Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-03-28
CVE-2025-1657 - Ulisting Plugin
The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to unauthorized modification of data and PHP Object Injection due to a missing capability check on the stm_listing_ajax AJAX action in all versions up to, and including, 2.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to update post meta data and inject PHP Objects that may be unserialized.
PLUGIN
Ulisting
CVE-2025-1657
Risk Score
Threat Entry
Updated 2025-03-28
CVE-2025-1653 - Ulisting Plugin
The Directory Listings WordPress plugin – uListing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.7. This is due to the stm_listing_profile_edit AJAX action not having enough restriction on the user meta that can be updated. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
PLUGIN
Ulisting
CVE-2025-1653
Risk Score
Threat Entry
Updated 2025-03-25
CVE-2025-2232 - Realteo Plugin
The Realteo - Real Estate Plugin by Purethemes plugin for WordPress, used by the Findeo Theme, is vulnerable to authentication bypass in all versions up to, and including, 1.2.8. This is due to insufficient role restrictions in the 'do_register_user' function. This makes it possible for unauthenticated attackers to register an account with the Administrator role.
PLUGIN
Realteo
CVE-2025-2232
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2024-13773 - Civi Plugin
The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4 via hard-coded credentials. This makes it possible for unauthenticated attackers to extract sensitive data including LinkedIn client and secret keys.
PLUGIN
Civi
CVE-2024-13773
Risk Score
Threat Entry
Updated 2025-03-28
CVE-2024-13771 - Civi Plugin
The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of user validation before changing a password. This makes it possible for unauthenticated attackers to change the password of arbitrary users, including administrators, if the attacker knows the username of the victim.
PLUGIN
Civi
CVE-2024-13771
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2024-12810 - Jobcareer Plugin
The JobCareer | Job Board Responsive WordPress Theme theme for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability checks on multiple functions in all versions up to, and including, 7.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files, generate backups, restore backups, update theme options, and reset theme options to default settings.
PLUGIN
Jobcareer
CVE-2024-12810
Risk Score
Threat Entry
Updated 2025-06-17
CVE-2024-13772 - Civi Plugin
The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.6.1. This is due to a lack of password randomization and user validation through the fb_ajax_login_or_register and google_ajax_login_or_register actions. This makes it possible for unauthenticated attackers to login as any user as long as they have access to the email.
PLUGIN
Civi
CVE-2024-13772
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-1507 - Dashboard For Google Analytics Plugin
The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_actions() function in all versions up to, and including, 3.2.1. This makes it possible for unauthenticated attackers to disable all features.
PLUGIN
Dashboard For Google Analytics
CVE-2025-1507
Risk Score
Threat Entry
Updated 2025-03-24
CVE-2025-1526 - Dethemekit For Elementor
The DethemeKit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the De Product Display Widget (countdown feature) in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
THEME
Dethemekit For Elementor
CVE-2025-1526
Risk Score
Threat Entry
Updated 2025-03-21
CVE-2024-13321 - Analyticswp Plugin
The AnalyticsWP plugin for WordPress is vulnerable to SQL Injection via the 'custom_sql' parameter in all versions up to, and including, 2.0.0 due to insufficient authorization checks on the handle_get_stats() function. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Analyticswp
CVE-2024-13321
Risk Score
Threat Entry
Updated 2025-03-21
CVE-2024-13407 - Omnipress Plugin
The Omnipress plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.5.4 via the megamenu block due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.
PLUGIN
Omnipress
CVE-2024-13407
Risk Score
Threat Entry
Updated 2025-03-21
CVE-2025-2221 - Wpcom Member Plugin
The WPCOM Member plugin for WordPress is vulnerable to time-based SQL Injection via the ‘user_phone’ parameter in all versions up to, and including, 1.7.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Wpcom Member
CVE-2025-2221
Risk Score
Threat Entry
Updated 2025-03-21
CVE-2024-13824 - Ciyashop Plugin
The CiyaShop - Multipurpose WooCommerce Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.19.0 via deserialization of untrusted input in the 'add_ciyashop_wishlist' and 'ciyashop_get_compare' functions. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed…
PLUGIN
Ciyashop
CVE-2024-13824
Risk Score
Threat Entry
Updated 2025-03-21
CVE-2025-2103 - Soundrise Plugin
The SoundRise Music plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on theironMusic_ajax() function in all versions up to, and including, 1.6.11. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
PLUGIN
Soundrise
CVE-2025-2103
Risk Score
Threat Entry
Updated 2025-03-21
CVE-2025-2289 - Zegen Plugin
The Zegen - Church WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX endpoints in all versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import, export, and update theme options.
PLUGIN
Zegen
CVE-2025-2289
Risk Score
Threat Entry
Updated 2025-03-14
CVE-2024-13913 - Instawp Connect Plugin
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.0.83. This is due to missing or incorrect nonce validation in the '/migrate/templates/main.php' file. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can…
PLUGIN
Instawp Connect
CVE-2024-13913
Risk Score
Threat Entry
Updated 2025-03-14
CVE-2025-0952 - Eco Nature - Environment & Ecology WordPress Theme
The Eco Nature - Environment & Ecology WordPress Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'cmsmasters_hide_admin_notice' AJAX action in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 'hide' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users…
THEME
Eco Nature - Environment & Ecology WordPress Theme
CVE-2025-0952
Risk Score
Threat Entry
Updated 2025-03-14
CVE-2025-1764 - LoginPress | wp-login Custom Login Page Customizer Plugin
The LoginPress | wp-login Custom Login Page Customizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.1. This is due to missing or incorrect nonce validation on the 'custom_plugin_set_option' function. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This can be leveraged to update the default role for registration to administrator and enable user…
PLUGIN
LoginPress | wp-login Custom Login Page Customizer
CVE-2025-1764
Risk Score
Threat Entry
Updated 2025-03-14
CVE-2024-13376 - Industrial Theme
The Industrial theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the _ajax_get_total_content_import_items() function in all versions up to, and including, 1.7.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
THEME
Industrial
CVE-2024-13376
Risk Score
Threat Entry
Updated 2025-06-20
CVE-2025-2056 - Hide My Wp Ghost Plugin
The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 5.4.01 via the showFile function. This makes it possible for unauthenticated attackers to read the contents of specific file types on the server, which can contain sensitive information.
PLUGIN
Hide My Wp Ghost
CVE-2025-2056
Risk Score