Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-02-19
CVE-2024-11582 - Subscribe2 Plugin
The Subscribe2 – Form, Email Subscribers & Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ip parameter in all versions up to, and including, 10.43 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Subscribe2
CVE-2024-11582
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2025-0817 - Formcraft Plugin
The FormCraft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.9.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Formcraft
CVE-2025-0817
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2025-0521 - Post Smtp Plugin
The Post SMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the from and subject parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Post Smtp
CVE-2025-0521
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13681 - Uncode Plugin
The Uncode theme for WordPress is vulnerable to arbitrary file read due to insufficient input validation in the 'uncode_admin_get_oembed' function in all versions up to, and including, 2.9.1.6. This makes it possible for unauthenticated attackers to read arbitrary files on the server.
PLUGIN
Uncode
CVE-2024-13681
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13797 - Pressmart Plugin
The PressMart - Modern Elementor WooCommerce WordPress Theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.16. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
PLUGIN
Pressmart
CVE-2024-13797
Risk Score
Threat Entry
Updated 2026-01-07
CVE-2024-13704 - Super Testimonials Plugin
The Super Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'st_user_title' parameter in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Super Testimonials
CVE-2024-13704
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13315 - Shopwarden Plugin
The Shopwarden – Automated WooCommerce monitoring & testing plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.11. This is due to missing or incorrect nonce validation on the save_setting() function. This makes it possible for unauthenticated attackers to update arbitrary options and achieve privilege escalation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Shopwarden
CVE-2024-13315
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13556 - Affiliate Links Plugin
The Affiliate Links: WordPress Plugin for Link Cloaking and Link Management plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.1 via deserialization of untrusted input from an file export. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin…
PLUGIN
Affiliate Links
CVE-2024-13556
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13852 - Option Editor Plugin
The Option Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing nonce validation on the plugin_page() function. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
PLUGIN
Option Editor
CVE-2024-13852
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13684 - Reset Plugin
The Reset plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6. This is due to missing or incorrect nonce validation on the reset_db_page() function. This makes it possible for unauthenticated attackers to reset several tables in the database like comments, themes, plugins, and more via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Reset
CVE-2024-13684
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13677 - Get Bookings Wp Plugin
The GetBookingsWP – Appointments Booking Calendar Plugin For WordPress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.27. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
PLUGIN
Get Bookings Wp
CVE-2024-13677
Risk Score
Threat Entry
Updated 2025-03-17
CVE-2024-13622 - File Uploads Addon For Woocommerce Plugin
The File Uploads Addon for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.1 via the 'uploads' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads directory which can contain file attachments uploaded by customers.
PLUGIN
File Uploads Addon For Woocommerce
CVE-2024-13622
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2024-12314 - Rapid Cache Plugin
The Rapid Cache plugin for WordPress is vulnerable to Cache Poisoning in all versions up to, and including, 1.2.3. This is due to plugin storing HTTP headers in the cached data. This makes it possible for unauthenticated attackers to poison the cache with custom HTTP headers that may be unsanitized which can lead to Cross-Site Scripting.
PLUGIN
Rapid Cache
CVE-2024-12314
Risk Score
Threat Entry
Updated 2025-05-21
CVE-2024-13726 - Themes Coder
The Coder WordPress plugin through 1.3.4 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection
THEME
Themes Coder
CVE-2024-13726
Risk Score
Threat Entry
Updated 2025-05-23
CVE-2024-13626 - Through 3 Plugin
The VR-Frases (collect & share quotes) WordPress plugin through 3.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Through 3
CVE-2024-13626
Risk Score
Threat Entry
Updated 2025-05-14
CVE-2024-13625 - Tube Video Ads Lite Plugin
The Tube Video Ads Lite WordPress plugin through 1.5.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Tube Video Ads Lite
CVE-2024-13625
Risk Score
Threat Entry
Updated 2025-05-23
CVE-2025-0924 - Wp Activity Log Plugin
The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘message’ parameter in all versions up to, and including, 5.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Activity Log
CVE-2025-0924
Risk Score
Threat Entry
Updated 2025-02-28
CVE-2024-13488 - Ltl Freight Quotes Plugin
The LTL Freight Quotes – Estes Edition plugin for WordPress is vulnerable to SQL Injection via the 'dropship_edit_id' and 'edit_id' parameters in all versions up to, and including, 3.3.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Ltl Freight Quotes
CVE-2024-13488
Risk Score
Threat Entry
Updated 2025-02-14
CVE-2025-23657 - WordPress-to-candidate for Salesforce CRM Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WordPress-to-candidate for Salesforce CRM allows Reflected XSS. This issue affects WordPress-to-candidate for Salesforce CRM: from n/a through 1.0.1.
PLUGIN
WordPress-to-candidate for Salesforce CRM
CVE-2025-23657
Risk Score
Threat Entry
Updated 2025-02-14
CVE-2025-23492 - WordPress 淘宝客插件 Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CantonBolo WordPress 淘宝客插件 allows Reflected XSS. This issue affects WordPress 淘宝客插件: from n/a through 1.1.2.
PLUGIN
WordPress 淘宝客插件
CVE-2025-23492
Risk Score