cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-13330,https://securityvulnerability.io/vulnerability/CVE-2024-13330,Reflected Cross-Site Scripting in JustRows Plugin for WordPress,"The JustRows plugin, version 0.2 and earlier, is vulnerable due to inadequate sanitization and escaping of parameters before rendering on web pages. This flaw allows attackers to inject malicious scripts through URL parameters, which can be executed in the context of high privilege users, including administrators. As a result, this vulnerability poses significant risks, enabling unauthorized actions and data exposure within WordPress sites.",WordPress,Justrows Free,7.1,HIGH,0.01,false,,false,false,true,2025-02-04T06:00:09.000Z,true,false,false,,2025-02-04T06:00:09.884Z,0
CVE-2024-13329,https://securityvulnerability.io/vulnerability/CVE-2024-13329,Reflected Cross-Site Scripting Vulnerability in Solidres WordPress Plugin,"The Solidres plugin for WordPress, up to version 0.9.4, is vulnerable to reflected cross-site scripting (XSS). This vulnerability arises from improper sanitization and escaping of a parameter before it is outputted on the page, which can be exploited by attackers to craft malicious URLs. Such crafted URLs can pose significant risks, especially when targeting users with high privileges, including admin accounts, potentially allowing attackers to execute arbitrary scripts in their browsers.",WordPress,Solidres,7.1,HIGH,0.01,false,,false,false,true,2025-02-04T06:00:09.000Z,true,false,false,,2025-02-04T06:00:09.485Z,0
CVE-2025-23588,https://securityvulnerability.io/vulnerability/CVE-2025-23588,Reflected XSS Vulnerability in WOW Best CSS Compiler by WOW,"The WOW Best CSS Compiler plugin for WordPress has a vulnerability that allows for reflected cross-site scripting (XSS). This issue occurs due to improper neutralization of user input during web page generation, potentially enabling attackers to execute arbitrary scripts in the context of the user's session. The vulnerability affects versions up to 2.0.2, emphasizing the need for timely updates and security measures to protect against potential exploitation.",Wow WordPress,Wow Best Css Compiler,7.1,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-02-03T14:22:42.896Z,0
CVE-2024-12708,https://securityvulnerability.io/vulnerability/CVE-2024-12708,Stored Cross-Site Scripting Vulnerability in Bulk Me Now! Plugin by WordPress,"The Bulk Me Now! WordPress plugin prior to version 2.0 contains a vulnerability due to inadequate validation and escaping of certain shortcode attributes. This oversight allows users with contributor roles and higher privileges to execute Stored Cross-Site Scripting (XSS) attacks. These attacks could lead to unauthorized scripts being run in the user's browser, potentially compromising user data and site integrity.",WordPress,Bulk Me Now!,7.1,HIGH,0.0004299999854993075,false,,false,false,true,2025-01-30T06:00:10.000Z,true,false,false,,2025-01-30T06:00:10.821Z,0
CVE-2024-12638,https://securityvulnerability.io/vulnerability/CVE-2024-12638,Reflected Cross-Site Scripting Vulnerability in Bulk Me Now! WordPress Plugin,"The Bulk Me Now! WordPress plugin up to version 2.0 fails to properly sanitize and escape user input before rendering it on webpages. This oversight leads to reflected cross-site scripting (XSS) vulnerabilities, which pose significant risks, especially for high-privilege users like administrators. Malicious actors can exploit this vulnerability to inject harmful scripts, potentially compromising sensitive information and website integrity.",WordPress,Bulk Me Now!,7.1,HIGH,0.0004299999854993075,false,,false,false,true,2025-01-30T06:00:09.000Z,true,false,false,,2025-01-30T06:00:09.593Z,0
CVE-2024-12400,https://securityvulnerability.io/vulnerability/CVE-2024-12400,Reflected Cross-Site Scripting Vulnerability in Tourmaster WordPress Plugin,"The Tourmaster WordPress plugin is susceptible to reflected Cross-Site Scripting due to improper escaping of generated URLs before they are rendered in attributes. This flaw potentially allows attackers to inject malicious scripts into web pages, affecting users who click on compromised links. Users of versions prior to 5.3.5 are particularly at risk, emphasizing the need for prompt updates to mitigate this security issue.",WordPress,Tourmaster,7.1,HIGH,0.0004299999854993075,false,,false,false,true,2025-01-30T06:00:09.000Z,true,false,false,,2025-01-30T06:00:09.161Z,0
CVE-2024-12749,https://securityvulnerability.io/vulnerability/CVE-2024-12749,Reflected Cross-Site Scripting Vulnerability in Competition Form Plugin for WordPress,"The Competition Form plugin for WordPress, in versions up to 2.0, suffers from a vulnerability that allows reflected cross-site scripting due to improper sanitization and escaping of user-supplied parameters. This flaw can be exploited by malicious users to inject arbitrary scripts, particularly targeting high-privilege users like administrators, potentially compromising sensitive data and site integrity.",WordPress,Competition Form,7.1,HIGH,0.0004299999854993075,false,,false,false,true,2025-01-29T06:00:07.000Z,true,false,false,,2025-01-29T06:00:07.835Z,0
CVE-2024-13448,https://securityvulnerability.io/vulnerability/CVE-2024-13448,Arbitrary File Upload Vulnerability in ThemeREX Addons Plugin for WordPress,"The ThemeREX Addons plugin for WordPress has a security flaw that allows for arbitrary file uploads due to insufficient file type validation in the 'trx_addons_uploads_save_data' function. This vulnerability affects all versions up to and including 2.32.3 and opens the door for unauthenticated attackers to potentially upload malicious files to the server of an affected site. Such an exploit can lead to serious security breaches, including remote code execution, putting user data and website integrity at risk.",WordPress,Themerex Addons,9.8,CRITICAL,0.000910000002477318,false,,false,false,false,,false,false,false,,2025-01-28T06:38:41.703Z,0
CVE-2024-13094,https://securityvulnerability.io/vulnerability/CVE-2024-13094,Reflected Cross-Site Scripting Vulnerability in WP Triggers Lite by WordPress,"A reflected cross-site scripting vulnerability has been identified in the WP Triggers Lite WordPress plugin, specifically in version 2.5.3. The plugin does not adequately sanitize and escape a certain parameter before rendering it on the page. This oversight opens the door for attackers to inject malicious scripts, particularly targeting high privilege users such as administrators. If exploited, this vulnerability could allow unauthorized access and manipulation of sensitive data within the affected applications.",WordPress,WP Triggers Lite,7.1,HIGH,0.0004299999854993075,false,,false,false,true,2025-01-27T06:00:10.000Z,true,false,false,,2025-01-27T06:00:10.933Z,0
CVE-2024-13057,https://securityvulnerability.io/vulnerability/CVE-2024-13057,Stored XSS Vulnerability in Dyn Business Panel Plugin for WordPress,"The Dyn Business Panel WordPress plugin version 1.0.0 is vulnerable due to the absence of CSRF checks in certain functions, along with inadequate sanitization and escaping mechanisms. This flaw can permit attackers to exploit the vulnerability and inject Stored XSS payloads through CSRF attacks, potentially compromising the security of logged-in admin users. It is crucial for webmasters to update the plugin and implement necessary security measures to mitigate risks associated with this vulnerability.",WordPress,Dyn Business Panel,7.1,HIGH,0.0004299999854993075,false,,false,false,true,2025-01-27T06:00:10.000Z,true,false,false,,2025-01-27T06:00:10.625Z,0
CVE-2024-13056,https://securityvulnerability.io/vulnerability/CVE-2024-13056,Reflected Cross-Site Scripting Vulnerability in Dyn Business Panel by WordPress,"The Dyn Business Panel WordPress plugin version 1.0.0 contains a vulnerability due to improper sanitization and escaping of user-supplied parameters. This oversight can lead to Reflected Cross-Site Scripting (XSS) attacks. If exploited, attackers could inject malicious scripts into pages viewed by high privilege users, including administrators, allowing for potential unauthorized actions and compromise of sensitive data.",WordPress,Dyn Business Panel,7.1,HIGH,0.0004299999854993075,false,,false,false,true,2025-01-27T06:00:10.000Z,true,false,false,,2025-01-27T06:00:10.321Z,0
CVE-2024-13052,https://securityvulnerability.io/vulnerability/CVE-2024-13052,Reflected Cross-Site Scripting in Dental Optimizer Patient Generator App by WordPress,"The Dental Optimizer Patient Generator App for WordPress, in versions up to 1.0, contains a vulnerability where it fails to properly sanitize and escape a user-supplied parameter before displaying it on a webpage. This security oversight can facilitate Reflected Cross-Site Scripting (XSS) attacks, potentially allowing attackers to execute harmful scripts in the context of high-privilege users, including administrators. As a result, user session cookies and sensitive information could be compromised if exploited effectively.",WordPress,Dental Optimizer Patient Generator App,7.1,HIGH,0.0004299999854993075,false,,false,false,true,2025-01-27T06:00:09.000Z,true,false,false,,2025-01-27T06:00:09.475Z,0
CVE-2024-12773,https://securityvulnerability.io/vulnerability/CVE-2024-12773,SQL Injection Vulnerability in Altra Side Menu WordPress Plugin,"The Altra Side Menu plugin for WordPress, up to version 2.0, is susceptible to SQL injection due to improper sanitization and escaping of user-supplied parameters in SQL statements. This flaw allows authenticated users, particularly admin roles, to manipulate SQL queries, potentially leading to unauthorized data access or alteration within the WordPress database. It highlights the necessity for secure coding practices to ensure the integrity of web applications.",WordPress,Altra Side Menu,7.2,HIGH,0.0004299999854993075,false,,false,false,true,2025-01-27T06:00:06.000Z,true,false,false,,2025-01-27T06:00:06.982Z,0
CVE-2024-12321,https://securityvulnerability.io/vulnerability/CVE-2024-12321,Reflected Cross-Site Scripting in WC Affiliate WordPress Plugin,"The WC Affiliate plugin for WordPress, up to version 2.3.9, is vulnerable to reflected cross-site scripting (XSS). This flaw arises from the plugin's failure to properly sanitize and escape a parameter before rendering it on web pages. Attackers could exploit this vulnerability to inject malicious scripts that execute in the context of a user's browser, particularly impacting high-privilege users, such as administrators. By executing these scripts, attackers could gain unauthorized access to sensitive information or perform actions on behalf of the compromised users.",WordPress,Wc Affiliate,7.1,HIGH,0.0004299999854993075,false,,false,false,true,2025-01-27T06:00:05.000Z,true,false,false,,2025-01-27T06:00:05.621Z,0
CVE-2025-0682,https://securityvulnerability.io/vulnerability/CVE-2025-0682,Local File Inclusion Vulnerability in ThemeREX Addons Plugin for WordPress,"The ThemeREX Addons plugin for WordPress suffers from a Local File Inclusion vulnerability that impacts all versions up to and including 2.33.0. This issue arises through the 'trx_sc_reviews' shortcode where the 'type' attribute can be manipulated by authenticated attackers with contributor-level permissions or higher. This manipulation allows attackers to include and execute arbitrary files on the web server, potentially leading to unauthorized access, exposure of sensitive information, and execution of arbitrary PHP code. As a result, effective access controls can be bypassed, posing significant risks to the integrity and security of affected WordPress installations.",Wordpress,Themerex Addons,8.8,HIGH,0.0005000000237487257,false,,false,false,false,,false,false,false,,2025-01-25T05:30:06.255Z,0
CVE-2025-24659,https://securityvulnerability.io/vulnerability/CVE-2025-24659,SQL Injection Vulnerability in WordPress Download Manager Premium Packages,"A vulnerability exists in the WordPress Download Manager Premium Packages that allows for Blind SQL Injection due to improper neutralization of special elements in SQL commands. This flaw impacts versions from n/a through 5.9.6, enabling attackers to execute unauthorized SQL queries leading to potential data breaches and manipulation.",Wordpress,Premium Packages,7.6,HIGH,0.0004299999854993075,false,,false,false,true,2025-01-31T10:01:49.000Z,true,false,false,,2025-01-24T17:24:44.883Z,0
CVE-2024-13545,https://securityvulnerability.io/vulnerability/CVE-2024-13545,Local File Inclusion Vulnerability in Bootstrap Ultimate Theme for WordPress,"The Bootstrap Ultimate theme for WordPress is subject to a Local File Inclusion vulnerability, affecting all versions up to and including 1.4.9. This flaw enables unauthenticated attackers to exploit the path parameter, which can lead to the inclusion of arbitrary PHP files from the server. By successfully leveraging this vulnerability, an attacker could bypass access controls, gain access to sensitive data, and even execute malicious PHP code. Moreover, if the php://filter wrapper is activated on the server, this vulnerability could facilitate direct Remote Code Execution, further amplifying the threat. Website owners are advised to patch the vulnerability by upgrading to the latest version of the Bootstrap Ultimate theme.",Wordpress,Bootstrap Ultimate,9.8,CRITICAL,0.000910000002477318,false,,false,false,false,,false,false,false,,2025-01-24T08:23:41.200Z,0
CVE-2024-13234,https://securityvulnerability.io/vulnerability/CVE-2024-13234,SQL Injection in Product Table Plugin for WordPress by WBW,"The Product Table by WBW plugin for WordPress is susceptible to SQL Injection through the 'additionalCondition' parameter. This vulnerability arises from inadequate escaping of user-supplied data, along with poor preparation of the existing SQL query. Consequently, malicious actors can execute unauthorized SQL commands, potentially extracting sensitive information from the database, thereby compromising the security and integrity of affected WordPress installations.",Wordpress,Product Table By Wbw,9.8,CRITICAL,0.0008699999889358878,false,,false,false,false,,false,false,false,,2025-01-23T11:13:27.688Z,0
CVE-2024-13593,https://securityvulnerability.io/vulnerability/CVE-2024-13593,Local File Inclusion Vulnerability in BMLT Meeting Map Plugin for WordPress,"The BMLT Meeting Map plugin for WordPress is susceptible to Local File Inclusion (LFI) vulnerabilities, which impact all versions up to and including 2.6.0. This vulnerability allows authenticated attackers with Contributor-level access or higher to exploit the 'bmlt_meeting_map' shortcode. By including arbitrary files from the server, attackers can execute potentially malicious PHP code, bypassing access controls. This could lead to unauthorized data access, data leakage, or code execution via uploaded files that are deemed 'safe', such as images. Users of the affected plugin are strongly advised to upgrade to the latest version to mitigate this risk.",Wordpress,Bmlt Meeting Map,8.8,HIGH,0.0005600000149570405,false,,false,false,false,,false,false,false,,2025-01-23T09:21:09.348Z,0
CVE-2025-23931,https://securityvulnerability.io/vulnerability/CVE-2025-23931,SQL Injection Vulnerability in NotFound Local SEO Plugin for WordPress,"A vulnerability exists in the NotFound WordPress Local SEO plugin allowing for Blind SQL Injection. This flaw can enable attackers to manipulate SQL queries executed by the application. If exploited, it can lead to unauthorized data access and potential compromise of sensitive information. Users are urged to update to the latest version and implement security measures to safeguard their websites.",Wordpress,WordPress Local Seo,9.3,CRITICAL,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-01-22T14:29:23.719Z,0
CVE-2025-23867,https://securityvulnerability.io/vulnerability/CVE-2025-23867,Reflected Cross-Site Scripting in NotFound WordPress File Search Plugin,"A vulnerability exists in the NotFound WordPress File Search plugin that allows attackers to execute reflected cross-site scripting (XSS) attacks. This issue arises from improper input handling during web page generation, enabling malicious users to inject and execute arbitrary scripts in the context of users' browsers. Affected versions range from n/a to 1.2, making it essential for website administrators to ensure their plugins are updated and secure to protect against potential exploits. Regularly auditing and patching vulnerabilities is critical in maintaining web security.",Wordpress,WordPress File Search,7.1,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-01-22T14:29:22.848Z,0
CVE-2025-23535,https://securityvulnerability.io/vulnerability/CVE-2025-23535,Cross-Site Scripting Vulnerability in REAL WordPress Sidebar Plugin by ClickandSell,"The REAL WordPress Sidebar by ClickandSell contains a vulnerability that allows for the improper neutralization of input during web page generation, leading to a Stored Cross-Site Scripting (XSS) issue. This vulnerability can be exploited by attackers to inject malicious scripts into web pages viewed by other users, potentially compromising user data and site integrity. It is crucial to ensure that your version of the plugin is updated to prevent any security breaches associated with this vulnerability.",Wordpress,Real WordPress Sidebar,7.1,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,false,,2025-01-22T14:29:14.261Z,0
CVE-2024-13499,https://securityvulnerability.io/vulnerability/CVE-2024-13499,Arbitrary Shortcode Execution in GamiPress Plugin for WordPress,"The GamiPress plugin, used for gamifying WordPress sites by rewarding users with points, achievements, badges, and ranks, has a critical vulnerability that allows for arbitrary shortcode execution. This issue arises from the gamipress_do_shortcode() function, which fails to adequately validate input. As a result, unauthenticated attackers can exploit this vulnerability to execute arbitrary shortcodes, potentially leading to unauthorized actions on affected WordPress sites. All versions of GamiPress up to and including 7.2.1 are impacted, necessitating immediate attention and remediation from site administrators.",Wordpress,"Gamipress – Gamification Plugin To Reward Points, Achievements, Badges & Ranks In WordPress",7.3,HIGH,0.0005200000014156103,false,,false,false,false,,false,false,false,,2025-01-22T11:15:00.000Z,0
CVE-2024-13496,https://securityvulnerability.io/vulnerability/CVE-2024-13496,Time-Based SQL Injection Vulnerability in GamiPress Plugin for WordPress,"The GamiPress plugin, designed for gamification in WordPress to manage points and achievements, contains a vulnerability that allows unauthenticated attackers to exploit time-based SQL Injection via the 'orderby' parameter. This issue arises from improper escaping of user-supplied inputs and inadequate preparation of SQL queries, enabling attackers to inject additional SQL commands into existing queries. If exploited, this could allow unauthorized users to extract sensitive information stored in the database, posing a significant risk to WordPress site security.",Wordpress,"Gamipress – Gamification Plugin To Reward Points, Achievements, Badges & Ranks In WordPress",7.5,HIGH,0.0006000000284984708,false,,false,false,false,,false,false,false,,2025-01-22T11:15:00.000Z,0
CVE-2024-13495,https://securityvulnerability.io/vulnerability/CVE-2024-13495,Arbitrary Shortcode Execution in GamiPress by GamiPress,"The GamiPress plugin, designed for gamification in WordPress, is susceptible to arbitrary shortcode execution due to inadequate validation in the gamipress_ajax_get_logs() function. This flaw allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to unauthorized actions or compromises within the WordPress environment. All versions up to and including 7.2.1 are affected, emphasizing the need for users to ensure they are running the latest, secure versions to mitigate this risk.",Wordpress,"Gamipress – Gamification Plugin To Reward Points, Achievements, Badges & Ranks In WordPress",7.3,HIGH,0.0005200000014156103,false,,false,false,false,,false,false,false,,2025-01-22T11:15:00.000Z,0