Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-10-30
CVE-2021-4451 - Ninjafirewall Plugin
The NinjaFirewall plugin for WordPress is vulnerable to Authenticated PHAR Deserialization in versions up to, and including, 4.3.3. This allows authenticated attackers to perform phar deserialization on the server. This deserialization can allow other plugin or theme exploits if vulnerable software is present (WordPress, and NinjaFirewall).
PLUGIN
Ninjafirewall
CVE-2021-4451
Risk Score
Threat Entry
Updated 2025-01-10
CVE-2021-4447 - Essential Addons For Elementor Plugin
The Essential Addons for Elementor plugin for WordPress is vulnerable to privilege escalation in versions up to and including 4.6.4 due to a lack of restrictions on who can add a registration form and a custom registration role to an Elementor created page. This makes it possible for attackers with access to the Elementor page builder to create a new registration form that defaults to the user role being set to administrator and subsequently register as an administrative user.
PLUGIN
Essential Addons For Elementor
CVE-2021-4447
Risk Score
Threat Entry
Updated 2024-10-30
CVE-2021-4448 - Kaswara Modern Vc Addons Plugin
The Kaswara Modern VC Addons plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.0.1 due to insufficient capability checking on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of unauthorized actions such as importing data, uploading arbitrary files, deleting arbitrary files, and more.
PLUGIN
Kaswara Modern Vc Addons
CVE-2021-4448
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2021-4445 - Premium Addons For Elementor Plugin
The Premium Addons for Elementor plugin for WordPress is vulnerable to Arbitrary Option Updates in versions up to, and including, 4.5.1. This is due to missing capability and nonce checks in the pa_dismiss_admin_notice AJAX action. This makes it possible for authenticated subscriber+ attackers to change arbitrary options with a restricted value of 1 on vulnerable WordPress sites.
PLUGIN
Premium Addons For Elementor
CVE-2021-4445
Risk Score
Threat Entry
Updated 2025-01-10
CVE-2021-4446 - Essential Addons For Elementor Plugin
The Essential Addons for Elementor plugin for WordPress is vulnerable to authorization bypass in versions up to and including 4.6.4 due to missing capability checks and nonce disclosure. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to perform many unauthorized actions such as changing settings and installing arbitrary plugins.
PLUGIN
Essential Addons For Elementor
CVE-2021-4446
Risk Score
Threat Entry
Updated 2024-10-16
CVE-2021-4443 - QuadMenu – Mega Menu Plugin
The WordPress Mega Menu plugin for WordPress is vulnerable to Arbitrary File Creation in versions up to, and including, 2.0.6 via the compiler_save AJAX action. This makes it possible for unauthenticated attackers to create arbitrary PHP files that can be used to execute malicious code.
PLUGIN
QuadMenu – Mega Menu
CVE-2021-4443
Risk Score
Threat Entry
Updated 2024-10-16
CVE-2021-4444 - product_filter Plugin
The Product Filter by WooBeWoo plugin for WordPress is vulnerable to authorization bypass in versions up to, and including 1.4.9 due to missing authorization checks on various functions. This makes it possible for unauthenticated attackers to perform unauthorized actions such as creating new filters and injecting malicious javascript into a vulnerable site. This was actively exploited at the time of discovery.
PLUGIN
product_filter
CVE-2021-4444
Risk Score
Threat Entry
Updated 2024-10-16
CVE-2024-9937 - Woo Manage Fraud Orders Plugin
The Woo Manage Fraud Orders plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 6.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Woo Manage Fraud Orders
CVE-2024-9937
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2024-9888 - Elementinvader Addons For Elementor Plugin
The ElementInvader Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's contact form widget redirect URL in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Elementinvader Addons For Elementor
CVE-2024-9888
Risk Score
Threat Entry
Updated 2024-10-16
CVE-2024-9873 - Mobile App Plugin
The Community by PeepSo – Social Network, Membership, Registration, User Profiles, Premium – Mobile App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via URLs in posts, comments, and profiles when Markdown support is enabled in all versions up to, and including, 6.4.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Mobile App
CVE-2024-9873
Risk Score
Threat Entry
Updated 2024-10-16
CVE-2024-9652 - Locatoraid Store Locator Plugin
The Locatoraid Store Locator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_POST keys in all versions up to, and including, 3.9.47 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Locatoraid Store Locator
CVE-2024-9652
Risk Score
Threat Entry
Updated 2024-10-16
CVE-2024-9891 - Multiline Files Upload For Contact Form 7 Plugin
The Multiline files upload for contact form 7 plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the mfcf7_zl_custom_handle_deactivation_plugin_form_submission() function in all versions up to, and including, 2.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate the plugin and send a custom reason from the site.
PLUGIN
Multiline Files Upload For Contact Form 7
CVE-2024-9891
Risk Score
Threat Entry
Updated 2025-02-27
CVE-2024-9634 - Givewp Plugin
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.3 via deserialization of untrusted input from the give_company_name parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.
PLUGIN
Givewp
CVE-2024-9634
Risk Score
Threat Entry
Updated 2025-05-17
CVE-2024-9305 - Apppresser Plugin
The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.4.4. This is due to the appp_reset_password() and validate_reset_password() functions not having enough controls to prevent a successful brute force attack of the OTP to change a password, or verify that a password reset request came from an authorized user. This makes it possible for unauthenticated attackers to generate and brute force an OTP that makes it possible to change any users passwords, including an administrator.
PLUGIN
Apppresser
CVE-2024-9305
Risk Score
Threat Entry
Updated 2024-10-16
CVE-2024-9521 - Seo Manager Plugin
The SEO Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post meta in versions up to, and including, 1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Seo Manager
CVE-2024-9521
Risk Score
Threat Entry
Updated 2024-10-16
CVE-2024-9647 - Kama Spamblock Plugin
The Kama SpamBlock plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_POST values in all versions up to, and including, 1.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Kama Spamblock
CVE-2024-9647
Risk Score
Threat Entry
Updated 2025-02-27
CVE-2024-9649 - Wp Ulike Plugin
The WP ULike – The Ultimate Engagement Toolkit for Websites plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.7.4. This is due to missing or incorrect nonce validation on the wp_ulike_delete_history_api() function. This makes it possible for unauthenticated attackers to delete engagements via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Wp Ulike
CVE-2024-9649
Risk Score
Threat Entry
Updated 2024-10-16
CVE-2024-9105 - Ultimateai Plugin
The UltimateAI plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.8.3. This is due to insufficient verification on the user being supplied in the 'ultimate_ai_register_or_login_with_google' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.
PLUGIN
Ultimateai
CVE-2024-9105
Risk Score
Threat Entry
Updated 2025-02-11
CVE-2024-8787 - Smart Online Order For Clover Plugin
The Smart Online Order for Clover plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.5.7. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Smart Online Order For Clover
CVE-2024-8787
Risk Score
Threat Entry
Updated 2024-10-16
CVE-2024-9104 - Ultimateai Plugin
The UltimateAI plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.8.3. This is due to the improper empty value check and a missing default activated value check in the 'ultimate_ai_change_pass' function. This makes it possible for unauthenticated attackers to reset the password of the first user, whose account is not yet activated or the first user who activated their account, who are subscribers.
PLUGIN
Ultimateai
CVE-2024-9104
Risk Score