Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-03-05
CVE-2024-5667 - Wp Featherlight Plugin
Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Featherlight.js JavaScript library (versions 1.7.13 to 1.7.14) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Featherlight
CVE-2024-5667
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-13839 - Staff Directory Pro Plugin
The Staff Directory Plugin: Company Directory plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 4.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Staff Directory Pro
CVE-2024-13839
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-13809 - Hero Slider Wordpress Slider Plugin
The Hero Slider - WordPress Slider Plugin plugin for WordPress is vulnerable to SQL Injection via several parameters in all versions up to, and including, 1.3.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Hero Slider Wordpress Slider
CVE-2024-13809
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-13811 - Food Delivery Woocommerce Theme
The Lafka - Multi Store Burger - Pizza & Food Delivery WooCommerce Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'lafka_import_lafka' AJAX actions in all versions up to, and including, 4.5.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo data that overrides the site.
THEME
Food Delivery Woocommerce Theme
CVE-2024-13811
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-13810 - Zass Woocommerce Theme For Handmade Artists And Artisans
The Zass - WooCommerce Theme for Handmade Artists and Artisans theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'zass_import_zass' AJAX actions in all versions up to, and including, 3.9.9.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo content and overwrite the site.
THEME
Zass Woocommerce Theme For Handmade Artists And Artisans
CVE-2024-13810
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-13787 - Theme For Wordpress Is Vulnerable To Php Object Injection In All Versions Up To
The VEDA - MultiPurpose WordPress Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.2 via deserialization of untrusted input in the 'veda_backup_and_restore_action' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin…
THEME
Theme For Wordpress Is Vulnerable To Php Object Injection In All Versions Up To
CVE-2024-13787
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-13780 - Hero Mega Menu Responsive Wordpress Menu Plugin
The Hero Mega Menu - Responsive WordPress Menu Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the hmenu_delete_menu() function in all versions up to, and including, 1.16.5. This makes it possible for unauthenticated attackers to delete arbitrary directories on the server.
PLUGIN
Hero Mega Menu Responsive Wordpress Menu
CVE-2024-13780
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-13779 - Hero Mega Menu Responsive Wordpress Menu Plugin
The Hero Mega Menu - Responsive WordPress Menu Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'index' parameter in all versions up to, and including, 1.16.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Hero Mega Menu Responsive Wordpress Menu
CVE-2024-13779
Risk Score
Threat Entry
Updated 2025-05-26
CVE-2024-13777 - Zoomsounds Plugin
The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.91 via deserialization of untrusted input from the 'margs' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme…
PLUGIN
Zoomsounds
CVE-2024-13777
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-13778 - Hero Mega Menu Responsive Wordpress Menu Plugin
The Hero Mega Menu - Responsive WordPress Menu Plugin plugin for WordPress is vulnerable to SQL Injection via several functions in all versions up to, and including, 1.16.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Hero Mega Menu Responsive Wordpress Menu
CVE-2024-13778
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-13232 - Export Wordpress Data Plugin
The WordPress Awesome Import & Export Plugin - Import & Export WordPress Data plugin for WordPress is vulnerable arbitrary SQL Execution and privilege escalation due to a missing capability check on the renderImport() function in all versions up to, and including, 4.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary SQL statements that can leveraged to create a new administrative user account.
PLUGIN
Export Wordpress Data
CVE-2024-13232
Risk Score
Threat Entry
Updated 2025-05-26
CVE-2024-13757 - Master Slider Plugin
The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ms_layer shortcode in all versions up to, and including, 3.10.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Master Slider
CVE-2024-13757
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-13747 - Woomail Woocommerce Email Customizer Plugin
The WooMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'template_delete_saved' function in all versions up to, and including, 3.0.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject SQL into an existing post deletion query.
PLUGIN
Woomail Woocommerce Email Customizer
CVE-2024-13747
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-12815 - Point Maker Plugin
The Point Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'point_maker' shortcode in all versions up to, and including, 0.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Point Maker
CVE-2024-12815
Risk Score
Threat Entry
Updated 2025-05-26
CVE-2024-11731 - Master Slider Plugin
The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ms_slider shortcode in all versions up to, and including, 3.10.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Master Slider
CVE-2024-11731
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2025-1008 - Recently Purchased Products For Woo Plugin
The Recently Purchased Products For Woo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘view’ parameter in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Recently Purchased Products For Woo
CVE-2025-1008
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2025-1435 - Bbpress Plugin
The bbPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.11. This is due to missing or incorrect nonce validation on the bbp_user_add_role_on_register() function. This makes it possible for unauthenticated attackers to elevate their privileges to that of a bbPress Keymaster via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Rather than implementing a nonce check to provide protection against this vulnerability, which would break functionality, the plugin no longer…
PLUGIN
Bbpress
CVE-2025-1435
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-13866 - Simple Notification Plugin
The Simple Notification plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Simple Notification
CVE-2024-13866
Risk Score
Threat Entry
Updated 2025-05-26
CVE-2024-13350 - Searchiq Plugin
The SearchIQ – The Search Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siq_searchbox' shortcode in all versions up to, and including, 4.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Searchiq
CVE-2024-13350
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-13827 - Razorpay Subscription Button Elementor Plugin
The Razorpay Subscription Button Elementor Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg() and remove_query_arg() functions without appropriate escaping on the URL in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Razorpay Subscription Button Elementor
CVE-2024-13827
Risk Score