Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 | Critical: 923 | High: 3,047 | Medium: 10,866
Threat Entry Updated 2025-03-22

CVE-2024-13768 - Cits Support Svg Webp Media Upload Plugin

The CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2. This is due to missing or incorrect nonce validation on the cits_assign_fonts_tab() function. This makes it possible for unauthenticated attackers to delete font assignments via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Cits Support Svg Webp Media Upload

CVE-2024-13768

MEDIUM CVSS 4.3 2025-03-22
Threat Entry Updated 2025-03-27

CVE-2025-0724 - Profilegrid Plugin

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.9.4.5 via deserialization of untrusted input in the get_user_meta_fields_html function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an…

PLUGIN Profilegrid

CVE-2025-0724

HIGH CVSS 8.8 2025-03-22
Threat Entry Updated 2025-03-27

CVE-2025-0723 - Profilegrid Plugin

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to blind and time-based SQL Injection via the rid and search parameters in all versions up to, and including, 5.9.4.7 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Profilegrid

CVE-2025-0723

MEDIUM CVSS 6.5 2025-03-22
Threat Entry Updated 2025-03-27

CVE-2025-1408 - Profilegrid Plugin

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pm_decline_join_group_request and pm_approve_join_group_request functions in all versions up to, and including, 5.9.4.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to approve or decline group join requests, an action that should normally be available to administrators only.

PLUGIN Profilegrid

CVE-2025-1408

MEDIUM CVSS 4.3 2025-03-22
Threat Entry Updated 2025-03-27

CVE-2024-13739 - Newsletters Plugin

The Newsletters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the "to" parameter in all versions up to, and including, 4.9.9.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an admin user into performing an action such as clicking on a link.

PLUGIN Newsletters

CVE-2024-13739

MEDIUM CVSS 6.1 2025-03-22
Threat Entry Updated 2025-03-27

CVE-2024-13737 - Motors Car Dealer Classifieds Listing Plugin

The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the motors_create_template and motors_delete_template functions in all versions up to, and including, 1.4.57. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts or create listing templates. This issue requires the Elementor plugin to be installed, which is a required plugin for the Motors Starter Theme.

PLUGIN Motors Car Dealer Classifieds Listing

CVE-2024-13737

MEDIUM CVSS 4.3 2025-03-22
Threat Entry Updated 2025-08-11

CVE-2025-2539 - File Away Plugin

The File Away plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers, leveraging the use of a reversible weak algorithm, to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN File Away

CVE-2025-2539

HIGH CVSS 7.5 2025-03-20
Threat Entry Updated 2025-03-26

CVE-2025-1802 - Ht Mega Plugin

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_title', 'notification_content', and 'stt_button_text' parameters in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.3.

PLUGIN Ht Mega

CVE-2025-1802

MEDIUM CVSS 6.4 2025-03-20
Threat Entry Updated 2025-03-26

CVE-2024-13923 - Order Export Order Import For Woocommerce Plugin

The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.6.0 via the validate_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Order Export Order Import For Woocommerce

CVE-2024-13923

HIGH CVSS 7.6 2025-03-20
Threat Entry Updated 2025-03-27

CVE-2024-13558 - Np Quote Request For Woocommerce Plugin

The NP Quote Request for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.179 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to read the content of quote requests.

PLUGIN Np Quote Request For Woocommerce

CVE-2024-13558

HIGH CVSS 7.5 2025-03-20
Threat Entry Updated 2025-03-26

CVE-2024-13921 - Order Export Order Import For Woocommerce Plugin

The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.0 via deserialization of untrusted input from the 'form_data' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an…

PLUGIN Order Export Order Import For Woocommerce

CVE-2024-13921

HIGH CVSS 7.2 2025-03-20
Threat Entry Updated 2025-03-27

CVE-2024-13920 - Order Export Order Import For Woocommerce Plugin

The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.6.0 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary log files on the server, which can contain sensitive information.

PLUGIN Order Export Order Import For Woocommerce

CVE-2024-13920

MEDIUM CVSS 4.9 2025-03-20
Threat Entry Updated 2025-03-26

CVE-2024-13922 - Order Export Order Import For Woocommerce Plugin

The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.6.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the server.

PLUGIN Order Export Order Import For Woocommerce

CVE-2024-13922

LOW CVSS 2.7 2025-03-20
Threat Entry Updated 2025-03-20

CVE-2025-2505 - Age Gate Plugin

The Age Gate plugin for WordPress is vulnerable to Local PHP File Inclusion in all versions up to, and including, 3.5.3 via the 'lang' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

PLUGIN Age Gate

CVE-2025-2505

CRITICAL CVSS 9.8 2025-03-20
Threat Entry Updated 2025-03-20

CVE-2025-2108 - 140+ Widgets | Xpro Addons For Elementor – FREE Plugin

The 140+ Widgets | Xpro Addons For Elementor – FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Site Title' widget's 'title_tag' and 'html_tag' parameters in all versions up to, and including, 1.4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN 140+ Widgets | Xpro Addons For Elementor – FREE

CVE-2025-2108

MEDIUM CVSS 6.4 2025-03-20
Threat Entry Updated 2025-07-08

CVE-2025-1770 - Eventin Plugin

The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.24 via the 'style' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

PLUGIN Eventin

CVE-2025-1770

HIGH CVSS 8.8 2025-03-20
Threat Entry Updated 2025-04-08

CVE-2024-13881 - Linkmyposts Plugin

The Link My Posts WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Linkmyposts

CVE-2024-13881

HIGH CVSS 7.1 2025-03-20
Threat Entry Updated 2025-04-08

CVE-2024-13880 - My Quota Plugin

The My Quota WordPress plugin through 1.0.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN My Quota

CVE-2024-13880

HIGH CVSS 7.1 2025-03-20
Threat Entry Updated 2025-04-08

CVE-2024-13878 - Spotbot Plugin

The SpotBot WordPress plugin through 0.1.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Spotbot

CVE-2024-13878

HIGH CVSS 7.1 2025-03-20
Threat Entry Updated 2025-04-09

CVE-2024-13877 - Passbeemedia Web Push Notification Plugin

The Passbeemedia Web Push Notification WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Passbeemedia Web Push Notification

CVE-2024-13877

HIGH CVSS 7.1 2025-03-20