Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-05-11
CVE-2024-12749 - Competition Form Plugin
The Competition Form WordPress plugin through 2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Competition Form
CVE-2024-12749
Risk Score
Threat Entry
Updated 2025-01-30
CVE-2024-13509 - Ws Form Plugin
The WS Form LITE – Drag & Drop Contact Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the url parameter in all versions up to, and including, 1.10.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability is partially fixed in 1.10.13 and completely fixed in 1.10.14.
PLUGIN
Ws Form
CVE-2024-13509
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-11135 - Eventer Plugin
The Eventer plugin for WordPress is vulnerable to SQL Injection via the 'event' parameter in the 'eventer_get_attendees' function in all versions up to, and including, 3.9.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Eventer
CVE-2024-11135
Risk Score
Threat Entry
Updated 2025-05-07
CVE-2024-13094 - Wp Triggers Lite Plugin
The WP Triggers Lite WordPress plugin through 2.5.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Wp Triggers Lite
CVE-2024-13094
Risk Score
Threat Entry
Updated 2025-05-07
CVE-2024-13057 - Dyn Business Panel Plugin
The Dyn Business Panel WordPress plugin through 1.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
PLUGIN
Dyn Business Panel
CVE-2024-13057
Risk Score
Threat Entry
Updated 2025-05-07
CVE-2024-13056 - Dyn Business Panel Plugin
The Dyn Business Panel WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Dyn Business Panel
CVE-2024-13056
Risk Score
Threat Entry
Updated 2025-05-07
CVE-2024-13055 - Dyn Business Panel Plugin
The Dyn Business Panel WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Dyn Business Panel
CVE-2024-13055
Risk Score
Threat Entry
Updated 2025-05-07
CVE-2024-12773 - Altra Side Menu Plugin
The Altra Side Menu WordPress plugin through 2.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
PLUGIN
Altra Side Menu
CVE-2024-12773
Risk Score
Threat Entry
Updated 2025-05-13
CVE-2024-13052 - Dental Optimizer Patient Generator App Plugin
The Dental Optimizer Patient Generator App WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Dental Optimizer Patient Generator App
CVE-2024-13052
Risk Score
Threat Entry
Updated 2025-05-13
CVE-2024-12321 - Wc Affiliate Plugin
The WC Affiliate WordPress plugin through 2.3.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Wc Affiliate
CVE-2024-12321
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-11936 - Zox News Plugin
The Zox News theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'backup_options' and 'restore_options' function in all versions up to, and including, 3.16.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
PLUGIN
Zox News
CVE-2024-11936
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-11641 - Vikbooking Hotel Booking Engine Pms Plugin
The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.2. This is due to missing or incorrect nonce validation on the 'save' function. This makes it possible for unauthenticated attackers to change plugin access privileges via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows attackers with subscriber-level privileges and above to upload arbitrary files on the affected site's server which may…
PLUGIN
Vikbooking Hotel Booking Engine Pms
CVE-2024-11641
Risk Score
Threat Entry
Updated 2025-01-26
CVE-2024-10633 - WordPress Core
The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency). This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
CORE
WordPress Core
CVE-2024-10633
Risk Score
Threat Entry
Updated 2025-09-27
CVE-2024-10628 - Quiz Maker Plugin
The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to SQL Injection via the ‘id’ parameter in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency) due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: The three…
PLUGIN
Quiz Maker
CVE-2024-10628
Risk Score
Threat Entry
Updated 2025-01-26
CVE-2024-10574 - WordPress Core
The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ays_save_google_credentials' function in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency). This makes it possible for unauthenticated attackers to modify the Google Sheets integration credentials within the plugin's settings. Because the 'client_id' parameter is not sanitized or escaped when used in output, this vulnerability could also be leveraged to inject arbitrary web…
CORE
WordPress Core
CVE-2024-10574
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-13562 - Import Wp Plugin
The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.14.5 via the uploads directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/ directory which can contain information like imported or local user data and files.
PLUGIN
Import Wp
CVE-2024-13562
Risk Score
Threat Entry
Updated 2025-01-25
CVE-2024-12600 - Custom Product Tabs Lite For Woocommerce Plugin
The Custom Product Tabs Lite for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.0 via deserialization of untrusted input from the 'frs_woo_product_tabs' parameter. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data,…
PLUGIN
Custom Product Tabs Lite For Woocommerce
CVE-2024-12600
Risk Score
Threat Entry
Updated 2025-08-08
CVE-2025-0682 - Addons Plugin
The ThemeREX Addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.0 via the 'trx_sc_reviews' shortcode 'type' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
PLUGIN
Addons
CVE-2025-0682
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2025-24659 - Premium Packages Plugin
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WordPress Download Manager Premium Packages allows Blind SQL Injection. This issue affects Premium Packages: from n/a through 5.9.6.
PLUGIN
Premium Packages
CVE-2025-24659
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-13409 - Post Grid Slider Carousel Ultimate Plugin
The Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.10 via the 'theme' parameter of the post_type_ajax_handler() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images…
PLUGIN
Post Grid Slider Carousel Ultimate
CVE-2024-13409
Risk Score