cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2025-24652,https://securityvulnerability.io/vulnerability/CVE-2025-24652,Missing Authorization Flaw in Revmakx WP Duplicate Plugin by WordPress,"The Revmakx WP Duplicate plugin for WordPress is susceptible to a missing authorization vulnerability, which allows attackers to exploit improperly configured access controls. This issue can lead to unauthorized access and actions within the plugin, potentially affecting sensitive data and site integrity. The vulnerability is present in WP Duplicate Plugin versions up to 1.1.6, making it crucial for users to evaluate their settings and apply necessary updates.",Wordpress,WP Duplicate – WordPress Migration Plugin,5.4,MEDIUM,0.0004299999854993075,false,,false,false,false,false,false,false,2025-01-24T17:24:38.393Z,0
CVE-2024-13495,https://securityvulnerability.io/vulnerability/CVE-2024-13495,Arbitrary Shortcode Execution in GamiPress by GamiPress,"The GamiPress plugin, designed for gamification in WordPress, is susceptible to arbitrary shortcode execution due to inadequate validation in the gamipress_ajax_get_logs() function. This flaw allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to unauthorized actions or compromises within the WordPress environment. All versions up to and including 7.2.1 are affected, emphasizing the need for users to ensure they are running the latest, secure versions to mitigate this risk.",Wordpress,"Gamipress – Gamification Plugin To Reward Points, Achievements, Badges & Ranks In WordPress",7.3,HIGH,0.0005200000014156103,false,,false,false,false,false,false,false,2025-01-22T11:15:00.000Z,0
CVE-2024-13499,https://securityvulnerability.io/vulnerability/CVE-2024-13499,Arbitrary Shortcode Execution in GamiPress Plugin for WordPress,"The GamiPress plugin, used for gamifying WordPress sites by rewarding users with points, achievements, badges, and ranks, has a critical vulnerability that allows for arbitrary shortcode execution. This issue arises from the gamipress_do_shortcode() function, which fails to adequately validate input. As a result, unauthenticated attackers can exploit this vulnerability to execute arbitrary shortcodes, potentially leading to unauthorized actions on affected WordPress sites. All versions of GamiPress up to and including 7.2.1 are impacted, necessitating immediate attention and remediation from site administrators.",Wordpress,"Gamipress – Gamification Plugin To Reward Points, Achievements, Badges & Ranks In WordPress",7.3,HIGH,0.0005200000014156103,false,,false,false,false,false,false,false,2025-01-22T11:15:00.000Z,0
CVE-2024-13496,https://securityvulnerability.io/vulnerability/CVE-2024-13496,Time-Based SQL Injection Vulnerability in GamiPress Plugin for WordPress,"The GamiPress plugin, designed for gamification in WordPress to manage points and achievements, contains a vulnerability that allows unauthenticated attackers to exploit time-based SQL Injection via the 'orderby' parameter. This issue arises from improper escaping of user-supplied inputs and inadequate preparation of SQL queries, enabling attackers to inject additional SQL commands into existing queries. If exploited, this could allow unauthorized users to extract sensitive information stored in the database, posing a significant risk to WordPress site security.",Wordpress,"Gamipress – Gamification Plugin To Reward Points, Achievements, Badges & Ranks In WordPress",7.5,HIGH,0.0006000000284984708,false,,false,false,false,false,false,false,2025-01-22T11:15:00.000Z,0
CVE-2025-22735,https://securityvulnerability.io/vulnerability/CVE-2025-22735,Reflected XSS Vulnerability in TaxoPress WordPress Tag Cloud Plugin,"The TaxoPress WordPress Tag Cloud Plugin – Tag Groups suffers from a reflected XSS vulnerability due to improper input neutralization during web page generation. This flaw allows attackers to inject malicious scripts, potentially compromising user sessions and enabling unauthorized actions. This vulnerability affects users of the plugin across various versions up to 2.0.4, posing a significant risk to the security of websites utilizing the plugin.",Wordpress,WordPress Tag Cloud Plugin – Tag Groups,7.1,HIGH,0.0004299999854993075,false,,false,false,false,false,false,false,2025-01-21T13:40:35.161Z,0
CVE-2024-49333,https://securityvulnerability.io/vulnerability/CVE-2024-49333,SQL Injection Vulnerability in NotFound Hero Mega Menu Plugin for WordPress,"The NotFound Hero Mega Menu - Responsive WordPress Menu Plugin exhibits a vulnerability that allows for SQL Injection, enabling attackers to manipulate queries executed by the database. This flaw can expose sensitive information and lead to unauthorized actions. The vulnerability impacts versions from n/a to 1.16.5, highlighting the importance of updating to mitigate possible exploitation. Website administrators using this plugin should review their systems and apply necessary patches to defend against potential SQL injection attacks.",Wordpress,Hero Mega Menu - Responsive WordPress Menu Plugin,8.5,HIGH,0.0004299999854993075,false,,false,false,false,false,false,false,2025-01-21T13:40:32.700Z,0
CVE-2024-49303,https://securityvulnerability.io/vulnerability/CVE-2024-49303,SQL Injection Vulnerability in Hero Mega Menu Plugin for WordPress,"The Hero Mega Menu - Responsive WordPress Menu Plugin is susceptible to an SQL Injection vulnerability, enabling attackers to manipulate database queries. This flaw may allow unauthorized access to sensitive information or unauthorized modifications in the affected plugin versions up to 1.16.5. It is crucial for users to update to a patched version to safeguard their WordPress environments from potential exploitation.",Wordpress,Hero Mega Menu - Responsive WordPress Menu Plugin,8.5,HIGH,0.0004299999854993075,false,,false,false,false,false,false,false,2025-01-21T13:40:32.562Z,0
CVE-2024-49300,https://securityvulnerability.io/vulnerability/CVE-2024-49300,Cross-site Scripting Vulnerability in Hero Mega Menu Plugin for WordPress,"A Reflected XSS vulnerability exists in the Hero Mega Menu - Responsive WordPress Menu Plugin, which allows attackers to execute arbitrary scripts in the context of the user's browser. This issue affects all versions up to 1.16.5, enabling unauthorized access to sensitive information and potential account compromise when exploited.",Wordpress,Hero Mega Menu - Responsive WordPress Menu Plugin,7.1,HIGH,0.0004299999854993075,false,,false,false,false,false,false,false,2025-01-21T13:40:32.331Z,0
CVE-2024-10799,https://securityvulnerability.io/vulnerability/CVE-2024-10799,Directory Traversal Vulnerability in Eventer Plugin for WordPress,"The Eventer plugin for WordPress is susceptible to a Directory Traversal vulnerability affecting all versions up to and including 3.9.7. This issue arises through the eventer_woo_download_tickets() function, allowing authenticated users with at least Subscriber-level access to exploit it. An attacker can potentially access and read the content of arbitrary files on the server, which could contain sensitive data and lead to further exploitation of the web application. Website administrators are advised to review affected systems and apply patches or updates where applicable.",Wordpress,Eventer - WordPress Event & Booking Manager Plugin,6.5,MEDIUM,0.0005000000237487257,false,,false,false,false,false,false,false,2025-01-17T05:29:27.786Z,0
CVE-2024-13333,https://securityvulnerability.io/vulnerability/CVE-2024-13333,Arbitrary File Upload Vulnerability in Advanced File Manager for WordPress,"The Advanced File Manager plugin for WordPress is susceptible to an arbitrary file upload vulnerability caused by inadequate file type validation in its 'fma_local_file_system' function. This issue affects versions 5.2.12 and 5.2.13 and can be leveraged by authenticated users with Subscriber-level permissions or higher, provided they've been granted upload rights by an administrator. The vulnerability can be exploited if the 'Display .htaccess?' setting is enabled, allowing attackers to upload malicious files that may facilitate remote code execution on the affected site's server.",Wordpress,Advanced File Manager — Ultimate WordPress File Manager And Document Library Plugin,7.5,HIGH,0.0005600000149570405,false,,false,false,false,false,false,false,2025-01-17T05:29:27.068Z,0
CVE-2025-23842,https://securityvulnerability.io/vulnerability/CVE-2025-23842,Cross-Site Request Forgery Vulnerability in Nilesh Shiragave WordPress Gallery Plugin,"A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the WordPress Gallery Plugin by Nilesh Shiragave. This flaw could allow an attacker to trick users into executing unwanted actions on a web application where they are authenticated, potentially leading to unauthorized content manipulation or data exposure. The affected versions range from an unspecified release before version 1.4, necessitating immediate attention to mitigate any security risks associated with this vulnerability.",Wordpress,WordPress Gallery Plugin,7.1,HIGH,0.0004299999854993075,false,,false,false,false,false,false,false,2025-01-16T20:07:21.537Z,0
CVE-2025-23435,https://securityvulnerability.io/vulnerability/CVE-2025-23435,Cross-Site Request Forgery Discovered in Password Protect Plugin for WordPress,"The David Marcucci Password Protect Plugin for WordPress has a Cross-Site Request Forgery (CSRF) vulnerability that can lead to stored XSS. This issue affects versions from n/a up to and including 0.8.1.0. Attackers may exploit this vulnerability to perform unauthorized actions on behalf of an authenticated user, potentially compromising user data and site integrity. Users are advised to update their plugins promptly to mitigate the risks associated with this vulnerability.",Wordpress,Password Protect Plugin For WordPress,7.1,HIGH,0.0004299999854993075,false,,false,false,false,false,false,false,2025-01-16T20:06:06.877Z,0
CVE-2025-22762,https://securityvulnerability.io/vulnerability/CVE-2025-22762,Stored Cross-site Scripting Vulnerability in Octrace Studio WordPress HelpDesk Plugin,"A security flaw exists in the Octrace Studio WordPress HelpDesk & Support Ticket System Plugin that allows for stored Cross-site Scripting (XSS) attacks. The vulnerability can be exploited by malicious actors to inject harmful scripts into web pages, potentially affecting users who access these pages through vulnerable installations. The affected versions include all prior to 1.2.7, making it crucial for users to update to the latest version to mitigate risks associated with this vulnerability.",Wordpress,WordPress Helpdesk & Support Ticket System Plugin – Octrace Support,5.9,MEDIUM,0.0004299999854993075,false,,false,false,false,false,false,false,2025-01-15T15:23:23.912Z,0
CVE-2024-12412,https://securityvulnerability.io/vulnerability/CVE-2024-12412,Stored Cross-Site Scripting Vulnerability in WpRently Plugin for WooCommerce by WordPress,"The WpRently plugin for WordPress, used for managing rentals and bookings with WooCommerce integration, is susceptible to a Stored Cross-Site Scripting vulnerability. This issue arises from insufficient input sanitization and output escaping related to the 'active_tab' parameter. Attackers without authentication can exploit this vulnerability to inject arbitrary web scripts into pages, which will execute when users access these compromised pages. This can lead to unauthorized access and manipulation of user data, highlighting the urgent need for addressing this security flaw in all versions up to and including 2.2.1.",Wordpress,"Rental And Booking Manager For Bike, Car, Dress, Resort With WooCommerce Integration – WPrently | WordPress Plugin",6.1,MEDIUM,0.0004600000102072954,false,,false,false,false,false,false,false,2025-01-11T07:21:53.135Z,0
CVE-2024-12606,https://securityvulnerability.io/vulnerability/CVE-2024-12606,Data Modification Vulnerability in AI Scribe SEO Plugin by WordPress,"The AI Scribe plugin for WordPress is susceptible to unauthorized data modification due to a missing capability check in the engine_request_data() function. This vulnerability affects all versions, including and up to version 2.3, allowing authenticated users with Subscriber-level access and higher to alter plugin settings. Administrators should ensure their installations are updated to mitigate this risk and protect the integrity of the plugin's functionalities.",Wordpress,"Ai Scribe – Seo Ai Writer, Content Generator, Humanizer, Blog Writer, Seo Optimizer, Dalle-3, Ai WordPress Plugin Chatgpt (gpt-4o 128k)",4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-10T04:15:00.000Z,0
CVE-2024-12473,https://securityvulnerability.io/vulnerability/CVE-2024-12473,SQL Injection Vulnerability in AI Scribe Plugin for WordPress,"The AI Scribe – SEO AI Writer plugin for WordPress is susceptible to SQL Injection through the 'template_id' parameter in the 'article_builder_generate_data' shortcode. This vulnerability arises from inadequate parameter escaping and insufficient preparation of the existing SQL query. Authenticated attackers with Contributor-level access or higher can exploit this flaw to insert and execute additional SQL queries, potentially allowing them to retrieve sensitive information from the database.",Wordpress,"Ai Scribe – Seo Ai Writer, Content Generator, Humanizer, Blog Writer, Seo Optimizer, Dalle-3, Ai WordPress Plugin Chatgpt (gpt-4o 128k)",6.5,MEDIUM,0.0004900000058114529,false,,false,false,false,false,false,false,2025-01-10T04:15:00.000Z,0
CVE-2024-12616,https://securityvulnerability.io/vulnerability/CVE-2024-12616,Unauthorized Data Modification in Bitly Plugin for WordPress,"The Bitly's WordPress Plugin is susceptible to unauthorized modification of settings due to a lack of proper capability checks on several AJAX actions. This vulnerability affects all versions up to and including 2.7.3, enabling authenticated attackers—specifically those with Subscriber-level access or higher—to manipulate plugin settings without appropriate permissions, thus posing risks to data integrity and security.",Wordpress,Bitly's WordPress Plugin,4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-09T11:11:03.339Z,0
CVE-2024-11929,https://securityvulnerability.io/vulnerability/CVE-2024-11929,Stored Cross-Site Scripting in Responsive FlipBook Plugin for WordPress,"The Responsive FlipBook Plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping in the rfbwp_save_settings() function. This vulnerability affects all versions up to and including 2.5.0, allowing authenticated users with Subscriber-level access or higher to inject arbitrary web scripts into web pages. Such scripts can execute whenever a user accesses the compromised page, potentially leading to unauthorized actions or data exposure.",Wordpress,Responsive Flipbook Plugin WordPress,6.4,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-09T11:10:58.270Z,0
CVE-2024-12605,https://securityvulnerability.io/vulnerability/CVE-2024-12605,Cross-Site Request Forgery Vulnerability in AI Scribe WordPress Plugin,"The AI Scribe plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF) due to inadequate nonce validation on critical actions. This vulnerability allows an attacker to exploit the flaw by deceiving site administrators into initiating a malicious request, thereby changing plugin settings without authentication. The affected versions, including all up to 2.3, lack sufficient verification mechanisms, making it imperative for users to update to secure their installations.",Wordpress,"Ai Scribe – Seo Ai Writer, Content Generator, Humanizer, Blog Writer, Seo Optimizer, Dalle-3, Ai WordPress Plugin Chatgpt (gpt-4o 128k)",4.3,MEDIUM,0.0004299999854993075,false,,false,false,false,false,false,false,2025-01-09T11:10:57.897Z,0
CVE-2024-12206,https://securityvulnerability.io/vulnerability/CVE-2024-12206,Cross-Site Request Forgery Vulnerability in Pearl Header Builder Plugin for WordPress,"The Pearl Header Builder Plugin for WordPress is susceptible to a Cross-Site Request Forgery flaw that affects all versions up to 1.3.8. This vulnerability stems from inadequate nonce validation on the stm_header_builder page. As a result, unauthenticated attackers could potentially delete arbitrary headers by tricking a site administrator into executing a harmful action, such as clicking a malicious link.",Wordpress,WordPress Header Builder Plugin – Pearl,4.3,MEDIUM,0.0004600000102072954,false,,false,false,false,false,false,false,2025-01-09T11:10:57.161Z,0
CVE-2024-11270,https://securityvulnerability.io/vulnerability/CVE-2024-11270,Arbitrary File Creation Vulnerability in WebinarPress Plugin by WordPress,"The WebinarPress plugin for WordPress is susceptible to an arbitrary file creation flaw that arises from an absent capability check within the 'sync-import-imgs' function and inadequate file type validation across all versions up to and including 1.33.24. This vulnerability enables authenticated attackers with subscriber-level access or higher to generate arbitrary files, potentially resulting in remote code execution.",Wordpress,WordPress Webinar Plugin – Webinarpress,8.8,HIGH,0.0005000000237487257,false,,false,false,false,false,false,false,2025-01-08T04:17:59.763Z,0
CVE-2024-11271,https://securityvulnerability.io/vulnerability/CVE-2024-11271,Data Modification Vulnerability in WebinarPress Plugin for WordPress,"The WebinarPress plugin for WordPress contains a vulnerability that allows authenticated users with subscriber-level access and higher to modify webinar content. This issue arises from a lack of necessary capability checks on key functions, making it possible for attackers to alter data in all plugin versions up to and including 1.33.24. WordPress site administrators are advised to update the plugin to the latest version to mitigate the risk of unauthorized data manipulation.",Wordpress,WordPress Webinar Plugin – Webinarpress,4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-08T04:17:58.930Z,0
CVE-2024-12112,https://securityvulnerability.io/vulnerability/CVE-2024-12112,Stored Cross-Site Scripting in Easy Form Builder for WordPress,"The Easy Form Builder plugin for WordPress suffers from a stored cross-site scripting vulnerability due to inadequate input sanitization and output escaping. Attackers with Subscriber-level access or higher can exploit this flaw by injecting malicious scripts through the 'name' parameter of the 'add_form_Emsfb' AJAX action. This can lead to arbitrary web scripts executing on pages viewed by unsuspecting users, posing significant security risks. It is critical for users of the plugin to upgrade to the latest version or apply available patches to protect their sites from potential exploitation.",Wordpress,"Easy Form Builder – WordPress Plugin Form Builder: Contact Form, Survey Form, Payment Form, And Custom Form Builder",6.4,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-08T03:18:11.056Z,0
CVE-2025-22349,https://securityvulnerability.io/vulnerability/CVE-2025-22349,SQL Injection Vulnerability in WordPress Auction Plugin by Owen Cutajar & Hyder Jaffari,"The WordPress Auction Plugin, developed by Owen Cutajar and Hyder Jaffari, is susceptible to SQL Injection attacks due to inadequate neutralization of special elements within SQL commands. This vulnerability allows attackers to manipulate SQL queries, potentially compromising the security of the database. Versions from n/a up to 3.7 are affected, posing significant risks to users employing the plugin. It is essential for site administrators to review and mitigate this vulnerability to protect against unauthorized data access and exploitation.",Wordpress,WordPress Auction Plugin,7.6,HIGH,0.0004299999854993075,false,,false,false,false,false,false,false,2025-01-07T10:48:40.702Z,0
CVE-2024-8857,https://securityvulnerability.io/vulnerability/CVE-2024-8857,Stored Cross-Site Scripting Vulnerability in Auction Plugin for WordPress,"The Auction Plugin for WordPress versions up to 3.7 is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability due to inadequate sanitization and escaping of certain settings. This issue poses a risk by enabling users with high privileges, such as editors, to inject malicious scripts that could be executed in the browsers of visitors. Appropriate measures should be taken to secure the plugin and prevent potential attacks.",Wordpress,WordPress Auction Plugin,4.8,MEDIUM,0.0004299999854993075,false,,false,false,true,true,false,false,2025-01-07T06:00:05.825Z,0