
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 15,036 | Critical 923 | High 3,047 | Medium 10,866
Showing 6101-6120 of 15036 records
Threat Entry Updated 2025-02-24

CVE-2024-13800 - Convertplus Plugin

The ConvertPlus plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'cp_dismiss_notice' AJAX endpoint in all versions up to, and including, 3.5.30. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to '1' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values…

PLUGIN Convertplus

CVE-2024-13800

HIGH CVSS 8.1 2025-02-12
Threat Entry Updated 2025-02-24

CVE-2024-13656 - Click Mag Theme

The Click Mag - Viral WordPress News Magazine/Blog Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the propanel_of_ajax_callback() function in all versions up to, and including, 3.6.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users.

THEME Click Mag

CVE-2024-13656

HIGH CVSS 8.1 2025-02-12
Threat Entry Updated 2025-02-24

CVE-2024-13769 - Puzzles Theme

The Puzzles | WP Magazine / Review with Store WordPress Theme + RTL theme for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check on the 'theme_options_ajax_post_action' AJAX action in all versions up to, and including, 4.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the theme's settings and inject malicious web scripts. The developer opted to remove the software from the repository, so an update is not available and it is recommended to find replacement software.

THEME Puzzles

CVE-2024-13769

MEDIUM CVSS 6.4 2025-02-12
Threat Entry Updated 2025-02-24

CVE-2024-13665 - Admire Extra Plugin

The Admire Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'space' shortcode in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Admire Extra

CVE-2024-13665

MEDIUM CVSS 6.4 2025-02-12
Threat Entry Updated 2025-02-24

CVE-2024-13658 - Ngg Smart Image Search Plugin

The NGG Smart Image Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'hr_SIS_nextgen_searchbox' shortcode in all versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ngg Smart Image Search

CVE-2024-13658

MEDIUM CVSS 6.4 2025-02-12
Threat Entry Updated 2025-02-25

CVE-2024-13421 - Real Estate 7 Theme

The Real Estate 7 theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.1. This is due to the theme not properly restricting the roles allowed to be selected during registration. This makes it possible for unauthenticated attackers to register a new administrative user account.

THEME Real Estate 7

CVE-2024-13421

CRITICAL CVSS 9.8 2025-02-12
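The registration flaw in CVE-2024-13421 is a role name taken from the client. The following is an added example of that flaw class beside a hardened registration routine; it is not the Real Estate 7 code, and every name in it (the demo_* functions, the account_type field, the demo_agent role) is hypothetical. It also shows why merely omitting the role is not a fix, which is the chain the ZoxPress and Zox News entries on this page rely on.

```php
<?php
/**
 * Added example of the registration flaw class in CVE-2024-13421; not the theme's
 * own code. Role, field and function names are hypothetical.
 */

/* Vulnerable shape: the role is whatever the form posted. An unauthenticated
   POST with role=administrator yields an administrator account. */
function demo_register_vulnerable() {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['username'] ),
        'user_email' => sanitize_email( $_POST['email'] ),
        'user_pass'  => $_POST['password'],
        'role'       => $_POST['role'],             // attacker-controlled
    ) );
}
/* Omitting 'role' is not a fix on its own: wp_insert_user() then assigns
   get_option( 'default_role' ), which the option-writing bugs in the ZoxPress
   and Zox News entries let a Subscriber set to 'administrator'. The server must
   decide the role name itself. */

/* Hardened: the client picks from a fixed map of low-privilege roles, the server
   maps it to a role name, and a capability check on the resulting role refuses
   anything that could administer the site even if the map is edited later. */
const DEMO_PUBLIC_ROLES = array(
    'buyer' => 'subscriber',
    'agent' => 'demo_agent',   // hypothetical custom role registered with add_role(); no manage_options
);

function demo_register_hardened( array $input ) {
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_closed', 'Registration is disabled.' );
    }
    $choice = sanitize_key( $input['account_type'] ?? 'buyer' );
    if ( ! isset( DEMO_PUBLIC_ROLES[ $choice ] ) ) {
        return new WP_Error( 'bad_role', 'Unknown account type.' );
    }
    $role     = DEMO_PUBLIC_ROLES[ $choice ];
    $role_obj = get_role( $role );
    if ( ! $role_obj
        || $role_obj->has_cap( 'manage_options' )
        || $role_obj->has_cap( 'edit_users' )
        || $role_obj->has_cap( 'install_plugins' ) ) {
        return new WP_Error( 'bad_role', 'Refusing to grant a privileged role at registration.' );
    }
    $pass = (string) ( $input['password'] ?? '' );
    if ( strlen( $pass ) < 12 ) {
        return new WP_Error( 'weak_password', 'Password must be at least 12 characters.' );
    }
    return wp_insert_user( array(
        'user_login' => sanitize_user( $input['username'] ?? '', true ),
        'user_email' => sanitize_email( $input['email'] ?? '' ),
        'user_pass'  => $pass,
        'role'       => $role,
    ) );
}
// Usage: $result = demo_register_hardened( wp_unslash( $_POST ) ); check is_wp_error( $result )
// before doing anything further with the new account.
```

The capability check on the resolved role is deliberate defence in depth: the allowlist already excludes administrator, but a later edit to the map or a site-specific role with elevated capabilities would otherwise slip through silently.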
Threat Entry Updated 2025-02-25

CVE-2024-13653 - Zoxpress Theme

The ZoxPress - The All-In-One WordPress News Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'backup_options' function in all versions up to, and including, 2.12.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

THEME Zoxpress

CVE-2024-13653

HIGH CVSS 8.8 2025-02-12
Threat Entry Updated 2025-02-24

CVE-2024-13654 - Zoxpress Theme

The ZoxPress - The All-In-One WordPress News Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'reset_options' function in all versions up to, and including, 2.12.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users.

THEME Zoxpress

CVE-2024-13654

HIGH CVSS 8.1 2025-02-12
Threat Entry Updated 2025-02-25

CVE-2024-11746 - Woocommerce Brands Plugin

The 'Discover the Best Woocommerce Product Brands Plugin for WordPress – Woocommerce Brands Plugin' plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'product_brand' shortcode in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Woocommerce Brands

CVE-2024-11746

MEDIUM CVSS 6.4 2025-02-12
Threat Entry Updated 2025-02-25

CVE-2024-12164 - Wpsyncsheets Plugin

The WPSyncSheets Lite For WPForms – WPForms Google Spreadsheet Addon plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpsslwp_reset_settings() function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings.

PLUGIN Wpsyncsheets

CVE-2024-12164

MEDIUM CVSS 4.3 2025-02-12
Threat Entry Updated 2025-02-25

CVE-2024-13701 - Liveticker Plugin

The Liveticker (by stklcode) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'liveticker' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Liveticker

CVE-2024-13701

MEDIUM CVSS 6.4 2025-02-12
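CVE-2024-13665, CVE-2024-13658, CVE-2024-11746 and CVE-2024-13701 all describe the same shape: shortcode attributes written into HTML without sanitization or escaping, reachable by any Contributor. The block below is an added example of that shape beside a hardened handler; it is not code from any of those plugins, and the demo_box shortcode and its attributes are hypothetical. The same sanitize-on-input, escape-for-context discipline is what the profile and settings XSS entries further down (CVE-2025-0862, CVE-2024-13506, CVE-2024-13769) are missing.

```php
<?php
/**
 * Added example, not code from Admire Extra, NGG Smart Image Search, Woocommerce
 * Brands or Liveticker; the shortcode name and attributes are hypothetical.
 */

/* Vulnerable shape (shown unhooked): attributes and nested content are
   concatenated into HTML as-is. A Contributor puts this in a draft:
     [demo_box class='" onmouseover="alert(document.cookie)' title="x"]hi[/demo_box]
   and it fires for every Editor or Administrator who previews or views the post. */
function demo_box_vulnerable( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'class' => '', 'title' => '', 'link' => '#' ), $atts );
    return '<div class="' . $atts['class'] . '" title="' . $atts['title'] . '">'
         . '<a href="' . $atts['link'] . '">' . $content . '</a></div>';
}

/* Hardened: validate each attribute for the type it is, then escape for the exact
   output context (attribute, URL, HTML body). Contributors lack unfiltered_html,
   so nested content gets the same filter WordPress applies to their post bodies. */
add_shortcode( 'demo_box', 'demo_box_hardened' );
function demo_box_hardened( $atts, $content = '' ) {
    $atts  = shortcode_atts( array( 'class' => '', 'title' => '', 'link' => '' ), $atts, 'demo_box' );
    $class = sanitize_html_class( $atts['class'] );   // keeps only [A-Za-z0-9_-]
    $title = sanitize_text_field( $atts['title'] );   // strips tags and control characters
    $link  = esc_url( $atts['link'] );                // javascript:/data: schemes become ''
    $body  = wp_kses_post( do_shortcode( $content ) ); // post-safe HTML subset only
    return sprintf(
        '<div class="%s" title="%s"><a href="%s">%s</a></div>',
        esc_attr( $class ),
        esc_attr( $title ),
        $link,          // esc_url() output is already attribute-safe
        $body
    );
}

// Check inside a WordPress context (e.g. `wp shell`):
//   do_shortcode( '[demo_box class=\'" onmouseover="alert(1)\' link="javascript:alert(1)"]x[/demo_box]' )
// renders <div class="onmouseoveralert1" title=""><a href="">x</a></div>:
// the quote that closed the attribute and the javascript: scheme are gone, not merely encoded.
```

Note the order: sanitizers reduce the value to what the attribute may legitimately contain, escaping then makes whatever survives inert in the specific context. Doing only the second step (esc_attr on the class) would have been enough here, but sanitizing first keeps a stray value from ever reaching the option table or a later, less careful output path.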
Threat Entry Updated 2025-02-25

CVE-2024-13749 - Stafflist Plugin

The StaffList plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.3. This is due to missing or incorrect nonce validation on the 'stafflist' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Stafflist

CVE-2024-13749

MEDIUM CVSS 6.1 2025-02-12
Threat Entry Updated 2025-02-25

CVE-2024-13554 - Wp Extended Plugin

The 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reorder_route() function in all versions up to, and including, 3.0.13. This makes it possible for unauthenticated attackers to reorder posts.

PLUGIN Wp Extended

CVE-2024-13554

MEDIUM CVSS 5.3 2025-02-12
Threat Entry Updated 2025-02-25

CVE-2024-13539 - Aforms Eats Plugin

The AForms Eats plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.3.1. This is due to the /vendor/aura/payload-interface/phpunit.php file being publicly accessible and displaying error messages. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

PLUGIN Aforms Eats

CVE-2024-13539

MEDIUM CVSS 5.3 2025-02-12
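The disclosure in CVE-2024-13539 comes from a shipped test helper that PHP executes on direct request, with no WordPress bootstrap in front of it. The following added example shows the typical mechanism and the two fixes that matter; the file path is the one named in the advisory, but the file body is hypothetical and not the vendor's code.

```php
<?php
/**
 * Added example of the full-path-disclosure mechanism behind CVE-2024-13539.
 * The body of the helper is hypothetical; only the fix pattern is the point.
 */

/* Fix 1: a direct-access guard as the first statement of every PHP file shipped
   under wp-content. On a direct request WordPress was never loaded, so ABSPATH
   is undefined and execution stops before any include can fail. */
if ( ! defined( 'ABSPATH' ) ) {
    http_response_code( 403 );
    exit;
}

/* Without the guard, a test bootstrap like this leaks the path the moment its
   include fails. Installed as a nested dependency, 'vendor/autoload.php' does
   not exist relative to this file, and PHP prints something like:
     Warning: require(/var/www/example/wp-content/plugins/<plugin>/vendor/aura/
     payload-interface/vendor/autoload.php): Failed to open stream: ...
   That absolute path is the finding. */
require __DIR__ . '/vendor/autoload.php';

/* Fix 2 belongs in php.ini (or .user.ini under PHP-FPM), not wp-config.php:
   WP_DEBUG_DISPLAY is only applied once WordPress runs, and a directly fetched
   file never reaches that code. These settings close every FPD of this kind:
     display_errors = Off
     log_errors     = On
     error_log      = /var/log/php/error.log
   Fix 3 is a release-hygiene rule: exclude tests, phpunit.* and other dev-only
   files from the distributed package so the file is not on the server at all. */
```

Of the three, only the first is under the plugin author's control; the other two are what a site operator applies regardless of which plugin next ships a stray file.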
Threat Entry Updated 2025-02-25

CVE-2025-0808 - Houzez Property Feed Plugin

The Houzez Property Feed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.21. This is due to missing or incorrect nonce validation on the "deleteexport" action. This makes it possible for unauthenticated attackers to delete property feed exports via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Houzez Property Feed

CVE-2025-0808

MEDIUM CVSS 4.3 2025-02-12
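CVE-2024-13749 and CVE-2025-0808 are both missing-nonce CSRF: a state-changing admin action that runs as soon as an administrator's browser issues the request, whether or not the administrator meant to. The block below is an added example of that flaw beside the nonce-protected form of the same two actions (a link-driven delete and a settings form); it is not code from StaffList or Houzez Property Feed, and the demo-feed page, the demo_* functions and the option names are hypothetical.

```php
<?php
/**
 * Added example of the CSRF class in CVE-2024-13749 / CVE-2025-0808; not the
 * plugins' code. Page slug, functions and options are hypothetical.
 */

function demo_delete_export( $id ) {
    delete_option( 'demo_export_' . (int) $id );
}

/* Vulnerable shape (shown unhooked; the real code ran this on admin_init): the
   delete happens on any request carrying the right parameters. A logged-in admin
   who opens attacker.example, where an <img src> or auto-submitting form points at
   wp-admin/admin.php?page=demo-feed&action=deleteexport&export_id=7, performs it. */
function demo_handle_delete_vulnerable() {
    if ( isset( $_GET['page'], $_GET['action'], $_GET['export_id'] )
        && 'demo-feed' === $_GET['page'] && 'deleteexport' === $_GET['action'] ) {
        demo_delete_export( (int) $_GET['export_id'] );   // no nonce, no capability check
    }
}

/* Hardened link-driven action: the nonce is bound to the action AND the target
   id, so a nonce observed for one export cannot be replayed against another. */
function demo_delete_export_url( $export_id ) {
    $url = add_query_arg(
        array( 'page' => 'demo-feed', 'action' => 'deleteexport', 'export_id' => (int) $export_id ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'demo_delete_export_' . (int) $export_id, '_wpnonce' );
}
add_action( 'admin_init', function () {
    if ( ! isset( $_GET['page'], $_GET['action'] ) || 'demo-feed' !== $_GET['page'] ) {
        return;
    }
    if ( 'deleteexport' === $_GET['action'] ) {
        $id = isset( $_GET['export_id'] ) ? absint( $_GET['export_id'] ) : 0;
        check_admin_referer( 'demo_delete_export_' . $id, '_wpnonce' );  // dies on mismatch/expiry
        if ( ! current_user_can( 'manage_options' ) ) {                    // nonce != authorization
            wp_die( 'Insufficient permissions', 403 );
        }
        demo_delete_export( $id );
        wp_safe_redirect( remove_query_arg( array( 'action', 'export_id', '_wpnonce' ) ) );
        exit;
    }
} );

/* Hardened settings form (the StaffList-style case): nonce field in the form,
   verification plus capability check in the handler, and sanitization of what is
   stored so the CSRF-to-stored-XSS chain is closed at both ends. */
function demo_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'demo_save_settings', 'demo_nonce' );
    echo '<input type="hidden" name="action" value="demo_save_settings">';
    echo '<input type="text" name="demo_footer_html" value="'
        . esc_attr( get_option( 'demo_footer_html', '' ) ) . '">';
    submit_button();
    echo '</form>';
}
add_action( 'admin_post_demo_save_settings', function () {
    check_admin_referer( 'demo_save_settings', 'demo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    update_option( 'demo_footer_html', wp_kses_post( wp_unslash( $_POST['demo_footer_html'] ?? '' ) ) );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
} );
```

Two points practitioners get wrong: a nonce proves the request originated from a page the site itself rendered for this user, not that the user may perform the action, so the capability check stays; and a nonce must be verified on the server, since nonce values embedded in page HTML are only as secret as the page (which is why binding it to the action and target limits replay).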
Threat Entry Updated 2025-02-25

CVE-2024-13541 - Adirectory Plugin

The aDirectory – WordPress Directory Listing Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the adqs_delete_listing() function in all versions up to, and including, 2.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts.

PLUGIN Adirectory

CVE-2024-13541

MEDIUM CVSS 4.3 2025-02-12
Threat Entry Updated 2025-02-11

CVE-2025-0862 - SuperSaaS – online appointment scheduling Plugin

The SuperSaaS – online appointment scheduling plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘after’ parameter in all versions up to, and including, 2.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is limited to Chromium-based browsers (e.g. Chrome, Edge, Brave).

PLUGIN SuperSaaS – online appointment scheduling

CVE-2025-0862

MEDIUM CVSS 4.9 2025-02-11
Threat Entry Updated 2025-02-11

CVE-2024-13506 - Geodirectory Plugin

The GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the display_name profile parameter in all versions up to, and including, 2.8.97 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Geodirectory

CVE-2024-13506

MEDIUM CVSS 6.4 2025-02-11
Threat Entry Updated 2025-02-11

CVE-2024-13643 - Zox News Theme

The Zox News - Professional WordPress News & Magazine Theme theme for WordPress is vulnerable to unauthorized data modification. This vulnerability can lead to privilege escalation and denial of service conditions due to missing capability checks on the backup_options() and reset_options() functions in all versions up to and including 3.17.0. This vulnerability allows authenticated attackers with Subscriber-level access and above to update and delete arbitrary option values on the WordPress site. Attackers can exploit this issue to update the default user role for registration to Administrator and enable user registration,…

THEME Zox News

CVE-2024-13643

HIGH CVSS 8.8 2025-02-11
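Most entries on this page are the same bug: an AJAX or REST handler that any logged-in user (or anyone at all) can reach and that writes or deletes whatever the caller names. CVE-2024-13800, CVE-2024-13656, CVE-2024-13653, CVE-2024-13654, CVE-2024-12164 and CVE-2024-13643 are the option-write and option-delete variants; CVE-2024-13554 is an unauthenticated REST route; CVE-2024-13541 deletes arbitrary posts. The block below is an added example, not code from any of those themes or plugins, showing the vulnerable shape and the hardened forms of both an AJAX option handler and a REST delete route. All names (demo_*, the option keys, the demo/v1 route, the demo_listing post type) are hypothetical.

```php
<?php
/**
 * Added example of the "missing capability check" class; not code from any theme
 * or plugin listed on this page. Every name below is hypothetical.
 */

/* ---- Vulnerable shape (shown unhooked; the real code did add_action( 'wp_ajax_...' )).
   Any logged-in user, Subscribers included, can invoke wp_ajax_* actions. ---- */
function demo_backup_options_vulnerable() {
    // Caller picks key and value: default_role=administrator, then users_can_register=1,
    // then self-register. wp_insert_user() assigns get_option('default_role') to new users.
    update_option( sanitize_key( $_POST['name'] ), wp_unslash( $_POST['value'] ) );
    wp_send_json_success();
}
function demo_reset_options_vulnerable() {
    delete_option( sanitize_key( $_POST['name'] ) );   // e.g. 'siteurl' or 'template': site down
    wp_send_json_success();
}

/* ---- Hardened AJAX handler: nonce + capability + allowlist of keys + per-key sanitizer. ---- */
const DEMO_OPTIONS = array(
    'demo_notice_dismissed' => 'absint',
    'demo_accent_text'      => 'sanitize_text_field',
);
add_action( 'wp_ajax_demo_save_option', function () {
    check_ajax_referer( 'demo_save_option', 'nonce' );      // missing/wrong nonce: dies with -1
    if ( ! current_user_can( 'manage_options' ) ) {         // the check the entries above lack
        wp_send_json_error( 'forbidden', 403 );
    }
    $name = sanitize_key( wp_unslash( $_POST['name'] ?? '' ) );
    if ( ! isset( DEMO_OPTIONS[ $name ] ) ) {                // the caller never names the option
        wp_send_json_error( 'unknown option', 400 );
    }
    $value = call_user_func( DEMO_OPTIONS[ $name ], wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $name, $value );
    wp_send_json_success( array( $name => $value ) );
} );
// The admin page that enqueues the JS mints the nonce it must send back:
//   wp_localize_script( 'demo-admin', 'demoAjax',
//       array( 'nonce' => wp_create_nonce( 'demo_save_option' ) ) );

/* ---- Hardened REST route. permission_callback => '__return_true' is what makes a
   route reachable unauthenticated; a role-level check alone would still let any
   Author delete other authors' listings, so the check is per object. Cookie-
   authenticated REST calls must carry an X-WP-Nonce ('wp_rest') header or WordPress
   treats them as anonymous, which is why no extra nonce code is needed here. ---- */
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/listing/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'args'                => array( 'id' => array( 'type' => 'integer', 'required' => true ) ),
        'permission_callback' => function ( WP_REST_Request $req ) {
            $post = get_post( (int) $req['id'] );
            return $post && 'demo_listing' === $post->post_type
                && current_user_can( 'delete_post', $post->ID );
        },
        'callback'            => function ( WP_REST_Request $req ) {
            $trashed = wp_trash_post( (int) $req['id'] );
            return $trashed
                ? rest_ensure_response( array( 'trashed' => $trashed->ID ) )
                : new WP_Error( 'demo_delete_failed', 'Could not trash listing.', array( 'status' => 500 ) );
        },
    ) );
} );
```

The allowlist is the part most fixes skip. A capability check alone stops Subscribers, but an endpoint that still writes any option an administrator names is one CSRF away from the same outcome; restricting the keys and sanitizing per key makes the handler safe regardless of who calls it.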
Threat Entry Updated 2025-02-11

CVE-2025-0181 - Wp Foodbakery Plugin

The WP Foodbakery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.7. This is due to the plugin not properly validating a user's identity prior to setting the current user and their authentication cookie. This makes it possible for unauthenticated attackers to gain access to a target user's (e.g. administrators) account.

PLUGIN Wp Foodbakery

CVE-2025-0181

CRITICAL CVSS 9.8 2025-02-11
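CVE-2025-0181 is the account-takeover class in which a handler sets the current user and the authentication cookie for an identity it never proved. The following added example contrasts that shape with a verification flow that only logs in a user who presents a server-issued secret; it is not WP Foodbakery's code, and the demo_* functions, meta keys and query parameters are hypothetical.

```php
<?php
/**
 * Added example of the account-takeover class in CVE-2025-0181; not the plugin's
 * code. Function names, user-meta keys and query parameters are hypothetical.
 */

/* Vulnerable shape (shown unhooked): the identity to log in comes from the request.
   GET ...?user_id=1 sets an administrator session for whoever sends it. */
function demo_autologin_vulnerable() {
    $user_id = (int) $_GET['user_id'];
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id, true );
    wp_safe_redirect( home_url() );
    exit;
}

/* Hardened: the cookie is set only for a user who presents a secret the server
   issued to that user: random, stored hashed, expiring, single-use. The raw token
   is only ever delivered to the account's own email address. */
function demo_issue_verification_link( $user_id ) {
    $token = wp_generate_password( 32, false );
    update_user_meta( $user_id, 'demo_verify_hash', wp_hash_password( $token ) );
    update_user_meta( $user_id, 'demo_verify_expires', time() + HOUR_IN_SECONDS );
    return add_query_arg(
        array( 'uid' => (int) $user_id, 'demo_verify' => $token ),
        home_url( '/' )
    );
}

function demo_autologin_hardened() {
    $uid   = isset( $_GET['uid'] ) ? absint( $_GET['uid'] ) : 0;
    $token = isset( $_GET['demo_verify'] ) ? (string) wp_unslash( $_GET['demo_verify'] ) : '';
    $hash  = $uid ? get_user_meta( $uid, 'demo_verify_hash', true ) : '';
    $exp   = $uid ? (int) get_user_meta( $uid, 'demo_verify_expires', true ) : 0;

    // Every failure reads the same to the caller: unknown uid, no pending token,
    // expired token, or a token that does not match the stored hash.
    if ( ! $uid || '' === $hash || '' === $token || time() > $exp
        || ! wp_check_password( $token, $hash ) ) {
        wp_die( 'Invalid or expired verification link.', 403 );
    }
    $user = get_userdata( $uid );
    if ( ! $user || user_can( $user, 'manage_options' ) ) {
        wp_die( 'Invalid or expired verification link.', 403 );   // never auto-login admins this way
    }
    delete_user_meta( $uid, 'demo_verify_hash' );     // single use
    delete_user_meta( $uid, 'demo_verify_expires' );

    wp_set_current_user( $uid );
    wp_set_auth_cookie( $uid, false );
    wp_safe_redirect( home_url() );
    exit;
}
```

The property that matters is that nothing in the request identifies the user except a secret only that user could have received; the uid parameter is a lookup hint, not evidence. Refusing the path for administrators is an extra boundary, since an account that can change the site should authenticate through the normal login form rather than through a link in an email.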