Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-04-09
CVE-2024-13708 - Booster For Woocommerce Plugin
The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in versions 4.0.1 to 7.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Booster For Woocommerce
CVE-2024-13708
Risk Score
Threat Entry
Updated 2025-08-08
CVE-2025-2075 - Uncanny Automator Plugin
The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.3.0.2. This is due to add_role() and user_role() functions missing proper capability checks performed through the validate_rest_call() function. This makes it possible for unauthenticated attackers to set the role of arbitrary users to administrator granting full access to the site, though privilege escalation requires an active account on the site so this is considered an authenticated privilege escalation.
PLUGIN
Uncanny Automator
CVE-2025-2075
Risk Score
Threat Entry
Updated 2025-04-09
CVE-2024-13744 - Booster For Woocommerce Plugin
The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the validate_product_input_fields_on_add_to_cart function in versions 4.0.1 to 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Booster For Woocommerce
CVE-2024-13744
Risk Score
Threat Entry
Updated 2025-04-02
CVE-2025-3063 - Shopperapproved Reviews Plugin
The Shopper Approved Reviews plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajax_callback_update_sa_option() function in versions 2.0 to 2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
PLUGIN
Shopperapproved Reviews
CVE-2025-3063
Risk Score
Threat Entry
Updated 2025-04-02
CVE-2025-31441 - WordPress Core
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in S WordPress Galleria allows Reflected XSS. This issue affects WordPress Galleria: from n/a through 1.4.
CORE
WordPress Core
CVE-2025-31441
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2025-2891 - Real Estate 7 Wordpress Theme
The Real Estate 7 WordPress theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the 'template-submit-listing.php' file in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with Seller-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible if front-end listing submission has been enabled.
THEME
Real Estate 7 Wordpress
CVE-2025-2891
Risk Score
Threat Entry
Updated 2025-04-10
CVE-2024-12278 - Booster For Woocommerce Plugin
The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via any location that typically sanitizes data using wp_kses, like comments, in all versions up to, and including, 7.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Booster For Woocommerce
CVE-2024-12278
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2025-30796 - WordPress Core
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Extended The Ultimate WordPress Toolkit – WP Extended allows Reflected XSS. This issue affects The Ultimate WordPress Toolkit – WP Extended: from n/a through 3.0.14.
CORE
WordPress Core
CVE-2025-30796
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2025-30559 - WordPress Core
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Kento WordPress Stats allows Stored XSS. This issue affects Kento WordPress Stats: from n/a through 1.1.
CORE
WordPress Core
CVE-2025-30559
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2024-13567 - Awesome Support Plugin
The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.3.1 via the 'awesome-support' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/awesome-support directory which can contain file attachments included in support tickets. The vulnerability was partially patched in version 6.3.1.
PLUGIN
Awesome Support
CVE-2024-13567
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2025-2008 - Import Export Suite For Csv And Xml Datafeed Plugin
The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Import Export Suite For Csv And Xml Datafeed
CVE-2025-2008
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2025-2007 - Import Export Suite For Csv And Xml Datafeed Plugin
The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteImage() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
PLUGIN
Import Export Suite For Csv And Xml Datafeed
CVE-2025-2007
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2025-31616 - WordPress Core
Cross-Site Request Forgery (CSRF) vulnerability in AdminGeekZ Varnish WordPress allows Cross Site Request Forgery. This issue affects Varnish WordPress: from n/a through 1.7.
CORE
WordPress Core
CVE-2025-31616
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2025-31585 - WordPress Core
Cross-Site Request Forgery (CSRF) vulnerability in leadfox Leadfox for WordPress allows Cross Site Request Forgery. This issue affects Leadfox for WordPress: from n/a through 2.1.8.
CORE
WordPress Core
CVE-2025-31585
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2025-31569 - WordPress Core
Cross-Site Request Forgery (CSRF) vulnerability in wp-buy wordpress related Posts with thumbnails allows Stored XSS. This issue affects wordpress related Posts with thumbnails: from n/a through 3.0.0.1.
CORE
WordPress Core
CVE-2025-31569
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2025-31547 - This Issue Affects Uptime Robot Plugin
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aphotrax Uptime Robot Plugin for WordPress allows SQL Injection. This issue affects Uptime Robot Plugin for WordPress: from n/a through 2.3.
PLUGIN
This Issue Affects Uptime Robot
CVE-2025-31547
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2025-2803 - So Called Air Quotes Plugin
The So-Called Air Quotes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
PLUGIN
So Called Air Quotes
CVE-2025-2803
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2025-2249 - Soj Soundslides Plugin
The SoJ SoundSlides plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the soj_soundslides_options_subpanel() function in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Soj Soundslides
CVE-2025-2249
Risk Score
Threat Entry
Updated 2025-04-07
CVE-2025-2006 - Image Upload For Bbpress Plugin
The Inline Image Upload for BBPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension validation in the file uploading functionality in all versions up to, and including, 1.1.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. This may be exploitable by unauthenticated attackers when the "Allow guest users without accounts to create topics and replies" setting is enabled.
PLUGIN
Image Upload For Bbpress
CVE-2025-2006
Risk Score
Threat Entry
Updated 2025-03-28
CVE-2025-2815 - Administrator Z Plugin
The Administrator Z plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the adminz_import_backup() function in all versions up to, and including, 2025.03.24. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
PLUGIN
Administrator Z
CVE-2025-2815
Risk Score