
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036
Critical: 923
High: 3,047
Medium: 10,866
Showing 8261-8280 of 15036 records
Threat Entry Updated 2024-09-26

CVE-2024-1596 - Ninja Forms File Uploads Plugin

The Ninja Forms - File Uploads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded file (e.g. RTX file) in all versions up to, and including, 3.3.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ninja Forms File Uploads

CVE-2024-1596

HIGH CVSS 7.2 2024-09-07
Threat Entry Updated 2024-09-26

CVE-2024-8538 - Big File Uploads Plugin

The Big File Uploads – Increase Maximum File Upload Size plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.1.2. This is due to the plugin not sanitizing a file path in an error message. This makes it possible for authenticated attackers, with author-level access and above, to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an…

PLUGIN Big File Uploads

CVE-2024-8538

MEDIUM CVSS 4.3 2024-09-07
Threat Entry Updated 2024-09-26

CVE-2024-6849 - Preloader Plus Plugin

The Preloader Plus – WordPress Loading Screen Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Preloader Plus

CVE-2024-6849

MEDIUM CVSS 6.4 2024-09-07
Threat Entry Updated 2024-09-26

CVE-2024-8428 - Forumwp Plugin

The ForumWP – Forum & Discussion Board Plugin plugin for WordPress is vulnerable to Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 2.0.2 via the submit_form_handler due to missing validation on the 'user_id' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to change the email address of administrative user accounts, which can then be leveraged to reset the administrative user's password and gain access to their account.

PLUGIN Forumwp

CVE-2024-8428

HIGH CVSS 8.8 2024-09-06
Threat Entry Updated 2024-09-26

CVE-2024-7611 - Enter Addons Plugin

The Enter Addons – Ultimate Template Builder for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' attribute of the Events Card widget in all versions up to, and including, 2.1.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Enter Addons

CVE-2024-7611

MEDIUM CVSS 6.4 2024-09-06
Threat Entry Updated 2024-09-26

CVE-2024-7599 - Advanced Sermons Plugin

The Advanced Sermons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sermon_video_embed' parameter in all versions up to, and including, 3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Advanced Sermons

CVE-2024-7599

MEDIUM CVSS 6.4 2024-09-06
Threat Entry Updated 2024-09-26

CVE-2024-7622 - Revision Manager Tmc Plugin

The Revision Manager TMC plugin for WordPress is vulnerable to unauthorized arbitrary email sending due to a missing capability check on the _a_ajaxQuickEmailTestCallback() function in all versions up to, and including, 2.8.19. This makes it possible for authenticated attackers, with subscriber-level access and above, to send emails with arbitrary content to any individual through the vulnerable web server.

PLUGIN Revision Manager Tmc

CVE-2024-7622

MEDIUM CVSS 4.3 2024-09-06
Threat Entry Updated 2024-09-26

CVE-2024-7493 - Wpcom Member Plugin

The WPCOM Member plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.5.2.1. This is due to the plugin allowing arbitrary data to be passed to wp_insert_user() during registration. This makes it possible for unauthenticated attackers to update their role to that of an administrator during registration.

PLUGIN Wpcom Member

CVE-2024-7493

CRITICAL CVSS 9.8 2024-09-06
Threat Entry Updated 2024-09-12

CVE-2024-8292 - Wp Recall Plugin

The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to privilege escalation/account takeover in all versions up to, and including, 16.26.8. This is due to the plugin not properly verifying a user's identity during new order creation. This makes it possible for unauthenticated attackers to supply any email through the user_email field and update the password for that user during new order creation. This requires the commerce addon to be enabled in order to exploit.

PLUGIN Wp Recall

CVE-2024-8292

CRITICAL CVSS 9.8 2024-09-06
Threat Entry Updated 2024-09-11

CVE-2024-8317 - Wp Adcenter Plugin

The WP AdCenter – Ad Manager & Adsense Ads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ad_alignment' attribute in all versions up to, and including, 2.5.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Adcenter

CVE-2024-8317

MEDIUM CVSS 6.4 2024-09-06
Threat Entry Updated 2024-09-11

CVE-2024-8427 - Frontend Post Submission Manager Plugin

The Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_global_settings and process_form_edit functions in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings and forms.

PLUGIN Frontend Post Submission Manager

CVE-2024-8427

MEDIUM CVSS 4.3 2024-09-06
Threat Entry Updated 2024-09-12

CVE-2024-7349 - Lifterlms Plugin

The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to blind SQL Injection via the 'order' parameter in all versions up to, and including, 7.7.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Lifterlms

CVE-2024-7349

HIGH CVSS 7.2 2024-09-06
Threat Entry Updated 2024-09-26

CVE-2024-8480 - Sirv Plugin

The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'sirv_save_prevented_sizes' function in all versions up to, and including, 7.2.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to exploit the 'sirv_upload_file_by_chunks_callback' function, which lacks proper file type validation, allowing attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Sirv

CVE-2024-8480

HIGH CVSS 8.8 2024-09-06
Threat Entry Updated 2024-09-26

CVE-2024-8247 - Newsletters Plugin

The Newsletters plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 4.9.9.2. This is due to the plugin not restricting what user meta can be updated as screen options. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an administrator. Please note that this only affects users with access to edit/update screen options, which means an administrator would need to grant lower privilege users with access to the Sent & Draft Emails page of…

PLUGIN Newsletters

CVE-2024-8247

HIGH CVSS 8.8 2024-09-06
Threat Entry Updated 2024-09-30

CVE-2024-7415 - Remember Me Controls Plugin

The Remember Me Controls plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.0.1. This is due to the plugin allowing direct access to the bootstrap.php file which has display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

PLUGIN Remember Me Controls

CVE-2024-7415

MEDIUM CVSS 5.3 2024-09-06
Threat Entry Updated 2024-09-06

CVE-2024-7381 - Geo Controller Plugin

The Geo Controller plugin for WordPress is vulnerable to unauthorized shortcode execution due to missing authorization and capability checks on the ajax__shortcode_cache function in all versions up to, and including, 8.6.9. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes available on the target site.

PLUGIN Geo Controller

CVE-2024-7381

MEDIUM CVSS 5.3 2024-09-05
Threat Entry Updated 2024-09-12

CVE-2024-7605 - Helloasso Plugin

The HelloAsso plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ha_ajax' function in all versions up to, and including, 1.1.10. This makes it possible for authenticated attackers, with Contributor-level access and above, to update plugin options, potentially disrupting the service.

PLUGIN Helloasso

CVE-2024-7605

MEDIUM CVSS 4.3 2024-09-05
Threat Entry Updated 2024-09-06

CVE-2024-7380 - Geo Controller Plugin

The Geo Controller plugin for WordPress is vulnerable to unauthorized menu creation/deletion due to missing capability checks on the ajax__geolocate_menu and ajax__geolocate_remove_menu functions in all versions up to, and including, 8.6.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create or delete WordPress menus.

PLUGIN Geo Controller

CVE-2024-7380

MEDIUM CVSS 4.3 2024-09-05
Threat Entry Updated 2024-09-12

CVE-2024-6929 - Dynamic Featured Image Plugin

The Dynamic Featured Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'dfiFeatured' parameter in all versions up to, and including, 3.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Dynamic Featured Image

CVE-2024-6929

MEDIUM CVSS 6.4 2024-09-05