVE-2023-6846

HIGH CVSS 8.8 2024-02-05

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2023-6700 - Wp Gdpr Compliance Plugin

The Cookie Information | Free GDPR Consent Solution plugin for WordPress is vulnerable to arbitrary option updates due to a missing capability check on its AJAX request handler in versions up to, and including, 2.0.22. This makes it possible for authenticated attackers, with subscriber-level access or higher, to edit arbitrary site options which can be used to create administrator accounts.

PLUGIN Wp Gdpr Compliance

CVE-2023-6700

HIGH CVSS 8.8 2024-02-05

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-05-15

CVE-2023-6635 - Editorskit Plugin

The EditorsKit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation on the 'import_styles' function in versions up to, and including, 1.40.3. This makes it possible for authenticated attackers with administrator-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Editorskit

CVE-2023-6635

HIGH CVSS 7.2 2024-02-05

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2024-22159 - Wolf Wordpress Posts Bulk Editor And Products Manager Professional Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in realmag777 WOLF – WordPress Posts Bulk Editor and Manager Professional allows Reflected XSS.This issue affects WOLF – WordPress Posts Bulk Editor and Manager Professional: from n/a through 1.0.8.

PLUGIN Wolf Wordpress Posts Bulk Editor And Products Manager Professional

CVE-2024-22159

HIGH CVSS 7.1 2024-01-31

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2024-23508 - Pdf Poster Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins PDF Poster – PDF Embedder Plugin for WordPress allows Reflected XSS.This issue affects PDF Poster – PDF Embedder Plugin for WordPress: from n/a through 2.1.17.

PLUGIN Pdf Poster

CVE-2024-23508

HIGH CVSS 7.1 2024-01-31

Risk Score

Open Full Technical Breakdown