Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-03-01
CVE-2024-9217 - Currency Switcher Woocommerce Plugin
The Currency Switcher for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.16.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Currency Switcher Woocommerce
CVE-2024-9217
Risk Score
Threat Entry
Updated 2025-03-01
CVE-2024-9212 - Sku For Woocommerce Plugin
The SKU Generator for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.6.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Sku For Woocommerce
CVE-2024-9212
Risk Score
Threat Entry
Updated 2025-05-26
CVE-2024-13568 - Fluent Support Plugin
The Fluent Support – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the 'fluent-support' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/fluent-support directory which can contain file attachments included in support tickets.
PLUGIN
Fluent Support
CVE-2024-13568
Risk Score
Threat Entry
Updated 2025-03-01
CVE-2024-13559 - Templatesnext Toolkit Plugin
The TemplatesNext ToolKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tx_woo_wishlist_table' shortcode in all versions up to, and including, 3.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Templatesnext Toolkit
CVE-2024-13559
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2024-13518 - Simplepress Plugin
The Simple:Press Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.10.11. This is due to missing or incorrect nonce validation on the 'sp_save_edited_post' function. This makes it possible for unauthenticated attackers to modify a forum post via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Simplepress
CVE-2024-13518
Risk Score
Threat Entry
Updated 2025-05-26
CVE-2025-1780 - Buddypress Woocommerce My Account Integration Plugin
The BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wc4bp_delete_page() function in all versions up to, and including, 3.4.25. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugins page setting.
PLUGIN
Buddypress Woocommerce My Account Integration
CVE-2025-1780
Risk Score
Threat Entry
Updated 2025-05-26
CVE-2024-13358 - Buddypress Woocommerce My Account Integration Plugin
The BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wc4bp_delete_page() function in all versions up to, and including, 3.4.24. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugins page setting.
PLUGIN
Buddypress Woocommerce My Account Integration
CVE-2024-13358
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2025-1319 - Site Mailer Plugin
The Site Mailer – SMTP Replacement, Email API Deliverability & Email Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Site Mailer
CVE-2025-1319
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2024-10860 - Nextmove Plugin
The NextMove Lite – Thank You Page for WooCommerce plugin for WordPress is vulnerable to unauthorized submission of data due to a missing capability check on the _submit_uninstall_reason_action() function in all versions up to, and including, 2.19.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit a deactivation reason on behalf of a site.
PLUGIN
Nextmove
CVE-2024-10860
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2025-1570 - Directorist Plugin
The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 8.1. This is due to the directorist_generate_password_reset_pin_code() and reset_user_password() functions not having enough controls to prevent a successful brute force attack of the OTP to change a password, or verify that a password reset request came from an authorized user. This makes it possible for unauthenticated attackers to generate and brute force an OTP that makes it possible to change any users…
PLUGIN
Directorist
CVE-2025-1570
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2025-1662 - Url Media Uploader Plugin
The URL Media Uploader plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.0 via the 'url_media_uploader_url_upload' action. This makes it possible for authenticated attackers, with author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Url Media Uploader
CVE-2025-1662
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2025-1560 - Wow Entrance Effects Wee Plugin
The WOW Entrance Effects (WEE!) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wee' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wow Entrance Effects Wee
CVE-2025-1560
Risk Score
Threat Entry
Updated 2025-03-25
CVE-2024-9193 - Whmcs Plugin
The WHMpress - WHMCS WordPress Integration Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.3-revision-0 via the whmpress_domain_search_ajax_extended_results() function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. This makes it possible for unauthenticated attackers…
PLUGIN
Whmcs
CVE-2024-9193
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2024-8425 - Woocommerce Ultimate Gift Card Plugin
The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwb_wgm_preview_mail' and 'mwb_wgm_woocommerce_add_cart_item_data' functions in all versions up to, and including, 2.6.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Woocommerce Ultimate Gift Card
CVE-2024-8425
Risk Score
Threat Entry
Updated 2025-03-11
CVE-2024-9195 - Whmcs Client Area Plugin
The WHMPress - WHMCS Client Area plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the update_settings case in the /admin/ajax.php file in all versions up to, and including, 4.3-revision-3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a…
PLUGIN
Whmcs Client Area
CVE-2024-9195
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2024-9019 - Secupress Plugin
The SecuPress Free — WordPress Security plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's secupress_check_ban_ips_form shortcode in all versions up to, and including, 2.2.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Secupress
CVE-2024-9019
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2024-8420 - Dhvc Form Plugin
The DHVC Form plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.7. This is due to the plugin allowing a user to supply the 'role' field when registering. This makes it possible for unauthenticated attackers to register as an administrator on sites.
PLUGIN
Dhvc Form
CVE-2024-8420
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2024-13831 - Tabs For Woocommerce Plugin
The Tabs for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.0 via deserialization of untrusted input in the 'product_has_custom_tabs' function. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or…
PLUGIN
Tabs For Woocommerce
CVE-2024-13831
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2024-13638 - Order Attachments For Woocommerce Plugin
The Order Attachments for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.1 via the 'uploads' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads directory which can contain file attachments added to orders.
PLUGIN
Order Attachments For Woocommerce
CVE-2024-13638
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2024-13851 - Modal Portfolio Plugin
The Modal Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Modal Portfolio
CVE-2024-13851
Risk Score