Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-03-18
CVE-2024-12563 - S2member Pro Plugin
The s2Member Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 250214 via the 'template' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution.
PLUGIN
S2member Pro
CVE-2024-12563
Risk Score
Threat Entry
Updated 2025-03-18
CVE-2025-2262 - Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation Plugin
The The Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.7.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
PLUGIN
Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation
CVE-2025-2262
Risk Score
Threat Entry
Updated 2025-03-25
CVE-2025-2325 - Wp Test Email Plugin
The WP Test Email plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Email Logs in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Test Email
CVE-2025-2325
Risk Score
Threat Entry
Updated 2025-03-28
CVE-2024-13497 - Tripetto Plugin
The WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via attachment uploads in all versions up to, and including, 8.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the uploaded file.
PLUGIN
Tripetto
CVE-2024-13497
Risk Score
Threat Entry
Updated 2025-03-28
CVE-2025-1667 - Wpschoolpress Plugin
The School Management System – WPSchoolPress plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the wpsp_UpdateTeacher() function in all versions up to, and including, 2.2.16. This makes it possible for authenticated attackers, with teacher-level access and above, to update arbitrary user details including email which makes it possible to request a password reset and access arbitrary user accounts, including administrators.
PLUGIN
Wpschoolpress
CVE-2025-1667
Risk Score
Threat Entry
Updated 2025-03-28
CVE-2025-1657 - Ulisting Plugin
The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to unauthorized modification of data and PHP Object Injection due to a missing capability check on the stm_listing_ajax AJAX action in all versions up to, and including, 2.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to update post meta data and inject PHP Objects that may be unserialized.
PLUGIN
Ulisting
CVE-2025-1657
Risk Score
Threat Entry
Updated 2025-03-28
CVE-2025-1653 - Ulisting Plugin
The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.7. This is due to the stm_listing_profile_edit AJAX action not having enough restriction on the user meta that can be updated. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
PLUGIN
Ulisting
CVE-2025-1653
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2024-13773 - Civi Plugin
The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4 via hard-coded credentials. This makes it possible for unauthenticated attackers to extract sensitive data including LinkedIn client and secret keys.
PLUGIN
Civi
CVE-2024-13773
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2024-12810 - Jobcareer Plugin
The JobCareer | Job Board Responsive WordPress Theme theme for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability checks on multiple functions in all versions up to, and including, 7.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files, generate backups, restore backups, update theme options, and reset theme options to default settings.
PLUGIN
Jobcareer
CVE-2024-12810
Risk Score
Threat Entry
Updated 2025-03-21
CVE-2024-13321 - Analyticswp Plugin
The AnalyticsWP plugin for WordPress is vulnerable to SQL Injection via the 'custom_sql' parameter in all versions up to, and including, 2.0.0 due to insufficient authorization checks on the handle_get_stats() function. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Analyticswp
CVE-2024-13321
Risk Score
Threat Entry
Updated 2025-03-21
CVE-2025-2221 - Wpcom Member Plugin
The WPCOM Member plugin for WordPress is vulnerable to time-based SQL Injection via the ‘user_phone’ parameter in all versions up to, and including, 1.7.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Wpcom Member
CVE-2025-2221
Risk Score
Threat Entry
Updated 2025-03-21
CVE-2025-2103 - Soundrise Plugin
The SoundRise Music plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on theironMusic_ajax() function in all versions up to, and including, 1.6.11. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
PLUGIN
Soundrise
CVE-2025-2103
Risk Score
Threat Entry
Updated 2025-03-14
CVE-2024-13913 - Instawp Connect Plugin
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.0.83. This is due to missing or incorrect nonce validation in the '/migrate/templates/main.php' file. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can…
PLUGIN
Instawp Connect
CVE-2024-13913
Risk Score
Threat Entry
Updated 2025-03-14
CVE-2025-0952 - Eco Nature - Environment & Ecology WordPress Theme
The Eco Nature - Environment & Ecology WordPress Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'cmsmasters_hide_admin_notice' AJAX action in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 'hide' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users…
THEME
Eco Nature - Environment & Ecology WordPress Theme
CVE-2025-0952
Risk Score
Threat Entry
Updated 2025-03-14
CVE-2025-1764 - LoginPress | wp-login Custom Login Page Customizer Plugin
The LoginPress | wp-login Custom Login Page Customizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.1. This is due to missing or incorrect nonce validation on the 'custom_plugin_set_option' function. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This can be leveraged to update the default role for registration to administrator and enable user…
PLUGIN
LoginPress | wp-login Custom Login Page Customizer
CVE-2025-1764
Risk Score
Threat Entry
Updated 2025-03-14
CVE-2024-13376 - Industrial Theme
The Industrial theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the _ajax_get_total_content_import_items() function in all versions up to, and including, 1.7.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
THEME
Industrial
CVE-2024-13376
Risk Score
Threat Entry
Updated 2025-06-20
CVE-2025-2056 - Hide My Wp Ghost Plugin
The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 5.4.01 via the showFile function. This makes it possible for unauthenticated attackers to read the contents of specific file types on the server, which can contain sensitive information.
PLUGIN
Hide My Wp Ghost
CVE-2025-2056
Risk Score
Threat Entry
Updated 2025-07-08
CVE-2024-11283 - Jobcareer Plugin
The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to wp_ajax_google_api_login_callback function not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to access arbitrary candidate accounts.
PLUGIN
Jobcareer
CVE-2024-11283
Risk Score
Threat Entry
Updated 2025-03-13
CVE-2024-10942 - All In One Wp Migration Plugin
The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.89 via deserialization of untrusted input in the 'replace_serialized_values' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must export…
PLUGIN
All In One Wp Migration
CVE-2024-10942
Risk Score
Threat Entry
Updated 2025-03-13
CVE-2025-1119 - Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.6.8.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
PLUGIN
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
CVE-2025-1119
Risk Score