Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-05-26
CVE-2024-13358 - Buddypress Woocommerce My Account Integration Plugin
The BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wc4bp_delete_page() function in all versions up to, and including, 3.4.24. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugins page setting.
PLUGIN
Buddypress Woocommerce My Account Integration
CVE-2024-13358
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2025-1319 - Site Mailer Plugin
The Site Mailer – SMTP Replacement, Email API Deliverability & Email Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Site Mailer
CVE-2025-1319
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2024-10860 - Nextmove Plugin
The NextMove Lite – Thank You Page for WooCommerce plugin for WordPress is vulnerable to unauthorized submission of data due to a missing capability check on the _submit_uninstall_reason_action() function in all versions up to, and including, 2.19.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit a deactivation reason on behalf of a site.
PLUGIN
Nextmove
CVE-2024-10860
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2025-1662 - Url Media Uploader Plugin
The URL Media Uploader plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.0 via the 'url_media_uploader_url_upload' action. This makes it possible for authenticated attackers, with author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Url Media Uploader
CVE-2025-1662
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2025-1560 - Wow Entrance Effects Wee Plugin
The WOW Entrance Effects (WEE!) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wee' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wow Entrance Effects Wee
CVE-2025-1560
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2024-9019 - Secupress Plugin
The SecuPress Free — WordPress Security plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's secupress_check_ban_ips_form shortcode in all versions up to, and including, 2.2.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Secupress
CVE-2024-9019
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2024-13638 - Order Attachments For Woocommerce Plugin
The Order Attachments for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.1 via the 'uploads' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads directory which can contain file attachments added to orders.
PLUGIN
Order Attachments For Woocommerce
CVE-2024-13638
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2024-13851 - Modal Portfolio Plugin
The Modal Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Modal Portfolio
CVE-2024-13851
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2024-13832 - Ultra Addons Lite For Elementor Plugin
The Ultra Addons Lite for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.8 via the 'ut_elementor' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.
PLUGIN
Ultra Addons Lite For Elementor
CVE-2024-13832
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2024-13716 - Forex Calculators Plugin
The Forex Calculators plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_settings_callback() function in all versions up to, and including, 1.3.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings.
PLUGIN
Forex Calculators
CVE-2024-13716
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2024-13469 - Pricing Table Plugin
The Pricing Table by PickPlugins plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Button Link in all versions up to, and including, 1.12.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Pricing Table
CVE-2024-13469
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2025-1572 - Kivicare Plugin
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the ‘u_id’ parameter in all versions up to, and including, 3.6.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with doctor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Kivicare
CVE-2025-1572
Risk Score
Threat Entry
Updated 2025-03-07
CVE-2025-1571 - Exclusive Addons For Elementor Plugin
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Animated Text and Image Comparison Widgets in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Exclusive Addons For Elementor
CVE-2025-1571
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2025-1405 - Product Catalog Simple Plugin
The Product Catalog Simple plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's show_products shortcode in all versions up to, and including, 1.7.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Product Catalog Simple
CVE-2025-1405
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2025-0764 - Wpforo Forum Plugin
The wpForo Forum plugin for WordPress is vulnerable to arbitrary file read due to insufficient input validation in the 'update' method of the 'Members' class in all versions up to, and including, 2.4.1. This makes it possible for authenticated attackers, with subscriber-level privileges or higher, to read arbitrary files on the server.
PLUGIN
Wpforo Forum
CVE-2025-0764
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2025-1511 - User Registration Plugin
The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 4.0.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
User Registration
CVE-2025-1511
Risk Score
Threat Entry
Updated 2025-08-01
CVE-2025-1506 - Wp Social Login And Register Social Counter Plugin
The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.0. This is due to missing or incorrect nonce validation on the counter_access_key_setup() function. This makes it possible for unauthenticated attackers to update social login provider settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Wp Social Login And Register Social Counter
CVE-2025-1506
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2024-12820 - Mk Google Directions Plugin
The MK Google Directions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'MKGD' shortcode in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Mk Google Directions
CVE-2024-12820
Risk Score
Threat Entry
Updated 2025-03-10
CVE-2025-1757 - Portfoliohub Plugin
The WordPress Portfolio Builder – Portfolio Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pfhub_portfolio' and 'pfhub_portfolio_portfolio' shortcodes in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Portfoliohub
CVE-2025-1757
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2025-1505 - Advanced Ajax Product Filters Plugin
The Advanced AJAX Product Filters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'nonce' parameter in all versions up to, and including, 1.6.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Advanced Ajax Product Filters
CVE-2025-1505
Risk Score