Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Database totals: 15,036 entries (923 Critical, 3,047 High, 10,866 Medium).
Showing 6841-6860 of 15036 records
Threat Entry Updated 2024-12-19

CVE-2024-12626 - AutomatorWP Plugin

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the ‘a-0-o-search_field_value’ parameter in all versions up to, and including, 5.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. When used in conjunction with the plugin's import and code action feature, this vulnerability…

PLUGIN AutomatorWP

CVE-2024-12626

CRITICAL CVSS 9.6 2024-12-19
Threat Entry Updated 2025-03-05

CVE-2024-12331 - Filester Plugin

The File Manager Pro – Filester plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_install_plugin' function in all versions up to, and including, 1.8.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the Filebird plugin.

PLUGIN Filester

CVE-2024-12331

MEDIUM CVSS 4.3 2024-12-19
Threat Entry Updated 2025-02-28

CVE-2024-12560 - Button Block Plugin

The Button Block – Get fully customizable & multi-functional buttons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via the 'btn_block_duplicate_post' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract potentially sensitive data from draft, scheduled (future), private, and password protected posts.

PLUGIN Button Block

CVE-2024-12560

MEDIUM CVSS 4.3 2024-12-19
Threat Entry Updated 2025-03-21

CVE-2024-11768 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to unauthorized download of password-protected content due to improper password validation on the checkFilePassword function in all versions up to, and including, 3.3.03. This makes it possible for unauthenticated attackers to download password-protected files.

PLUGIN Download Manager

CVE-2024-11768

MEDIUM CVSS 5.3 2024-12-19
Threat Entry Updated 2025-03-21

CVE-2024-11740 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.3.03. This is due to the software allowing users to execute an action that does not properly validate a value before passing it to do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN Download Manager

CVE-2024-11740

HIGH CVSS 7.3 2024-12-19
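The entry above describes the pattern of handing request data to do_shortcode(). The following is an added example, not code from the Download Manager plugin; the action names, the shortcode tag and the allowlist are hypothetical. It shows the vulnerable shape beside a version that never evaluates caller-supplied shortcode text:

```php
<?php
// Added example for the arbitrary-shortcode-execution class. Not code from the
// Download Manager plugin; action and shortcode names are hypothetical.

// Vulnerable pattern: text from the request goes straight to do_shortcode().
// Every shortcode registered on the site, from any plugin, becomes reachable by
// an unauthenticated caller with attributes of the caller's choosing.
add_action( 'wp_ajax_nopriv_demo_render_vuln', function () {
    $template = wp_unslash( $_POST['template'] ?? '' );
    echo do_shortcode( $template );   // e.g. template=[other_plugin_tag mode="unsafe"]
    wp_die();
} );

// Hardened pattern: the caller chooses an identifier from a server-side
// allowlist; the shortcode callback is invoked directly with validated
// attributes. No caller-supplied shortcode text is ever parsed.
function demo_render_allowed( $id, array $atts ) {
    global $shortcode_tags;
    $allowed = array(
        'download_button' => 'demo_download_button',   // feature id -> hypothetical tag
    );
    if ( ! isset( $allowed[ $id ] ) || ! isset( $shortcode_tags[ $allowed[ $id ] ] ) ) {
        return '';
    }
    $safe = array();
    foreach ( $atts as $key => $value ) {
        // Attribute names restricted to a fixed charset, values to plain text.
        if ( is_string( $key ) && preg_match( '/^[a-z_]{1,32}$/', $key ) && is_scalar( $value ) ) {
            $safe[ $key ] = sanitize_text_field( (string) $value );
        }
    }
    $tag = $allowed[ $id ];
    return call_user_func( $shortcode_tags[ $tag ], $safe, '', $tag );
}

function demo_render_handler() {
    $id   = sanitize_key( $_POST['id'] ?? '' );
    $atts = ( isset( $_POST['atts'] ) && is_array( $_POST['atts'] ) ) ? wp_unslash( $_POST['atts'] ) : array();
    echo demo_render_allowed( $id, $atts );   // the shortcode callback escapes its own output
    wp_die();
}
add_action( 'wp_ajax_nopriv_demo_render', 'demo_render_handler' );
add_action( 'wp_ajax_demo_render', 'demo_render_handler' );
```

During code review, the quick check is to grep for `do_shortcode(` and inspect whether any argument derives from `$_GET`, `$_POST`, `$_REQUEST` or REST parameters; the exposure is the union of every shortcode installed on the site, not only the plugin's own.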
Threat Entry Updated 2025-02-05

CVE-2024-10548 - WP Project Manager Plugin

The WP Project Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.15 via the Project Task List ('/wp-json/pm/v2/projects/1/task-lists') REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including the hashed passwords of project owners (e.g. administrators).

PLUGIN WP Project Manager

CVE-2024-10548

MEDIUM CVSS 6.5 2024-12-19
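The exposure above is the usual REST shape: a permission callback that only asks "is anyone logged in?" and a response that serialises a whole WP_User object, whose public data property carries user_pass. The following is an added example, not code from WP Project Manager; the namespace, route and field names are hypothetical:

```php
<?php
// Added example of a leaking REST route beside a hardened one. Not code from
// WP Project Manager; route and field names are hypothetical.

add_action( 'rest_api_init', function () {
    // Vulnerable: any authenticated user passes; the project owner is returned
    // as a WP_User, and json_encode() of WP_User includes ->data->user_pass.
    register_rest_route( 'demo/v1', '/projects/(?P<id>\d+)/task-lists-vuln', array(
        'methods'             => 'GET',
        'permission_callback' => 'is_user_logged_in',
        'callback'            => function ( WP_REST_Request $req ) {
            $owner = get_user_by( 'id', get_post_field( 'post_author', (int) $req['id'] ) );
            return array( 'owner' => $owner, 'lists' => array() );   // leaks the password hash
        },
    ) );

    // Hardened: per-object authorization on the project, and an explicit
    // allowlist of owner fields instead of the user object.
    register_rest_route( 'demo/v1', '/projects/(?P<id>\d+)/task-lists', array(
        'methods'             => 'GET',
        'args'                => array(
            'id' => array( 'validate_callback' => 'is_numeric', 'sanitize_callback' => 'absint' ),
        ),
        'permission_callback' => function ( WP_REST_Request $req ) {
            // Hypothetical rule: you may list tasks only on projects you can read.
            return current_user_can( 'read_post', (int) $req['id'] );
        },
        'callback'            => function ( WP_REST_Request $req ) {
            $owner = get_user_by( 'id', get_post_field( 'post_author', (int) $req['id'] ) );
            $owner_public = $owner ? array(
                'id'           => $owner->ID,
                'display_name' => $owner->display_name,
                'avatar'       => get_avatar_url( $owner->ID ),
            ) : null;
            return rest_ensure_response( array( 'owner' => $owner_public, 'lists' => array() ) );
        },
    ) );
} );
```

A leaked hash is an offline-cracking target with no rate limiting, which is why an information-exposure finding on a REST route is treated as a credential issue. When auditing, request the route as a Subscriber with `curl -u` or an application password and diff the JSON against what a Subscriber should see in the UI.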
Threat Entry Updated 2024-12-19

CVE-2024-12121 - Broken Link Checker | Finder Plugin

The Broken Link Checker | Finder plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.5.0 via the 'moblc_check_link' function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information on internal services.

PLUGIN Broken Link Checker | Finder

CVE-2024-12121

MEDIUM CVSS 5.4 2024-12-19
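A link checker is SSRF by design, so the fix is constraining where it may connect rather than removing the feature. The following is an added example, not code from the Broken Link Checker | Finder plugin; the function names are hypothetical. It validates scheme and resolved address, follows redirects one hop at a time so that each hop is re-validated, and discards the body:

```php
<?php
// Added example of a link checker with SSRF controls. Not code from the
// Broken Link Checker | Finder plugin; function names are hypothetical.

// Vulnerable: whatever the Author submits is fetched from the server's network.
function demo_check_link_vuln( $url ) {
    $res = wp_remote_head( $url );
    return is_wp_error( $res ) ? 0 : (int) wp_remote_retrieve_response_code( $res );
}

// Accepts only http(s) URLs whose every resolved address is globally routable.
function demo_is_public_url( $url ) {
    $p = wp_parse_url( $url );
    if ( empty( $p['scheme'] ) || empty( $p['host'] ) || ! in_array( $p['scheme'], array( 'http', 'https' ), true ) ) {
        return false;
    }
    if ( isset( $p['user'] ) || isset( $p['pass'] ) ) {
        return false;   // no credentials in URLs
    }
    $host  = strtolower( trim( $p['host'], '[]' ) );
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;   // 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16, ::1, fe80::/10, ...
    if ( filter_var( $host, FILTER_VALIDATE_IP ) ) {
        return (bool) filter_var( $host, FILTER_VALIDATE_IP, $flags );   // IP literal
    }
    $records = @dns_get_record( $host, DNS_A + DNS_AAAA );
    if ( empty( $records ) ) {
        return false;
    }
    foreach ( $records as $r ) {
        $ip = $r['ip'] ?? $r['ipv6'] ?? null;
        if ( null === $ip || ! filter_var( $ip, FILTER_VALIDATE_IP, $flags ) ) {
            return false;   // one internal answer poisons the whole name
        }
    }
    return true;
}

function demo_check_link( $url, $max_hops = 3 ) {
    for ( $hop = 0; $hop <= $max_hops; $hop++ ) {
        if ( ! demo_is_public_url( $url ) ) {
            return 0;
        }
        $res = wp_remote_head( $url, array(
            'redirection'        => 0,      // do not let the HTTP layer follow redirects
            'reject_unsafe_urls' => true,   // WordPress's own wp_http_validate_url() as a second layer
            'timeout'            => 5,
        ) );
        if ( is_wp_error( $res ) ) {
            return 0;
        }
        $code = (int) wp_remote_retrieve_response_code( $res );
        $loc  = wp_remote_retrieve_header( $res, 'location' );
        if ( $code >= 300 && $code < 400 && $loc ) {
            $url = $loc;   // re-validated on the next iteration
            continue;
        }
        return $code;     // status only; the body is never returned to the caller
    }
    return 0;
}
```

Two caveats a practitioner would want: the resolve-then-fetch sequence is still open to DNS rebinding (the answer can change between the check and the connection), so the safest deployment also restricts egress at the network layer; and the filter flags do not cover the shared address space 100.64.0.0/10, which should be added explicitly if it is routable from the web tier.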
Threat Entry Updated 2024-12-18

CVE-2024-11926 - Travel Booking WordPress Theme

The Travel Booking WordPress Theme theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '__stPartnerCreateServiceRental', 'st_delete_order_item', '_st_partner_approve_booking', 'save_order_item', and '__userDenyEachInfo' functions in all versions up to, and including, 3.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify posts, delete posts and pages, approve arbitrary orders, insert orders with arbitrary prices, and deny user information.

THEME Travel Booking WordPress Theme

CVE-2024-11926

MEDIUM CVSS 6.5 2024-12-18
Threat Entry Updated 2024-12-18

CVE-2024-11912 - Travel Booking WordPress Theme

The Travel Booking WordPress Theme theme for WordPress is vulnerable to blind time-based SQL Injection via the ‘order_id’ parameter in all versions up to, and including, 3.1.6 due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation of the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL to existing queries, which can be used to extract sensitive information from the database.

THEME Travel Booking WordPress Theme

CVE-2024-11912

HIGH CVSS 7.5 2024-12-18
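Blind, time-based injection means the page shows nothing from the query; the attacker only measures response time. The following is an added example, not code from the Travel Booking theme; the table and column names are hypothetical. It shows the interpolated query beside the prepared one, including the LIKE case that is commonly mishandled even with prepare():

```php
<?php
// Added example of the interpolation bug beside $wpdb->prepare(). Not code from
// the Travel Booking theme; table and column names are hypothetical.

// Vulnerable: the parameter is concatenated into SQL. With
//   order_id=1 AND IF(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1)='$',SLEEP(5),0)
// the response is delayed only when the guessed character is right, so the
// hash can be read out one character at a time without any visible output.
function demo_get_order_vuln( $order_id ) {
    global $wpdb;
    $sql = "SELECT id, status FROM {$wpdb->prefix}demo_orders WHERE id = " . $order_id;
    return $wpdb->get_row( $sql );
}

// Hardened: validate the type, then bind the value through prepare().
function demo_get_order( $order_id ) {
    global $wpdb;
    $order_id = absint( $order_id );
    if ( 0 === $order_id ) {
        return null;
    }
    return $wpdb->get_row( $wpdb->prepare(
        "SELECT id, status FROM {$wpdb->prefix}demo_orders WHERE id = %d",
        $order_id
    ) );
}

// String columns use %s (prepare() quotes and escapes). For LIKE patterns the
// wildcard characters must be escaped first with esc_like(), otherwise a
// caller can turn a lookup into a full-table scan with "%".
function demo_find_orders_by_email( $email ) {
    global $wpdb;
    $pattern = '%' . $wpdb->esc_like( sanitize_email( $email ) ) . '%';
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT id FROM {$wpdb->prefix}demo_orders WHERE customer_email LIKE %s",
        $pattern
    ) );
}
```

Note that prepare() cannot parameterise identifiers: a table or column name taken from input still needs an allowlist, and `ORDER BY $col` is a classic residual injection point in code that otherwise uses prepare() correctly.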
Threat Entry Updated 2025-02-04

CVE-2024-11291 - Paid Member Subscriptions Plugin

The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.4 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as logged-in users.

PLUGIN Paid Member Subscriptions

CVE-2024-11291

MEDIUM CVSS 5.3 2024-12-18
Threat Entry Updated 2024-12-18

CVE-2024-12454 - SliceWP Affiliates Plugin

The Affiliate Program Suite — SliceWP Affiliates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.23. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN SliceWP Affiliates

CVE-2024-12454

MEDIUM CVSS 6.1 2024-12-18
Threat Entry Updated 2024-12-18

CVE-2024-12554 - Peter's Custom Anti-Spam Plugin

The Peter’s Custom Anti-Spam plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.3. This is due to missing nonce validation on the cas_register_post() function. This makes it possible for unauthenticated attackers to blacklist emails via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Peter's Custom Anti-Spam

CVE-2024-12554

MEDIUM CVSS 5.4 2024-12-18
Threat Entry Updated 2024-12-18

CVE-2024-12340 - Animation Addons For Elementor Plugin

The Animation Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.6 via the 'render' function in widgets/content-slider.php and widgets/tabs.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft Elementor template data.

PLUGIN Animation Addons For Elementor

CVE-2024-12340

MEDIUM CVSS 4.3 2024-12-18
Threat Entry Updated 2024-12-18

CVE-2024-12287 - Biagiotti Membership Plugin

The Biagiotti Membership plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.0.2. This is due to the plugin not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to log in as other users, such as administrators, provided they have access to an email.

PLUGIN Biagiotti Membership

CVE-2024-12287

CRITICAL CVSS 9.8 2024-12-18
Threat Entry Updated 2024-12-18

CVE-2024-11295 - Simple Page Access Restriction Plugin

The Simple Page Access Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.29 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as logged-in users.

PLUGIN Simple Page Access Restriction

CVE-2024-11295

MEDIUM CVSS 5.3 2024-12-18
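CVE-2024-11291 and CVE-2024-11295 above share one root cause: the restriction is applied when the post body is rendered, but core search still matches against the full post_content, so the results page (and its excerpts) reveal words from restricted posts. The following is an added example, not code from either plugin; the meta key and the rule "any logged-in user may read" are hypothetical. It moves the restriction into the query itself so restricted posts are never retrieved for anonymous visitors, in search or anywhere else:

```php
<?php
// Added example: enforcing a content restriction at query time rather than at
// render time. Not code from Paid Member Subscriptions or Simple Page Access
// Restriction; the meta key '_demo_restricted' and the rule are hypothetical.

// Why render-time checks leak: ?s=secret-phrase still returns the post because
// WP_Query matched post_content before any template-level gate ran, and the
// search result shows title and an excerpt generated from that content.

// Fix: exclude restricted posts from every query an anonymous visitor runs.
// pre_get_posts fires for the main query, secondary queries (widgets, related
// posts) and the REST API, so one hook covers all of them.
add_action( 'pre_get_posts', function ( WP_Query $query ) {
    if ( is_user_logged_in() ) {
        return;   // hypothetical rule: restriction lifts for any authenticated user
    }
    $meta_query   = (array) $query->get( 'meta_query' );
    $meta_query[] = array(
        'relation' => 'OR',
        array( 'key' => '_demo_restricted', 'compare' => 'NOT EXISTS' ),
        array( 'key' => '_demo_restricted', 'value' => '1', 'compare' => '!=' ),
    );
    $query->set( 'meta_query', $meta_query );
} );

// Defence in depth for any path that still fetches the post (direct ID access,
// oEmbed, feeds): hide the content itself as well.
add_filter( 'the_content', function ( $content ) {
    if ( ! is_user_logged_in() && '1' === get_post_meta( get_the_ID(), '_demo_restricted', true ) ) {
        return '<p>' . esc_html__( 'This content is available to members only.', 'demo' ) . '</p>';
    }
    return $content;
} );
```

To confirm a fix, search as an anonymous visitor for a phrase that occurs only inside a restricted post's body, and repeat against `/wp-json/wp/v2/posts?search=<phrase>` and the RSS feed; all three must come back empty.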
Threat Entry Updated 2025-05-14

CVE-2024-10892 - Cost Calculator Builder Plugin

The Cost Calculator Builder WordPress plugin before 3.2.43 does not have CSRF checks in some AJAX actions, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks.

PLUGIN Cost Calculator Builder

CVE-2024-10892

MEDIUM CVSS 5.4 2024-12-18
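CVE-2024-12454, CVE-2024-12554 and CVE-2024-10892 above are all the same defect: a state-changing handler that trusts any request arriving with a logged-in user's cookies. The following is an added example, not code from any of those plugins; the action name, option name and form are hypothetical. It shows the forgeable handler, the form that carries a nonce, and the handler that verifies it:

```php
<?php
// Added example of a CSRF-able admin action beside its nonce-protected form.
// Not code from SliceWP, Peter's Custom Anti-Spam or Cost Calculator Builder;
// action, option and field names are hypothetical.

// Vulnerable: the capability check passes because the admin IS logged in; the
// request was simply not sent by the admin. An attacker page containing
//   <form action="https://victim/wp-admin/admin-post.php" method="post">
//     <input name="action" value="demo_blocklist_email_vuln">
//     <input name="email" value="customer@example.com">
//   </form><script>document.forms[0].submit()</script>
// performs the action as soon as the admin visits it.
add_action( 'admin_post_demo_blocklist_email_vuln', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden', 403 );
    }
    demo_add_to_blocklist( sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ) );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
} );

// The form embeds a nonce tied to this action and to the current user's session.
function demo_blocklist_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_blocklist_email">
        <?php wp_nonce_field( 'demo_blocklist_email', '_demo_nonce' ); ?>
        <input type="email" name="email" required>
        <button type="submit">Block</button>
    </form>
    <?php
}

// Hardened: the nonce proves the request originated from a page this site
// rendered for this user. check_admin_referer() dies with a 403 on failure.
add_action( 'admin_post_demo_blocklist_email', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden', 403 );
    }
    check_admin_referer( 'demo_blocklist_email', '_demo_nonce' );
    demo_add_to_blocklist( sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ) );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
} );

function demo_add_to_blocklist( $email ) {
    if ( ! is_email( $email ) ) {
        return false;
    }
    $list   = (array) get_option( 'demo_email_blocklist', array() );
    $list[] = $email;
    return update_option( 'demo_email_blocklist', array_values( array_unique( $list ) ) );
}
```

For AJAX handlers the equivalent call is check_ajax_referer(). A nonce is not authorization: the capability check stays, and an action reachable by Subscribers needs both. Also note that a nonce sent on a GET link leaks through the Referer header, which is why state changes belong in POST forms.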
Threat Entry Updated 2024-12-18

CVE-2024-12449 - Video Share VOD Plugin

The Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_player_html' shortcode in all versions up to, and including, 2.6.30 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Video Share VOD

CVE-2024-12449

MEDIUM CVSS 6.4 2024-12-18
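CVE-2024-12626 (reflected, via a request parameter) and CVE-2024-12449 (stored, via shortcode attributes) differ in where the attacker's string is kept but share the fix: escape for the context the string lands in. The following is an added example, not code from AutomatorWP or Video Share VOD; the shortcode tag, attribute names and request parameter are hypothetical:

```php
<?php
// Added example of unescaped versus context-escaped output. Not code from
// AutomatorWP or Video Share VOD; tag, attribute and parameter names are hypothetical.

// Stored XSS: a Contributor saves [demo_player title='x" onmouseover="alert(1)']
// in a draft, and everyone who previews or publishes the post runs the script.
function demo_player_vuln( $atts ) {
    $atts = shortcode_atts( array( 'src' => '', 'title' => '' ), $atts, 'demo_player' );
    return '<div class="player" title="' . $atts['title'] . '">'
         . '<video src="' . $atts['src'] . '"></video></div>';
}

// Hardened: each value escaped for its own context. esc_attr() handles the
// quote/angle-bracket break-out; esc_url() additionally drops unsafe schemes
// such as javascript:, which esc_attr() alone would let through in src.
function demo_player( $atts ) {
    $atts = shortcode_atts( array( 'src' => '', 'title' => '' ), $atts, 'demo_player' );
    return '<div class="player" title="' . esc_attr( $atts['title'] ) . '">'
         . '<video src="' . esc_url( $atts['src'] ) . '"></video></div>';
}
add_shortcode( 'demo_player', 'demo_player' );

// Reflected XSS: a search value echoed back into the form. Sanitizing on input
// is not a substitute for escaping on output; do both.
function demo_search_form_vuln() {
    return '<input type="text" name="demo_q" value="' . ( $_GET['demo_q'] ?? '' ) . '">';
}

function demo_search_form() {
    $value = isset( $_GET['demo_q'] ) ? sanitize_text_field( wp_unslash( $_GET['demo_q'] ) ) : '';
    return '<input type="text" name="demo_q" value="' . esc_attr( $value ) . '">';
}

// Text nodes and inline JavaScript each have their own escaper.
function demo_render_caption( $caption ) {
    return '<figcaption>' . esc_html( $caption ) . '</figcaption>'
         . '<script>var demoCaption = ' . wp_json_encode( $caption ) . ';</script>';
}
```

The reflected case needs no account, so the page-level CVSS can exceed the stored case once a privileged victim and a follow-on primitive (such as an import or code-execution feature) are involved; that is the combination the AutomatorWP entry refers to.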
Threat Entry Updated 2025-07-11

CVE-2024-12596 - LifterLMS Plugin

The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to arbitrary post deletion due to a missing capability check on the 'llms_delete_cert' action in all versions up to, and including, 7.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts.

PLUGIN LifterLMS

CVE-2024-12596

MEDIUM CVSS 4.3 2024-12-18
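CVE-2024-12331, CVE-2024-12560, CVE-2024-11926, CVE-2024-12340 and CVE-2024-12596 above are all missing or insufficient capability checks: wp_ajax_* hooks are reachable by every logged-in role, so a handler that does not ask "may this user do this to this object?" is open to Subscribers. The following is an added example, not code from any of those plugins; the action names and the post type are hypothetical. It covers the two shapes on this page, a destructive action and a read/duplicate action that exposes draft or private content:

```php
<?php
// Added example of per-object capability checks on AJAX handlers. Not code from
// LifterLMS, Filester, Button Block, Animation Addons or the Travel Booking
// theme; action names and the post type 'demo_certificate' are hypothetical.

// Vulnerable: nothing checks who calls it or what the id points at.
add_action( 'wp_ajax_demo_delete_cert_vuln', function () {
    wp_delete_post( absint( $_POST['post_id'] ?? 0 ), true );   // any post of any type
    wp_send_json_success();
} );

// Hardened: nonce for CSRF, capability scoped to the specific post via the
// meta capability 'delete_post', and the post type pinned to the feature.
add_action( 'wp_ajax_demo_delete_cert', function () {
    check_ajax_referer( 'demo_delete_cert', 'nonce' );
    $post_id = absint( $_POST['post_id'] ?? 0 );
    $post    = get_post( $post_id );
    if ( ! $post || 'demo_certificate' !== $post->post_type
         || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_delete_post( $post_id, true );
    wp_send_json_success();
} );

// Read-side: duplicating or rendering a post copies its content. A Contributor
// may create posts, but 'read_post' on someone else's draft, pending, private or
// future post fails, and password-protected posts need their own check because
// 'read_post' on a public password-protected post succeeds for everyone.
add_action( 'wp_ajax_demo_duplicate_post', function () {
    check_ajax_referer( 'demo_duplicate_post', 'nonce' );
    $post_id = absint( $_POST['post_id'] ?? 0 );
    $source  = get_post( $post_id );
    if ( ! $source
         || ! current_user_can( 'edit_posts' )
         || ! current_user_can( 'read_post', $post_id )
         || post_password_required( $source ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $new_id = wp_insert_post( array(
        'post_title'   => $source->post_title . ' (copy)',
        'post_content' => $source->post_content,
        'post_status'  => 'draft',
        'post_type'    => $source->post_type,
        'post_author'  => get_current_user_id(),
    ), true );
    if ( is_wp_error( $new_id ) ) {
        wp_send_json_error( $new_id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'id' => $new_id ) );
} );
```

The test that catches this whole class: log in as a Subscriber, replay every admin-ajax action the plugin registers with the id of a post you do not own, and expect a 403 from each. Checking a broad capability such as 'edit_posts' alone still fails the test for the cross-author cases.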
Threat Entry Updated 2024-12-18

CVE-2024-12259 - RepairBuddy Plugin

The CRM WordPress Plugin – RepairBuddy plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.8120. This is due to the plugin not properly validating a user's identity prior to updating their email through the wc_update_user_data AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary users' email addresses, including administrators', and leverage that to reset the user's password and gain access to their account.

PLUGIN RepairBuddy

CVE-2024-12259

HIGH CVSS 8.8 2024-12-18
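The chain above (change the email, then use the core lost-password flow) turns a profile-update bug into administrator access. The following is an added example, not code from RepairBuddy; the action name, meta key and confirmation parameters are hypothetical. It shows the handler that trusts a user id from the request beside one that acts only on the caller, re-verifies the password, and makes the new address effective only after confirmation:

```php
<?php
// Added example of email-change identity verification. Not code from RepairBuddy;
// action, meta key and query parameter names are hypothetical.

// Vulnerable: user_id comes from the request. A Subscriber sends user_id=1 with
// an attacker mailbox, then requests a password reset for the administrator.
add_action( 'wp_ajax_demo_update_user_data_vuln', function () {
    wp_update_user( array(
        'ID'         => absint( $_POST['user_id'] ?? 0 ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
    ) );
    wp_send_json_success();
} );

// Hardened: target is the caller, the current password is re-checked for this
// sensitive change, and the address is stored as pending until confirmed.
add_action( 'wp_ajax_demo_update_user_data', function () {
    check_ajax_referer( 'demo_update_user_data', 'nonce' );
    $user = wp_get_current_user();
    $pass = (string) ( $_POST['current_password'] ?? '' );
    if ( ! $user->exists() || ! wp_check_password( $pass, $user->user_pass, $user->ID ) ) {
        wp_send_json_error( 'password check failed', 403 );
    }
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) || email_exists( $email ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }
    $token = bin2hex( random_bytes( 32 ) );
    update_user_meta( $user->ID, '_demo_pending_email', array(
        'email'   => $email,
        'hash'    => hash( 'sha256', $token ),   // only the hash is stored
        'expires' => time() + HOUR_IN_SECONDS,
    ) );
    $link = add_query_arg( array( 'demo_confirm' => $token, 'uid' => $user->ID ), home_url( '/' ) );
    wp_mail( $email, 'Confirm your new email address', 'Open this link to confirm: ' . $link );
    wp_send_json_success( 'confirmation sent' );
} );

// The address changes only when the link in the new mailbox is opened.
add_action( 'init', function () {
    if ( empty( $_GET['demo_confirm'] ) || empty( $_GET['uid'] ) ) {
        return;
    }
    $uid = absint( $_GET['uid'] );
    $rec = get_user_meta( $uid, '_demo_pending_email', true );
    if ( ! is_array( $rec ) ) {
        return;
    }
    delete_user_meta( $uid, '_demo_pending_email' );   // single use, even on failure
    if ( time() > $rec['expires']
         || ! hash_equals( $rec['hash'], hash( 'sha256', (string) $_GET['demo_confirm'] ) ) ) {
        return;
    }
    wp_update_user( array( 'ID' => $uid, 'user_email' => $rec['email'] ) );
} );
```

If a plugin legitimately needs to edit other users' addresses (an admin CRM screen), the check becomes current_user_can( 'edit_user', $target_id ), which Subscribers do not hold; accepting an arbitrary user id without that check is the defect this entry describes.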
Threat Entry Updated 2024-12-18

CVE-2024-12432 - WPC Shop as a Customer for WooCommerce Plugin

The WPC Shop as a Customer for WooCommerce plugin for WordPress is vulnerable to account takeover and privilege escalation in all versions up to, and including, 1.2.8. This is due to the 'generate_key' function not producing a sufficiently random value. This makes it possible for authenticated attackers, with Subscriber-level access and above, to log in as site administrators, provided they have triggered the ajax_login() function, which generates a unique key that can be used to log in.

PLUGIN WPC Shop as a Customer for WooCommerce

CVE-2024-12432

HIGH CVSS 8.1 2024-12-18
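CVE-2024-12432 (a guessable login key) and CVE-2024-12287 (login granted on the strength of an email value alone) are both failures to make possession of a secret the thing that authenticates. The following is an added example, not code from either plugin; the function and meta names are hypothetical. It shows a predictable key beside a token that is CSPRNG-generated, stored hashed, bound to an issuer, single-use and short-lived, with issuing itself gated on the capability to act as the target user:

```php
<?php
// Added example of a "log in as user" key done weakly and done properly. Not
// code from WPC Shop as a Customer or Biagiotti Membership; names are hypothetical.

// Vulnerable: md5 of values the attacker knows or can bracket (user id, time).
// If a Subscriber can trigger generation, they can also enumerate candidates.
function demo_generate_key_vuln( $user_id ) {
    return md5( $user_id . time() );
}

// Hardened issuance: 256 bits from the OS CSPRNG, hash stored, issuer recorded,
// five-minute lifetime, and only users allowed to edit the target may issue.
function demo_issue_login_key( $target_user_id ) {
    if ( ! current_user_can( 'edit_user', $target_user_id ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to act as this user.' );
    }
    $token = bin2hex( random_bytes( 32 ) );
    update_user_meta( $target_user_id, '_demo_login_key', array(
        'hash'    => hash( 'sha256', $token ),
        'issuer'  => get_current_user_id(),
        'expires' => time() + 5 * MINUTE_IN_SECONDS,
    ) );
    return $token;   // shown once to the issuer; never written to logs or mail
}

// Redemption: constant-time compare against the stored hash, consumed on first
// attempt, and an extra rule that refuses to impersonate administrators at all.
function demo_redeem_login_key( $user_id, $token ) {
    $rec = get_user_meta( $user_id, '_demo_login_key', true );
    if ( ! is_array( $rec ) ) {
        return false;
    }
    delete_user_meta( $user_id, '_demo_login_key' );   // single use, even on failure
    if ( time() > $rec['expires'] ) {
        return false;
    }
    if ( ! hash_equals( $rec['hash'], hash( 'sha256', (string) $token ) ) ) {
        return false;
    }
    $target = get_user_by( 'id', $user_id );
    if ( ! $target || user_can( $target, 'manage_options' ) ) {
        return false;   // policy: impersonation never reaches an administrator session
    }
    wp_set_auth_cookie( $user_id, false );
    return true;
}

// The same shape serves an email-based login link: the email selects the
// account, but only the unguessable token in the mailbox proves control of it.
// Logging a user in because a request merely names their email is the bypass
// described under CVE-2024-12287.
function demo_send_login_link( $email ) {
    $user = get_user_by( 'email', sanitize_email( $email ) );
    if ( $user ) {
        $token = bin2hex( random_bytes( 32 ) );
        update_user_meta( $user->ID, '_demo_login_key', array(
            'hash'    => hash( 'sha256', $token ),
            'issuer'  => 0,
            'expires' => time() + 15 * MINUTE_IN_SECONDS,
        ) );
        wp_mail( $user->user_email, 'Your login link',
            add_query_arg( array( 'demo_login' => $token, 'uid' => $user->ID ), home_url( '/' ) ) );
    }
    return true;   // same response whether or not the email exists
}
```

When reviewing a key generator, the questions are: where does the entropy come from (random_bytes(), wp_generate_password() with a CSPRNG, not mt_rand(), uniqid() or time()), is the stored form a hash, who may trigger generation, and is the key bound to one user and one use. A strong key that a Subscriber can mint for the administrator still fails on the third question.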