
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total records: 3,044 (Critical: 0, High: 3,044, Medium: 0)
Showing 1761-1780 of 3044 records
Threat Entry Updated 2024-09-26

CVE-2024-8246 - Buddyforms Plugin

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.8.11. This is due to the plugin not properly restricting which users are allowed to set the default role on registration forms. This makes it possible for authenticated attackers, with contributor-level access and above, to create a registration form with a custom role that allows them to register as administrators.

PLUGIN Buddyforms

CVE-2024-8246

HIGH CVSS 8.8 2024-09-14
Threat Entry Updated 2024-09-27

CVE-2024-8479 - The Simple Spoiler Plugin

The The Simple Spoiler plugin for WordPress is vulnerable to arbitrary shortcode execution in versions 1.2 to 1.3. This is due to the plugin adding the filter add_filter('comment_text', 'do_shortcode'); which will run all shortcodes in comments. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN The Simple Spoiler

CVE-2024-8479

HIGH CVSS 7.3 2024-09-14
Threat Entry Updated 2024-09-27

CVE-2024-8271 - Fox Currency Switcher Professional For Woocommerce Plugin

The The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode in the 'woocs_get_custom_price_html' function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN Fox Currency Switcher Professional For Woocommerce

CVE-2024-8271

HIGH CVSS 7.3 2024-09-14
Threat Entry Updated 2024-09-18

CVE-2024-8269 - Mstore Api Plugin

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 4.15.3. This is due to the plugin not checking that user registration is enabled prior to creating a user account through the register() function. This makes it possible for unauthenticated attackers to create user accounts on sites, even when user registration is disabled and plugin functionality is not activated.

PLUGIN Mstore Api

CVE-2024-8269

HIGH CVSS 7.3 2024-09-13
Threat Entry Updated 2024-09-26

CVE-2024-7423 - Stream Plugin

The Stream plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.0.1. This is due to missing or incorrect nonce validation on the network_options_action() function. This makes it possible for unauthenticated attackers to update arbitrary options that can lead to DoS or privilege escalation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Stream

CVE-2024-7423

HIGH CVSS 8.8 2024-09-13
Threat Entry Updated 2025-09-15

CVE-2024-7129 - Appointment Booking Calendar Plugin

The Appointment Booking Calendar WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig Template Injection, which can be further exploited to achieve remote code execution by high-privilege users such as admins.

PLUGIN Appointment Booking Calendar

CVE-2024-7129

HIGH CVSS 7.2 2024-09-13
Threat Entry Updated 2024-09-26

CVE-2024-7766 - Adicon Server Plugin

The Adicon Server WordPress plugin through 1.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.

PLUGIN Adicon Server

CVE-2024-7766

HIGH CVSS 7.2 2024-09-12
Threat Entry Updated 2024-09-25

CVE-2024-7626 - Wp Delicious Plugin

The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file movement and reading due to insufficient file path validation in the save_edit_profile_details() function in all versions up to, and including, 1.6.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). This can also lead to the reading of arbitrary files that may contain…

PLUGIN Wp Delicious

CVE-2024-7626

HIGH CVSS 8.1 2024-09-11
Threat Entry Updated 2024-09-25

CVE-2024-8253 - Post Grid Plugin

The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable to privilege escalation in all versions 2.2.87 to 2.2.90. This is due to the plugin not properly restricting what user meta values can be updated and ensuring a form is active. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their user meta to become an administrator.

PLUGIN Post Grid

CVE-2024-8253

HIGH CVSS 8.8 2024-09-11
Threat Entry Updated 2024-09-26

CVE-2024-7770 - File Manager Plugin

The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload' function in all versions up to, and including, 6.5.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted upload permissions by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN File Manager

CVE-2024-7770

HIGH CVSS 8.8 2024-09-10
Threat Entry Updated 2024-09-26

CVE-2024-8268 - Frontend Dashboard Plugin

The Frontend Dashboard plugin for WordPress is vulnerable to unauthorized code execution due to insufficient filtering on callable methods/functions via the ajax_request() function in all versions up to, and including, 2.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to call arbitrary functions that can be leveraged for privilege escalation by changing users' passwords.

PLUGIN Frontend Dashboard

CVE-2024-8268

HIGH CVSS 8.8 2024-09-10
Threat Entry Updated 2024-09-26

CVE-2024-8478 - The Affiliate Super Assistent Plugin

The The Affiliate Super Assistent plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.5.3. This is due to the software allowing users to supply arbitrary shortcodes in comments when the 'Parse comments' option is enabled. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN The Affiliate Super Assistent

CVE-2024-8478

HIGH CVSS 7.3 2024-09-10
Threat Entry Updated 2024-09-26

CVE-2024-7112 - Pinpoint Booking System Plugin

The Pinpoint Booking System – #1 WordPress Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the 'schedule' parameter in all versions up to, and including, 2.9.9.5.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Pinpoint Booking System

CVE-2024-7112

HIGH CVSS 8.8 2024-09-07
Threat Entry Updated 2024-09-26

CVE-2024-1596 - Ninja Forms File Uploads Plugin

The Ninja Forms - File Uploads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded file (e.g. RTX file) in all versions up to, and including, 3.3.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ninja Forms File Uploads

CVE-2024-1596

HIGH CVSS 7.2 2024-09-07
Threat Entry Updated 2024-09-26

CVE-2024-8428 - Forumwp Plugin

The ForumWP – Forum & Discussion Board Plugin plugin for WordPress is vulnerable to Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 2.0.2 via the submit_form_handler due to missing validation on the 'user_id' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to change the email address of administrative user accounts, which can then be leveraged to reset the administrative user's password and gain access to their account.

PLUGIN Forumwp

CVE-2024-8428

HIGH CVSS 8.8 2024-09-06
Threat Entry Updated 2024-09-12

CVE-2024-7349 - Lifterlms Plugin

The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to blind SQL Injection via the 'order' parameter in all versions up to, and including, 7.7.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Lifterlms

CVE-2024-7349

HIGH CVSS 7.2 2024-09-06
Threat Entry Updated 2024-09-26

CVE-2024-8480 - Sirv Plugin

The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'sirv_save_prevented_sizes' function in all versions up to, and including, 7.2.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to exploit the 'sirv_upload_file_by_chunks_callback' function, which lacks proper file type validation, allowing attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Sirv

CVE-2024-8480

HIGH CVSS 8.8 2024-09-06
Threat Entry Updated 2024-09-26

CVE-2024-8247 - Newsletters Plugin

The Newsletters plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 4.9.9.2. This is due to the plugin not restricting what user meta can be updated as screen options. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an administrator. Please note that this only affects users with access to edit/update screen options, which means an administrator would need to grant lower privilege users with access to the Sent & Draft Emails page of…

PLUGIN Newsletters

CVE-2024-8247

HIGH CVSS 8.8 2024-09-06
Threat Entry Updated 2024-09-11

CVE-2024-7627 - File Manager Plugin

The Bit File Manager plugin for WordPress is vulnerable to Remote Code Execution in versions 6.0 to 6.5.5 via the 'checkSyntax' function. This is due to writing a temporary file to a publicly accessible directory before performing file validation. This makes it possible for unauthenticated attackers to execute code on the server if an administrator has allowed Guest User read permissions.

PLUGIN File Manager

CVE-2024-7627

HIGH CVSS 8.1 2024-09-05
Threat Entry Updated 2024-09-05

CVE-2024-8104 - Wp Extended Plugin

The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.0.8 via the download_file_ajax function. This makes it possible for authenticated attackers, with subscriber access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Wp Extended

CVE-2024-8104

HIGH CVSS 8.8 2024-09-04