Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-11-21
CVE-2024-6069 - Pie Register Plugin
The Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation/deactivation due to missing capability checks on the pieregister_install_addon, pieregister_activate_addon and pieregister_deactivate_addon functions in all versions up to, and including, 3.8.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install, activate and deactivate arbitrary plugins. As a result attackers might achieve code execution on the targeted server
PLUGIN
Pie Register
CVE-2024-6069
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5456 - Panda Video Plugin
The Panda Video plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.0 via the 'selected_button' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
PLUGIN
Panda Video
CVE-2024-5456
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5479 - Easy Pixels By Jevnet Plugin
The Easy Pixels plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 2.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Easy Pixels By Jevnet
CVE-2024-5479
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6321 - Scrollto Bottom Plugin
The ScrollTo Bottom plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 1.1.1. This is due to missing nonce validation and missing file type validation in the 'options_page' function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Scrollto Bottom
CVE-2024-6321
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6320 - Scrollto Top Plugin
The ScrollTo Top plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 1.2.2. This is due to missing nonce validation and missing file type validation in the 'options_page' function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Scrollto Top
CVE-2024-6320
Risk Score
Threat Entry
Updated 2025-03-07
CVE-2024-6317 - Generate Pdf Using Contact Form 7 Plugin
The Generate PDF using Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 4.0.6. This is due to missing nonce validation and the plugin not properly validating a file or its path prior to deleting it in the 'wp_cf7_pdf_dashboard_html_page' function. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible via a forged request granted they can trick a site administrator into…
PLUGIN
Generate Pdf Using Contact Form 7
CVE-2024-6317
Risk Score
Threat Entry
Updated 2025-03-07
CVE-2024-6316 - Generate Pdf Using Contact Form 7 Plugin
The Generate PDF using Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 4.0.6. This is due to missing nonce validation and missing file type validation in the 'wp_cf7_pdf_dashboard_html_page' function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Generate Pdf Using Contact Form 7
CVE-2024-6316
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6310 - Advanced Ajax Page Loader Plugin
The Advanced AJAX Page Loader plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 2.7.7. This is due to missing nonce validation in the 'admin_init_AAPL' function and missing file type validation in the 'AAPL_options_validate' function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Advanced Ajax Page Loader
CVE-2024-6310
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6309 - Attachment File Icons Plugin
The Attachment File Icons (AF Icons) plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 1.3. This is due to missing nonce validation in the 'afi_overview' function and missing file type validation in the 'upload_icons' function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Attachment File Icons
CVE-2024-6309
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6161 - Default Thumbnail Plus Plugin
The Default Thumbnail Plus plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'get_cache_image' function in all versions up to, and including, 1.0.2.3. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Default Thumbnail Plus
CVE-2024-6161
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6180 - Eventon Lite Plugin
The EventON plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eventon_import_settings' ajax action in all versions up to, and including, 2.2.15. This makes it possible for unauthenticated attackers to update plugin settings, including adding stored cross-site scripting to settings options displayed on event calendar pages.
PLUGIN
Eventon Lite
CVE-2024-6180
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6123 - Bit Form Plugin
The Bit Form plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'iconUpload' function in all versions up to, and including, 2.13.3. This makes it possible for authenticated attackers, with administrator-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Bit Form
CVE-2024-6123
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5441 - Modern Events Calendar Lite Plugin
The Modern Events Calendar plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image function in all versions up to, and including, 7.11.0. This makes it possible for authenticated attackers, with subscriber access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The plugin allows administrators (via its settings) to extend the ability to submit events to unauthenticated users, which would allow unauthenticated attackers to exploit this vulnerability.
PLUGIN
Modern Events Calendar Lite
CVE-2024-5441
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6166 - Unlimited Elements For Elementor Free Widgets Addons Templates Plugin
The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to time-based SQL Injection via the ‘addons_order’ parameter in all versions up to, and including, 1.5.112 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above and granted plugin setting edit permissions by an administrator, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Unlimited Elements For Elementor Free Widgets Addons Templates
CVE-2024-6166
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5793 - Houzez Theme Functionality Plugin
The Houzez Theme - Functionality plugin for WordPress is vulnerable to SQL Injection via the ‘currency_code’ parameter in all versions up to, and including, 3.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Custom-level (seller) access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Houzez Theme Functionality
CVE-2024-5793
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5943 - Nested Pages Plugin
The Nested Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.7. This is due to missing or incorrect nonce validation on the 'settingsPage' function and missing santization of the 'tab' parameter. This makes it possible for unauthenticated attackers to call local php files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Nested Pages
CVE-2024-5943
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6319 - Imgspider Plugin
The IMGspider plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload' function in all versions up to, and including, 2.3.10. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Imgspider
CVE-2024-6319
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6318 - Imgspider Plugin
The IMGspider plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_img_file' function in all versions up to, and including, 2.3.10. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Imgspider
CVE-2024-6318
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-2385 - Addons For Elementor Plugin
The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.3.7 via several of the plugin's widgets through the 'style' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded…
PLUGIN
Addons For Elementor
CVE-2024-2385
Risk Score
Threat Entry
Updated 2025-03-13
CVE-2024-38345 - Sola Testimonials Plugin
A cross-site request forgery vulnerability exists in Sola Testimonials versions prior to 3.0.0. If this vulnerability is exploited, an attacker allows a user who logs in to the WordPress site where the affected plugin is enabled to access a malicious page. As a result, the user may perform unintended operations on the WordPress site.
PLUGIN
Sola Testimonials
CVE-2024-38345
Risk Score