Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-08-11
CVE-2025-1766 - Eventin Plugin
The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'payment_complete' function in all versions up to, and including, 4.0.24. This makes it possible for unauthenticated attackers to update the status of ticket payments to 'completed', possibly resulting in financial loss.
PLUGIN
Eventin
CVE-2025-1766
Risk Score
Threat Entry
Updated 2025-03-20
CVE-2025-1314 - Custom Twitter Feeds – A Tweets Widget or X Feed Widget Plugin
The Custom Twitter Feeds – A Tweets Widget or X Feed Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.5. This is due to missing or incorrect nonce validation on the ctf_clear_cache_admin() function. This makes it possible for unauthenticated attackers to reset the plugin's cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Custom Twitter Feeds – A Tweets Widget or X Feed Widget
CVE-2025-1314
Risk Score
Threat Entry
Updated 2025-04-09
CVE-2024-13876 - Meintopf Plugin
The mEintopf WordPress plugin through 0.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Meintopf
CVE-2024-13876
Risk Score
Threat Entry
Updated 2025-04-10
CVE-2024-13875 - Wp Pmanager Plugin
The WP-PManager WordPress plugin through 1.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Wp Pmanager
CVE-2024-13875
Risk Score
Threat Entry
Updated 2025-08-11
CVE-2025-2512 - File Away Plugin
The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and including, 3.9.9.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
File Away
CVE-2025-2512
Risk Score
Threat Entry
Updated 2025-03-19
CVE-2024-13933 - Delivery Restaurant Directory Wordpress Theme
The FoodBakery | Delivery Restaurant Directory WordPress Theme theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.7. This is due to missing or incorrect nonce validation on the foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theme_option_save, export_widget_settings, ajax_import_widget_data, foodbakery_var_settings_backup_generate, foodbakery_var_backup_file_restore, and theme_option_rest_all functions. This makes it possible for unauthenticated attackers to delete arbitrary files, update theme options, export widget options, import widget options, generate backups, restore backups, and reset theme options via a forged request granted they can trick a site administrator into performing an action such…
THEME
Delivery Restaurant Directory Wordpress Theme
CVE-2024-13933
Risk Score
Threat Entry
Updated 2025-03-19
CVE-2025-2511 - AHAthat Plugin
The AHAthat Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' parameter in all versions up to, and including, 1.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
AHAthat Plugin
CVE-2025-2511
Risk Score
Threat Entry
Updated 2025-03-19
CVE-2024-13442 - Service Finder Bookings Plugin
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.0. This is due to the plugin not properly validating a user's identity prior to (1) performing a post-booking auto-login or (2) updating their profile details (e.g. password). This makes it possible for unauthenticated attackers to (1) login as an arbitrary user if their email address is known or (2) change an arbitrary user's password, including administrators, and leverage that to gain access to their account.
PLUGIN
Service Finder Bookings
CVE-2024-13442
Risk Score
Threat Entry
Updated 2025-03-19
CVE-2024-12920 - Delivery Restaurant Directory Wordpress Theme
The FoodBakery | Delivery Restaurant Directory WordPress Theme theme for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theme_option_save, export_widget_settings, ajax_import_widget_data, foodbakery_var_settings_backup_generate, foodbakery_var_backup_file_restore, and theme_option_rest_all functions in all versions up to, and including, 4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files, update theme options, export widget options, import widget options, generate backups, restore backups, and reset theme options.
THEME
Delivery Restaurant Directory Wordpress Theme
CVE-2024-12920
Risk Score
Threat Entry
Updated 2025-03-19
CVE-2024-13790 - High Converting Ecommerce Wordpress Theme
The MinimogWP – The High Converting eCommerce WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.7.0 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
THEME
High Converting Ecommerce Wordpress Theme
CVE-2024-13790
Risk Score
Threat Entry
Updated 2025-03-19
CVE-2024-13410 - WordPress Core
The CozyStay and TinySalt plugins for WordPress are vulnerable to PHP Object Injection in all versions up to, and including, 1.7.0, and in all versions up to, and including 3.9.0, respectively, via deserialization of untrusted input in the 'ajax_handler' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via…
CORE
WordPress Core
CVE-2024-13410
Risk Score
Threat Entry
Updated 2025-03-19
CVE-2024-13412 - Cozystay Theme
The CozyStay theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_handler function in all versions up to, and including, 1.7.0. This makes it possible for unauthenticated attackers to execute arbitrary actions.
THEME
Cozystay
CVE-2024-13412
Risk Score
Threat Entry
Updated 2025-03-19
CVE-2024-12922 - Altair Theme
The Altair theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check within functions.php in all versions up to, and including, 5.2.4. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
THEME
Altair
CVE-2024-12922
Risk Score
Threat Entry
Updated 2025-05-09
CVE-2025-1232 - Site Reviews Plugin
The Site Reviews WordPress plugin before 7.2.5 does not properly sanitise and escape some of its Review fields, which could allow unauthenticated users to perform Stored XSS attacks
PLUGIN
Site Reviews
CVE-2025-1232
Risk Score
Threat Entry
Updated 2025-07-11
CVE-2025-2290 - Lifterlms Plugin
The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to Unauthenticated Post Trashing due to a missing capability check on the delete_access_plan function and the related AJAX calls in all versions up to, and including, 8.0.1. This makes it possible for unauthenticated attackers to change status to "Trash" for every published post, therefore limiting the availability of the website's content.
PLUGIN
Lifterlms
CVE-2025-2290
Risk Score
Threat Entry
Updated 2025-03-19
CVE-2024-12295 - Boombox Theme Extensions Plugin
The BoomBox Theme Extensions plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.8.0. This is due to the plugin not properly validating a user's identity prior to updating their password through the 'boombox_ajax_reset_password' function. This makes it possible for authenticated attackers, with subscriber-level privileges and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
PLUGIN
Boombox Theme Extensions
CVE-2024-12295
Risk Score
Threat Entry
Updated 2025-03-18
CVE-2024-12563 - S2member Pro Plugin
The s2Member Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 250214 via the 'template' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution.
PLUGIN
S2member Pro
CVE-2024-12563
Risk Score
Threat Entry
Updated 2025-03-18
CVE-2025-2262 - Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation Plugin
The The Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.7.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
PLUGIN
Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation
CVE-2025-2262
Risk Score
Threat Entry
Updated 2025-04-02
CVE-2025-1624 - Gdpr Cookie Compliance Plugin
The GDPR Cookie Compliance WordPress plugin before 4.15.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Gdpr Cookie Compliance
CVE-2025-1624
Risk Score
Threat Entry
Updated 2025-04-02
CVE-2025-1623 - Gdpr Cookie Compliance Plugin
The GDPR Cookie Compliance WordPress plugin before 4.15.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Gdpr Cookie Compliance
CVE-2025-1623
Risk Score