Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-10-04

CVE-2024-7149 - Eventin Plugin

The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.8 via multiple style parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

PLUGIN Eventin

CVE-2024-7149

HIGH CVSS 8.8 2024-09-27
Threat Entry Updated 2024-10-04

CVE-2024-6931 - The Events Calendar Plugin

The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the RSVP name field in all versions up to, and including, 6.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN The Events Calendar

CVE-2024-6931

HIGH CVSS 7.2 2024-09-27
Threat Entry Updated 2024-10-04

CVE-2024-9130 - Givewp Plugin

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter in all versions up to, and including, 3.16.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with GiveWP Manager-level access and above, to append additional SQL queries into already existing queries within the Legacy View mode, that can be used to extract sensitive information from the database.

PLUGIN Givewp

CVE-2024-9130

HIGH CVSS 7.2 2024-09-27
Threat Entry Updated 2024-10-04

CVE-2024-8922 - Product Enquiry For Woocommerce Plugin

The Product Enquiry for WooCommerce, WooCommerce product catalog plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.2.33.32 via deserialization of untrusted input in enquiry_detail.php. This makes it possible for authenticated attackers, with Author-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute…

PLUGIN Product Enquiry For Woocommerce

CVE-2024-8922

HIGH CVSS 8.8 2024-09-27
Threat Entry Updated 2024-10-07

CVE-2024-7714 - Ai Chatbot With Chatgpt And Content Generator By Ays Plugin

The AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0 lacks sufficient access controls, allowing an unauthenticated user to disconnect the plugin from OpenAI and thereby disable it. Multiple actions are accessible: 'ays_chatgpt_disconnect', 'ays_chatgpt_connect', and 'ays_chatgpt_save_feedback'.

PLUGIN Ai Chatbot With Chatgpt And Content Generator By Ays

CVE-2024-7714

HIGH CVSS 7.5 2024-09-27
Threat Entry Updated 2024-10-01

CVE-2024-8126 - Advanced File Manager Plugin

The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads via the 'class_fma_connector.php' file in all versions up to, and including, 5.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to upload a new .htaccess file allowing them to subsequently upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Advanced File Manager

CVE-2024-8126

HIGH CVSS 7.5 2024-09-26
Threat Entry Updated 2024-10-01

CVE-2024-8704 - Advanced File Manager Plugin

The Advanced File Manager plugin for WordPress is vulnerable to Local JavaScript File Inclusion in all versions up to, and including, 5.2.8 via the 'fma_locale' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

PLUGIN Advanced File Manager

CVE-2024-8704

HIGH CVSS 7.2 2024-09-26
Threat Entry Updated 2024-10-02

CVE-2024-7781 - Jupiter X Core Plugin

The Jupiter X Core plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.7.5. This is due to improper authentication via the Social Login widget. This makes it possible for unauthenticated attackers to log in as the first user to have logged in with a social media account, including administrator accounts. Attackers can exploit the vulnerability even if the Social Login element has been disabled, as long as it was previously enabled and used. The vulnerability was partially patched in version 4.7.5, and fully…

PLUGIN Jupiter X Core

CVE-2024-7781

HIGH CVSS 8.1 2024-09-26
Threat Entry Updated 2024-10-02

CVE-2024-8290 - Frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible Plugin

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.12 via the WCFM_Customers_Manage_Controller::processing function due to missing validation on the user-controlled ID key. This makes it possible for authenticated attackers, with subscriber/customer-level access and above, to change the email address of administrator user accounts, which allows them to reset the password and access the administrator account.

PLUGIN Frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible

CVE-2024-8290

HIGH CVSS 8.8 2024-09-25
Threat Entry Updated 2024-10-02

CVE-2024-8484 - Rest Api To Miniprogram Plugin

The REST API TO MiniProgram plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/watch-life-net/v1/comment/getcomments REST API endpoint in all versions up to, and including, 4.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Rest Api To Miniprogram

CVE-2024-8484

HIGH CVSS 7.5 2024-09-25
Threat Entry Updated 2024-12-26

CVE-2024-8481 - The Special Text Boxes Plugin

The Special Text Boxes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 6.2.2. This is due to the plugin adding the filter add_filter('comment_text', 'do_shortcode');, which runs all shortcodes in comments. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN The Special Text Boxes

CVE-2024-8481

HIGH CVSS 7.3 2024-09-25
Threat Entry Updated 2024-10-02

CVE-2024-8349 - Uncanny Groups For Learndash Plugin

The Uncanny Groups for LearnDash plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 6.1.0.1. This is due to the plugin not properly restricting what users a group leader can edit. This makes it possible for authenticated attackers, with group leader-level access and above, to change admin account email addresses which can subsequently lead to admin account access.

PLUGIN Uncanny Groups For Learndash

CVE-2024-8349

HIGH CVSS 7.2 2024-09-25
Threat Entry Updated 2024-10-02

CVE-2024-7617 - Contact Form To Any Api Plugin

The Contact Form to Any API plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Contact Form 7 form fields in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Contact Form To Any Api

CVE-2024-7617

HIGH CVSS 7.2 2024-09-25
Threat Entry Updated 2025-12-31

CVE-2024-8914 - Thanh Toan Quet Ma Qr Code Tu Dong Plugin

The Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.1 due to incorrect use of the wp_kses_allowed_html function, which allows the 'onclick' attribute for certain HTML elements without sufficient restriction or context validation. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Thanh Toan Quet Ma Qr Code Tu Dong

CVE-2024-8914

HIGH CVSS 7.2 2024-09-25
Threat Entry Updated 2024-09-26

CVE-2024-8623 - Wordpress Meta Data And Taxonomies Filter Plugin

The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.3.3.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN Wordpress Meta Data And Taxonomies Filter

CVE-2024-8623

HIGH CVSS 7.3 2024-09-24
Threat Entry Updated 2024-09-26

CVE-2024-8795 - Ba Book Everything Plugin

The BA Book Everything plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.20. This is due to missing or incorrect nonce validation on the my_account_update() function. This makes it possible for unauthenticated attackers to update a user's account details via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. This can be leveraged to reset a user's password and gain access to their account.

PLUGIN Ba Book Everything

CVE-2024-8795

HIGH CVSS 8.8 2024-09-24
Threat Entry Updated 2024-09-27

CVE-2024-8761 - Share This Image Plugin

The Share This Image plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 2.03. This is due to insufficient validation on the redirect URL supplied via the link parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

PLUGIN Share This Image

CVE-2024-8761

HIGH CVSS 7.2 2024-09-17
Threat Entry Updated 2024-09-27

CVE-2024-8490 - Propertyhive Plugin

The PropertyHive plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.19. This is due to missing or incorrect nonce validation on the 'save_account_details' function. This makes it possible for unauthenticated attackers to edit the name, email address, and password of an administrator account via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Propertyhive

CVE-2024-8490

HIGH CVSS 8.8 2024-09-17
Threat Entry Updated 2024-09-27

CVE-2024-6482 - Login With Phone Number Plugin

The Login with phone number plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.7.49. This is due to a lack of validation and missing capability check on user-supplied data in the 'lwp_update_password_action' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to any other role, including Administrator. The vulnerability was partially patched in version 1.7.40. The login with phone number pro plugin was required to exploit the vulnerability in versions 1.7.40 - 1.7.49.

PLUGIN Login With Phone Number

CVE-2024-6482

HIGH CVSS 8.8 2024-09-14