Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-02-11
CVE-2024-13472 - Woocommerce Product Table Plugin
The The WooCommerce Product Table Lite plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.9.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. The same 'sc_attrs' parameter is vulnerable to Reflected Cross-Site Scripting as well.
PLUGIN
Woocommerce Product Table
CVE-2024-13472
Risk Score
Threat Entry
Updated 2025-01-31
CVE-2025-24563 - Allows Reflected Xss Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGlow Cleanup – Directory Listing & Classifieds WordPress Plugin allows Reflected XSS. This issue affects Cleanup – Directory Listing & Classifieds WordPress Plugin: from n/a through 1.0.4.
PLUGIN
Allows Reflected Xss
CVE-2025-24563
Risk Score
Threat Entry
Updated 2025-01-31
CVE-2025-0809 - Link Fixer Plugin
The Link Fixer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via broken links in all versions up to, and including, 3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Link Fixer
CVE-2025-0809
Risk Score
Threat Entry
Updated 2025-01-31
CVE-2024-13504 - Shared Files Plugin
The Shared Files – Frontend File Upload Form & Secure File Sharing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via dfxp File uploads in all versions up to, and including, 1.7.42 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the dfxp file. This issue affects only Apache-based environments, where dfxp files are handled by default.
PLUGIN
Shared Files
CVE-2024-13504
Risk Score
Threat Entry
Updated 2025-01-31
CVE-2024-13767 - Live 2d Plugin
The Live2DWebCanvas plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ClearFiles() function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
PLUGIN
Live 2d
CVE-2024-13767
Risk Score
Threat Entry
Updated 2025-01-30
CVE-2024-13720 - Wp Image Uploader Plugin
The WP Image Uploader plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the gky_image_uploader_main_function() function in all versions up to, and including, 1.0.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
PLUGIN
Wp Image Uploader
CVE-2024-13720
Risk Score
Threat Entry
Updated 2025-01-31
CVE-2024-13707 - Wp Image Uploader Plugin
The WP Image Uploader plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the gky_image_uploader_main_function() function. This makes it possible for unauthenticated attackers to delete arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Wp Image Uploader
CVE-2024-13707
Risk Score
Threat Entry
Updated 2025-01-31
CVE-2024-13671 - Music Sheet Viewer Plugin
The Music Sheet Viewer plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 4.1 via the read_score_file() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Music Sheet Viewer
CVE-2024-13671
Risk Score
Threat Entry
Updated 2025-01-31
CVE-2024-13646 - Single User Chat Plugin
The Single-user-chat plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to insufficient validation on the 'single_user_chat_update_login' function in all versions up to, and including, 0.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to update option values to 'login' on the WordPress site. This may be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values to true such…
PLUGIN
Single User Chat
CVE-2024-13646
Risk Score
Threat Entry
Updated 2025-02-28
CVE-2024-12821 - Media Manager Plugin
The Media Manager for UserPro plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the upm_upload_media() function in all versions up to, and including, 3.12.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
PLUGIN
Media Manager
CVE-2024-12821
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-12129 - Royal Core Plugin
The Royal Core plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'royal_restore_backup' function in all versions up to, and including, 2.9.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
PLUGIN
Royal Core
CVE-2024-12129
Risk Score
Threat Entry
Updated 2025-01-31
CVE-2024-12269 - Safe Ai Malware Protection For Wp Plugin
The Safe Ai Malware Protection for WP plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_db() function in all versions up to, and including, 1.0.17. This makes it possible for unauthenticated attackers to retrieve a complete dump of the site's database.
PLUGIN
Safe Ai Malware Protection For Wp
CVE-2024-12269
Risk Score
Threat Entry
Updated 2025-01-31
CVE-2024-11600 - Borderless Plugin
The Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.5.9 via the 'write_config' function. This is due to a lack of sanitization on an imported JSON file. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.
PLUGIN
Borderless
CVE-2024-11600
Risk Score
Threat Entry
Updated 2025-04-10
CVE-2024-10591 - Hubspot For Woocommerce Plugin
The MWB HubSpot for WooCommerce – CRM, Abandoned Cart, Email Marketing, Marketing Automation & Analytics plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hubwoo_save_updates() function in all versions up to, and including, 1.5.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain…
PLUGIN
Hubspot For Woocommerce
CVE-2024-10591
Risk Score
Threat Entry
Updated 2025-02-18
CVE-2024-13453 - Pirate Forms Plugin
The The Contact Form & SMTP Plugin for WordPress by PirateForms plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.6.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
PLUGIN
Pirate Forms
CVE-2024-13453
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-13694 - Woocommerce Wishlist Plugin
The WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.8.7 via the download_pdf_file() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to extract data from wishlists that they should not have access to.
PLUGIN
Woocommerce Wishlist
CVE-2024-13694
Risk Score
Threat Entry
Updated 2025-05-11
CVE-2024-12708 - Bulk Me Now Plugin
The Bulk Me Now! WordPress plugin through 2.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
Bulk Me Now
CVE-2024-12708
Risk Score
Threat Entry
Updated 2025-05-11
CVE-2024-12638 - Bulk Me Now Plugin
The Bulk Me Now! WordPress plugin through 2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Bulk Me Now
CVE-2024-12638
Risk Score
Threat Entry
Updated 2025-06-09
CVE-2024-12400 - Before 5 Plugin
The tourmaster WordPress plugin before 5.3.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting.
PLUGIN
Before 5
CVE-2024-12400
Risk Score
Threat Entry
Updated 2025-01-29
CVE-2024-13696 - Flexible Wishlist Plugin
The Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wishlist_name’ parameter in all versions up to, and including, 1.2.25 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Flexible Wishlist
CVE-2024-13696
Risk Score