Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-01-24
CVE-2025-0428 - Aipower Plugin
The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the $form['post_content'] variable through the wpaicg_export_prompts function. This allows authenticated attackers, with administrative privileges, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
PLUGIN
Aipower
CVE-2025-0428
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2024-13361 - Aipower Plugin
The AI Power: Complete AI Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpaicg_save_image_media function in all versions up to, and including, 1.8.96. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload image files and embed shortcode attributes in the image_alt value that will execute when sending a POST request to the attachment page.
PLUGIN
Aipower
CVE-2024-13361
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2024-13319 - Themify Builder Plugin
The Themify Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 7.6.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Themify Builder
CVE-2024-13319
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2024-13360 - Aipower Plugin
The AI Power: Complete AI Pack plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.8.96 via the wpaicg_troubleshoot_add_vector(). This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Aipower
CVE-2024-13360
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2024-12857 - Adforest Plugin
The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.8. This is due to the plugin not properly verifying a user's identity prior to logging them in as that user. This makes it possible for unauthenticated attackers to authenticate as any user as long as they have configured OTP login by phone number.
PLUGIN
Adforest
CVE-2024-12857
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2024-13406 - Xml For Google Merchant Center Plugin
The XML for Google Merchant Center plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'feed_id' parameter in all versions up to, and including, 3.0.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Xml For Google Merchant Center
CVE-2024-13406
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2024-12117 - Stackable Plugin
The Stackable – Page Builder Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter of the Button block in all versions up to, and including, 3.13.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Stackable
CVE-2024-12117
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2024-12879 - Wpot Plugin
The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'qc_wp_latest_update_check_pro' function in all versions up to, and including, 13.5.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create Simple Text Responses to chat queries.
PLUGIN
Wpot
CVE-2024-12879
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2024-13590 - Ketchup Shortcodes Plugin
The Ketchup Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spacer' shortcode in all versions up to, and including, 0.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ketchup Shortcodes
CVE-2024-13590
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2024-13584 - Picture Gallery Plugin
The Picture Gallery – Frontend Image Uploads, AJAX Photo List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_pictures' shortcode in all versions up to, and including, 1.5.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Picture Gallery
CVE-2024-13584
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2024-13426 - Wp Polls Plugin
The WP-Polls plugin for WordPress is vulnerable to SQL Injection via COOKIE in all versions up to, and including, 2.77.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries. Those queries are stored and results are not displayed to the attacker, which means they cannot be exploited to obtain any additional information about the database. However, a properly configured payload allows for the injection…
PLUGIN
Wp Polls
CVE-2024-13426
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2024-13091 - Wpot Plugin
The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'qcld_wpcfb_file_upload' function in all versions up to, and including, 13.5.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The exploit requires thee ChatBot Conversational Forms plugin and the Conversational Form Builder Pro addon plugin.
PLUGIN
Wpot
CVE-2024-13091
Risk Score
Threat Entry
Updated 2025-01-21
CVE-2025-22735 - WordPress Tag Cloud Plugin – Tag Groups
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TaxoPress WordPress Tag Cloud Plugin – Tag Groups allows Reflected XSS. This issue affects WordPress Tag Cloud Plugin – Tag Groups: from n/a through 2.0.4.
PLUGIN
WordPress Tag Cloud Plugin – Tag Groups
CVE-2025-22735
Risk Score
Threat Entry
Updated 2025-01-21
CVE-2024-49333 - WordPress Core
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Hero Mega Menu - Responsive WordPress Menu Plugin allows SQL Injection. This issue affects Hero Mega Menu - Responsive WordPress Menu Plugin: from n/a through 1.16.5.
CORE
WordPress Core
CVE-2024-49333
Risk Score
Threat Entry
Updated 2025-01-21
CVE-2024-49303 - WordPress Core
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Hero Mega Menu - Responsive WordPress Menu Plugin allows SQL Injection. This issue affects Hero Mega Menu - Responsive WordPress Menu Plugin: from n/a through 1.16.5.
CORE
WordPress Core
CVE-2024-49303
Risk Score
Threat Entry
Updated 2025-01-21
CVE-2024-49300 - WordPress Core
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Hero Mega Menu - Responsive WordPress Menu Plugin allows Reflected XSS. This issue affects Hero Mega Menu - Responsive WordPress Menu Plugin: from n/a through 1.16.5.
CORE
WordPress Core
CVE-2024-49300
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2025-0450 - Betheme
The Betheme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom JS functionality in all versions up to, and including, 27.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
THEME
Betheme
CVE-2025-0450
Risk Score
Threat Entry
Updated 2025-01-21
CVE-2024-13444 - Wp Greet Plugin
The wp-greet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Wp Greet
CVE-2024-13444
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2024-13230 - Super Socializer Plugin
The Social Share, Social Login and Social Comments Plugin – Super Socializer plugin for WordPress is vulnerable to Limited SQL Injection via the ‘SuperSocializerKey’ parameter in all versions up to, and including, 7.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional values into the already existing query that can be used to extract user metadata from the database.
PLUGIN
Super Socializer
CVE-2024-13230
Risk Score
Threat Entry
Updated 2025-01-21
CVE-2024-11226 - Facebook Like Send Button Plugin
The FireCask Like & Share Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Facebook Like Send Button
CVE-2024-11226
Risk Score