Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-03-19
CVE-2025-0859 - Post And Page Builder Plugin
The Post and Page Builder by BoldGrid – Visual Drag and Drop Editor plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.27.6 via the template_via_url() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Post And Page Builder
CVE-2025-0859
Risk Score
Threat Entry
Updated 2025-02-18
CVE-2024-13487 - Woo Multi Currency Plugin
The The CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution via the get_products_price() function in all versions up to, and including, 2.2.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
PLUGIN
Woo Multi Currency
CVE-2024-13487
Risk Score
Threat Entry
Updated 2025-05-23
CVE-2025-0522 - Likebot Plugin
The LikeBot WordPress plugin through 0.85 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
PLUGIN
Likebot
CVE-2025-0522
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-13829 - Tripetto Plugin
The WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.0.8 via the 'attachments.php' file. This makes it possible for unauthenticated attackers to extract sensitive data including files uploaded via forms.
PLUGIN
Tripetto
CVE-2024-13829
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2025-1028 - Contact Manager Plugin
The Contact Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the contact form upload feature in all versions up to, and including, 8.6.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible in specific configurations where the first extension is processed over the final. This vulnerability also requires successfully exploiting a race condition in order to exploit.
PLUGIN
Contact Manager
CVE-2025-1028
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-13699 - Qi Addons For Elementor Plugin
The Qi Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘cursor’ parameter in all versions up to, and including, 1.8.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in versions 1.8.5, 1.8.6, and 1.8.7.
PLUGIN
Qi Addons For Elementor
CVE-2024-13699
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-13529 - Socialv Social Network And Community Buddypress Theme
The SocialV - Social Network and Community BuddyPress Theme theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'socialv_send_download_file' function in all versions up to, and including, 2.0.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download arbitrary files from the target system.
THEME
Socialv Social Network And Community Buddypress Theme
CVE-2024-13529
Risk Score
Threat Entry
Updated 2025-05-23
CVE-2024-13733 - Skt Blocks Plugin
The SKT Blocks – Gutenberg based Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's skt-blocks/post-carousel block in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Skt Blocks
CVE-2024-13733
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-13510 - Shopsite Plugin
The ShopSite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.10. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Shopsite
CVE-2024-13510
Risk Score
Threat Entry
Updated 2025-05-23
CVE-2024-13356 - Dsgvo All In One For Wp Plugin
The DSGVO All in one for WP plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6. This is due to missing or incorrect nonce validation in the user_remove_form.php file. This makes it possible for unauthenticated attackers to delete admin user accounts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Dsgvo All In One For Wp
CVE-2024-13356
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2024-13403 - Wpforms Plugin
The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘fieldHTML’ parameter in all versions up to, and including, 1.9.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wpforms
CVE-2024-13403
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-13514 - B Slider Gutenberg Slider Block For Wp Plugin
The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.5 via the 'bsb-slider' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private posts that they should not have access to.
PLUGIN
B Slider Gutenberg Slider Block For Wp
CVE-2024-13514
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-12046 - Medical Addon For Elementor Plugin
The Medical Addon for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.2 via the 'namedical_elementor_template' shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the content of draft, pending, and private posts.
PLUGIN
Medical Addon For Elementor
CVE-2024-12046
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-12597 - Ht Mega Plugin
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'block_css' and 'inner_css' parameters in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ht Mega
CVE-2024-12597
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-13607 - Js Support Ticket Plugin
The JS Help Desk – The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.8 via the 'exportusereraserequest' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level permissions and above, to export ticket data for any user.
PLUGIN
Js Support Ticket
CVE-2024-13607
Risk Score
Threat Entry
Updated 2025-05-07
CVE-2025-0368 - Banner Garden Plugin
The Banner Garden Plugin for WordPress plugin through 0.1.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or unauthenticated users.
PLUGIN
Banner Garden
CVE-2025-0368
Risk Score
Threat Entry
Updated 2025-09-30
CVE-2025-0466 - Before 4 Plugin
The Sensei LMS WordPress plugin before 4.24.4 does not properly protect some its REST API routes, allowing unauthenticated attackers to leak sensei_email and sensei_message Information.
PLUGIN
Before 4
CVE-2025-0466
Risk Score
Threat Entry
Updated 2025-05-13
CVE-2024-13330 - Justrows Free Plugin
The JustRows free WordPress plugin through 0.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
Justrows Free
CVE-2024-13330
Risk Score
Threat Entry
Updated 2025-05-07
CVE-2024-13329 - Solidres Plugin
The Solidres WordPress plugin through 0.9.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
Solidres
CVE-2024-13329
Risk Score
Threat Entry
Updated 2025-05-26
CVE-2024-13332 - Transfinanz Plugin
The TransFinanz WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
Transfinanz
CVE-2024-13332
Risk Score