
"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3,044 (Critical: 0, High: 3,044, Medium: 0)
Showing 1641-1660 of 3044 records
Threat Entry Updated 2024-11-18

CVE-2024-9935 - Pdf Generator Addon For Elementor Page Builder Plugin

The PDF Generator Addon for Elementor Page Builder plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.5 via the rtw_pgaepb_dwnld_pdf() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Pdf Generator Addon For Elementor Page Builder

CVE-2024-9935

HIGH CVSS 7.5 2024-11-16
Threat Entry Updated 2024-11-18

CVE-2024-9849 - Real3d Flipbook Lite Plugin

The 3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'r3dfb_save_thumbnail_callback' function in all versions up to, and including, 4.6. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Real3d Flipbook Lite

CVE-2024-9849

HIGH CVSS 8.8 2024-11-16
Threat Entry Updated 2024-11-18

CVE-2024-9839 - The Uix Slideshow Plugin

The Uix Slideshow plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.6.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN The Uix Slideshow

CVE-2024-9839

HIGH CVSS 7.3 2024-11-16
Threat Entry Updated 2024-11-18

CVE-2024-9192 - Wordpress Video Robot The Ultimate Video Importer Plugin

The WordPress Video Robot - The Ultimate Video Importer plugin for WordPress is vulnerable to privilege escalation due to insufficient validation on user meta that can be updated in the wpvr_rate_request_result() function in all versions up to, and including, 1.20.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their user meta on a WordPress site. This can be leveraged to update their capabilities to that of an administrator.

PLUGIN Wordpress Video Robot The Ultimate Video Importer

CVE-2024-9192

HIGH CVSS 8.8 2024-11-16
Threat Entry Updated 2024-11-19

CVE-2024-8979 - Essential Addons For Elementor Plugin

The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.9 via the 'init_content_lostpassword_user_email_controls' function. This makes it possible for authenticated attackers, with Author-level access and above, to extract sensitive data including usernames and passwords of any user, including Administrators, as long as that user opens the email notification for a password change request and images are not blocked by the email client.

PLUGIN Essential Addons For Elementor

CVE-2024-8979

HIGH CVSS 8.0 2024-11-15
Threat Entry Updated 2024-11-19

CVE-2024-10311 - External Database Based Actions Plugin

The External Database Based Actions plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.1. This is due to a missing capability check in the 'edba_admin_handle' function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to update the plugin settings and log in as any existing user on the site, such as an administrator.

PLUGIN External Database Based Actions

CVE-2024-10311

HIGH CVSS 7.5 2024-11-15
Threat Entry Updated 2024-11-19

CVE-2024-10793 - Wp Activity Log Plugin

The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user_id parameter in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrative user accesses an injected page.

PLUGIN Wp Activity Log

CVE-2024-10793

HIGH CVSS 7.2 2024-11-15
Threat Entry Updated 2024-11-19

CVE-2024-10260 - Tripetto Plugin

The Tripetto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 8.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the file.

PLUGIN Tripetto

CVE-2024-10260

HIGH CVSS 7.2 2024-11-15
Threat Entry Updated 2025-02-27

CVE-2024-10962 - Migration Backup Staging Plugin

The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.9.107 via deserialization of untrusted input in the 'replace_row_data' and 'replace_serialize_data' functions. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator…

PLUGIN Migration Backup Staging

CVE-2024-10962

HIGH CVSS 8.8 2024-11-14
Threat Entry Updated 2025-05-15

CVE-2024-9186 - Marketing Automation By Funnelkit Plugin

The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit WordPress plugin before 3.3.0 does not sanitize and escape the bwfan-track-id parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks.

PLUGIN Marketing Automation By Funnelkit

CVE-2024-9186

HIGH CVSS 8.6 2024-11-14
Threat Entry Updated 2024-11-19

CVE-2024-10800 - User Extra Fields Plugin

The WordPress User Extra Fields plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the ajax_save_fields() function in all versions up to, and including, 16.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to add custom fields that can be updated and then use the check_and_overwrite_wp_or_woocommerce_fields function to update the wp_capabilities field to have administrator privileges.

PLUGIN User Extra Fields

CVE-2024-10800

HIGH CVSS 8.8 2024-11-13
Threat Entry Updated 2024-11-19

CVE-2024-10828 - Advanced Order Export For Woocommerce Plugin

The Advanced Order Export For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.5 via deserialization of untrusted input during Order export when the "Try to convert serialized values" option is enabled. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Advanced Order Export For Woocommerce

CVE-2024-10828

HIGH CVSS 8.1 2024-11-13
Threat Entry Updated 2024-11-13

CVE-2024-10816 - Luna Radio Player Plugin

The LUNA RADIO PLAYER plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 6.24.01.24 via the js/fallback.php file. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Luna Radio Player

CVE-2024-10816

HIGH CVSS 7.5 2024-11-13
Threat Entry Updated 2025-02-05

CVE-2024-10174 - Wp Project Manager Plugin

The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.13 via the 'Abstract_Permission' class due to missing validation on the 'user_id' user controlled key. This makes it possible for unauthenticated attackers to spoof their identity to that of an administrator and access all of the plugin's REST routes.

PLUGIN Wp Project Manager

CVE-2024-10174

HIGH CVSS 7.3 2024-11-13
Threat Entry Updated 2024-11-13

CVE-2024-10629 - Gpx Viewer Plugin

The GPX Viewer plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check and file type validation in the gpxv_file_upload() function in all versions up to, and including, 2.2.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Gpx Viewer

CVE-2024-10629

HIGH CVSS 8.8 2024-11-13
Threat Entry Updated 2024-11-14

CVE-2024-10958 - The Wp Photo Album Plus Plugin

The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution via the getshortcodedrenderedfenodelay AJAX action in all versions up to, and including, 8.8.08.007. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN The Wp Photo Album Plus

CVE-2024-10958

HIGH CVSS 7.3 2024-11-10
Threat Entry Updated 2024-11-12

CVE-2024-51702 - WordPress Core

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Benjamin Moody, Eric Holmes SrcSet Responsive Images for WordPress allows Reflected XSS. This issue affects SrcSet Responsive Images for WordPress: from n/a through 1.4.

CORE WordPress Core

CVE-2024-51702

HIGH CVSS 7.1 2024-11-09
Threat Entry Updated 2024-11-12

CVE-2024-10640 - Currency Switcher Professional For Woocommerce Plugin

The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN Currency Switcher Professional For Woocommerce

CVE-2024-10640

HIGH CVSS 7.3 2024-11-09
Threat Entry Updated 2024-11-12

CVE-2024-51708 - WordPress Core

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Narnoo Wordpress developer Narnoo Commerce Manager allows Reflected XSS. This issue affects Narnoo Commerce Manager: from n/a through 1.6.0.

CORE WordPress Core

CVE-2024-51708

HIGH CVSS 7.1 2024-11-09
Threat Entry Updated 2025-01-29

CVE-2024-10261 - Membership Content Restriction Paid Member Subscriptions Plugin

The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.13.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN Membership Content Restriction Paid Member Subscriptions

CVE-2024-10261

HIGH CVSS 7.3 2024-11-09