
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 3,045 | Critical 0 | High 3,045 | Medium 0

Showing 1961-1980 of 3045 records
Threat Entry Updated 2024-11-21

CVE-2024-5348 - Elements For Elementor Plugin

The Elements For Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.1 via the 'beforeafter_layout' attribute of the beforeafter widget, the 'eventsgrid_layout' attribute of the eventsgrid and list widgets, the 'marquee_layout' attribute of the marquee widget, the 'postgrid_layout' attribute of the postgrid widget, the 'woocart_layout' attribute of the woocart widget, and the 'woogrid_layout' attribute of the woogrid widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the…

PLUGIN Elements For Elementor

CVE-2024-5348

HIGH CVSS 8.8 2024-06-01
Threat Entry Updated 2024-11-21

CVE-2024-3821 - Table Charts Plugin

The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the wdt_ajax_actions.php file in all versions up to, and including, 6.3.2. This makes it possible for unauthenticated attackers to manipulate data tables. Please note this only affects the premium version of the plugin.

PLUGIN Table Charts

CVE-2024-3821

HIGH CVSS 7.3 2024-06-01
Threat Entry Updated 2024-11-21

CVE-2024-4958 - And User Profile Plugin

The User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'import_form_action' function in versions up to, and including, 3.2.0.1. This makes it possible for authenticated attackers, with contributor-level permissions and above, to import a registration form with a default user role of administrator. If an administrator approves or publishes a post or page with the shortcode to the imported form, any user can register as an administrator.

PLUGIN And User Profile

CVE-2024-4958

HIGH CVSS 7.1 2024-06-01
Threat Entry Updated 2025-02-19

CVE-2024-3564 - Content Blocks Plugin

The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the plugin's 'content_block' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

PLUGIN Content Blocks

CVE-2024-3564

HIGH CVSS 8.8 2024-06-01
Threat Entry Updated 2025-05-21

CVE-2024-4469 - Wp Staging Wordpress Backup Plugin

The WP STAGING WordPress Backup Plugin WordPress plugin before 3.5.0 does not prevent users with the administrator role from conducting SSRF attacks via its ping functionality, which may be a problem in multisite configurations.

PLUGIN Wp Staging Wordpress Backup

CVE-2024-4469

HIGH CVSS 7.5 2024-05-31
Threat Entry Updated 2024-11-21

CVE-2024-2793 - Atarim Visual Collaboration Plugin

The Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress is vulnerable to Stored Cross-Site Scripting via comments in all versions up to, and including, 3.30 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Atarim Visual Collaboration

CVE-2024-2793

HIGH CVSS 7.2 2024-05-31
Threat Entry Updated 2024-11-21

CVE-2024-5345 - Responsive Owl Carousel Elementor Plugin

The Responsive Owl Carousel for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.2.0 via the layout parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. The inclusion is…

PLUGIN Responsive Owl Carousel Elementor

CVE-2024-5345

HIGH CVSS 8.8 2024-05-31
Threat Entry Updated 2024-11-21

CVE-2024-5326 - Ultimate Post Plugin

The Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'postx_presets_callback' function in all versions up to, and including, 4.1.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.

PLUGIN Ultimate Post

CVE-2024-5326

HIGH CVSS 8.8 2024-05-30
Threat Entry Updated 2025-06-05

CVE-2024-5207 - Post Smtp Plugin

The POST SMTP – The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications plugin for WordPress is vulnerable to time-based SQL Injection via the selected parameter in all versions up to, and including, 2.9.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with administrator access or higher to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Post Smtp

CVE-2024-5207

HIGH CVSS 7.2 2024-05-30
Threat Entry Updated 2025-01-30

CVE-2023-6743 - Unlimited Elements For Elementor Plugin

The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.5.89 via the template import functionality. This makes it possible for authenticated attackers, with contributor access and above, to execute code on the server.

PLUGIN Unlimited Elements For Elementor

CVE-2023-6743

HIGH CVSS 8.8 2024-05-29
Threat Entry Updated 2025-06-05

CVE-2024-4611 - Apppresser Plugin

The AppPresser plugin for WordPress is vulnerable to improper handling of a missing-encryption condition (no exception handling) in the 'decrypt_value' and 'doCookieAuth' functions in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if that user previously logged in via the plugin API. This can only be exploited if the 'openssl' PHP extension is not loaded on the server.

PLUGIN Apppresser

CVE-2024-4611

HIGH CVSS 8.1 2024-05-29
Threat Entry Updated 2024-11-21

CVE-2024-5204 - Swiss Toolkit For Wp Plugin

The Swiss Toolkit For WP plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.0.7. This is due to the plugin storing custom data in post metadata without an underscore prefix. This makes it possible for authenticated attackers with contributor-level and above permissions to log in as any existing user on the site, such as an administrator.

PLUGIN Swiss Toolkit For Wp

CVE-2024-5204

HIGH CVSS 8.8 2024-05-29
Threat Entry Updated 2025-05-19

CVE-2024-4535 - Kkprogressbar2 Plugin

The KKProgressbar2 Free WordPress plugin through 1.1.4.2 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks.

PLUGIN Kkprogressbar2

CVE-2024-4535

HIGH CVSS 8.8 2024-05-27
Threat Entry Updated 2025-05-01

CVE-2024-4531 - Business Card Plugin

The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions, such as editing cards, via CSRF attacks.

PLUGIN Business Card

CVE-2024-4531

HIGH CVSS 7.1 2024-05-27
Threat Entry Updated 2025-04-04

CVE-2024-4455 - Yith Woocommerce Ajax Search Plugin

The YITH WooCommerce Ajax Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'item' parameter in versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Yith Woocommerce Ajax Search

CVE-2024-4455

HIGH CVSS 7.2 2024-05-24
Threat Entry Updated 2024-11-21

CVE-2024-0867 - Email Log Plugin

The Email Log plugin for WordPress is vulnerable to Unauthenticated Hook Injection in all versions up to, and including, 2.4.8 via the check_nonce function. This makes it possible for unauthenticated attackers to execute actions with hooks in WordPress under certain circumstances. The action the attacker wishes to execute needs to have a nonce check, and the nonce needs to be known to the attacker. Furthermore, the absence of a capability check is a requirement.

PLUGIN Email Log

CVE-2024-0867

HIGH CVSS 8.1 2024-05-24
Threat Entry Updated 2025-03-01

CVE-2024-5085 - Hash Form Plugin

The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.0 via deserialization of untrusted input in the 'process_entry' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

PLUGIN Hash Form

CVE-2024-5085

HIGH CVSS 8.1 2024-05-23
Threat Entry Updated 2024-11-21

CVE-2024-4471 - Xpro Elementor Addons Plugin

The 140+ Widgets | Best Addons For Elementor – FREE plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.4.3.1 via deserialization of untrusted input in the 'export_content' function. This allows authenticated attackers, with contributor-level permissions and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

PLUGIN Xpro Elementor Addons

CVE-2024-4471

HIGH CVSS 8.0 2024-05-23
Threat Entry Updated 2025-01-30

CVE-2024-4779 - Unlimited Elements For Elementor Plugin

The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to SQL Injection via the 'data[post_ids][0]' parameter in all versions up to, and including, 1.5.107 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Unlimited Elements For Elementor

CVE-2024-4779

HIGH CVSS 8.8 2024-05-23
Threat Entry Updated 2024-11-21

CVE-2024-2038 - Atarim Visual Collaboration Plugin

The Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.22.6. This is due to the use of hardcoded credentials to authenticate all the incoming API requests. This makes it possible for unauthenticated attackers to modify plugin settings, delete posts, modify post titles, and upload images.

PLUGIN Atarim Visual Collaboration

CVE-2024-2038

HIGH CVSS 7.5 2024-05-23