Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-02-17
CVE-2024-13879 - Stream Plugin
The Stream plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.2 due to insufficient validation on the webhook feature. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
PLUGIN
Stream
CVE-2024-13879
Risk Score
Threat Entry
Updated 2025-05-23
CVE-2024-13627 - Owl Carousel Slider Plugin
The OWL Carousel Slider WordPress plugin through 2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Owl Carousel Slider
CVE-2024-13627
Risk Score
Threat Entry
Updated 2025-05-14
CVE-2024-13603 - Wise Forms Plugin
The Wise Forms WordPress plugin through 1.2.0 does not sanitise and escape some of its settings, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks via malicious form submissions.
PLUGIN
Wise Forms
CVE-2024-13603
Risk Score
Threat Entry
Updated 2025-05-14
CVE-2024-13608 - Track Logins Plugin
The Track Logins WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
PLUGIN
Track Logins
CVE-2024-13608
Risk Score
Threat Entry
Updated 2025-02-16
CVE-2025-22676 - AWS S3 for WordPress Plugin – Upcasted
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in upcasted AWS S3 for WordPress Plugin – Upcasted allows Stored XSS. This issue affects AWS S3 for WordPress Plugin – Upcasted: from n/a through 3.0.3.
PLUGIN
AWS S3 for WordPress Plugin – Upcasted
CVE-2025-22676
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2024-13834 - Responsive Addons Plugin
The Responsive Plus – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.1.4 via the 'remote_request' function. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Responsive Addons
CVE-2024-13834
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2025-0822 - Bit Assist Plugin
Bit Assist plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.2 via the fileID Parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Bit Assist
CVE-2025-0822
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2024-13500 - Wp Project Manager Plugin
The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 2.6.17 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Wp Project Manager
CVE-2024-13500
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2024-13439 - Team Plugin
The Team – Team Members Showcase Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the response() function in all versions up to, and including, 4.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings.
PLUGIN
Team
CVE-2024-13439
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2024-10581 - Directorypress Plugin
The DirectoryPress Frontend plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.9. This is due to missing or incorrect nonce validation on the dpfl_listingStatusChange() function. This makes it possible for unauthenticated attackers to update listing statuses via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Directorypress
CVE-2024-10581
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2024-13752 - Wp Project Manager Plugin
The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check in the '/pm/v2/settings/notice' endpoint all versions up to, and including, 2.6.17. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cause a persistent denial of service condition.
PLUGIN
Wp Project Manager
CVE-2024-13752
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2025-1005 - Elementskit Elementor Addons Plugin
The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Accordion widget in all versions up to, and including, 3.4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Elementskit Elementor Addons
CVE-2025-1005
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2025-0935 - Media Library Folders Plugin
The Media Library Folders plugin for WordPress is vulnerable to unauthorized plugin settings change due to a missing capability check on several AJAX actions in all versions up to, and including, 8.3.0. This makes it possible for authenticated attackers, with Author-level access and above, to change plugin settings related to things such as IP-blocking.
PLUGIN
Media Library Folders
CVE-2025-0935
Risk Score
Threat Entry
Updated 2025-02-28
CVE-2024-13563 - Front End Users Plugin
The Front End Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's forgot-password shortcode in all versions up to, and including, 3.2.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Front End Users
CVE-2024-13563
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2024-13525 - Customer Email Verification For Woocommerce Plugin
The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4 via Shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including emails as well as hashed passwords of any user.
PLUGIN
Customer Email Verification For Woocommerce
CVE-2024-13525
Risk Score
Threat Entry
Updated 2025-05-14
CVE-2024-13306 - Maps Plugin Using Google Maps For Wordpress
The Maps Plugin using Google Maps for WordPress WordPress plugin before 1.9.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Maps Plugin Using Google Maps For Wordpress
CVE-2024-13306
Risk Score
Threat Entry
Updated 2025-05-14
CVE-2024-13208 - Maps Plugin Using Google Maps For Wordpress
The Maps Plugin using Google Maps for WordPress WordPress plugin before 1.9.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Maps Plugin Using Google Maps For Wordpress
CVE-2024-13208
Risk Score
Threat Entry
Updated 2025-02-25
CVE-2025-0821 - Bit Assist Plugin
Bit Assist plugin for WordPress is vulnerable to time-based SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Bit Assist
CVE-2025-0821
Risk Score
Threat Entry
Updated 2025-02-25
CVE-2024-13791 - Bit Assist Plugin
Bit Assist plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.2 via the downloadResponseFile() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Bit Assist
CVE-2024-13791
Risk Score
Threat Entry
Updated 2025-02-25
CVE-2024-13735 - Hurrytimer Plugin
The HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.11.2 due to insufficient input sanitization and output escaping of a campaign name. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Hurrytimer
CVE-2024-13735
Risk Score