cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-13095,https://securityvulnerability.io/vulnerability/CVE-2024-13095,SQL Injection Vulnerability in WP Triggers Lite Plugin by WordPress,"The WP Triggers Lite plugin for WordPress, specifically versions up to 2.5.3, has a vulnerability where it fails to properly sanitize and escape input parameters used in SQL queries. This oversight can allow attackers, especially those with administrative privileges, to execute SQL injection attacks, potentially compromising the database and revealing sensitive information. It is crucial for users of this plugin to update to the latest version or implement necessary security measures to mitigate this risk.",WordPress,WP Triggers Lite,4.8,MEDIUM,0.0004299999854993075,false,,false,false,true,true,false,false,2025-01-27T06:00:11.280Z,0
CVE-2024-13094,https://securityvulnerability.io/vulnerability/CVE-2024-13094,Reflected Cross-Site Scripting Vulnerability in WP Triggers Lite by WordPress,"A reflected cross-site scripting vulnerability has been identified in the WP Triggers Lite WordPress plugin, specifically in version 2.5.3. The plugin does not adequately sanitize and escape a certain parameter before rendering it on the page. This oversight opens the door for attackers to inject malicious scripts, particularly targeting high privilege users such as administrators. If exploited, this vulnerability could allow unauthorized access and manipulation of sensitive data within the affected applications.",WordPress,WP Triggers Lite,7.1,HIGH,0.0004299999854993075,false,,false,false,true,true,false,false,2025-01-27T06:00:10.933Z,0
CVE-2024-12436,https://securityvulnerability.io/vulnerability/CVE-2024-12436,Cross-Site Request Forgery Vulnerability in WP Customer Area WordPress Plugin,"The WP Customer Area plugin for WordPress, specifically versions up to 8.2.4, is susceptible to Cross-Site Request Forgery (CSRF) attacks due to the absence of CSRF checks in certain areas. This vulnerability can enable attackers to exploit the logged-in user session, prompting users to execute unintended actions without their consent, thereby compromising the security and integrity of the application.",WordPress,WP Customer Area,4.3,MEDIUM,0.0004299999854993075,false,,false,false,true,true,false,false,2025-01-27T06:00:06.330Z,0
CVE-2024-12280,https://securityvulnerability.io/vulnerability/CVE-2024-12280,CSRF Vulnerability in WP Customer Area Plugin by WordPress,"The WP Customer Area plugin for WordPress, in versions up to 8.2.4, lacks proper Cross-Site Request Forgery (CSRF) protection during the deletion of logs. This security gap permits attackers to exploit logged-in user sessions to perform unauthorized actions, potentially leading to the removal of sensitive log information without user consent.",WordPress,WP Customer Area,4.3,MEDIUM,0.0004299999854993075,false,,false,false,true,true,false,false,2025-01-27T06:00:04.043Z,0
CVE-2025-24652,https://securityvulnerability.io/vulnerability/CVE-2025-24652,Missing Authorization Flaw in Revmakx WP Duplicate Plugin by WordPress,"The Revmakx WP Duplicate plugin for WordPress is susceptible to a missing authorization vulnerability, which allows attackers to exploit improperly configured access controls. This issue can lead to unauthorized access and actions within the plugin, potentially affecting sensitive data and site integrity. The vulnerability is present in WP Duplicate Plugin versions up to 1.1.6, making it crucial for users to evaluate their settings and apply necessary updates.",Wordpress,WP Duplicate – WordPress Migration Plugin,5.4,MEDIUM,0.0004299999854993075,false,,false,false,false,false,false,false,2025-01-24T17:24:38.393Z,0
CVE-2024-13426,https://securityvulnerability.io/vulnerability/CVE-2024-13426,SQL Injection Vulnerability in WP-Polls Plugin for WordPress,"The WP-Polls plugin for WordPress contains a vulnerability that enables SQL Injection through COOKIE manipulation. This issue arises from inadequate escaping of user-supplied parameters and poorly prepared SQL queries. Attackers, without needing authentication, can insert additional SQL queries into existing ones. While the results are not visible to the attacker, an appropriately crafted payload may allow for the injection of malicious JavaScript, leading to Stored Cross-Site Scripting risks, thereby compromising the integrity of affected sites.",Wordpress,WP-polls,5.3,MEDIUM,0.0008200000156648457,false,,false,false,false,false,false,false,2025-01-22T02:20:24.893Z,0
CVE-2024-13444,https://securityvulnerability.io/vulnerability/CVE-2024-13444,Cross-Site Request Forgery in wp-greet Plugin for WordPress,"The wp-greet plugin for WordPress exhibits a vulnerability to Cross-Site Request Forgery due to inadequate nonce validation in various functions. This flaw allows unauthenticated attackers to make unauthorized changes to settings if they can deceive an administrator into triggering a forged request, such as clicking on a malicious link. All versions of the plugin up to and including 6.2 are affected, highlighting the importance of proper validation mechanisms to protect against such exploits.",Wordpress,WP-greet,6.1,MEDIUM,0.0005699999746866524,false,,false,false,false,false,false,false,2025-01-21T11:09:47.099Z,0
CVE-2024-12005,https://securityvulnerability.io/vulnerability/CVE-2024-12005,Cross-Site Request Forgery Vulnerability in WP-BibTeX Plugin for WordPress,"The WP-BibTeX plugin for WordPress allows for a Cross-Site Request Forgery due to insufficient nonce validation in the wp_bibtex_option_page() function. This vulnerability enables unauthenticated attackers to execute unauthorized actions by tricking a site administrator into clicking on a malicious link. All versions of the plugin up to and including 3.0.1 are susceptible, emphasizing the need for prompt updates and enhanced security measures.",Wordpress,WP-bibtex,6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,false,false,false,2025-01-21T09:21:09.602Z,0
CVE-2024-8722,https://securityvulnerability.io/vulnerability/CVE-2024-8722,Stored Cross-Site Scripting Vulnerability in WordPress Plugin,"The Import any XML or CSV File to WordPress PRO plugin is susceptible to Stored Cross-Site Scripting through SVG file uploads, due to inadequate input sanitization and output escaping. Authenticated attackers with Administrator access can exploit this vulnerability to inject malicious web scripts into pages, which execute whenever users access the compromised SVG files. This risk underscores the importance of implementing robust security measures and ensuring prompt updates to protect against potential exploits.",Wordpress,WP All Import Pro,5.5,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-19T04:21:13.279Z,0
CVE-2024-13184,https://securityvulnerability.io/vulnerability/CVE-2024-13184,SQL Injection Vulnerability in The Ultimate WordPress Toolkit – WP Extended Plugin,"The Ultimate WordPress Toolkit – WP Extended plugin is susceptible to a time-based SQL injection vulnerability through its Login Attempts module. This issue affects all versions up to and including 3.0.12, stemming from inadequate escaping of user-supplied parameters and insufficient preparation of SQL queries. This flaw allows unauthenticated attackers to merge malicious SQL queries with existing ones, potentially leading to the extraction of sensitive database information.",Wordpress,The Ultimate WordPress Toolkit – WP Extended,7.5,HIGH,0.0006000000284984708,false,,false,false,false,false,false,false,2025-01-18T08:26:39.182Z,0
CVE-2024-12385,https://securityvulnerability.io/vulnerability/CVE-2024-12385,Cross-Site Request Forgery Vulnerability in WP Abstracts Plugin by WordPress,"The WP Abstracts plugin for WordPress is affected by a Cross-Site Request Forgery due to inadequate nonce validation in the wpabstracts_load_status() and wpabstracts_delete_abstracts() functions. This vulnerability allows unauthenticated attackers to execute malicious web scripts by crafting a forged request, potentially tricking site administrators into performing unintended actions. It is crucial for users of the affected versions to upgrade to mitigate the risk of exploitation.",Wordpress,WP Abstracts,6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,false,false,false,2025-01-18T07:05:08.582Z,0
CVE-2024-12370,https://securityvulnerability.io/vulnerability/CVE-2024-12370,Unauthorized Data Modification in WP Hotel Booking Plugin for WordPress,"The WP Hotel Booking plugin for WordPress is susceptible to a security flaw where an absence of proper capability checks permits unauthenticated users to add rooms with arbitrary prices. This vulnerability affects all versions up to and including 2.1.5, potentially leading to unauthorized alterations to the hotel's room inventory, posing significant risks to site administrators and customers alike.",Wordpress,WP Hotel Booking,5.3,MEDIUM,0.0004600000102072954,false,,false,false,false,false,false,false,2025-01-17T08:25:38.307Z,0
CVE-2024-13434,https://securityvulnerability.io/vulnerability/CVE-2024-13434,Reflected Cross-Site Scripting in WP Inventory Manager by WordPress,"The WP Inventory Manager plugin for WordPress is susceptible to Reflected Cross-Site Scripting through the 'message' parameter. This vulnerability arises due to inadequate input sanitization and output escaping, exposing users to the risk of unauthorized script injections. An attacker can exploit this issue by tricking a user into clicking a specially crafted link, leading to the execution of malicious scripts within the user's browser context.",Wordpress,WP Inventory Manager,6.1,MEDIUM,0.0004600000102072954,false,,false,false,false,false,false,false,2025-01-17T04:30:19.689Z,0
CVE-2024-13387,https://securityvulnerability.io/vulnerability/CVE-2024-13387,Stored Cross-Site Scripting Vulnerability in WP Responsive Tabs Plugin by WordPress,"The WP Responsive Tabs plugin for WordPress is impacted by a vulnerability that allows for stored cross-site scripting through the 'wprtabs' shortcode. This issue arises from inadequate input sanitization and output escaping on user-supplied attributes. Authenticated attackers with contributor-level access or higher can exploit this flaw to inject malicious web scripts into pages. When users access an affected page, the injected scripts can execute, potentially compromising user data and site integrity. Thus, updating the plugin to the latest version is imperative to safeguard against this vulnerability.",Wordpress,WP Responsive Tabs,6.4,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-16T09:39:13.521Z,0
CVE-2024-10789,https://securityvulnerability.io/vulnerability/CVE-2024-10789,Cross-Site Request Forgery in WP User Profile Avatar Plugin for WordPress,"The WP User Profile Avatar plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF) due to inadequate nonce validation in the wpupa_user_admin() function. This vulnerability allows unauthorized attackers to manipulate plugin settings through crafted requests, potentially deceiving site administrators into unknowingly executing actions that compromise site integrity.",Wordpress,WP User Profile Avatar,4.3,MEDIUM,0.0004600000102072954,false,,false,false,false,false,false,false,2025-01-16T03:27:22.549Z,0
CVE-2025-0215,https://securityvulnerability.io/vulnerability/CVE-2025-0215,Reflected Cross-Site Scripting Vulnerability in UpdraftPlus Backup Plugin for WordPress,"The UpdraftPlus: WP Backup & Migration Plugin for WordPress is vulnerable to reflected cross-site scripting due to inadequate input sanitization and output escaping. Specifically, the safety of the showdata and initiate_restore parameters is compromised across all versions up to and including 1.24.12. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts into webpages. These scripts could be executed if an admin user is lured into clicking a malicious link, potentially leading to unauthorized actions and data breaches.",Wordpress,Updraftplus: WP Backup & Migration Plugin,6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,false,false,false,2025-01-15T22:23:32.852Z,0
CVE-2024-12818,https://securityvulnerability.io/vulnerability/CVE-2024-12818,Stored Cross-Site Scripting Vulnerability in WP Smart TV Plugin by WordPress,"The WP Smart TV plugin for WordPress contains a vulnerability that allows authenticated users with contributor-level access or higher to exploit the 'tv-video-player' shortcode. This vulnerability arises from inadequate input sanitization and output escaping for user-supplied attributes. As a result, attackers can inject malicious web scripts into pages, leading to execution whenever a user views the compromised page. It is crucial for users to upgrade to the latest version or apply necessary fixes to mitigate this risk.",Wordpress,WP Smart Tv,6.4,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-15T09:25:55.673Z,0
CVE-2024-13323,https://securityvulnerability.io/vulnerability/CVE-2024-13323,Stored Cross-Site Scripting in WP Booking Calendar Plugin from WordPress,"The WP Booking Calendar plugin for WordPress is susceptible to Stored Cross-Site Scripting attacks, primarily through the 'booking' shortcode. This vulnerability arises from inadequate input sanitization and output escaping on user-supplied attributes. Authenticated attackers with contributor-level access or higher can exploit this flaw to inject malicious web scripts into pages. Consequently, whenever a user accesses the compromised page, these scripts execute, potentially leading to unauthorized actions and data breaches.",Wordpress,WP Booking Calendar,6.4,MEDIUM,0.0005300000193528831,false,,false,false,false,false,false,false,2025-01-14T05:24:39.032Z,0
CVE-2024-11758,https://securityvulnerability.io/vulnerability/CVE-2024-11758,Stored Cross-Site Scripting in WP SPID Italia Plugin for WordPress,"The WP SPID Italia plugin for WordPress is susceptible to a Stored Cross-Site Scripting (XSS) flaw via its shortcode functionality. This vulnerability exists in all versions up to and including version 2.9 due to inadequate input sanitization and output escaping for user-supplied attributes. Authenticated attackers with contributor-level permissions or higher can exploit this weakness, allowing them to inject arbitrary web scripts into pages. The malicious scripts are executed whenever a user accesses the compromised page, posing a significant security risk to users and the integrity of the site.",Wordpress,WP Spid Italia,6.4,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-11T07:21:50.585Z,0
CVE-2024-12304,https://securityvulnerability.io/vulnerability/CVE-2024-12304,Stored Cross-Site Scripting Vulnerability in Gutenberg Blocks with AI by Kadence WP,"The Gutenberg Blocks with AI by Kadence WP Page Builder Features plugin for WordPress is susceptible to a stored cross-site scripting vulnerability. This flaw arises from inadequate input sanitization and output escaping processes in the button block link functionality. Authenticated attackers, holding Contributor-level access or greater, can exploit this vulnerability to inject arbitrary web scripts into web pages. These scripts will execute whenever a user visits the compromised page, potentially leading to unauthorized actions and compromise user information.",Wordpress,Gutenberg Blocks With Ai By Kadence WP – Page Builder Features,6.4,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-11T03:21:03.438Z,0
CVE-2024-13318,https://securityvulnerability.io/vulnerability/CVE-2024-13318,Unauthorized Access Vulnerability in Essential WP Real Estate Plugin for WordPress,"The Essential WP Real Estate plugin for WordPress presents a security risk due to a missing capability check in the cl_delete_listing_func() function. This vulnerability allows unauthenticated attackers to gain unauthorized access and delete arbitrary pages and posts, potentially compromising the integrity of the website. Users are urged to update their installations to secure their sites against these unauthorized actions.",Wordpress,Essential WP Real Estate,5.3,MEDIUM,0.0004600000102072954,false,,false,false,false,false,false,false,2025-01-10T11:10:45.380Z,0
CVE-2024-12067,https://securityvulnerability.io/vulnerability/CVE-2024-12067,SQL Injection Vulnerability in WP Travel Booking System by WordPress,"The WP Travel – Ultimate Travel Booking System, a plugin for WordPress, is exposed to SQL Injection through the 'booking_itinerary' parameter in the 'wptravel_get_booking_data' function. This vulnerability arises from inadequate escaping of user-supplied input and poor formulation of the SQL query, allowing authenticated attackers with Subscriber-level access or higher to inject additional SQL commands into existing queries. This exploitation can lead to unauthorized access and extraction of sensitive data stored in the database, posing a significant risk to users' confidential information.",Wordpress,"WP Travel – Ultimate Travel Booking System, Tour Management Engine",6.5,MEDIUM,0.0007900000200606883,false,,false,false,false,false,false,false,2025-01-09T11:10:57.510Z,0
CVE-2024-12330,https://securityvulnerability.io/vulnerability/CVE-2024-12330,Sensitive Information Exposure in WP Database Backup Plugin by Backup for WP,"The WP Database Backup – Unlimited Database & Files Backup plugin for WordPress is susceptible to a security flaw that allows unauthorized users to access backup files publicly. This vulnerability enables attackers to retrieve sensitive information saved within the database, posing significant risks to personal and organizational data privacy.",Wordpress,WP Database Backup – Unlimited Database & Files Backup By Backup For WP,7.5,HIGH,0.0006399999838322401,false,,false,false,false,false,false,false,2025-01-09T11:10:56.083Z,0
CVE-2024-11816,https://securityvulnerability.io/vulnerability/CVE-2024-11816,Remote Code Execution Vulnerability in WP Extended Plugin for WordPress,"The WP Extended plugin for WordPress is exposed to a vulnerability that permits authenticated attackers with Subscriber-level access or higher to execute arbitrary code on the server. This vulnerability arises from the absence of a capability check in the 'wpext_handle_snippet_update' function. If an admin has created at least one code snippet, this weakness can be exploited, leading to severe security risks for affected WordPress installations.",Wordpress,The Ultimate WordPress Toolkit – WP Extended,8.8,HIGH,0.0006399999838322401,false,,false,false,false,false,false,false,2025-01-08T03:18:11.444Z,0
CVE-2024-11916,https://securityvulnerability.io/vulnerability/CVE-2024-11916,Unauthorized Data Manipulation in WP Extended Plugin for WordPress,"The WP Extended plugin for WordPress is susceptible to unauthorized modification and retrieval of sensitive data due to inadequate capability checks in its functions. This vulnerability can be exploited by authenticated users with subscriber-level or higher privileges, allowing them to import and execute arbitrary code snippets. As a result, attackers may gain access to restricted functionalities, threatening the integrity and security of the WordPress installation.",Wordpress,The Ultimate WordPress Toolkit – WP Extended,5.4,MEDIUM,0.00044999999227002263,false,,false,false,false,false,false,false,2025-01-08T03:18:10.667Z,0