
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036
Critical: 923
High: 3,047
Medium: 10,866
Showing 9701-9720 of 15036 records
Threat Entry Updated 2025-06-04

CVE-2024-32674 - Heateor Social Login Plugin

The Heateor Social Login WordPress plugin prior to 1.1.32 contains a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the web browser of a user who accesses a website using the product.

PLUGIN Heateor Social Login

CVE-2024-32674

MEDIUM CVSS 5.4 2024-05-08
Threat Entry Updated 2024-11-21

CVE-2024-4393 - Social Connect Plugin

The Social Connect plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2. This is due to insufficient verification on the OpenID server being supplied during the social login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.

PLUGIN Social Connect

CVE-2024-4393

CRITICAL CVSS 9.8 2024-05-08
Threat Entry Updated 2024-11-21

CVE-2023-6810 - Clickcease Click Fraud Protection Plugin

The ClickCease Click Fraud Protection plugin for WordPress is vulnerable to unauthorized access of data due to an improper capability check on the get_settings function in all versions up to, and including, 3.2.4. This makes it possible for authenticated attackers, with author access and above, to retrieve the plugin's configured API keys.

PLUGIN Clickcease Click Fraud Protection

CVE-2023-6810

MEDIUM CVSS 4.3 2024-05-07
Threat Entry Updated 2024-11-21

CVE-2024-4346 - Startklar Elementor Addons Plugin

The Startklar Elementor Addons plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.7.13. This is due to the plugin not properly validating the path of an uploaded file prior to deleting it. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible.

PLUGIN Startklar Elementor Addons

CVE-2024-4346

CRITICAL CVSS 9.1 2024-05-07
Threat Entry Updated 2024-11-21

CVE-2024-4345 - Startklar Elementor Addons Plugin

The Startklar Elementor Addons plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'process' function in the 'startklarDropZoneUploadProcess' class in versions up to, and including, 1.7.13. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Startklar Elementor Addons

CVE-2024-4345

CRITICAL CVSS 9.8 2024-05-07
Threat Entry Updated 2024-11-21

CVE-2024-4186 - Build App Online Plugin

The Build App Online plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.0.5. This is due to the 'eb_user_email_verification_key' default value being empty and the 'eb_user_email_verify' function lacking a not-empty check. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. This can only be exploited if the 'Email Verification' setting is enabled.

PLUGIN Build App Online

CVE-2024-4186

CRITICAL CVSS 9.8 2024-05-07
Threat Entry Updated 2025-05-09

CVE-2024-3628 - Easyevent Plugin

The EasyEvent WordPress plugin through 1.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN Easyevent

CVE-2024-3628

LOW CVSS 3.8 2024-05-07
Threat Entry Updated 2024-11-21

CVE-2023-6854 - Breakdance Plugin

The Breakdance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom postmeta output in all versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping on user supplied post meta fields. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Breakdance

CVE-2023-6854

MEDIUM CVSS 6.4 2024-05-06
Threat Entry Updated 2025-04-18

CVE-2024-3756 - Mf Gig Calendar Plugin

The MF Gig Calendar WordPress plugin through 1.2.1 does not have CSRF checks in some places, which could allow attackers to make logged in Contributors and above delete arbitrary events via a CSRF attack.

PLUGIN Mf Gig Calendar

CVE-2024-3756

HIGH CVSS 7.5 2024-05-06
Threat Entry Updated 2025-04-18

CVE-2024-3755 - Mf Gig Calendar Plugin

The MF Gig Calendar WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Mf Gig Calendar

CVE-2024-3755

MEDIUM CVSS 5.4 2024-05-06
Threat Entry Updated 2025-05-08

CVE-2024-3752 - Crelly Slider Plugin

The Crelly Slider WordPress plugin through 1.4.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Crelly Slider

CVE-2024-3752

MEDIUM CVSS 5.4 2024-05-06
Threat Entry Updated 2025-05-08

CVE-2024-0904 - Fancy Product Designer Plugin

The Fancy Product Designer WordPress plugin before 6.1.81 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Fancy Product Designer

CVE-2024-0904

MEDIUM CVSS 5.9 2024-05-06
Threat Entry Updated 2024-11-21

CVE-2023-7065 - Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms Plugin

The Stop Spammers Security | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2024.4. This is due to missing or incorrect nonce validation on the sfs_process AJAX action. This makes it possible for unauthenticated attackers to add arbitrary IPs to the plugin's allowlist and blocklist via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms

CVE-2023-7065

MEDIUM CVSS 5.4 2024-05-04
Threat Entry Updated 2024-11-21

CVE-2024-1050 - Import Users From Csv With Meta Plugin

The Import and export users and customers plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_force_reset_password_delete_metas() function in all versions up to, and including, 1.26.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete all forced password resets.

PLUGIN Import Users From Csv With Meta

CVE-2024-1050

MEDIUM CVSS 4.3 2024-05-04
Threat Entry Updated 2024-11-21

CVE-2024-3240 - Convertplug Plugin

The ConvertPlug plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.25 via deserialization of untrusted input from the 'settings_encoded' attribute of the 'smile_info_bar' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

PLUGIN Convertplug

CVE-2024-3240

HIGH CVSS 8.8 2024-05-04
Threat Entry Updated 2024-11-21

CVE-2024-3237 - Convertplug Plugin

The ConvertPlug plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cp_dismiss_notice() function in all versions up to, and including, 3.5.25. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary option values to true.

PLUGIN Convertplug

CVE-2024-3237

MEDIUM CVSS 5.4 2024-05-04
Threat Entry Updated 2024-11-21

CVE-2024-3868 - Folders Pro Plugin

The Folders Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's First Name and Last Name in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Folders Pro

CVE-2024-3868

MEDIUM CVSS 5.4 2024-05-04
Threat Entry Updated 2024-11-21

CVE-2024-33931 - WordPress Core

Missing Authorization vulnerability in ilGhera JW Player for WordPress. This issue affects JW Player for WordPress: from n/a through 2.3.3.

CORE WordPress Core

CVE-2024-33931

MEDIUM CVSS 6.5 2024-05-03
Threat Entry Updated 2024-11-21

CVE-2024-33937 - WordPress Core

Missing Authorization vulnerability in Nico Martin Progressive WordPress (PWA). This issue affects Progressive WordPress (PWA): from n/a through 2.1.13.

CORE WordPress Core

CVE-2024-33937

MEDIUM CVSS 4.3 2024-05-03
Threat Entry Updated 2024-11-21

CVE-2024-33941 - WordPress Core

Missing Authorization vulnerability in Avirtum iPanorama 360 WordPress Virtual Tour Builder. This issue affects iPanorama 360 WordPress Virtual Tour Builder: from n/a through 1.8.1.

CORE WordPress Core

CVE-2024-33941

MEDIUM CVSS 5.3 2024-05-03