Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-03-11
CVE-2025-1717 - Login Me Now Plugin
The Login Me Now plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.2. This is due to insecure authentication based on an arbitrary transient name in the 'AutoLogin::listen()' function. This makes it possible for unauthenticated attackers to log in an existing user on the site, even an administrator. Note: this vulnerability requires using a transient name and value from another software, so the plugin is not inherently vulnerable on it's own.
PLUGIN
Login Me Now
CVE-2025-1717
Risk Score
Threat Entry
Updated 2025-02-27
CVE-2025-1295 - Templines Elementor Helper Core Plugin
The Templines Elementor Helper Core plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.7. This is due to allowing arbitrary user meta updates. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to Administrator. The vulnerability can only be exploited when the BuddyPress plugin is also installed and activated.
PLUGIN
Templines Elementor Helper Core
CVE-2025-1295
Risk Score
Threat Entry
Updated 2025-03-11
CVE-2024-2297 - Bricks Plugin
The Bricks theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.9.6.1. This is due to insufficient validation checks placed on the create_autosave AJAX function. This makes it possible for authenticated attackers, with contributor-level access and above, to execute arbitrary PHP code with elevated (administrator-level) privileges. NOTE: Successful exploitation requires (1) the Bricks Builder to be enabled for posts (2) Builder access to be enabled for contributor-level users, and (3) "Code Execution" to be enabled for administrator-level users within the theme's settings.
PLUGIN
Bricks
CVE-2024-2297
Risk Score
Threat Entry
Updated 2025-05-20
CVE-2024-13633 - Simple Catalogue Plugin
The Simple catalogue WordPress plugin through 1.0.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Simple Catalogue
CVE-2024-13633
Risk Score
Threat Entry
Updated 2025-05-20
CVE-2024-13632 - Wp Extra Fields Plugin
The WP Extra Fields WordPress plugin through 1.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Wp Extra Fields
CVE-2024-13632
Risk Score
Threat Entry
Updated 2025-05-20
CVE-2024-13631 - Om Stripe Plugin
The Om Stripe WordPress plugin through 02.00.00 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Om Stripe
CVE-2024-13631
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-13624 - Wpmovielibrary Plugin
The WPMovieLibrary WordPress plugin through 2.1.4.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Wpmovielibrary
CVE-2024-13624
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-13571 - Post Timeline Plugin
The Post Timeline WordPress plugin before 2.3.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Post Timeline
CVE-2024-13571
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-12878 - Custom Block Builder Plugin
The Custom Block Builder WordPress plugin before 3.8.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Custom Block Builder
CVE-2024-12878
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-10483 - Before 6 Plugin
The Simple:Press Forum WordPress plugin before 6.10.11 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.
PLUGIN
Before 6
CVE-2024-10483
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-10152 - Simple Certain Time To Show Content Plugin
The Simple Certain Time to Show Content WordPress plugin before 1.3.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Simple Certain Time To Show Content
CVE-2024-10152
Risk Score
Threat Entry
Updated 2025-02-28
CVE-2025-1648 - Yawave Plugin
The Yawave plugin for WordPress is vulnerable to SQL Injection via the 'lbid' parameter in all versions up to, and including, 2.9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Yawave
CVE-2025-1648
Risk Score
Threat Entry
Updated 2025-02-22
CVE-2025-0957 - SMTP for Amazon SES – YaySMTP Plugin
The SMTP for Amazon SES – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
SMTP for Amazon SES – YaySMTP
CVE-2025-0957
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2025-0953 - Yaysmtp Plugin
The SMTP for Sendinblue – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Yaysmtp
CVE-2025-0953
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2025-0918 - Yaysmtp Plugin
The SMTP for SendGrid – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Yaysmtp
CVE-2025-0918
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-13869 - Wpvivid Backup Migration Plugin
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_files' function in all versions up to, and including, 0.9.112. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: Uploaded files are only accessible on WordPress instances running on the NGINX web server as the existing .htaccess within the target file upload folder prevents…
PLUGIN
Wpvivid Backup Migration
CVE-2024-13869
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2025-1361 - Country Blocker Plugin
The IP2Location Country Blocker plugin for WordPress is vulnerable to Regular Information Exposure in all versions up to, and including, 2.38.8 due to missing capability checks on the admin_init() function. This makes it possible for unauthenticated attackers to view the plugin's settings.
PLUGIN
Country Blocker
CVE-2025-1361
Risk Score
Threat Entry
Updated 2025-02-22
CVE-2024-13474 - Purolator Edition Plugin
The LTL Freight Quotes – Purolator Edition plugin for WordPress is vulnerable to SQL Injection via the 'dropship_edit_id' and 'edit_id' parameters in all versions up to, and including, 2.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Purolator Edition
CVE-2024-13474
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2025-1510 - The Custom Post Type Date Archives Plugin
The The Custom Post Type Date Archives plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.7.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
PLUGIN
The Custom Post Type Date Archives
CVE-2025-1510
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2025-1509 - The Show Me The Cookies Plugin
The The Show Me The Cookies plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
PLUGIN
The Show Me The Cookies
CVE-2025-1509
Risk Score