
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2025-03-05

CVE-2024-13778 - Hero Mega Menu Responsive Wordpress Menu Plugin

The Hero Mega Menu - Responsive WordPress Menu Plugin plugin for WordPress is vulnerable to SQL Injection via several functions in all versions up to, and including, 1.16.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Hero Mega Menu Responsive Wordpress Menu

CVE-2024-13778

MEDIUM CVSS 6.5 2025-03-05
Threat Entry Updated 2025-05-26

CVE-2024-13757 - Master Slider Plugin

The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ms_layer shortcode in all versions up to, and including, 3.10.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Master Slider

CVE-2024-13757

MEDIUM CVSS 6.4 2025-03-05
Threat Entry Updated 2025-03-05

CVE-2024-13747 - Woomail Woocommerce Email Customizer Plugin

The WooMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'template_delete_saved' function in all versions up to, and including, 3.0.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject SQL into an existing post deletion query.

PLUGIN Woomail Woocommerce Email Customizer

CVE-2024-13747

MEDIUM CVSS 4.3 2025-03-05
Threat Entry Updated 2025-03-05

CVE-2024-12815 - Point Maker Plugin

The Point Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'point_maker' shortcode in all versions up to, and including, 0.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Point Maker

CVE-2024-12815

MEDIUM CVSS 6.4 2025-03-05
Threat Entry Updated 2025-05-26

CVE-2024-11731 - Master Slider Plugin

The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ms_slider shortcode in all versions up to, and including, 3.10.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Master Slider

CVE-2024-11731

MEDIUM CVSS 6.4 2025-03-05
Threat Entry Updated 2025-03-05

CVE-2025-1008 - Recently Purchased Products For Woo Plugin

The Recently Purchased Products For Woo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘view’ parameter in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Recently Purchased Products For Woo

CVE-2025-1008

MEDIUM CVSS 6.4 2025-03-05
Threat Entry Updated 2025-03-05

CVE-2025-1435 - Bbpress Plugin

The bbPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.11. This is due to missing or incorrect nonce validation on the bbp_user_add_role_on_register() function. This makes it possible for unauthenticated attackers to elevate their privileges to that of a bbPress Keymaster via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Rather than implementing a nonce check to provide protection against this vulnerability, which would break functionality, the plugin no longer…

PLUGIN Bbpress

CVE-2025-1435

MEDIUM CVSS 6.3 2025-03-05
Threat Entry Updated 2025-03-05

CVE-2024-13866 - Simple Notification Plugin

The Simple Notification plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Simple Notification

CVE-2024-13866

MEDIUM CVSS 6.4 2025-03-05
Threat Entry Updated 2025-05-26

CVE-2024-13350 - Searchiq Plugin

The SearchIQ – The Search Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siq_searchbox' shortcode in all versions up to, and including, 4.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Searchiq

CVE-2024-13350

MEDIUM CVSS 6.4 2025-03-05
Threat Entry Updated 2025-03-05

CVE-2024-13827 - Razorpay Subscription Button Elementor Plugin

The Razorpay Subscription Button Elementor Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg() and remove_query_arg() functions without appropriate escaping on the URL in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Razorpay Subscription Button Elementor

CVE-2024-13827

MEDIUM CVSS 6.1 2025-03-05
Threat Entry Updated 2025-03-05

CVE-2024-8682 - Jnews Wordpress Newspaper Magazine Blog Amp Theme

The JNews - WordPress Newspaper Magazine Blog AMP Theme theme for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 11.6.6. This is due to the theme not properly validating whether the "users can register" option is enabled prior to creating a user through the register_handler() function. This makes it possible for unauthenticated attackers to register as a user even when user registration is disabled.

THEME Jnews Wordpress Newspaper Magazine Blog Amp Theme

CVE-2024-8682

MEDIUM CVSS 5.3 2025-03-05
Threat Entry Updated 2025-03-05

CVE-2025-0990 - I Am Gloria Plugin

The I Am Gloria plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.4. This is due to missing or incorrect nonce validation on the iamgloria23_gloria_settings_page function. This makes it possible for unauthenticated attackers to reset the tenant ID via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN I Am Gloria

CVE-2025-0990

MEDIUM CVSS 4.3 2025-03-05
Threat Entry Updated 2025-03-05

CVE-2025-0370 - Shortcodes Ultimate Plugin

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘src’ parameter in all versions up to, and including, 7.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Shortcodes Ultimate

CVE-2025-0370

MEDIUM CVSS 6.4 2025-03-04
Threat Entry Updated 2025-03-05

CVE-2025-0958 - Ultimate Auction Plugin

The Ultimate WordPress Auction Plugin plugin for WordPress is vulnerable to unauthorized access to functionality in all versions up to, and including, 4.2.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary auctions, posts and pages, and to execute other actions related to auction handling.

PLUGIN Ultimate Auction

CVE-2025-0958

MEDIUM CVSS 5.4 2025-03-04
Threat Entry Updated 2025-03-05

CVE-2025-0512 - Structured Content Plugin

The Structured Content (JSON-LD) #wpsc plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sc_fs_local_business shortcode in all versions up to, and including, 6.4.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Structured Content

CVE-2025-0512

MEDIUM CVSS 6.4 2025-03-04
Threat Entry Updated 2025-03-04

CVE-2025-0433 - Master Addons Plugin

The Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 2.0.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Master Addons

CVE-2025-0433

MEDIUM CVSS 6.4 2025-03-04
Threat Entry Updated 2025-03-04

CVE-2024-9618 - Master Addons Plugin

The Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 2.0.7.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Master Addons

CVE-2024-9618

MEDIUM CVSS 6.4 2025-03-04
Threat Entry Updated 2025-03-04

CVE-2024-13724 - Wallet System For Woocommerce Plugin

The Wallet System for WooCommerce – Wallet, Wallet Cashback, Refunds, Partial Payment, Wallet Restriction plugin for WordPress is vulnerable to unauthorized access to functionality in all versions up to, and including, 2.6.2. This makes it possible for unauthenticated attackers to increase their own wallet balance, transfer balances between arbitrary users and initiate transfer requests from other users' wallets.

PLUGIN Wallet System For Woocommerce

CVE-2024-13724

MEDIUM CVSS 4.3 2025-03-04
Threat Entry Updated 2025-03-04

CVE-2024-13682 - Wallet System For Woocommerce Plugin

The Wallet System for WooCommerce – Wallet, Wallet Cashback, Refunds, Partial Payment, Wallet Restriction plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.2. This is due to missing or incorrect nonce validation in class-wallet-user-table.php. This makes it possible for unauthenticated attackers to modify wallet balances via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Wallet System For Woocommerce

CVE-2024-13682

MEDIUM CVSS 4.3 2025-03-04
Threat Entry Updated 2025-05-14

CVE-2024-13685 - Before 7 Plugin

The Admin and Site Enhancements (ASE) WordPress plugin before 7.6.10 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate their value in order to bypass the plugin's login limit feature.

PLUGIN Before 7

CVE-2024-13685

MEDIUM CVSS 5.3 2025-03-04