Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-01-10
CVE-2024-12024 - Eventprime Plugin
The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the em_ticket_category_data and em_ticket_individual_data parameters in all versions up to, and including, 4.0.5.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrative user accesses an injected page. Note: this vulnerability requires the "Guest Submissions" setting to be enabled. It is disabled by default.
PLUGIN
Eventprime
CVE-2024-12024
Risk Score
Threat Entry
Updated 2024-12-17
CVE-2024-12293 - User Role Editor Plugin
The User Role Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.64.3. This is due to missing or incorrect nonce validation on the update_roles() function. This makes it possible for unauthenticated attackers to add or remove roles for arbitrary users, including escalating their privileges to administrator, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
User Role Editor
CVE-2024-12293
Risk Score
Threat Entry
Updated 2024-12-17
CVE-2024-9624 - Wp All Import Pro Plugin
The WP All Import Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.9.3 due to missing SSRF protection on the pmxi_curl_download function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. On cloud platforms, it might allow attackers to read the Instance metadata.
PLUGIN
Wp All Import Pro
CVE-2024-9624
Risk Score
Threat Entry
Updated 2024-12-16
CVE-2024-54391 - WordPress Core
Cross-Site Request Forgery (CSRF) vulnerability in Matt Walters WordPress Filter allows Stored XSS.This issue affects WordPress Filter: from n/a through 1.4.1.
CORE
WordPress Core
CVE-2024-54391
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2024-11721 - Frontend Admin Plugin
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.24.5. This is due to insufficient controls on the user role select field when utilizing the 'Role' field in a form. This makes it possible for unauthenticated attackers to create new administrative user accounts, even when the administrative user role has not been provided as an option to the user, granted that unauthenticated users have been provided access to the form.
PLUGIN
Frontend Admin
CVE-2024-11721
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2024-11720 - Frontend Admin Plugin
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via submission forms in all versions up to, and including, 3.24.5 due to insufficient input sanitization and output escaping on the new Taxonomy form. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable when lower-level users have been granted access to submit specific forms, which is disabled by default.
PLUGIN
Frontend Admin
CVE-2024-11720
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-11711 - Wp Job Portal Plugin
The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to SQL Injection via the 'resumeid' parameter in all versions up to, and including, 2.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Wp Job Portal
CVE-2024-11711
Risk Score
Threat Entry
Updated 2025-02-06
CVE-2024-10646 - Contact Form Plugin
The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form's subject parameter in all versions up to, and including, 5.2.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Contact Form
CVE-2024-10646
Risk Score
Threat Entry
Updated 2024-12-14
CVE-2024-9698 - Crafthemes Demo Import Plugin
The Crafthemes Demo Import plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'process_uploaded_files' function in all versions up to, and including, 3.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Crafthemes Demo Import
CVE-2024-9698
Risk Score
Threat Entry
Updated 2024-12-13
CVE-2024-54304 - WordPress Core
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Hive Support Hive Support – WordPress Help Desk allows SQL Injection.This issue affects Hive Support – WordPress Help Desk: from n/a through 1.1.2.
CORE
WordPress Core
CVE-2024-54304
Risk Score
Threat Entry
Updated 2024-12-13
CVE-2024-54274 - WordPress Core
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Octrace Studio WordPress HelpDesk & Support Ticket System Plugin – Octrace Support allows Reflected XSS.This issue affects WordPress HelpDesk & Support Ticket System Plugin – Octrace Support: from n/a through 1.2.7.
CORE
WordPress Core
CVE-2024-54274
Risk Score
Threat Entry
Updated 2024-12-13
CVE-2024-54233 - WordPress Core
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Enea Overclokk Advanced Control Manager for WordPress by ItalyStrap allows Reflected XSS.This issue affects Advanced Control Manager for WordPress by ItalyStrap: from n/a through 2.16.0.
CORE
WordPress Core
CVE-2024-54233
Risk Score
Threat Entry
Updated 2024-12-13
CVE-2024-10783 - Mainwp Child Plugin
The MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites plugin for WordPress is vulnerable to privilege escalation due to a missing authorization checks on the register_site function in all versions up to, and including, 5.2 when a site is left in an unconfigured state. This makes it possible for unauthenticated attackers to log in as an administrator on instances where MainWP Child is not yet connected to the MainWP Dashboard. IMPORTANT: this only affects sites who have MainWP Child installed and have not yet connected…
PLUGIN
Mainwp Child
CVE-2024-10783
Risk Score
Threat Entry
Updated 2024-12-12
CVE-2024-12312 - Print Science Designer Plugin
The Print Science Designer plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.152 via deserialization of untrusted input through the 'designer-saved-projects' cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
PLUGIN
Print Science Designer
CVE-2024-12312
Risk Score
Threat Entry
Updated 2024-12-12
CVE-2024-12172 - Education Courses Plugin
The WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpc_update_user_meta_option() function in all versions up to, and including, 3.2.21. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary user's metadata which can be levereged to block an administrator from accessing their site when wp_capabilities is set to 0.
PLUGIN
Education Courses
CVE-2024-12172
Risk Score
Threat Entry
Updated 2024-12-12
CVE-2024-12040 - Grid Ultimate For Woocommerce Plugin
The Product Carousel Slider & Grid Ultimate for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9.10 via the 'theme' attribute of the `wcpcsu` shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can…
PLUGIN
Grid Ultimate For Woocommerce
CVE-2024-12040
Risk Score
Threat Entry
Updated 2025-04-11
CVE-2024-11052 - Ninja Forms Plugin
The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the calculations parameter in all versions up to, and including, 3.8.19 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ninja Forms
CVE-2024-11052
Risk Score
Threat Entry
Updated 2025-05-17
CVE-2024-10499 - Ai Engine Plugin
The AI Engine WordPress plugin before 2.6.5 does not sanitize and escape a parameter from one of its RESP API endpoint before using it in a SQL statement, allowing admins to perform SQL injection attacks
PLUGIN
Ai Engine
CVE-2024-10499
Risk Score
Threat Entry
Updated 2024-12-12
CVE-2024-10910 - Grid Plus Plugin
The The Grid Plus – Unlimited grid layout plugin for WordPress is vulnerable to arbitrary shortcode execution via grid_plus_load_by_category AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
PLUGIN
Grid Plus
CVE-2024-10910
Risk Score
Threat Entry
Updated 2024-12-12
CVE-2024-10590 - Opt In Downloads Plugin
The Opt-In Downloads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the admin_upload() function in all versions up to, and including, 4.07. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Due to the presence of an .htaccess file, this can only be exploited to achieve RCE on NGINX servers, unless another vulnerability is present.
PLUGIN
Opt In Downloads
CVE-2024-10590
Risk Score