Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 | Critical: 923 | High: 3,047 | Medium: 10,866

Showing 5721-5740 of 15036 records
Threat Entry Updated 2025-03-05

CVE-2024-8682 - Jnews Wordpress Newspaper Magazine Blog Amp Theme

The JNews - WordPress Newspaper Magazine Blog AMP Theme theme for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 11.6.6. This is due to the theme not properly validating whether the "users can register" option is enabled prior to creating a user through the register_handler() function. This makes it possible for unauthenticated attackers to register as a user even when user registration is disabled.

THEME Jnews Wordpress Newspaper Magazine Blog Amp Theme

CVE-2024-8682

MEDIUM CVSS 5.3 2025-03-05
Threat Entry Updated 2025-03-05

CVE-2025-0990 - I Am Gloria Plugin

The I Am Gloria plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.4. This is due to missing or incorrect nonce validation on the iamgloria23_gloria_settings_page function. This makes it possible for unauthenticated attackers to reset the tenant ID via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN I Am Gloria

CVE-2025-0990

MEDIUM CVSS 4.3 2025-03-05
Threat Entry Updated 2025-03-05

CVE-2025-0370 - Shortcodes Ultimate Plugin

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘src’ parameter in all versions up to, and including, 7.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Shortcodes Ultimate

CVE-2025-0370

MEDIUM CVSS 6.4 2025-03-04
Threat Entry Updated 2025-03-05

CVE-2025-0958 - Ultimate Auction Plugin

The Ultimate WordPress Auction Plugin plugin for WordPress is vulnerable to unauthorized access to functionality in all versions up to, and including, 4.2.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary auctions, posts and pages, and to execute other actions related to auction handling.

PLUGIN Ultimate Auction

CVE-2025-0958

MEDIUM CVSS 5.4 2025-03-04
Threat Entry Updated 2025-03-05

CVE-2025-0512 - Structured Content Plugin

The Structured Content (JSON-LD) #wpsc plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sc_fs_local_business shortcode in all versions up to, and including, 6.4.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Structured Content

CVE-2025-0512

MEDIUM CVSS 6.4 2025-03-04
Threat Entry Updated 2025-03-04

CVE-2025-0433 - Master Addons Plugin

The Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 2.0.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Master Addons

CVE-2025-0433

MEDIUM CVSS 6.4 2025-03-04
Threat Entry Updated 2025-03-04

CVE-2024-9618 - Master Addons Plugin

The Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 2.0.7.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Master Addons

CVE-2024-9618

MEDIUM CVSS 6.4 2025-03-04
Threat Entry Updated 2025-03-04

CVE-2024-13724 - Wallet System For Woocommerce Plugin

The Wallet System for WooCommerce – Wallet, Wallet Cashback, Refunds, Partial Payment, Wallet Restriction plugin for WordPress is vulnerable to unauthorized access to functionality in all versions up to, and including, 2.6.2. This makes it possible for unauthenticated attackers to increase their own wallet balance, transfer balances between arbitrary users and initiate transfer requests from other users' wallets.

PLUGIN Wallet System For Woocommerce

CVE-2024-13724

MEDIUM CVSS 4.3 2025-03-04
Threat Entry Updated 2025-03-04

CVE-2024-13682 - Wallet System For Woocommerce Plugin

The Wallet System for WooCommerce – Wallet, Wallet Cashback, Refunds, Partial Payment, Wallet Restriction plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.2. This is due to missing or incorrect nonce validation in class-wallet-user-table.php. This makes it possible for unauthenticated attackers to modify wallet balances via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Wallet System For Woocommerce

CVE-2024-13682

MEDIUM CVSS 4.3 2025-03-04
Threat Entry Updated 2025-05-14

CVE-2024-13685 - Before 7 Plugin

The Admin and Site Enhancements (ASE) WordPress plugin before 7.6.10 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate their value to bypass the plugin's login limit feature.

PLUGIN Before 7

CVE-2024-13685

MEDIUM CVSS 5.3 2025-03-04
Threat Entry Updated 2025-03-05

CVE-2025-1307 - Newscrunch Plugin

The Newscrunch theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the newscrunch_install_and_activate_plugin() function in all versions up to, and including, 1.8.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Newscrunch

CVE-2025-1307

CRITICAL CVSS 9.8 2025-03-04
Threat Entry Updated 2025-03-05

CVE-2025-1306 - Newscrunch Plugin

The Newscrunch theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.4. This is due to missing or incorrect nonce validation on the newscrunch_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Newscrunch

CVE-2025-1306

HIGH CVSS 8.8 2025-03-04
Threat Entry Updated 2025-03-05

CVE-2025-0912 - Givewp Plugin

The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the 'card_address' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.

PLUGIN Givewp

CVE-2025-0912

CRITICAL CVSS 9.8 2025-03-04
Threat Entry Updated 2025-03-05

CVE-2025-1639 - Arolax Plugin

The Animation Addons for Elementor Pro plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the install_elementor_plugin_handler() function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins which can be leveraged to further infect a victim when Elementor is not activated on a vulnerable site.

PLUGIN Arolax

CVE-2025-1639

HIGH CVSS 8.8 2025-03-04
Threat Entry Updated 2025-03-05

CVE-2025-1321 - Teachpress Plugin

The teachPress plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'tpsearch' shortcode in all versions up to, and including, 9.0.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Teachpress

CVE-2025-1321

MEDIUM CVSS 6.5 2025-03-04
Threat Entry Updated 2025-03-05

CVE-2024-13686 - Vw Storefront Theme

The VW Storefront theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vw_storefront_reset_all_settings() function in all versions up to, and including, 0.9.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the theme's settings.

THEME Vw Storefront

CVE-2024-13686

MEDIUM CVSS 4.3 2025-03-04
Threat Entry Updated 2025-03-03

CVE-2025-23843 - Human Resources Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphrmanager WP-HR Manager: The Human Resources Plugin for WordPress allows Reflected XSS. This issue affects WP-HR Manager: The Human Resources Plugin for WordPress: from n/a through 3.1.0.

PLUGIN Human Resources

CVE-2025-23843

HIGH CVSS 7.1 2025-03-03
Threat Entry Updated 2025-03-01

CVE-2025-1491 - Wp Posts Carousel Plugin

The WP Posts Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘auto_play_timeout’ parameter in all versions up to, and including, 1.3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Posts Carousel

CVE-2025-1491

MEDIUM CVSS 6.4 2025-03-01
Threat Entry Updated 2025-03-01

CVE-2025-1404 - Secure Copy Content Protection And Content Locking Plugin

The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_sccp_reports_user_search() function in all versions up to, and including, 4.4.7. This makes it possible for unauthenticated attackers to retrieve a list of registered user emails.

PLUGIN Secure Copy Content Protection And Content Locking

CVE-2025-1404

MEDIUM CVSS 5.3 2025-03-01
Threat Entry Updated 2025-03-01

CVE-2024-13833 - Wordpress Gallery Plugin

The Album Gallery – WordPress Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.3 via deserialization of untrusted input from gallery meta. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or…

PLUGIN Wordpress Gallery

CVE-2024-13833

HIGH CVSS 7.2 2025-03-01