Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-11-12

CVE-2024-10674 - Th Shop Mania Theme

The Th Shop Mania theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the th_shop_mania_install_and_activate_callback() function in all versions up to, and including, 1.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins which can be leveraged to exploit other vulnerabilities and achieve remote code execution and privilege escalation.

THEME Th Shop Mania

CVE-2024-10674

HIGH CVSS 8.8 2024-11-09
Threat Entry Updated 2024-11-12

CVE-2024-10673 - Top Store Theme

The Top Store theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the top_store_install_and_activate_callback() function in all versions up to, and including, 1.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins which can contain other exploitable vulnerabilities to elevate privileges and gain remote code execution.

THEME Top Store

CVE-2024-10673

HIGH CVSS 8.8 2024-11-09
Threat Entry Updated 2025-05-28

CVE-2024-10626 - Woocommerce Support Ticket System Plugin

The WooCommerce Support Ticket System plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_uploaded_file() function in all versions up to, and including, 17.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Woocommerce Support Ticket System

CVE-2024-10626

HIGH CVSS 8.8 2024-11-09
Threat Entry Updated 2024-11-08

CVE-2024-9946 - Super Socializer Plugin

The Social Share, Social Login and Social Comments Plugin – Super Socializer plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.13.68. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, if they have access to the email and the user does not have an already-existing account for the service returning the token. An attacker cannot authenticate as an administrator…

PLUGIN Super Socializer

CVE-2024-9946

HIGH CVSS 8.1 2024-11-06
Threat Entry Updated 2024-11-08

CVE-2024-10020 - Social Login Plugin

The Heateor Social Login WordPress plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.1.35. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, if they have access to the email and the user does not have an already-existing account for the service returning the token. An attacker cannot authenticate as an administrator by default, but these accounts are also…

PLUGIN Social Login

CVE-2024-10020

HIGH CVSS 8.1 2024-11-06
Threat Entry Updated 2024-11-08

CVE-2024-10028 - Everest Backup Plugin

The Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.13 via the exposed process stats file during the backup process. This makes it possible for unauthenticated attackers to obtain an archive file name and download the site's backup.

PLUGIN Everest Backup

CVE-2024-10028

HIGH CVSS 7.5 2024-11-06
Threat Entry Updated 2024-11-08

CVE-2024-10263 - Tickera Plugin

The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.5.4.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN Tickera

CVE-2024-10263

HIGH CVSS 7.3 2024-11-05
Threat Entry Updated 2024-11-07

CVE-2024-10711 - Woocommerce Report Plugin

The WooCommerce Report plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.1. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update arbitrary options that can be leveraged for privilege escalation via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Woocommerce Report

CVE-2024-10711

HIGH CVSS 8.8 2024-11-05
Threat Entry Updated 2025-08-01

CVE-2024-10114 - Woocommerce Social Login Plugin

The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.7.7. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.

PLUGIN Woocommerce Social Login

CVE-2024-10114

HIGH CVSS 8.1 2024-11-05
Threat Entry Updated 2024-11-06

CVE-2024-10097 - Loginizer Plugin

The Loginizer Security and Loginizer plugins for WordPress are vulnerable to authentication bypass in all versions up to, and including, 1.9.2. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.

PLUGIN Loginizer

CVE-2024-10097

HIGH CVSS 8.1 2024-11-05
Threat Entry Updated 2024-11-01

CVE-2024-43235 - WordPress Core

Missing Authorization vulnerability in MetaBox.Io Meta Box – WordPress Custom Fields Framework allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Meta Box – WordPress Custom Fields Framework: from n/a through 5.9.10.

CORE WordPress Core

CVE-2024-43235

HIGH CVSS 7.1 2024-11-01
Threat Entry Updated 2024-11-01

CVE-2024-10108 - Wpadverts Plugin

The WPAdverts – Classifieds Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's adverts_add shortcode in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wpadverts

CVE-2024-10108

HIGH CVSS 7.2 2024-10-30
Threat Entry Updated 2024-11-06

CVE-2024-9846 - Enable Shortcodes Inside Widgets Comments And Experts Plugin

The Enable Shortcodes inside Widgets, Comments and Experts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN Enable Shortcodes Inside Widgets Comments And Experts

CVE-2024-9846

HIGH CVSS 7.3 2024-10-30
Threat Entry Updated 2024-11-06

CVE-2024-9990 - Crypto Tool Plugin

The Crypto plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.15. This is due to missing nonce validation in the 'crypto_connect_ajax_process::check' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Crypto Tool

CVE-2024-9990

HIGH CVSS 8.8 2024-10-29
Threat Entry Updated 2024-11-08

CVE-2024-7985 - Fileorganizer Plugin

The FileOrganizer – Manage WordPress and Website Files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the "fileorganizer_ajax_handler" function in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: The FileOrganizer Pro plugin must be installed and active to allow Subscriber+ users to upload files.

PLUGIN Fileorganizer

CVE-2024-7985

HIGH CVSS 7.5 2024-10-29
Threat Entry Updated 2024-10-29

CVE-2024-10436 - Wpc Smart Messages Plugin

The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.2.1 via the get_condition_value function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

PLUGIN Wpc Smart Messages

CVE-2024-10436

HIGH CVSS 8.8 2024-10-29
Threat Entry Updated 2025-05-17

CVE-2024-10008 - Masteriyo Plugin

The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to unauthorized user profile modification due to missing authorization checks on the /wp-json/masteriyo/v1/users/$id REST API endpoint in all versions up to, and including, 1.13.3. This makes it possible for authenticated attackers, with student-level access and above, to modify the roles of arbitrary users. As a result, attackers can escalate their privileges to the Administrator and demote existing administrators to students.

PLUGIN Masteriyo

CVE-2024-10008

HIGH CVSS 8.8 2024-10-29
Threat Entry Updated 2024-10-29

CVE-2024-50450 - Wordpress Meta Data And Taxonomies Filter Plugin

Improper Control of Generation of Code ('Code Injection') vulnerability in realmag777 WordPress Meta Data and Taxonomies Filter (MDTF) allows Code Injection. This issue affects WordPress Meta Data and Taxonomies Filter (MDTF): from n/a through 1.3.3.4.

PLUGIN Wordpress Meta Data And Taxonomies Filter

CVE-2024-50450

HIGH CVSS 7.3 2024-10-28
Threat Entry Updated 2024-10-28

CVE-2024-9162 - All In One Wp Migration Plugin

The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to arbitrary PHP Code Injection due to missing file type validation during the export in all versions up to, and including, 7.86. This makes it possible for authenticated attackers, with Administrator-level access and above, to create an export file with the .php extension on the affected site's server and add arbitrary PHP code to it, which may make remote code execution possible.

PLUGIN All In One Wp Migration

CVE-2024-9162

HIGH CVSS 7.2 2024-10-28
Threat Entry Updated 2025-02-05

CVE-2024-10402 - Forminator Forms Plugin

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.35.1. This makes it possible for authenticated attackers, with Contributor-level access and above, and permissions granted by an Administrator, to create new or edit existing forms, including updating the default registration role to Administrator on User Registration forms.

PLUGIN Forminator Forms

CVE-2024-10402

HIGH CVSS 7.5 2024-10-26