Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-08-19
CVE-2024-43256 - WordPress Core
Missing Authorization vulnerability in nouthemes Leopard - WordPress offload media allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Leopard - WordPress offload media: from n/a through 2.0.36.
CORE
WordPress Core
CVE-2024-43256
Risk Score
Threat Entry
Updated 2025-05-27
CVE-2024-6843 - Chatbot With Chatgpt Plugin
The Chatbot with ChatGPT WordPress plugin before 2.4.5 does not sanitise and escape user inputs, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks against admins
PLUGIN
Chatbot With Chatgpt
CVE-2024-6843
Risk Score
Threat Entry
Updated 2025-05-27
CVE-2024-6330 - Before 4 Plugin
The GEO my WP WordPress plugin before 4.5.0.2 does not prevent unauthenticated attackers from including arbitrary files in PHP's execution context, which leads to Remote Code Execution.
PLUGIN
Before 4
CVE-2024-6330
Risk Score
Threat Entry
Updated 2025-05-27
CVE-2024-6451 - Ai Engine Plugin
AI Engine < 2.4.3 is susceptible to remote-code-execution (RCE) via Log Poisoning. The AI Engine WordPress plugin before 2.5.1 fails to validate the file extension of "logs_path", allowing Administrators to change log filetypes from .log to .php.
PLUGIN
Ai Engine
CVE-2024-6451
Risk Score
Threat Entry
Updated 2024-09-13
CVE-2024-43335 - Responsive Blocks Plugin
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CyberChimps Responsive Blocks – WordPress Gutenberg Blocks allows Stored XSS.This issue affects Responsive Blocks – WordPress Gutenberg Blocks: from n/a through 1.8.8.
PLUGIN
Responsive Blocks
CVE-2024-43335
Risk Score
Threat Entry
Updated 2024-08-19
CVE-2024-7703 - Armember Membership Plugin
The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.0.37 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Armember Membership
CVE-2024-7703
Risk Score
Threat Entry
Updated 2025-04-23
CVE-2023-0714 - Metform Plugin
The Metform Elementor Contact Form Builder for WordPress is vulnerable to Arbitrary File Upload due to insufficient file type validation in versions up to, and including, 3.2.4. This allows unauthenticated visitors to perform a "double extension" attack and upload files containing a malicious extension but ending with a benign extension, which may make remote code execution possible in some configurations.
PLUGIN
Metform
CVE-2023-0714
Risk Score
Threat Entry
Updated 2025-04-10
CVE-2023-5505 - Backwpup Plugin
The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the job-specific backup folder. This allows authenticated attackers to store backups in arbitrary folders on the server provided they can be written to by the server. Additionally, default settings will place an index.php and a .htaccess file into the chosen directory (unless already present) when the first backup job is run that are intended to prevent directory listing and file access. This means that an attacker could set the backup directory to…
PLUGIN
Backwpup
CVE-2023-5505
Risk Score
Threat Entry
Updated 2024-09-13
CVE-2023-3409 - Bricks Theme
The Bricks theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.1. This is due to missing or incorrect nonce validation on the 'reset_settings' function. This makes it possible for unauthenticated attackers to reset the theme's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
THEME
Bricks
CVE-2023-3409
Risk Score
Threat Entry
Updated 2024-09-13
CVE-2023-3408 - Bricks Theme
The Bricks theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.1. This is due to missing or incorrect nonce validation on the 'save_settings' function. This makes it possible for unauthenticated attackers to modify the theme's settings, including enabling a setting which allows lower-privileged users such as contributors to perform code execution, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
THEME
Bricks
CVE-2023-3408
Risk Score
Threat Entry
Updated 2024-08-19
CVE-2023-4604 - 2j Slideshow Plugin
The Slideshow, Image Slider by 2J plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘post’ parameter in versions up to, and including, 1.3.54 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
2j Slideshow
CVE-2023-4604
Risk Score
Threat Entry
Updated 2024-08-19
CVE-2023-4730 - LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing… Plugin
The LadiApp plugn for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the init_endpoint() function hooked via 'init' in versions up to, and including, 4.3. This makes it possible for unauthenticated attackers to modify a variety of settings. An attacker can directly modify the 'ladipage_key' which enables them to create new posts on the website and inject malicious web scripts.
PLUGIN
LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…
CVE-2023-4730
Risk Score
Threat Entry
Updated 2024-08-19
CVE-2023-4507 - Admission Appmanager Plugin
The Admission AppManager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'q' parameter in versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Admission Appmanager
CVE-2023-4507
Risk Score
Threat Entry
Updated 2024-09-12
CVE-2023-4027 - Radio Player Plugin
The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_settings function in versions up to, and including, 2.0.73. This makes it possible for unauthenticated attackers to update plugin settings.
PLUGIN
Radio Player
CVE-2023-4027
Risk Score
Threat Entry
Updated 2024-08-28
CVE-2023-4025 - Radio Player Plugin
The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_player function in versions up to, and including, 2.0.73. This makes it possible for unauthenticated attackers to update player instances.
PLUGIN
Radio Player
CVE-2023-4025
Risk Score
Threat Entry
Updated 2024-08-28
CVE-2023-4024 - Radio Player Plugin
The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_player function in versions up to, and including, 2.0.73. This makes it possible for unauthenticated attackers to delete player instances.
PLUGIN
Radio Player
CVE-2023-4024
Risk Score
Threat Entry
Updated 2024-08-19
CVE-2023-1604 - Short Url Plugin
The Short URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.8. This is due to missing or incorrect nonce validation on the configuration_page function. This makes it possible for unauthenticated attackers to add and import redirects, including comments containing cross-site scripting as detailed in CVE-2023-1602, granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Short Url
CVE-2023-1604
Risk Score
Threat Entry
Updated 2025-05-27
CVE-2024-6459 - News Element Elementor Blog Magazine Plugin
The News Element Elementor Blog Magazine WordPress plugin before 1.0.6 is vulnerable to Local File Inclusion via the template parameter. This makes it possible for unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files.
PLUGIN
News Element Elementor Blog Magazine
CVE-2024-6459
Risk Score
Threat Entry
Updated 2024-08-19
CVE-2024-6500 - Inpost For Woocommerce Plugin
The InPost for WooCommerce plugin and InPost PL plugin for WordPress are vulnerable to unauthorized access and deletion of data due to a missing capability check on the 'parse_request' function in all versions up to, and including, 1.4.0 (for InPost for WooCommerce) as well as 1.4.4 (for InPost PL). This makes it possible for unauthenticated attackers to read and delete arbitrary files on Windows servers. On Linux servers, only files within the WordPress install will be deleted, but all files can be read.
PLUGIN
Inpost For Woocommerce
CVE-2024-6500
Risk Score
Threat Entry
Updated 2024-09-13
CVE-2024-7145 - Jetelements Plugin
The JetElements plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.6.20 via the 'progress_type' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
PLUGIN
Jetelements
CVE-2024-7145
Risk Score