Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-01-07
CVE-2024-10527 - Spacer Plugin
The Spacer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the motech_spacer_callback() function in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view limited setting information.
PLUGIN
Spacer
CVE-2024-10527
Risk Score
Threat Entry
Updated 2025-02-07
CVE-2024-9654 - Easy Digital Downloads Plugin
The Easy Digital Downloads plugin for WordPress is vulnerable to Improper Authorization in versions 3.1 through 3.3.4. This is due to a lack of sufficient validation checks within the 'verify_guest_email' function to ensure the requesting user is the intended recipient of the purchase receipt. This makes it possible for unauthenticated attackers to bypass intended security restrictions and view the receipts of other users, which contains a link to download paid content. Successful exploitation requires knowledge of another customers email address as well as the file ID of the content they…
PLUGIN
Easy Digital Downloads
CVE-2024-9654
Risk Score
Threat Entry
Updated 2024-12-13
CVE-2024-12300 - Ar For Wordpress Plugin
The AR for WordPress plugin for WordPress is vulnerable to unauthorized double extension file upload due to a missing capability check on the set_ar_featured_image() function in all versions up to, and including, 7.3. This makes it possible for unauthenticated attackers to upload php files leveraging a double extension attack. It's important to note the file is deleted immediately and double extension attacks only work on select servers making this unlikely to be successfully exploited.
PLUGIN
Ar For Wordpress
CVE-2024-12300
Risk Score
Threat Entry
Updated 2024-12-09
CVE-2023-28168 - WordPress Console Plugin
Missing Authorization vulnerability in Jerod Santo WordPress Console allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress Console: from n/a through 0.3.9.
PLUGIN
WordPress Console
CVE-2023-28168
Risk Score
Threat Entry
Updated 2024-12-09
CVE-2023-24375 - WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) Plugin
Missing Authorization vulnerability in miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn): from n/a through 7.5.14.
PLUGIN
WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)
CVE-2023-24375
Risk Score
Threat Entry
Updated 2025-11-13
CVE-2024-7056 - Before 1 Plugin
The WPForms WordPress plugin before 1.9.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 1
CVE-2024-7056
Risk Score
Threat Entry
Updated 2026-01-09
CVE-2024-10710 - Yadisk Files Plugin
The YaDisk Files WordPress plugin through 1.2.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Yadisk Files
CVE-2024-10710
Risk Score
Threat Entry
Updated 2025-03-31
CVE-2024-10515 - In The Process Of Testing The Seo Plugin By Squirrly Seo
In the process of testing the SEO Plugin by Squirrly SEO WordPress plugin before 12.3.21, a vulnerability was found that allows you to implement Stored XSS on behalf of the editor by embedding malicious script, which entails account takeover backdoor
PLUGIN
In The Process Of Testing The Seo Plugin By Squirrly Seo
CVE-2024-10515
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-5030 - Cm Table Of Contents Plugin
The CM Table Of Contents WordPress plugin before 1.2.3 does not have CSRF check in place when resetting its settings, which could allow attackers to make a logged in admin perform such action via a CSRF attack
PLUGIN
Cm Table Of Contents
CVE-2024-5030
Risk Score
Threat Entry
Updated 2024-11-14
CVE-2024-10672 - Multiple Page Generator Plugin
The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the mpg_upsert_project_source_block() function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with editor-level access and above, to delete limited files on the server.
PLUGIN
Multiple Page Generator
CVE-2024-10672
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-8350 - Uncanny Groups For Learndash Plugin
The Uncanny Groups for LearnDash plugin for WordPress is vulnerable to user group add due to a missing capability check on the /wp-json/ulgm_management/v1/add_user/ REST API endpoint in all versions up to, and including, 6.1.0.1. This makes it possible for authenticated attackers, with group leader-level access and above, to add users to their group which ultimately allows them to leverage CVE-2024-8349 and gain admin access to the site.
PLUGIN
Uncanny Groups For Learndash
CVE-2024-8350
Risk Score
Threat Entry
Updated 2024-09-30
CVE-2023-5359 - W3 Total Cache Plugin
The W3 Total Cache plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.7.5 via Google OAuth API secrets stored in plaintext in the publicly visible plugin source. This can allow unauthenticated attackers to impersonate W3 Total Cache and gain access to user account information in successful conditions. This would not impact the WordPress users site in any way.
PLUGIN
W3 Total Cache
CVE-2023-5359
Risk Score
Threat Entry
Updated 2025-04-11
CVE-2024-6792 - Wp Ulike Plugin
The WP ULike WordPress plugin before 4.7.2.1 does not properly sanitize user display names when rendering on a public page.
PLUGIN
Wp Ulike
CVE-2024-6792
Risk Score
Threat Entry
Updated 2025-02-07
CVE-2024-6692 - Easy Digital Downloads Plugin
The Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Agreement Text value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Easy Digital Downloads
CVE-2024-6692
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6694 - Wp Mail Smtp Plugin
The WP Mail SMTP plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 4.0.1. This is due to plugin providing the SMTP password in the SMTP Password field when viewing the settings. This makes it possible for authenticated attackers, with administrative-level access and above, to view the SMTP password for the supplied server. Although this would not be useful for attackers in most cases, if an administrator account becomes compromised this could be useful information to an attacker in a limited environment.
PLUGIN
Wp Mail Smtp
CVE-2024-6694
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6434 - Premium Addons For Elementor Plugin
The Premium Addons for Elementor plugin for WordPress is vulnerable to Regular Expression Denial of Service (ReDoS) in all versions up to, and including, 4.10.35. This is due to processing user-supplied input as a regular expression. This makes it possible for authenticated attackers, with Author-level access and above, to create and query a malicious post title, resulting in slowing server resources.
PLUGIN
Premium Addons For Elementor
CVE-2024-6434
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3073 - Easy Wp Smtp Plugin
The Easy WP SMTP by SendLayer – WordPress SMTP and Email Log Plugin plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 2.3.0. This is due to plugin providing the SMTP password in the SMTP Password field when viewing the settings. This makes it possible for authenticated attackers, with administrative-level access and above, to view the SMTP password for the supplied server. Although this would not be useful for attackers in most cases, if an administrator account becomes compromised this could be useful information…
PLUGIN
Easy Wp Smtp
CVE-2024-3073
Risk Score
Threat Entry
Updated 2025-05-21
CVE-2024-3920 - Flattr Plugin
The Flattr WordPress plugin through 1.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Flattr
CVE-2024-3920
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-2220 - Call Chat Contact Button Plugin
The Button contact VR WordPress plugin through 4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Call Chat Contact Button
CVE-2024-2220
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-22139 - WordPress Core
Authentication Bypass by Spoofing vulnerability in Filipe Seabra WordPress Manutenção allows Functionality Bypass.This issue affects WordPress Manutenção: from n/a through 1.0.6.
CORE
WordPress Core
CVE-2024-22139
Risk Score