Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-02-24
CVE-2024-13800 - Convertplus Plugin
The ConvertPlus plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'cp_dismiss_notice' AJAX endpoint in all versions up to, and including, 3.5.30. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to '1' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values…
PLUGIN
Convertplus
CVE-2024-13800
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2024-13656 - Click Mag Plugin
The Click Mag - Viral WordPress News Magazine/Blog Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the propanel_of_ajax_callback() function in all versions up to, and including, 3.6.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users.
PLUGIN
Click Mag
CVE-2024-13656
Risk Score
Threat Entry
Updated 2025-02-25
CVE-2024-13653 - Zoxpress Plugin
The ZoxPress - The All-In-One WordPress News Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'backup_options' function in all versions up to, and including, 2.12.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
PLUGIN
Zoxpress
CVE-2024-13653
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2024-13654 - Zoxpress Plugin
The ZoxPress - The All-In-One WordPress News Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'reset_options' function in all versions up to, and including, 2.12.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users.
PLUGIN
Zoxpress
CVE-2024-13654
Risk Score
Threat Entry
Updated 2025-02-11
CVE-2024-13643 - Magazine Theme Plugin
The Zox News - Professional WordPress News & Magazine Theme plugin for WordPress is vulnerable to unauthorized data modification. This vulnerability can lead to privilege escalation and denial of service conditions due to missing capability checks on the backup_options() and reset_options() functions in all versions up to and including 3.17.0. This vulnerability allows authenticated attackers with Subscriber-level access and above to update and delete arbitrary option values on the WordPress site. Attackers can exploit this issue to update the default user role for registration to Administrator and enable user registration,…
PLUGIN
Magazine Theme
CVE-2024-13643
Risk Score
Threat Entry
Updated 2025-03-28
CVE-2024-12599 - Ht Mega Plugin
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 2.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ht Mega
CVE-2024-12599
Risk Score
Threat Entry
Updated 2025-02-13
CVE-2024-13440 - Super Store Finder Plugin
The Super Store Finder plugin for WordPress is vulnerable to SQL Injection via the ‘ssf_wp_user_name’ parameter in all versions up to, and including, 7.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into an already existing query to store cross-site scripting in store reviews.
PLUGIN
Super Store Finder
CVE-2024-13440
Risk Score
Threat Entry
Updated 2025-02-11
CVE-2024-7419 - Wp All Export Plugin
The WP ALL Export Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.9.1 via the custom export fields. This is due to the missing input validation and sanitization of user-supplied data. This makes it possible for unauthenticated attackers to inject arbitrary PHP code into form fields that get executed on the server during the export, potentially leading to a complete site compromise. As a prerequisite, the custom export field should include fields containing user-supplied data.
PLUGIN
Wp All Export
CVE-2024-7419
Risk Score
Threat Entry
Updated 2025-02-11
CVE-2024-9664 - Wp All Import Plugin
The WP All Import Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.9.7 via deserialization of untrusted input from an import file. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
PLUGIN
Wp All Import
CVE-2024-9664
Risk Score
Threat Entry
Updated 2026-01-09
CVE-2024-13352 - Legull Plugin
The Legull WordPress plugin through 1.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Legull
CVE-2024-13352
Risk Score
Threat Entry
Updated 2025-02-18
CVE-2024-13487 - Woo Multi Currency Plugin
The The CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution via the get_products_price() function in all versions up to, and including, 2.2.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
PLUGIN
Woo Multi Currency
CVE-2024-13487
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2025-1028 - Contact Manager Plugin
The Contact Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the contact form upload feature in all versions up to, and including, 8.6.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible in specific configurations where the first extension is processed over the final. This vulnerability also requires successfully exploiting a race condition in order to exploit.
PLUGIN
Contact Manager
CVE-2025-1028
Risk Score
Threat Entry
Updated 2025-05-13
CVE-2024-13330 - Justrows Free Plugin
The JustRows free WordPress plugin through 0.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
Justrows Free
CVE-2024-13330
Risk Score
Threat Entry
Updated 2025-05-07
CVE-2024-13329 - Solidres Plugin
The Solidres WordPress plugin through 0.9.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
Solidres
CVE-2024-13329
Risk Score
Threat Entry
Updated 2025-02-03
CVE-2024-12859 - Boombox Theme Extensions Plugin
The BoomBox Theme Extensions plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.8.0 via the 'boombox_listing' shortcode 'type' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
PLUGIN
Boombox Theme Extensions
CVE-2024-12859
Risk Score
Threat Entry
Updated 2025-02-03
CVE-2025-23614 - WordPress Additional Logins Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nik Sudan WordPress Additional Logins allows Reflected XSS. This issue affects WordPress Additional Logins: from n/a through 1.0.0.
PLUGIN
WordPress Additional Logins
CVE-2025-23614
Risk Score
Threat Entry
Updated 2025-02-03
CVE-2025-23588 - WOW Best CSS Compiler Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WOW WordPress WOW Best CSS Compiler allows Reflected XSS. This issue affects WOW Best CSS Compiler: from n/a through 2.0.2.
PLUGIN
WOW Best CSS Compiler
CVE-2025-23588
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2025-0366 - Jupiter X Core Plugin
The Jupiter X Core plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in all versions up to, and including, 4.8.7 via the get_svg() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. In this specific case, an attacker can create a form that allows SVG uploads, upload…
PLUGIN
Jupiter X Core
CVE-2025-0366
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2024-13343 - Woocommerce Customers Manager Plugin
The WooCommerce Customers Manager plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ajax_assign_new_roles() function in all versions up to, and including, 31.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
PLUGIN
Woocommerce Customers Manager
CVE-2024-13343
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2024-12171 - Wsdesk Plugin
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the 'eh_crm_agent_add_user' AJAX action in all versions up to, and including, 3.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new administrative user accounts.
PLUGIN
Wsdesk
CVE-2024-12171
Risk Score