Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Severity counts: Total 3,044 | Critical 0 | High 3,044 | Medium 0
Showing 1701-1720 of 3044 records
Threat Entry Updated 2024-10-30

CVE-2024-9061 - Wp Popup Builder Plugin

The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. NOTE: This vulnerability was partially fixed in version 1.3.5 with a nonce check, which effectively prevented access to the affected function. However, version…

PLUGIN Wp Popup Builder

CVE-2024-9061

HIGH CVSS 7.3 2024-10-16
Threat Entry Updated 2024-10-30

CVE-2021-4452 - Google Language Translator Plugin

The Google Language Translator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via multiple parameters in versions up to, and including, 6.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Specifically affects users with older browsers that lack proper URL encoding support.

PLUGIN Google Language Translator

CVE-2021-4452

HIGH CVSS 7.1 2024-10-16
Threat Entry Updated 2024-10-17

CVE-2024-8507 - File Manager Plugin

The File Manager Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.3.9. This is due to missing or incorrect nonce validation on the 'mk_file_folder_manager' ajax action. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN File Manager

CVE-2024-8507

HIGH CVSS 8.8 2024-10-16
Threat Entry Updated 2024-10-17

CVE-2024-8746 - File Manager Plugin

The File Manager Pro plugin for WordPress is vulnerable to arbitrary backup file downloads and uploads due to missing file type validation via the 'mk_file_folder_manager_shortcode' ajax action in all versions up to, and including, 8.3.9. This makes it possible for unauthenticated attackers, if granted access to the File Manager by an administrator, to download and upload arbitrary backup files on the affected site's server which may make remote code execution possible.

PLUGIN File Manager

CVE-2024-8746

HIGH CVSS 7.5 2024-10-16
Threat Entry Updated 2024-10-17

CVE-2024-8918 - File Manager Plugin

The File Manager Pro plugin for WordPress is vulnerable to Limited JavaScript File Upload in all versions up to, and including, 8.3.9. This is due to a lack of proper checks on allowed file types. This makes it possible for unauthenticated attackers, with permissions granted by an administrator, to upload .css and .js files, which could lead to Stored Cross-Site Scripting.

PLUGIN File Manager

CVE-2024-8918

HIGH CVSS 7.4 2024-10-16
Threat Entry Updated 2024-10-17

CVE-2023-7294 - Donations Plugin

The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the create_mollie_profile function in versions up to, and including, 4.3.7. This makes it possible for authenticated attackers with subscriber-level access to create a Mollie payment profile.

PLUGIN Donations

CVE-2023-7294

HIGH CVSS 7.1 2024-10-16
Threat Entry Updated 2024-10-17

CVE-2023-7291 - Donations Plugin

The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_mollie_account function in versions up to, and including, 4.3.7. This makes it possible for authenticated attackers with subscriber-level access to set up a Mollie account.

PLUGIN Donations

CVE-2023-7291

HIGH CVSS 7.1 2024-10-16
Threat Entry Updated 2024-10-30

CVE-2021-4450 - Post Grid Plugin

The Post Grid plugin for WordPress is vulnerable to blind SQL Injection via post metadata in versions up to, and including, 2.1.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level permissions and above to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Post Grid

CVE-2021-4450

HIGH CVSS 8.8 2024-10-16
Threat Entry Updated 2025-01-10

CVE-2021-4447 - Essential Addons For Elementor Plugin

The Essential Addons for Elementor plugin for WordPress is vulnerable to privilege escalation in versions up to and including 4.6.4 due to a lack of restrictions on who can add a registration form and a custom registration role to an Elementor created page. This makes it possible for attackers with access to the Elementor page builder to create a new registration form that defaults to the user role being set to administrator and subsequently register as an administrative user.

PLUGIN Essential Addons For Elementor

CVE-2021-4447

HIGH CVSS 8.8 2024-10-16
Threat Entry Updated 2024-10-30

CVE-2021-4448 - Kaswara Modern Vc Addons Plugin

The Kaswara Modern VC Addons plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.0.1 due to insufficient capability checking on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of unauthorized actions such as importing data, uploading arbitrary files, deleting arbitrary files, and more.

PLUGIN Kaswara Modern Vc Addons

CVE-2021-4448

HIGH CVSS 7.3 2024-10-16
Threat Entry Updated 2024-10-16

CVE-2021-4444 - product_filter Plugin

The Product Filter by WooBeWoo plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.4.9 due to missing authorization checks on various functions. This makes it possible for unauthenticated attackers to perform unauthorized actions such as creating new filters and injecting malicious JavaScript into a vulnerable site. This was actively exploited at the time of discovery.

PLUGIN product_filter

CVE-2021-4444

HIGH CVSS 7.3 2024-10-16
Threat Entry Updated 2025-05-17

CVE-2024-9305 - Apppresser Plugin

The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.4.4. This is due to the appp_reset_password() and validate_reset_password() functions not having enough controls to prevent a successful brute force attack of the OTP to change a password, or verify that a password reset request came from an authorized user. This makes it possible for unauthenticated attackers to generate and brute force an OTP that makes it possible to change any user's password, including an administrator's.

PLUGIN Apppresser

CVE-2024-9305

HIGH CVSS 8.1 2024-10-16
Threat Entry Updated 2024-10-15

CVE-2024-9837 - Auto Date Year Month Plugin

The AADMY – Add Auto Date Month Year Into Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN Auto Date Year Month

CVE-2024-9837

HIGH CVSS 7.3 2024-10-15
Threat Entry Updated 2024-10-17

CVE-2024-9687 - Wp 2fa With Telegram Plugin

The WP 2FA with Telegram plugin for WordPress is vulnerable to Authentication Bypass in versions up to, and including, 3.0. This is due to insufficient validation of the user-controlled key on the 'validate_tg' action. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator.

PLUGIN Wp 2fa With Telegram

CVE-2024-9687

HIGH CVSS 8.8 2024-10-15
Threat Entry Updated 2024-10-17

CVE-2024-9548 - Slimstat Analytics Plugin

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the resource parameter in all versions up to, and including, 5.2.6 due to insufficient input sanitization and output escaping when logging visitor requests. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Slimstat Analytics

CVE-2024-9548

HIGH CVSS 7.2 2024-10-15
Threat Entry Updated 2024-10-15

CVE-2024-8757 - And Custom User Registration Form Builder Plugin

The WP Post Author – Boost Your Blog's Engagement with Author Box, Social Links, Co-Authors, Guest Authors, Post Rating System, and Custom User Registration Form Builder plugin for WordPress is vulnerable to time-based SQL Injection via the linked_user_id parameter in all versions up to, and including, 3.8.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be…

PLUGIN And Custom User Registration Form Builder

CVE-2024-8757

HIGH CVSS 7.2 2024-10-12
Threat Entry Updated 2024-10-15

CVE-2024-9821 - Bot For Telegram On Woocommerce Plugin

The Bot for Telegram on WooCommerce plugin for WordPress is vulnerable to sensitive information disclosure due to missing authorization checks on the 'stm_wpcfto_get_settings' AJAX action in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to view the Telegram Bot Token, a secret token used to control the bot, which can then be used to log in as any existing user on the site, such as an administrator, if they know the username, due to the Login with Telegram feature.

PLUGIN Bot For Telegram On Woocommerce

CVE-2024-9821

HIGH CVSS 8.8 2024-10-12
Threat Entry Updated 2024-10-15

CVE-2024-9156 - Ti Woocommerce Wishlist Plugin

The TI WooCommerce Wishlist WordPress plugin through 2.8.2 is vulnerable to SQL Injection due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Ti Woocommerce Wishlist

CVE-2024-9156

HIGH CVSS 7.5 2024-10-10
Threat Entry Updated 2024-10-15

CVE-2024-9022 - Ts Poll Plugin

The TS Poll – Survey, Versus Poll, Image Poll, Video Poll plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Ts Poll

CVE-2024-9022

HIGH CVSS 7.2 2024-10-10
Threat Entry Updated 2024-10-15

CVE-2024-9522 - Wp Users Masquerade Plugin

The WP Users Masquerade plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.0. This is due to incorrect authentication and capability checking in the 'ajax_masq_login' function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator.

PLUGIN Wp Users Masquerade

CVE-2024-9522

HIGH CVSS 8.8 2024-10-10