Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036
Critical: 923
High: 3,047
Medium: 10,866
Showing 8801-8820 of 15036 records
Threat Entry Updated 2024-12-26

CVE-2024-5444 - Bible Text Plugin

The Bible Text WordPress plugin through 0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Bible Text

CVE-2024-5444

MEDIUM CVSS 5.4 2024-07-11
Threat Entry Updated 2024-11-21

CVE-2024-4655 - Ultimate Blocks Plugin

The Ultimate Blocks WordPress plugin before 3.1.9 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Ultimate Blocks

CVE-2024-4655

MEDIUM CVSS 5.4 2024-07-11
Threat Entry Updated 2024-11-21

CVE-2024-6554 - Branda Plugin

The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.4.18. This is due to the plugin utilizing composer without preventing direct access to the files. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

PLUGIN Branda

CVE-2024-6554

MEDIUM CVSS 5.3 2024-07-11
Threat Entry Updated 2024-11-21

CVE-2024-6397 - Instawp Connect Plugin

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 0.1.0.44. This is due to insufficient verification of the API key. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username, and to perform a variety of other administrative tasks. NOTE: This vulnerability was partially fixed in 0.1.0.44, but was still exploitable via Cross-Site Request Forgery.

PLUGIN Instawp Connect

CVE-2024-6397

CRITICAL CVSS 9.8 2024-07-11
Threat Entry Updated 2024-11-21

CVE-2024-0619 - Payment Gateway Plugin

The Payflex Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the payment_callback() function in all versions up to, and including, 2.5.0. This makes it possible for unauthenticated attackers to update the status of orders, which can potentially lead to revenue loss.

PLUGIN Payment Gateway

CVE-2024-0619

MEDIUM CVSS 5.3 2024-07-11
Threat Entry Updated 2024-11-21

CVE-2024-6210 - Duplicator Plugin

The Duplicator plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 1.5.9. This makes it possible for unauthenticated attackers to obtain the full path to instances, which they may be able to use in combination with other vulnerabilities or to simplify reconnaissance work. On its own, this information is of very limited use.

PLUGIN Duplicator

CVE-2024-6210

MEDIUM CVSS 5.3 2024-07-11
Threat Entry Updated 2024-11-21

CVE-2024-6447 - Full Customer Plugin

The FULL – Cliente plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the license plan parameter in all versions up to, and including, 3.1.12 due to insufficient input sanitization and output escaping as well as missing authorization and capability checks on the related functions. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute whenever an administrative user accesses the wp-admin dashboard.

PLUGIN Full Customer

CVE-2024-6447

HIGH CVSS 7.2 2024-07-11
Threat Entry Updated 2024-11-21

CVE-2024-6556 - Seo Optimizer Plugin

The SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimizer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.10.8. This is due to the plugin utilizing mobiledetect without preventing direct access to the files. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

PLUGIN Seo Optimizer

CVE-2024-6556

MEDIUM CVSS 5.3 2024-07-10
Threat Entry Updated 2024-11-21

CVE-2024-5664 - Mp3 Audio Player For Music Radio Podcast Plugin

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute within the plugin's sonaar_audioplayer shortcode in all versions up to, and including, 5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Mp3 Audio Player For Music Radio Podcast

CVE-2024-5664

MEDIUM CVSS 6.4 2024-07-10
Threat Entry Updated 2024-11-21

CVE-2023-6813 - Login By Auth0 Plugin

The Login by Auth0 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘wle’ parameter in all versions up to, and including, 4.6.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Login By Auth0

CVE-2023-6813

MEDIUM CVSS 6.1 2024-07-10
Threat Entry Updated 2025-02-10

CVE-2024-6411 - Profilegrid Plugin

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.8.9. This is due to a lack of validation on user-supplied data in the 'pm_upload_image' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their user capabilities to Administrator.

PLUGIN Profilegrid

CVE-2024-6411

HIGH CVSS 8.8 2024-07-10
Threat Entry Updated 2025-02-10

CVE-2024-6410 - Profilegrid Plugin

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.8.9 via the 'pm_upload_image' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the profile picture of any user.

PLUGIN Profilegrid

CVE-2024-6410

MEDIUM CVSS 4.3 2024-07-10
Threat Entry Updated 2024-11-21

CVE-2024-6550 - Gravity Forms Multiple Form Instances Plugin

The Gravity Forms: Multiple Form Instances plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.1.1. This is due to the plugin leaving test files with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

PLUGIN Gravity Forms Multiple Form Instances

CVE-2024-6550

MEDIUM CVSS 5.3 2024-07-10
Threat Entry Updated 2024-11-21

CVE-2024-5792 - Houzez Crm Plugin

The Houzez CRM plugin for WordPress is vulnerable to time-based SQL Injection via the notes ‘belong_to’ parameter in all versions up to, and including, 1.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Custom-level (seller) access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Houzez Crm

CVE-2024-5792

HIGH CVSS 8.8 2024-07-10
Threat Entry Updated 2025-02-03

CVE-2024-4866 - Ultraaddons Elementor Lite Plugin

The UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ultraaddons Elementor Lite

CVE-2024-4866

MEDIUM CVSS 6.4 2024-07-10
Threat Entry Updated 2024-11-21

CVE-2024-5677 - Featured Image Generator Plugin

The Featured Image Generator plugin for WordPress is vulnerable to unauthorized image upload due to a missing capability check on the fig_save_after_generate_image function in all versions up to, and including, 1.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary images to a post-related gallery.

PLUGIN Featured Image Generator

CVE-2024-5677

MEDIUM CVSS 4.3 2024-07-10
Threat Entry Updated 2024-11-21

CVE-2023-7062 - Advanced File Manager Shortcodes Plugin

The Advanced File Manager Shortcodes plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.4. This makes it possible for attackers with contributor access or higher to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Advanced File Manager Shortcodes

CVE-2023-7062

HIGH CVSS 8.8 2024-07-10
Threat Entry Updated 2024-11-21

CVE-2023-7061 - Advanced File Manager Shortcodes Plugin

The Advanced File Manager Shortcodes plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 2.5.3. This makes it possible for authenticated attackers with contributor access or above to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Advanced File Manager Shortcodes

CVE-2023-7061

HIGH CVSS 8.8 2024-07-10
Threat Entry Updated 2024-11-21

CVE-2024-6391 - Oik Plugin

The oik plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bw_button shortcode in all versions up to, and including, 4.10.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Oik

CVE-2024-6391

MEDIUM CVSS 6.4 2024-07-09
Threat Entry Updated 2025-06-09

CVE-2024-37499 - Online Booking Scheduling Calendar Plugin

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vCita Online Booking & Scheduling Calendar for WordPress by vcita allows Path Traversal. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through 4.4.2.

PLUGIN Online Booking Scheduling Calendar

CVE-2024-37499

MEDIUM CVSS 6.5 2024-07-09