cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2025-24652,https://securityvulnerability.io/vulnerability/CVE-2025-24652,Missing Authorization Flaw in Revmakx WP Duplicate Plugin by WordPress,"The Revmakx WP Duplicate plugin for WordPress is susceptible to a missing authorization vulnerability, which allows attackers to exploit improperly configured access controls. This issue can lead to unauthorized access and actions within the plugin, potentially affecting sensitive data and site integrity. The vulnerability is present in WP Duplicate Plugin versions up to 1.1.6, making it crucial for users to evaluate their settings and apply necessary updates.",Wordpress,WP Duplicate – WordPress Migration Plugin,5.4,MEDIUM,0.0004299999854993075,false,,false,false,false,false,false,false,2025-01-24T17:24:38.393Z,0
CVE-2024-13499,https://securityvulnerability.io/vulnerability/CVE-2024-13499,Arbitrary Shortcode Execution in GamiPress Plugin for WordPress,"The GamiPress plugin, used for gamifying WordPress sites by rewarding users with points, achievements, badges, and ranks, has a critical vulnerability that allows for arbitrary shortcode execution. This issue arises from the gamipress_do_shortcode() function, which fails to adequately validate input. As a result, unauthenticated attackers can exploit this vulnerability to execute arbitrary shortcodes, potentially leading to unauthorized actions on affected WordPress sites. All versions of GamiPress up to and including 7.2.1 are impacted, necessitating immediate attention and remediation from site administrators.",Wordpress,"Gamipress – Gamification Plugin To Reward Points, Achievements, Badges & Ranks In WordPress",7.3,HIGH,0.0005200000014156103,false,,false,false,false,false,false,false,2025-01-22T11:15:00.000Z,0
CVE-2024-13495,https://securityvulnerability.io/vulnerability/CVE-2024-13495,Arbitrary Shortcode Execution in GamiPress by GamiPress,"The GamiPress plugin, designed for gamification in WordPress, is susceptible to arbitrary shortcode execution due to inadequate validation in the gamipress_ajax_get_logs() function. This flaw allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to unauthorized actions or compromises within the WordPress environment. All versions up to and including 7.2.1 are affected, emphasizing the need for users to ensure they are running the latest, secure versions to mitigate this risk.",Wordpress,"Gamipress – Gamification Plugin To Reward Points, Achievements, Badges & Ranks In WordPress",7.3,HIGH,0.0005200000014156103,false,,false,false,false,false,false,false,2025-01-22T11:15:00.000Z,0
CVE-2024-13496,https://securityvulnerability.io/vulnerability/CVE-2024-13496,Time-Based SQL Injection Vulnerability in GamiPress Plugin for WordPress,"The GamiPress plugin, designed for gamification in WordPress to manage points and achievements, contains a vulnerability that allows unauthenticated attackers to exploit time-based SQL Injection via the 'orderby' parameter. This issue arises from improper escaping of user-supplied inputs and inadequate preparation of SQL queries, enabling attackers to inject additional SQL commands into existing queries. If exploited, this could allow unauthorized users to extract sensitive information stored in the database, posing a significant risk to WordPress site security.",Wordpress,"Gamipress – Gamification Plugin To Reward Points, Achievements, Badges & Ranks In WordPress",7.5,HIGH,0.0006000000284984708,false,,false,false,false,false,false,false,2025-01-22T11:15:00.000Z,0
CVE-2025-22735,https://securityvulnerability.io/vulnerability/CVE-2025-22735,Reflected XSS Vulnerability in TaxoPress WordPress Tag Cloud Plugin,"The TaxoPress WordPress Tag Cloud Plugin – Tag Groups suffers from a reflected XSS vulnerability due to improper input neutralization during web page generation. This flaw allows attackers to inject malicious scripts, potentially compromising user sessions and enabling unauthorized actions. This vulnerability affects users of the plugin across various versions up to 2.0.4, posing a significant risk to the security of websites utilizing the plugin.",Wordpress,WordPress Tag Cloud Plugin – Tag Groups,7.1,HIGH,0.0004299999854993075,false,,false,false,false,false,false,false,2025-01-21T13:40:35.161Z,0
CVE-2024-49333,https://securityvulnerability.io/vulnerability/CVE-2024-49333,SQL Injection Vulnerability in NotFound Hero Mega Menu Plugin for WordPress,"The NotFound Hero Mega Menu - Responsive WordPress Menu Plugin exhibits a vulnerability that allows for SQL Injection, enabling attackers to manipulate queries executed by the database. This flaw can expose sensitive information and lead to unauthorized actions. The vulnerability impacts versions from n/a to 1.16.5, highlighting the importance of updating to mitigate possible exploitation. Website administrators using this plugin should review their systems and apply necessary patches to defend against potential SQL injection attacks.",Wordpress,Hero Mega Menu - Responsive WordPress Menu Plugin,8.5,HIGH,0.0004299999854993075,false,,false,false,false,false,false,false,2025-01-21T13:40:32.700Z,0
CVE-2024-49303,https://securityvulnerability.io/vulnerability/CVE-2024-49303,SQL Injection Vulnerability in Hero Mega Menu Plugin for WordPress,"The Hero Mega Menu - Responsive WordPress Menu Plugin is susceptible to an SQL Injection vulnerability, enabling attackers to manipulate database queries. This flaw may allow unauthorized access to sensitive information or unauthorized modifications in the affected plugin versions up to 1.16.5. It is crucial for users to update to a patched version to safeguard their WordPress environments from potential exploitation.",Wordpress,Hero Mega Menu - Responsive WordPress Menu Plugin,8.5,HIGH,0.0004299999854993075,false,,false,false,false,false,false,false,2025-01-21T13:40:32.562Z,0
CVE-2024-49300,https://securityvulnerability.io/vulnerability/CVE-2024-49300,Cross-site Scripting Vulnerability in Hero Mega Menu Plugin for WordPress,"A Reflected XSS vulnerability exists in the Hero Mega Menu - Responsive WordPress Menu Plugin, which allows attackers to execute arbitrary scripts in the context of the user's browser. This issue affects all versions up to 1.16.5, enabling unauthorized access to sensitive information and potential account compromise when exploited.",Wordpress,Hero Mega Menu - Responsive WordPress Menu Plugin,7.1,HIGH,0.0004299999854993075,false,,false,false,false,false,false,false,2025-01-21T13:40:32.331Z,0
CVE-2024-13230,https://securityvulnerability.io/vulnerability/CVE-2024-13230,SQL Injection Vulnerability in Super Socializer Plugin for WordPress,"The Super Socializer Plugin for WordPress is susceptible to a SQL Injection vulnerability through the 'SuperSocializerKey' parameter. This weakness arises from improper escaping of user-supplied input and inadequate SQL query preparation, allowing unauthenticated attackers to manipulate the SQL query. As a result, attackers could potentially gain unauthorized access to sensitive user metadata stored in the database. It is crucial for users to update their plugin to the latest version to mitigate this risk.",Wordpress,"Social Share, Social Login And Social Comments Plugin – Super Socializer",5.3,MEDIUM,0.0005200000014156103,false,,false,false,false,false,false,false,2025-01-21T11:09:46.347Z,0
CVE-2025-0308,https://securityvulnerability.io/vulnerability/CVE-2025-0308,SQL Injection Vulnerability in Ultimate Member Plugin for WordPress,"The Ultimate Member plugin for WordPress, versions up to and including 2.9.1, is susceptible to a time-based SQL injection vulnerability. This issue arises due to inadequate escaping of user-supplied input in search parameters, allowing unauthorized attackers to inject additional SQL queries into existing ones. Successful exploitation can lead to the unauthorized extraction of sensitive data from the database, posing a significant risk to user information and overall site security.",Wordpress,"Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin",7.5,HIGH,0.0008699999889358878,false,,false,false,false,false,false,false,2025-01-18T05:33:50.432Z,0
CVE-2025-0318,https://securityvulnerability.io/vulnerability/CVE-2025-0318,Information Exposure in Ultimate Member Plugin for WordPress,"The Ultimate Member plugin, which facilitates user profile management and membership capabilities on WordPress, is susceptible to a vulnerability that allows unauthorized attackers to extract sensitive information from the wp_usermeta table. This vulnerability arises from misconfigured error messages that leak information through their responses, potentially compromising user data. All versions up to and including 2.9.1 are affected, underscoring the importance of timely updates to safeguard against data breaches.",Wordpress,"Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin",5.3,MEDIUM,0.0004600000102072954,false,,false,false,false,false,false,false,2025-01-18T05:33:49.324Z,0
CVE-2024-13386,https://securityvulnerability.io/vulnerability/CVE-2024-13386,Stored Cross-Site Scripting Vulnerability in Quote Post Type Plugin by WordPress,"The Quote Post Type Plugin for WordPress has a vulnerability characterized by Stored Cross-Site Scripting. This occurs through the Author field due to inadequate sanitization of user inputs and failure to properly escape outputs. Authenticated attackers with Contributor-level access or higher can exploit this flaw by injecting malicious web scripts into pages, leading to potential execution of these scripts whenever a user accesses the compromised page. All versions of the plugin up to and including 1.2.2 are affected.",Wordpress,Quote-posttype-plugin,6.4,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-17T07:01:27.447Z,0
CVE-2024-10799,https://securityvulnerability.io/vulnerability/CVE-2024-10799,Directory Traversal Vulnerability in Eventer Plugin for WordPress,"The Eventer plugin for WordPress is susceptible to a Directory Traversal vulnerability affecting all versions up to and including 3.9.7. This issue arises through the eventer_woo_download_tickets() function, allowing authenticated users with at least Subscriber-level access to exploit it. An attacker can potentially access and read the content of arbitrary files on the server, which could contain sensitive data and lead to further exploitation of the web application. Website administrators are advised to review affected systems and apply patches or updates where applicable.",Wordpress,Eventer - WordPress Event & Booking Manager Plugin,6.5,MEDIUM,0.0005000000237487257,false,,false,false,false,false,false,false,2025-01-17T05:29:27.786Z,0
CVE-2024-13333,https://securityvulnerability.io/vulnerability/CVE-2024-13333,Arbitrary File Upload Vulnerability in Advanced File Manager for WordPress,"The Advanced File Manager plugin for WordPress is susceptible to an arbitrary file upload vulnerability caused by inadequate file type validation in its 'fma_local_file_system' function. This issue affects versions 5.2.12 and 5.2.13 and can be leveraged by authenticated users with Subscriber-level permissions or higher, provided they've been granted upload rights by an administrator. The vulnerability can be exploited if the 'Display .htaccess?' setting is enabled, allowing attackers to upload malicious files that may facilitate remote code execution on the affected site's server.",Wordpress,Advanced File Manager — Ultimate WordPress File Manager And Document Library Plugin,7.5,HIGH,0.0005600000149570405,false,,false,false,false,false,false,false,2025-01-17T05:29:27.068Z,0
CVE-2025-23842,https://securityvulnerability.io/vulnerability/CVE-2025-23842,Cross-Site Request Forgery Vulnerability in Nilesh Shiragave WordPress Gallery Plugin,"A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the WordPress Gallery Plugin by Nilesh Shiragave. This flaw could allow an attacker to trick users into executing unwanted actions on a web application where they are authenticated, potentially leading to unauthorized content manipulation or data exposure. The affected versions range from an unspecified release before version 1.4, necessitating immediate attention to mitigate any security risks associated with this vulnerability.",Wordpress,WordPress Gallery Plugin,7.1,HIGH,0.0004299999854993075,false,,false,false,false,false,false,false,2025-01-16T20:07:21.537Z,0
CVE-2025-23435,https://securityvulnerability.io/vulnerability/CVE-2025-23435,Cross-Site Request Forgery Discovered in Password Protect Plugin for WordPress,"The David Marcucci Password Protect Plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability that can lead to stored XSS. This issue affects versions from n/a up to and including 0.8.1.0. Attackers may exploit this vulnerability to perform unauthorized actions on behalf of an authenticated user, potentially compromising user data and site integrity. Users are advised to update their plugins promptly to mitigate the risks associated with this vulnerability.",Wordpress,Password Protect Plugin For WordPress,7.1,HIGH,0.0004299999854993075,false,,false,false,false,false,false,false,2025-01-16T20:06:06.877Z,0
CVE-2025-0215,https://securityvulnerability.io/vulnerability/CVE-2025-0215,Reflected Cross-Site Scripting Vulnerability in UpdraftPlus Backup Plugin for WordPress,"The UpdraftPlus: WP Backup & Migration Plugin for WordPress is vulnerable to reflected cross-site scripting due to inadequate input sanitization and output escaping. Specifically, the safety of the showdata and initiate_restore parameters is compromised across all versions up to and including 1.24.12. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts into webpages. These scripts could be executed if an admin user is lured into clicking a malicious link, potentially leading to unauthorized actions and data breaches.",Wordpress,Updraftplus: WP Backup & Migration Plugin,6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,false,false,false,2025-01-15T22:23:32.852Z,0
CVE-2025-22762,https://securityvulnerability.io/vulnerability/CVE-2025-22762,Stored Cross-site Scripting Vulnerability in Octrace Studio WordPress HelpDesk Plugin,"A security flaw exists in the Octrace Studio WordPress HelpDesk & Support Ticket System Plugin that allows for stored Cross-site Scripting (XSS) attacks. The vulnerability can be exploited by malicious actors to inject harmful scripts into web pages, potentially affecting users who access these pages through vulnerable installations. The affected versions include all prior to 1.2.7, making it crucial for users to update to the latest version to mitigate risks associated with this vulnerability.",Wordpress,WordPress Helpdesk & Support Ticket System Plugin – Octrace Support,5.9,MEDIUM,0.0004299999854993075,false,,false,false,false,false,false,false,2025-01-15T15:23:23.912Z,0
CVE-2024-13156,https://securityvulnerability.io/vulnerability/CVE-2024-13156,DOM-Based Stored Cross-Site Scripting in HTML5 Video Player for WordPress,"The HTML5 Video Player plugin for WordPress is susceptible to DOM-Based Stored Cross-Site Scripting due to inadequate input sanitization and output escaping. Attackers with Contributor-level access or higher can exploit this vulnerability through the 'heading' parameter. By manipulating this parameter, they can inject harmful web scripts that execute whenever a user visits the compromised page, posing security risks to site users and potentially compromising their data.",Wordpress,Html5 Video Player – Mp4 Video Player Plugin And Block,6.4,MEDIUM,0.0006799999973736703,false,,false,false,false,false,false,false,2025-01-14T08:23:14.833Z,0
CVE-2024-12274,https://securityvulnerability.io/vulnerability/CVE-2024-12274,Data Exposure Vulnerability in Appointment Booking Calendar Plugin for WordPress,"The Appointment Booking Calendar Plugin and Scheduling Plugin for WordPress prior to version 1.1.23 contains a vulnerability in its export settings functionality. This issue allows unauthenticated attackers to gain access to data exported to a publicly accessible folder, where the filenames are easily guessable. As a result, sensitive information may be exposed, which poses a risk to users' privacy and security. It is crucial for website administrators utilizing these plugins to upgrade to the latest version to mitigate the risk of potential data breaches.",Wordpress,Appointment Booking Calendar Plugin And Scheduling Plugin,7.5,HIGH,0.0004299999854993075,false,,false,false,true,true,false,false,2025-01-13T06:00:01.193Z,0
CVE-2024-12877,https://securityvulnerability.io/vulnerability/CVE-2024-12877,PHP Object Injection Vulnerability in GiveWP Donation Plugin for WordPress,"The GiveWP Donation Plugin for WordPress is susceptible to PHP Object Injection due to improper handling of untrusted input from the donation form, such as the 'firstName' field. This vulnerability affects all versions up to and including 3.19.2 and allows unauthenticated attackers to inject malicious PHP objects. The presence of a Property-Oriented Programming (POP) chain could enable these attackers to execute remote code and potentially delete arbitrary files on the server. While version 3.19.3 attempted a patch, it was not fully effective, and a comprehensive solution was only provided in version 3.19.4. It is strongly recommended that the vendor implement JSON encoding to mitigate the risk of deserialization vulnerabilities in the future.",Wordpress,GiveWP – Donation Plugin And Fundraising Platform,9.8,CRITICAL,0.0007099999929778278,false,,false,false,false,false,false,false,2025-01-11T07:21:53.510Z,0
CVE-2024-12412,https://securityvulnerability.io/vulnerability/CVE-2024-12412,Stored Cross-Site Scripting Vulnerability in WpRently Plugin for WooCommerce by WordPress,"The WpRently plugin for WordPress, used for managing rentals and bookings with WooCommerce integration, is susceptible to a Stored Cross-Site Scripting vulnerability. This issue arises from insufficient input sanitization and output escaping related to the 'active_tab' parameter. Attackers without authentication can exploit this vulnerability to inject arbitrary web scripts into pages, which will execute when users access these compromised pages. This can lead to unauthorized access and manipulation of user data, highlighting the urgent need for addressing this security flaw in all versions up to and including 2.2.1.",Wordpress,"Rental And Booking Manager For Bike, Car, Dress, Resort With WooCommerce Integration – WPrently | WordPress Plugin",6.1,MEDIUM,0.0004600000102072954,false,,false,false,false,false,false,false,2025-01-11T07:21:53.135Z,0
CVE-2024-12473,https://securityvulnerability.io/vulnerability/CVE-2024-12473,SQL Injection Vulnerability in AI Scribe Plugin for WordPress,"The AI Scribe – SEO AI Writer plugin for WordPress is susceptible to SQL Injection through the 'template_id' parameter in the 'article_builder_generate_data' shortcode. This vulnerability arises from inadequate parameter escaping and insufficient preparation of the existing SQL query. Authenticated attackers with Contributor-level access or higher can exploit this flaw to insert and execute additional SQL queries, potentially allowing them to retrieve sensitive information from the database.",Wordpress,"Ai Scribe – Seo Ai Writer, Content Generator, Humanizer, Blog Writer, Seo Optimizer, Dalle-3, Ai WordPress Plugin Chatgpt (gpt-4o 128k)",6.5,MEDIUM,0.0004900000058114529,false,,false,false,false,false,false,false,2025-01-10T04:15:00.000Z,0
CVE-2024-12606,https://securityvulnerability.io/vulnerability/CVE-2024-12606,Data Modification Vulnerability in AI Scribe SEO Plugin by WordPress,"The AI Scribe plugin for WordPress is susceptible to unauthorized data modification due to a missing capability check in the engine_request_data() function. This vulnerability affects all versions, including and up to version 2.3, allowing authenticated users with Subscriber-level access and higher to alter plugin settings. Administrators should ensure their installations are updated to mitigate this risk and protect the integrity of the plugin's functionalities.",Wordpress,"Ai Scribe – Seo Ai Writer, Content Generator, Humanizer, Blog Writer, Seo Optimizer, Dalle-3, Ai WordPress Plugin Chatgpt (gpt-4o 128k)",4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-10T04:15:00.000Z,0
CVE-2024-12616,https://securityvulnerability.io/vulnerability/CVE-2024-12616,Unauthorized Data Modification in Bitly Plugin for WordPress,"The Bitly's WordPress Plugin is susceptible to unauthorized modification of settings due to a lack of proper capability checks on several AJAX actions. This vulnerability affects all versions up to and including 2.7.3, enabling authenticated attackers—specifically those with Subscriber-level access or higher—to manipulate plugin settings without appropriate permissions, thus posing risks to data integrity and security.",Wordpress,Bitly&#039;s WordPress Plugin,4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-09T11:11:03.339Z,0