Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-11-21
CVE-2024-6569 - Forms For Campaign Monitor Plugin
The Campaign Monitor for WordPress plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.8.15. This is due the plugin not properly restricting direct access to /forms/views/admin/create.php and display_errors being enabled. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
PLUGIN
Forms For Campaign Monitor
CVE-2024-6569
Risk Score
Threat Entry
Updated 2025-08-08
CVE-2024-5969 - Aiomatic Plugin
The AIomatic - Automatic AI Content Writer for WordPress is vulnerable to arbitrary email sending vulnerability in versions up to, and including, 2.0.5. This is due to insufficient limitations on the email recipient and the content in the 'aiomatic_send_email' function which are reachable via AJAX. This makes it possible for unauthenticated attackers to send emails with any content to any recipient.
PLUGIN
Aiomatic
CVE-2024-5969
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6634 - Mastercurrency Wp Plugin
The Master Currency WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's currencyconverterform shortcode in all versions up to, and including, 1.1.61 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Mastercurrency Wp
CVE-2024-6634
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6591 - Ultimate Auction Plugin
The Ultimate WordPress Auction Plugin plugin for WordPress is vulnerable to unauthorized email creation and sending due to a missing capability check on the 'send_auction_email_callback' and 'resend_auction_email_callback' functions in all versions up to, and including, 4.2.6. This makes it possible for unauthenticated attackers to craft emails that include links and send to any email address.
PLUGIN
Ultimate Auction
CVE-2024-6591
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6661 - Parity Pricing With Discount Rules Plugin
The ParityPress – Parity Pricing with Discount Rules plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'Discount Text' in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Parity Pricing With Discount Rules
CVE-2024-6661
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6573 - Intelligence Plugin
The Intelligence plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.4.0. This is due the plugin not preventing direct access to the /vendor/levelten/intel/realtime/index.php file and display_errors being enabled. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
PLUGIN
Intelligence
CVE-2024-6573
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6566 - Aramex Shipping Woocommerce Plugin
The Aramex Shipping WooCommerce plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.1.21. This is due the plugin not preventing direct access to the composer-setup.php file which also has display_errors enabled. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
PLUGIN
Aramex Shipping Woocommerce
CVE-2024-6566
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6549 - Admin Post Navigation Plugin
The Admin Post Navigation plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.1. This is due to the plugin utilizing bootstrap and leaving test files with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
PLUGIN
Admin Post Navigation
CVE-2024-6549
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6548 - Add Admin Javascript Plugin
The Add Admin JavaScript plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.0. This is due to the plugin utilizing bootstrap and leaving test files with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
PLUGIN
Add Admin Javascript
CVE-2024-6548
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6547 - Add Admin Css Plugin
The Add Admin CSS plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.0.1. This is due to the plugin utilizing bootstrap and leaving test files with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
PLUGIN
Add Admin Css
CVE-2024-6547
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6546 - One Click Close Comments Plugin
The One Click Close Comments plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.7.1. This is due to the plugin utilizing bootstrap and leaving test files with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
PLUGIN
One Click Close Comments
CVE-2024-6546
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6431 - Media Net Ads Manager Plugin
The Media.net Ads Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and missing capability check in the 'sendMail' function in all versions up to, and including, 2.10.13. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability is only exploitable if anyone has ever logged in through the API.
PLUGIN
Media Net Ads Manager
CVE-2024-6431
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6152 - Flipbox Builder Plugin
The Flipbox Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.5 via deserialization of untrusted input in the flipbox_builder_Flipbox_ShortCode function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
PLUGIN
Flipbox Builder
CVE-2024-6152
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4410 - Ignitiondeck Plugin
The IgnitionDeck Crowdfunding Platform plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.9.8. This is due to missing capability checks on various functions called via AJAX actions in the ~/classes/class-idf-wizard.php file. This makes it possible for authenticated attackers, with subscriber access or higher, to execute various AJAX actions. This includes actions to change the permalink structure, plugin settings and others.
PLUGIN
Ignitiondeck
CVE-2024-4410
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6545 - Admin Trim Interface Plugin
The Admin Trim Interface plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.5.1. This is due to the plugin utilizing bootstrap and leaving test files with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
PLUGIN
Admin Trim Interface
CVE-2024-6545
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-1804 - Tutor Lms Migration Tool Plugin
The Tutor LMS – Migration Tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tutor_import_from_xml function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to import courses.
PLUGIN
Tutor Lms Migration Tool
CVE-2024-1804
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-1798 - Tutor Lms Migration Tool Plugin
The Tutor LMS – Migration Tool plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the tutor_lp_export_xml function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to export courses, including private and password protected courses.
PLUGIN
Tutor Lms Migration Tool
CVE-2024-1798
Risk Score
Threat Entry
Updated 2025-05-27
CVE-2024-6490 - Master Slider Plugin
During testing of the Master Slider WordPress plugin through 3.9.10, a CSRF vulnerability was found, which allows an unauthorized user to manipulate requests on behalf of the victim and thereby delete all of the sliders inside Master Slider WordPress plugin through 3.9.10.
PLUGIN
Master Slider
CVE-2024-6490
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6589 - Learnpress Plugin
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.2.6.8.2 via the 'render_content_block_template' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
PLUGIN
Learnpress
CVE-2024-6589
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5818 - Royal Elementor Addons Plugin
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored DOM-based Cross-Site Scripting via the plugin's Magazine Grid/Slider widget in all versions up to, and including, 1.3.980 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Royal Elementor Addons
CVE-2024-5818
Risk Score