Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Records: 3,044 total (Critical 0, High 3,044, Medium 0). Showing 1841-1860 of 3044 records.

CVE-2024-6420 - Hide My Wp Ghost Plugin

The Hide My WP Ghost WordPress plugin before 5.2.02 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the hidden login page.

Plugin: Hide My Wp Ghost | Severity: HIGH (CVSS 8.6) | 2024-07-23 | Threat entry updated 2025-08-25
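Why rewriting the login slug is not enough, as an added example that is not Hide My WP Ghost's code: WordPress's auth_redirect() sends any logged-out visitor of /wp-admin/ to wp_login_url(), and a login-hiding plugin's own 'login_url' filter then hands that visitor the hidden slug. The second hook below refuses such requests before auth_redirect() runs. The option name 'example_hidden_login_slug' is an assumption.

```php
<?php
// Added example, not the plugin's code. Assumes the hidden login slug is
// stored in an option named 'example_hidden_login_slug' (an assumption).

// 1. Rewriting the login URL alone is NOT a fix: auth_redirect() builds its
//    target with wp_login_url(), so this filter gives the hidden slug to anyone
//    who requests /wp-admin/ while logged out.
add_filter( 'login_url', function ( $login_url, $redirect ) {
    $slug = get_option( 'example_hidden_login_slug', '' );
    if ( '' === $slug ) {
        return $login_url;
    }
    $url = home_url( '/' . trim( $slug, '/' ) . '/' );
    return $redirect ? add_query_arg( 'redirect_to', rawurlencode( $redirect ), $url ) : $url;
}, 10, 2 );

// 2. Stop the redirect at its source. wp-admin/admin.php calls auth_redirect()
//    only after wp-load.php has fired 'init', so an early 'init' hook can
//    answer unauthenticated admin requests with a 404 before any redirect.
add_action( 'init', function () {
    global $pagenow;
    if ( ! is_admin() || is_user_logged_in() ) {
        return;
    }
    // admin-ajax.php and admin-post.php legitimately serve logged-out users
    // through their *_nopriv_ hooks; leave those endpoints alone.
    if ( wp_doing_ajax() || wp_doing_cron() || 'admin-post.php' === $pagenow ) {
        return;
    }
    nocache_headers();
    wp_die( 'Not Found', 'Not Found', array( 'response' => 404 ) );
}, 0 );
```

Verify the fix the way the advisory implies the bug was found: request /wp-admin/ with no cookies and confirm the response is a 404 rather than a 302 whose Location header names the hidden path.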

CVE-2024-6885 - Maxi Blocks Plugin

The MaxiBlocks: 2200+ Patterns, 190 Pages, 14.2K Icons & 100 Styles plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maxi_remove_custom_image_size and maxi_add_custom_image_size functions in all versions up to, and including, 1.9.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Plugin: Maxi Blocks | Severity: HIGH (CVSS 8.1) | 2024-07-23 | Threat entry updated 2024-11-21
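Path validation for a delete-file feature, as an added example that is not Maxi Blocks' code: the user-supplied name is resolved with realpath() and must land inside the uploads directory, then is restricted to image files, and the handler is nonce- and capability-gated so Subscriber-level accounts never reach unlink(). The AJAX action name and the 'file' parameter are assumptions.

```php
<?php
// Added example, not Maxi Blocks code. Action name and 'file' parameter are
// assumptions for illustration.

function example_safe_unlink_upload( string $user_path ) {
    $upload = wp_upload_dir();
    $base   = realpath( $upload['basedir'] );
    if ( false === $base ) {
        return new WP_Error( 'no_uploads', 'Uploads directory not found.' );
    }

    // realpath() collapses "../" segments and follows symlinks, so
    // "../../wp-config.php", or a symlink inside uploads that points out of it,
    // resolves to its real location and fails the prefix check. It returns
    // false for files that do not exist, which is also a rejection.
    $target = realpath( $base . DIRECTORY_SEPARATOR . ltrim( $user_path, '/\\' ) );
    if ( false === $target || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return new WP_Error( 'bad_path', 'Path is outside the uploads directory.' );
    }

    // Second layer: this feature only manages generated image sizes, so refuse
    // anything that is not an image file even when it sits inside uploads.
    $ext = strtolower( pathinfo( $target, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, array( 'jpg', 'jpeg', 'png', 'gif', 'webp' ), true ) ) {
        return new WP_Error( 'bad_type', 'Only image files may be removed.' );
    }

    return unlink( $target ) ? true : new WP_Error( 'unlink_failed', 'Could not delete file.' );
}

// Handler: nonce-checked and limited to users who may manage media. No
// wp_ajax_nopriv_ variant is registered, so logged-out callers never arrive.
add_action( 'wp_ajax_example_remove_custom_image', function () {
    check_ajax_referer( 'example_remove_custom_image', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $file   = isset( $_POST['file'] ) ? sanitize_text_field( wp_unslash( $_POST['file'] ) ) : '';
    $result = example_safe_unlink_upload( $file );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success();
} );
```

The prefix comparison includes the trailing directory separator on purpose: without it, a sibling directory such as uploads-backup would pass a plain strpos() test.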

CVE-2024-6828 - Redux Framework Plugin

The Redux Framework plugin for WordPress is vulnerable to unauthenticated JSON file uploads due to missing authorization and capability checks on the Redux_Color_Scheme_Import function in versions 4.4.12 to 4.4.17. This makes it possible for unauthenticated attackers to upload JSON files, which can be used to conduct stored cross-site scripting attacks and, in rare cases where the wp_filesystem fails to initialize, remote code execution.

Plugin: Redux Framework | Severity: HIGH (CVSS 7.2) | 2024-07-23 | Threat entry updated 2024-11-21
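The pattern behind an "unauthenticated JSON upload", as an added example that is not Redux Framework's code: an AJAX import handler registered for logged-out users with no nonce, capability or content validation, beside a hardened version that registers only the authenticated hook, verifies the caller, and keeps nothing from the JSON except keys it defines. Action names and the option key are assumptions.

```php
<?php
// Added example, not Redux Framework code. Action names and the option key
// are assumptions.

// --- Vulnerable pattern (constructed) ---------------------------------------
// Registering the *_nopriv_ variant exposes the handler to anyone, and nothing
// in it verifies who is calling or what they send.
add_action( 'wp_ajax_nopriv_example_scheme_import', 'example_scheme_import_vulnerable' );
add_action( 'wp_ajax_example_scheme_import', 'example_scheme_import_vulnerable' );
function example_scheme_import_vulnerable() {
    $raw = wp_unslash( $_POST['scheme_json'] ?? '' );
    // Attacker-controlled JSON is stored verbatim and later echoed into admin
    // pages: stored XSS, and worse if it is ever written to disk under a name
    // the attacker influences.
    update_option( 'example_color_scheme', $raw );
    wp_send_json_success();
}

// --- Hardened version --------------------------------------------------------
// Only the authenticated hook; no wp_ajax_nopriv_ registration at all.
add_action( 'wp_ajax_example_scheme_import_v2', 'example_scheme_import_hardened' );
function example_scheme_import_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    check_ajax_referer( 'example_scheme_import', 'nonce' );
    // 2. Authorization: importing theme settings is an administrator task.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 3. Validation: decode, require the expected shape, and keep only the
    //    keys this feature defines, each checked for its type.
    $data = json_decode( wp_unslash( $_POST['scheme_json'] ?? '' ), true );
    if ( ! is_array( $data ) || ! isset( $data['colors'] ) || ! is_array( $data['colors'] ) ) {
        wp_send_json_error( 'invalid scheme', 400 );
    }
    $clean = array();
    foreach ( $data['colors'] as $name => $hex ) {
        $name = sanitize_key( $name );                     // [a-z0-9_-] only
        $ok   = is_string( $hex ) && preg_match( '/^#[0-9a-f]{6}$/i', $hex );
        if ( '' !== $name && $ok ) {
            $clean[ $name ] = strtolower( $hex );
        }
    }
    update_option( 'example_color_scheme', $clean );
    wp_send_json_success( array( 'imported' => count( $clean ) ) );
}
```

A quick audit for this class of bug is grep -n "wp_ajax_nopriv_" across the plugin and asking, for each hit, why a logged-out user needs that handler and what the handler writes.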

CVE-2024-37262 - Online Booking Scheduling Calendar Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in vCita.Com Online Booking & Scheduling Calendar for WordPress by vcita allows Reflected XSS. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through 4.4.2.

Plugin: Online Booking Scheduling Calendar | Severity: HIGH (CVSS 7.1) | 2024-07-22 | Threat entry updated 2025-06-10

CVE-2024-37259 - Wp Extended Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Extended The Ultimate WordPress Toolkit – WP Extended allows Reflected XSS. This issue affects The Ultimate WordPress Toolkit – WP Extended: from n/a through 2.4.7.

Plugin: Wp Extended | Severity: HIGH (CVSS 7.1) | 2024-07-22 | Threat entry updated 2024-11-21

CVE-2024-6244 - Pz Frontend Manager Plugin

The PZ Frontend Manager WordPress plugin before 1.0.6 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks.

Plugin: Pz Frontend Manager | Severity: HIGH (CVSS 8.8) | 2024-07-22 | Threat entry updated 2025-03-19
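What a "missing CSRF check" looks like when fixed, as an added example that is not code from PZ Frontend Manager (nor from the wp-cart-for-digital-products or ArtPlacer Widget entries further down, which describe the same class of bug): a settings form that embeds a nonce, and an admin-post handler that verifies the nonce and the caller's capability, sanitizes on save, and escapes on output so that even a forged request cannot plant stored XSS. Option, action and field names are assumptions.

```php
<?php
// Added example, not code from any of the plugins listed here. Option, action
// and field names are assumptions.

// Render: wp_nonce_field() emits a hidden field tied to this action and the
// current user's session; a form on another origin cannot know its value.
function example_render_settings_form() {
    $current = get_option( 'example_widget_title', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="hidden" name="action" value="example_save_settings">
        <label>Widget title
            <input type="text" name="widget_title" value="<?php echo esc_attr( $current ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Save: only logged-in users reach admin_post_<action> (no _nopriv_ variant is
// registered), and both checks below must pass before anything is written.
add_action( 'admin_post_example_save_settings', function () {
    // Dies with a 403 "link has expired" page when the nonce is absent or
    // wrong, which is exactly what a forged cross-site request looks like.
    check_admin_referer( 'example_save_settings', 'example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    // Sanitize on save: sanitize_text_field() strips tags, so no script
    // payload is ever stored even if the checks above were bypassed.
    $title = sanitize_text_field( wp_unslash( $_POST['widget_title'] ?? '' ) );
    update_option( 'example_widget_title', $title );
    $back = wp_get_referer() ?: admin_url();
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
} );

// Output: escape for the context at render time as well (esc_attr in the form
// above, esc_html here). Sanitizing input and escaping output are separate
// layers; relying on only one is how "CSRF to stored XSS" chains happen.
function example_render_widget_title() {
    echo '<h3>' . esc_html( get_option( 'example_widget_title', '' ) ) . '</h3>';
}
```

Note that a nonce is not an authorization check: check_admin_referer() proves the request came from a page this user loaded, and current_user_can() proves the user may perform the action. Both are needed.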

CVE-2024-5973 - Masterstudy Lms Plugin

The MasterStudy LMS WordPress plugin before 3.3.24 does not prevent students from creating instructor accounts, which could be used to get access to functionalities they shouldn't have.

Plugin: Masterstudy Lms | Severity: HIGH (CVSS 8.8) | 2024-07-22 | Threat entry updated 2024-11-21

CVE-2024-6497 - Seo Plugin By Squirrly Seo

The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 12.3.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Seo Plugin By Squirrly Seo | Severity: HIGH (CVSS 8.8) | 2024-07-20 | Threat entry updated 2025-04-05

CVE-2024-6637 - Woocommerce Social Login Plugin

The WooCommerce - Social Login plugin for WordPress is vulnerable to unauthenticated privilege escalation in all versions up to, and including, 2.7.3. This is due to a lack of brute force controls on a weak one-time password. This makes it possible for unauthenticated attackers to brute force the one-time password for any user, except an Administrator, if they know the user's email address.

Plugin: Woocommerce Social Login | Severity: HIGH (CVSS 7.3) | 2024-07-20 | Threat entry updated 2025-02-11

CVE-2024-6635 - Woocommerce Social Login Plugin

The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.3. This is due to insufficient controls in the 'woo_slg_login_email' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, excluding an administrator, if they know the user's email address.

Plugin: Woocommerce Social Login | Severity: HIGH (CVSS 7.3) | 2024-07-20 | Threat entry updated 2024-11-21
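An e-mail one-time-code login done carefully, covering both WooCommerce Social Login entries above, as an added example that is not the plugin's code: the code has enough entropy that online guessing is hopeless, only its hash is stored, it expires, it locks after a few wrong attempts, it is single-use, and knowing an e-mail address alone never yields a session. Transient keys, the attempt limit and the code length are assumptions.

```php
<?php
// Added example, not WooCommerce Social Login code. Transient keys, TTL and
// attempt limit are assumptions.

define( 'EXAMPLE_OTP_TTL', 10 * MINUTE_IN_SECONDS );
define( 'EXAMPLE_OTP_ATTEMPTS', 5 );

function example_otp_key( int $user_id ) : string {
    return 'example_otp_' . $user_id;
}

// Step 1: mint and send. The clear-text code exists only in the e-mail.
function example_otp_issue( string $email ) : bool {
    $user = get_user_by( 'email', $email );
    if ( ! $user ) {
        return true; // same response for unknown addresses: no account enumeration
    }
    // 8 digits = 10^8 possibilities; with 5 attempts per code and a 10-minute
    // lifetime a guesser has odds of 1 in 2*10^7 per code. Use random_int(),
    // never rand()/mt_rand(), for anything that gates authentication.
    $code = str_pad( (string) random_int( 0, 99999999 ), 8, '0', STR_PAD_LEFT );
    set_transient( example_otp_key( $user->ID ), array(
        'hash'     => wp_hash( $code . '|' . $user->ID ), // keyed with the site salts
        'attempts' => 0,
        'expires'  => time() + EXAMPLE_OTP_TTL,
    ), EXAMPLE_OTP_TTL );
    wp_mail( $user->user_email, 'Your login code', "Your code is $code (valid 10 minutes)." );
    return true;
}

// Step 2: verify. Constant-time compare, attempt counter, single use.
function example_otp_login( string $email, string $code ) {
    $user = get_user_by( 'email', $email );
    $key  = $user ? example_otp_key( $user->ID ) : '';
    $rec  = $key ? get_transient( $key ) : false;
    if ( ! $user || ! is_array( $rec ) || time() > $rec['expires'] ) {
        return new WP_Error( 'otp_invalid', 'Invalid or expired code.' );
    }
    if ( $rec['attempts'] >= EXAMPLE_OTP_ATTEMPTS ) {
        delete_transient( $key ); // burn it; the user must request a new code
        return new WP_Error( 'otp_locked', 'Too many attempts.' );
    }
    if ( ! hash_equals( $rec['hash'], wp_hash( $code . '|' . $user->ID ) ) ) {
        $rec['attempts']++;
        set_transient( $key, $rec, EXAMPLE_OTP_TTL ); // 'expires' stays fixed
        return new WP_Error( 'otp_invalid', 'Invalid or expired code.' );
    }
    delete_transient( $key ); // one-time: a replayed code fails
    // The affected plugin excluded administrators from this flow. Keep such a
    // rule as defence in depth, but it is not the fix; the controls above are.
    if ( user_can( $user, 'manage_options' ) ) {
        return new WP_Error( 'otp_denied', 'Use the standard login.' );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false );
    return $user;
}
```

The authentication-bypass entry (CVE-2024-6635) is the degenerate case of this flow: a login-by-email function that skips step 2 entirely. Any function that calls wp_set_auth_cookie() should be traceable back to a verified secret, not just to an address.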

CVE-2024-6338 - Fv Flowplayer Video Player Plugin

The FV Flowplayer Video Player plugin for WordPress is vulnerable to time-based SQL Injection via the ‘exclude’ parameter in all versions up to, and including, 7.5.46.7212 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Fv Flowplayer Video Player | Severity: HIGH (CVSS 8.8) | 2024-07-19 | Threat entry updated 2024-11-21
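Why an 'exclude' parameter is a classic injection point and how to bind it, as an added example that is not FV Flowplayer's code: a comma-separated ID list cannot be bound as a single placeholder, so it tends to be concatenated into NOT IN (...). The hardened version casts every element to an integer and binds each one through $wpdb->prepare(). The post type and column names are assumptions.

```php
<?php
// Added example, not FV Flowplayer code. Post type and columns are
// assumptions.

// --- Vulnerable pattern (constructed) ---------------------------------------
// exclude=1,2) OR SLEEP(5)-- turns this into a time-based oracle: the response
// delay tells the attacker whether the injected condition was true.
function example_videos_vulnerable( string $exclude ) {
    global $wpdb;
    return $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = 'fv_video' AND ID NOT IN ($exclude)"
    );
}

// --- Hardened version --------------------------------------------------------
// Cast every element with absint(), drop zeros, and bind one %d per element;
// the final SQL then contains no attacker-controlled text at all.
function example_videos_hardened( string $exclude ) {
    global $wpdb;
    $ids  = array_values( array_filter( array_map( 'absint', explode( ',', $exclude ) ) ) );
    $sql  = "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_type = %s";
    $args = array( 'fv_video' );
    if ( $ids ) {
        $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
        $sql  .= " AND ID NOT IN ($placeholders)";
        $args  = array_merge( $args, $ids );
    }
    return $wpdb->get_results( $wpdb->prepare( $sql, $args ) );
}

// --- Better still: let core build the query --------------------------------
// WP_Query's 'post__not_in' accepts only integers, so there is no string to
// escape in the first place.
function example_videos_via_wp_query( string $exclude ) {
    $ids = array_values( array_filter( array_map( 'absint', explode( ',', $exclude ) ) ) );
    return get_posts( array(
        'post_type'    => 'fv_video',
        'post__not_in' => $ids,
        'fields'       => 'ids',
        'numberposts'  => -1,
    ) );
}
```

When reviewing a plugin for this bug, search for get_results, get_var and query calls whose SQL string is built with interpolation or concatenation; any that include a request parameter without passing through prepare() are candidates.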

CVE-2023-7269 - ArtPlacer Widget Plugin

The ArtPlacer Widget WordPress plugin before 2.21.2 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

Plugin: ArtPlacer Widget | Severity: HIGH (CVSS 7.5) | 2024-07-19 | Threat entry updated 2025-05-16

CVE-2024-3242 - Brizy Plugin

The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension validation in the validateImageContent function called via storeImages in all versions up to, and including, 2.4.43. This makes it possible for authenticated attackers, with contributor access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Version 2.4.44 prevents the upload of files ending in .sh and .php. Version 2.4.45 fully patches the issue.

Plugin: Brizy | Severity: HIGH (CVSS 8.8) | 2024-07-18 | Threat entry updated 2025-01-16
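The entry's own history (2.4.44 blocked .sh and .php, 2.4.45 "fully" patched) illustrates why a denylist is not a fix. As an added example that is not Brizy's code, the block below contrasts that denylist with an allowlist enforced through WordPress's own type checks and wp_handle_upload(). The upload field layout is the standard $_FILES array; the function names are assumptions.

```php
<?php
// Added example, not Brizy code. Function names are assumptions.
require_once ABSPATH . 'wp-admin/includes/file.php'; // wp_handle_upload()

// --- Insufficient (constructed): a denylist -----------------------------------
// Blocking ".php" and ".sh" still admits .phtml, .phar, .php7 and whatever else
// the server's handler mapping executes, plus double extensions on hosts that
// are misconfigured for them.
function example_is_blocked_extension( string $name ) : bool {
    $ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    return in_array( $ext, array( 'php', 'sh' ), true );
}

// --- Hardened: allowlist + content check + core's upload routine -------------
function example_store_image( array $file ) {
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to upload files.' );
    }
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );
    // wp_check_filetype_and_ext() checks the extension against the allowlist
    // and, for image types, compares it with the file's real content.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['type'] ) || empty( $check['ext'] ) ) {
        return new WP_Error( 'bad_type', 'Only JPEG, PNG, GIF or WebP images are accepted.' );
    }
    // Belt and braces: reject anything the image library cannot parse at all,
    // which catches a script renamed to .png.
    if ( false === @getimagesize( $file['tmp_name'] ) ) {
        return new WP_Error( 'bad_image', 'File is not a valid image.' );
    }
    // Let core move the file: it re-applies the 'mimes' allowlist and writes a
    // unique, sanitized file name inside the uploads directory.
    $moved = wp_handle_upload( $file, array(
        'test_form' => false,
        'mimes'     => $allowed,
    ) );
    if ( isset( $moved['error'] ) ) {
        return new WP_Error( 'upload_failed', $moved['error'] );
    }
    return $moved['file']; // absolute path under wp-content/uploads
}
```

Polyglot files (a valid image that also contains PHP) pass getimagesize(); what stops them from executing is that the uploads directory should never be served through the PHP handler, which is a web-server configuration concern rather than something the plugin can enforce.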

CVE-2024-5726 - Timeline Event History Plugin

The Timeline Event History plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.1 via deserialization of untrusted input in the 'timelines-data' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Plugin: Timeline Event History | Severity: HIGH (CVSS 8.8) | 2024-07-18 | Threat entry updated 2024-11-21
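Deserialization of request data and the two ways out of it, as an added example that is not Timeline Event History's code: the parameter name 'timelines-data' is from the advisory, the expected event shape is an assumption. JSON carries no class names, so it cannot instantiate a gadget; where a legacy serialized format must still be read, allowed_classes => false prevents any object from being constructed, and the result is rejected if it contains one.

```php
<?php
// Added example, not Timeline Event History code. Event shape is an
// assumption.

// --- Vulnerable pattern (constructed) ---------------------------------------
// unserialize() on request data instantiates whatever class the payload names.
// The plugin itself may have no gadget (POP) chain, but any other installed
// plugin or theme with a usable __destruct()/__wakeup() completes the attack.
function example_load_timelines_vulnerable() {
    return unserialize( wp_unslash( $_POST['timelines-data'] ?? '' ) );
}

// --- Hardened: JSON for the data, per-field sanitization ---------------------
function example_load_timelines_hardened() {
    $data = json_decode( wp_unslash( $_POST['timelines-data'] ?? '' ), true );
    if ( ! is_array( $data ) ) {
        return new WP_Error( 'bad_data', 'Expected a JSON array of events.' );
    }
    $events = array();
    foreach ( $data as $event ) {
        if ( ! is_array( $event ) ) {
            continue;
        }
        $events[] = array(
            'date'  => sanitize_text_field( $event['date'] ?? '' ),
            'title' => sanitize_text_field( $event['title'] ?? '' ),
            'body'  => wp_kses_post( $event['body'] ?? '' ), // post-safe HTML only
        );
    }
    return $events;
}

// --- If a legacy serialized blob must still be read ---------------------------
// allowed_classes => false turns every object into __PHP_Incomplete_Class,
// whose magic methods never run, so no gadget chain can fire. Reject such
// values outright rather than silently working with a hollow object.
function example_contains_object( $value ) : bool {
    if ( is_object( $value ) ) {
        return true;
    }
    if ( is_array( $value ) ) {
        foreach ( $value as $v ) {
            if ( example_contains_object( $v ) ) {
                return true;
            }
        }
    }
    return false;
}
function example_unserialize_data_only( string $blob ) {
    $value = @unserialize( $blob, array( 'allowed_classes' => false ) );
    if ( false === $value && 'b:0;' !== $blob ) {
        return new WP_Error( 'bad_blob', 'Not a valid serialized value.' );
    }
    if ( example_contains_object( $value ) ) {
        return new WP_Error( 'object_rejected', 'Serialized objects are not accepted.' );
    }
    return $value;
}
```

A useful grep during review is for unserialize( and maybe_unserialize( over request-derived strings; the latter is core's helper and does not take an allowed_classes option, so it inherits the same risk.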

CVE-2024-6660 - Bookingpress Plugin

The BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the bookingpress_import_data_continue_process_func function in all versions up to, and including, 1.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site and upload arbitrary files. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain…

Plugin: Bookingpress | Severity: HIGH (CVSS 8.8) | 2024-07-17 | Threat entry updated 2024-11-21
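Two controls against the escalation paths described in this entry and in the MasterStudy LMS entry above (students creating instructor accounts), plus the post-incident check a responder would run, as an added example that is not BookingPress or MasterStudy code. An importer must never take option names from the request; self-service sign-up must assign a fixed low-privilege role; and the two options this escalation changes are easy to audit. Option prefix, role names and function names are assumptions.

```php
<?php
// Added example, not BookingPress or MasterStudy code. Option prefix, role
// names and function names are assumptions.

// 1. An "import settings" routine maps incoming keys onto the plugin's own
//    prefixed options and drops everything else, so 'default_role' and
//    'users_can_register' are unreachable whatever the payload contains.
function example_import_settings( array $incoming ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Administrators only.' );
    }
    $allowed = array(           // key => sanitizer
        'currency'     => 'sanitize_text_field',
        'slot_minutes' => 'absint',
    );
    $written = 0;
    foreach ( $allowed as $key => $sanitizer ) {
        if ( array_key_exists( $key, $incoming ) ) {
            update_option( 'example_bp_' . $key, call_user_func( $sanitizer, $incoming[ $key ] ) );
            $written++;
        }
    }
    return $written;
}

// 2. Self-service registration assigns a constant role. The role is never read
//    from the request, and promotion is a separate action gated on a
//    capability that a student account does not hold.
function example_register_student( string $email, string $password ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $email, true ),
        'user_email' => sanitize_email( $email ),
        'user_pass'  => $password,
        'role'       => 'subscriber', // constant, never $_POST['role']
    ) );
}
function example_promote_to_instructor( int $user_id ) {
    if ( ! current_user_can( 'promote_users' ) ) {
        return new WP_Error( 'forbidden', 'Cannot change roles.' );
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user.' );
    }
    $user->set_role( 'instructor' );
    return true;
}

// 3. Incident check: the chain described above leaves exactly these options
//    changed. Returns findings so the check can be scripted (e.g. under WP-CLI).
function example_audit_registration_options() : array {
    $findings = array();
    $role     = get_option( 'default_role' );
    if ( in_array( $role, array( 'administrator', 'editor' ), true ) ) {
        $findings[] = "default_role is '$role'";
    }
    if ( '1' === (string) get_option( 'users_can_register' ) ) {
        $findings[] = 'open registration is enabled';
    }
    return $findings;
}
```

If the audit returns findings, also list administrator accounts ordered by registration date; the attacker's self-registered account will be the newest one.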

CVE-2024-6467 - Bookingpress Plugin

The BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin plugin for WordPress is vulnerable to Arbitrary File Read to Arbitrary File Creation in all versions up to, and including, 1.1.5 via the 'bookingpress_save_lite_wizard_settings_func' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary files that contain the content of files on the server, allowing the execution of any PHP code in those files or the exposure of sensitive information.

Plugin: Bookingpress | Severity: HIGH (CVSS 8.8) | 2024-07-17 | Threat entry updated 2024-11-21

CVE-2024-1937 - Brizy Plugin

The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_item' function in all versions up to, and including, 2.4.44. This makes it possible for authenticated attackers, with contributor access and above, to modify the content of arbitrary published posts, which includes the ability to insert malicious JavaScript.

Plugin: Brizy | Severity: HIGH (CVSS 7.1) | 2024-07-16 | Threat entry updated 2025-01-16

CVE-2024-6075 - Wp Cart For Digital Products Plugin

The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks.

Plugin: Wp Cart For Digital Products | Severity: HIGH (CVSS 8.8) | 2024-07-15 | Threat entry updated 2024-11-21

CVE-2024-5715 - wp-eMember Plugin

The wp-eMember WordPress plugin before 10.6.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins.

Plugin: wp-eMember | Severity: HIGH (CVSS 7.1) | 2024-07-13 | Threat entry updated 2025-05-20
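Escaping by output context, covering the reflected XSS entries on this page (vcita, WP Extended, wp-eMember) and the stored case in Squirrly SEO's 'url' parameter, as an added example that is not code from any of those plugins: the same value is echoed into a URL attribute, a plain attribute, element text and an inline script, each with the escaper for that context, next to the bare echo that causes the bug. Parameter and meta-key names are assumptions.

```php
<?php
// Added example, not code from the plugins listed on this page. Parameter
// and meta-key names are assumptions.

// --- Vulnerable pattern (constructed): reflected -----------------------------
// ?url=%22%3E%3Cscript%3E... closes the attribute and the script runs in the
// browser of whoever was lured to the link, including an administrator.
function example_reflect_vulnerable() {
    $url = wp_unslash( $_GET['url'] ?? '' );
    echo '<a href="' . $url . '">' . $url . '</a>';
}

// --- Hardened: escape at output for the exact context ------------------------
function example_render_link( string $url, string $label ) : string {
    // esc_url() drops javascript:, data: and other non-allowed schemes and
    // encodes characters that could terminate the attribute.
    $href = esc_url( $url );
    if ( '' === $href ) {
        return '';
    }
    return sprintf(
        '<a href="%s" title="%s">%s</a>',
        $href,
        esc_attr( $label ),   // attribute context
        esc_html( $label )    // element text context
    );
}
function example_reflect_hardened() {
    $url   = wp_unslash( $_GET['url'] ?? '' );
    $label = sanitize_text_field( wp_unslash( $_GET['label'] ?? 'link' ) );
    echo example_render_link( $url, $label );
}

// --- Stored: sanitize on save AND escape on output ---------------------------
// Contributors can write posts, so whatever they save into meta is untrusted
// at every render, not only once on the way in.
function example_save_seo_url( int $post_id, string $url ) {
    update_post_meta( $post_id, '_example_seo_url', esc_url_raw( $url ) ); // storage form
}
function example_output_seo_url( int $post_id ) : string {
    $url = get_post_meta( $post_id, '_example_seo_url', true );
    return $url ? '<link rel="canonical" href="' . esc_url( $url ) . '">' : '';
}

// --- Inline JavaScript: never string-build; hand the data over as JSON --------
// JSON_HEX_TAG encodes "<" and ">", so a value containing "</script>" cannot
// close the script element.
function example_output_js_config( string $url ) : string {
    $json = wp_json_encode( array( 'url' => esc_url_raw( $url ) ), JSON_HEX_TAG | JSON_HEX_AMP );
    return '<script>var exampleCfg = ' . $json . ';</script>';
}
```

The rule of thumb that fixes all four entries: sanitize when storing, escape when printing, and pick the escaper by where the value lands (esc_url for href/src, esc_attr inside attributes, esc_html in text, wp_json_encode for script data).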