Wordfence Intelligence Weekly WordPress Vulnerability Report (December 16, 2024 to January 5, 2025)

📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.

Special Note: This weeks Wordfence Intelligence Weekly WordPress Vulnerability Report is an extended edition to cover the last few weeks in December over the holidays and the first week in January.

Over the past three weeks, there were 348 vulnerabilities disclosed in 291 WordPress Plugins and 11 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 84 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 21,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• ALL In One Custom Login Page <= 7.1.1 – Missing Authorization to Authenticated (Subscriber+)Privilege Escalation
• MainWP Child <= 5.2 – Missing Authorization to Unauthenticated Privilege Escalation
• WAF-RULE-789 – Data redacted while we work with the vendor on a patch.
• WAF-RULE-790 – Data redacted while we work with the vendor on a patch.
• WAF-RULE-791 – Data redacted while we work with the vendor on a patch.
• WAF-RULE-792 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Rafie Muhammad	33
João Pedro Soares de Alcântara	27
SOPROBRO	24
vgo0	21
Mika	20
Peter Thaleikis	17
Francesco Carlucci	12
Bonds	9
theviper17y	9
zaim	7
Lucio Sá	7
0xd4rk5id3	7
mikemyers	6
ardias	6
Trương Hữu Phúc (truonghuuphuc)	6
Dave Jong	6
yudha	5
Le Ngoc Anh	5
stealthcopter	5
Webbernaut	5
Gab	5
Bob Matyas	4
Tonn	4
thiennv	4
LVT-tholv2k	4
Thanh Nam Tran	3
Webula	3
shaman0x01	3
Max Boll (_b0lli)	3
Michael	3
Tieu Pham Trong Nhan	3
I8BL	3
Arkadiusz Hydzik	3
zer0gh0st	3
Robert DeVore	3
Fariq Fadillah Gusti Insani (fariqfgi)	2
wesley (wcraft)	2
Colin Xu	2
Ankit Patel	2
Jingle Bells	2
zakaria	2
Thái An (Thái An)	2
Pham Van Tam	2
Marek Mikita	2
b4orvn	2
l8BL	2
Hakiduck	1
Brian Sans-Souci (liardom)	1
Steven Pereira	1
Muktanand Kale	1
Ibnu Ubaeydillah	1
trongnb02	1
TANG Cheuk Hei (siunam)	1
Zlrqh	1
Jay Nguyen	1
ghsinfosec	1
Xiaoyong Wu	1
nvthien	1
Régis SENET	1
David Gallagher (BatFeats)	1
Jorge Diaz (ddiax)	1
Abdi Pranata	1
Khalid Yusuf	1
NAWardRox	1
Noah Stead (TurtleBurg)	1
Dhabaleshwar Das	1
M.Awad	1
sterva	1
minhtuanact	1
Vincent Fourcade (vinceMatsui)	1
Khang Duong	1
Hassan Khan Yusufzai - Splint3r7	1
Akbar Kustirama	1
Apostolos Sakellariou	1
incognito	1
Dimas Maulana	1
Joshua Chan	1
satrya wira yudha	1
tahu.datar	1
渡辺康介	1
hunter85	1
Ivan Kuzymchak	1
Sajjad Ahmad (jack_sparrow)	1
Emiliano Versini	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

WordPress Themes with Reported Vulnerabilities Last Week

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Dynamics 365 Integration <= 1.3.23 - Authenticated (Contributor+) Remote Code Execution and Arbitrary File Read via Twig Server-Side Template Injection

9.9

CVSS Rating
Critical (9.9)

CVE-ID
CVE-2024-12583

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
Dynamics 365 Integration

Researcher

Peter Thaleikis

More Details >

Ach Invoice App <= 1.0.1 - Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-22364

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
ACH Invoicing Plugin

Researcher

tahu.datar

More Details >

AdForest <= 5.1.6 - Authentication Bypass

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-11349

Patch Status
Patched

Published
Dec 20, 2024

Affected Software
AdForest

Researcher

Tonn

More Details >

AdForest <= 5.1.6 - Privilege Escalation via Password Reset/Account Takeover

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-11350

Patch Status
Patched

Published
Dec 20, 2024

Affected Software
AdForest

Researcher

Tonn

More Details >

Agency Toolkit <= 1.0.23 - Missing Authorization to Unauthenticated Arbitrary Options Update

9.8

CVSS Rating
Critical (9.8)

CVE-ID
Unknown

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
Agency Toolkit

Researcher(s): Unknown

More Details >

AI Magic <= 1.0.4 - Unauthenticated Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-56205

Patch Status
Unpatched

Published
Dec 18, 2024

Affected Software
AI Magic – SEO Content Generator & Article Writer

Researcher

Mika

More Details >

ARPrice <= 4.0.3 - Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-49688

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
ARPrice - WordPress Pricing Table Plugin

Researcher

Bonds

More Details >

Biagiotti Membership <= 1.0.2 - Authentication Bypass via biagiotti_membership_check_facebook_user

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-12287

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
Biagiotti Membership

Researcher

Tonn

More Details >

Computer Repair Shop <= 3.8119 - Authenticated (Customer+) Privilege Esclation via Account Takeover

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-56061

Patch Status
Patched

Published
Dec 18, 2024

Affected Software
CRM WordPress Plugin – RepairBuddy

Researcher

SOPROBRO

More Details >

Fancy Product Designer <= 6.4.3 - Unauthenticated Arbitrary File Upload

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-51919

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
Fancy Product Designer

Researcher

Rafie Muhammad

More Details >

JobBoard Job listing <= 1.2.6 - Unauthenticated Arbitrary File Upload

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-43243

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
JobBoard Job listing plugin

Researcher

ardias

More Details >

Locatoraid Store Locator <= 3.9.50 - Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-56283

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
Locatoraid Store Locator

Researcher

LVT-tholv2k

More Details >

Partners <= 0.2.0 - Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-56059

Patch Status
Unpatched

Published
Dec 17, 2024

Affected Software
Partners

Researcher

Le Ngoc Anh

More Details >

PlainInventory <= 3.1.6 - Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-56291

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
PlainInventory – Inventory Management Plugin

Researcher

LVT-tholv2k

More Details >

Private Messages for UserPro <= 4.10.0 - Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-22311

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
userpro-messaging

Researcher

Bonds

More Details >

Simple Dashboard <= 2.0 - Unauthenticated Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-56071

Patch Status
Unpatched

Published
Dec 18, 2024

Affected Software
Simple Dashboard

Researcher

Mika

More Details >

SSL Wireless SMS Notification <= 3.5.0 - Unauthenticated Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-56220

Patch Status
Unpatched

Published
Dec 19, 2024

Affected Software
SSL Wireless SMS Notification

Researcher

Bonds

More Details >

Store Locator <= 3.98.10 - Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-12571

Patch Status
Unpatched

Published
Dec 19, 2024

Affected Software
Store Locator for WordPress with Google Maps – LotsOfLocales

Researcher

Jay Nguyen

More Details >

Userpro <= 5.1.9 - Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-56214

Patch Status
Unpatched

Published
Dec 19, 2024

Affected Software
UserPro - Community and User Profile WordPress Plugin

Researcher

Rafie Muhammad

More Details >

VibeBP <= 1.9.9.4.1 - Unauthenticated Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-56040

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
VibeBP

Researcher

Rafie Muhammad

More Details >

VRPConnector <= 2.0.1 - Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-56058

Patch Status
Unpatched

Published
Dec 17, 2024

Affected Software
VRPConnector

Researcher

Le Ngoc Anh

More Details >

WooCommerce Point of Sale <= 6.1.0 - Insecure Direct Object Reference to Privilege Escalation via Arbitrary User Email Change

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-11281

Patch Status
Patched

Published
Dec 24, 2024

Affected Software
WooCommerce Point of Sale

Researcher

Tonn

More Details >

WP SuperBackup <= 2.3.3 - Unauthenticated Arbitrary File Upload

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-56064

Patch Status
Patched

Published
Dec 18, 2024

Affected Software
Super Backup & Clone - Migrate for WordPress

Researcher

Dave Jong

More Details >

WPGuppy <= 1.1.0 - Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-49222

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
One to one user Chat by WPGuppy

Researcher

I8BL

More Details >

WPLMS <= 1.9.9 - Unauthenticated Arbitrary File Upload

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-56046

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
WPLMS Learning Management System for WordPress, WordPress LMS

Researcher

Rafie Muhammad

More Details >

WPLMS <= 1.9.9 - Unauthenticated Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-56043

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
WPLMS Learning Management System for WordPress, WordPress LMS

Researcher

Rafie Muhammad

More Details >

AutomatorWP <= 5.0.9 - Reflected Cross-Site Scripting via a-0-o-search_field_value

9.6

CVSS Rating
Critical (9.6)

CVE-ID
CVE-2024-12626

Patch Status
Patched

Published
Dec 18, 2024

Affected Software
AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress

Researcher

Vincent Fourcade (vinceMatsui)

More Details >

Accessibility by AllAccessible <= 1.3.4 - Authenticated (Subscriber+) Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-49644

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
Accessibility by AllAccessible

Researcher

Mika

More Details >

ALL In One Custom Login Page <= 7.1.1 - Missing Authorization to Authenticated (Subscriber+)Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-12594

Patch Status
Patched

Published
Dec 23, 2024

Affected Software
Custom Login Page Styler – Limit Login Attempts – Restrict Content With Login – Redirect After Login – Change Login Url

Researcher

Lucio Sá

More Details >

ARPrice <= 4.0.3 - Authenticated (Subscriber+) PHP Object Injection

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-49699

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
ARPrice - WordPress Pricing Table Plugin

Researcher

Bonds

More Details >

Backup Migration <= 1.4.6 - Unauthenticated PHP Object Injection via 'recursive_unserialize_replace'

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-10932

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
Backup Migration

Researcher

Webbernaut

More Details >

CRM WordPress Plugin – RepairBuddy <= 3.8120 - Missing Authorization to Account Takeover/Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-12259

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
CRM WordPress Plugin – RepairBuddy

Researcher

Thanh Nam Tran

More Details >

Dynamic Product Category Grid, Slider for WooCommerce <= 1.1.3 - Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-56230

Patch Status
Patched

Published
Dec 19, 2024

Affected Software
Dynamic Product Category Grid, Slider for WooCommerce

Researcher

João Pedro Soares de Alcântara

More Details >

eCommerce Product Catalog Plugin for WordPress <= 3.3.43 - Cross-Site Request Forgery to Password Reset

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-12771

Patch Status
Patched

Published
Dec 20, 2024

Affected Software
eCommerce Product Catalog Plugin for WordPress

Researcher

shaman0x01

More Details >

Eventin <= 4.0.7 - Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-56213

Patch Status
Patched

Published
Dec 19, 2024

Affected Software
Event Manager, Events Calendar, Tickets, Registrations – Eventin

Researcher

João Pedro Soares de Alcântara

More Details >

PlugVersions – Easily rollback to previous versions of your plugins <= 0.0.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Creation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-12881

Patch Status
Patched

Published
Dec 23, 2024

Affected Software
PlugVersions – Easily rollback to previous versions of your plugins

Researcher

Arkadiusz Hydzik

More Details >

s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions <= 241114 - Authenticated (Contributor+) Sensitive Information Exposure

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-8326

Patch Status
Patched

Published
Dec 16, 2024

Affected Software
s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions

Researcher

wesley (wcraft)

More Details >

Sinking Dropdowns <= 1.25 - Cross-Site Request Forgery

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-56204

Patch Status
Unpatched

Published
Dec 18, 2024

Affected Software
Sinking Dropdowns WordPress

Researcher

Mika

More Details >

SMSA Shipping(official) <= 2.2 - Authenticated (Subscriber+) Arbitrary File Deletion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-12066

Patch Status
Unpatched

Published
Dec 20, 2024

Affected Software
SMSA Shipping (official)

Researcher

Brian Sans-Souci (liardom)

More Details >

Themify Builder <= 7.6.3 - Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-56216

Patch Status
Patched

Published
Dec 19, 2024

Affected Software
Themify Builder

Researcher

João Pedro Soares de Alcântara

More Details >

UpdraftPlus: WP Backup & Migration Plugin 1.23.8 - 1.24.11 - Unauthenticated PHP Object Injection

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-10957

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
UpdraftPlus: WP Backup & Migration Plugin

Researcher

Webbernaut

More Details >

User Role Editor <= 4.64.3 - Cross-Site Request Forgery to Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-12293

Patch Status
Patched

Published
Dec 16, 2024

Affected Software
User Role Editor

Researcher

vgo0

More Details >

Wayne Audio Player <= 1.0 - Cross-Site Request Forgery to Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-56203

Patch Status
Unpatched

Published
Dec 18, 2024

Affected Software
Wayne Audio Player

Researcher

Mika

More Details >

WP SuperBackup <= 2.3.3 - Authenticated (Subscriber+) PHP Object Injection

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-56068

Patch Status
Patched

Published
Dec 18, 2024

Affected Software
Super Backup & Clone - Migrate for WordPress

Researcher

Dave Jong

More Details >

WP Travel Engine – Elementor Widgets | Create Travel Booking Website Using WordPress and Elementor <= 1.3.7 - Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-12272

Patch Status
Patched

Published
Dec 24, 2024

Affected Software
WP Travel Engine – Elementor Widgets | Create Travel Booking Website Using WordPress and Elementor

Researcher

Webbernaut

More Details >

WPGuppy <= 1.1.0 - Authenticated (Subscriber+) Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-56280

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
One to one user Chat by WPGuppy

Researcher

I8BL

More Details >

WPLMS < 1.9.9.5 - Authenticated (Student+) Remote Code Execution

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-56051

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
WPLMS Learning Management System for WordPress, WordPress LMS

Researcher

Rafie Muhammad

More Details >

WPLMS < 1.9.9.5.2 - Authenticated (Contributor+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-56057

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
WPLMS Learning Management System for WordPress, WordPress LMS

Researcher

Rafie Muhammad

More Details >

WPLMS < 1.9.9.5.2 - Authenticated (Instructor+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-56054

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
WPLMS Learning Management System for WordPress, WordPress LMS

Researcher

Rafie Muhammad

More Details >

WPLMS < 1.9.9.5.2 - Authenticated (Student+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-56052

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
WPLMS Learning Management System for WordPress, WordPress LMS

Researcher

Rafie Muhammad

More Details >

WPLMS < 1.9.9.5.3 - Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-56050

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
WPLMS Learning Management System for WordPress, WordPress LMS

Researcher

Rafie Muhammad

More Details >

WPLMS <= 1.9.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-56048

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
WPLMS Learning Management System for WordPress, WordPress LMS

Researcher

Rafie Muhammad

More Details >

WPMozo Addons Lite for Elementor <= 1.1.0 - Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-56282

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
WPMozo Addons Lite for Elementor

Researcher

João Pedro Soares de Alcântara

More Details >

워드프레스 결제 심플페이 <= 5.2.0 - Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-56281

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
워드프레스 결제 심플페이 – 우커머스 결제 플러그인

Researcher

Peter Thaleikis

More Details >

Interactive UK Map <= 3.4.8 - Cross-Site Request Forgery to Stored Cross-Site Scripting

8.2

CVSS Rating
High (8.2)

CVE-ID
CVE-2024-56267

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
Interactive UK Map

Researcher

SOPROBRO

More Details >

WPLMS < 1.9.9.5 - Unauthenticated Arbitrary Directory Deletion

8.2

CVSS Rating
High (8.2)

CVE-ID
CVE-2024-56045

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
WPLMS Learning Management System for WordPress, WordPress LMS

Researcher

Rafie Muhammad

More Details >

WPC Shop as a Customer for WooCommerce <= 1.2.8 - Authentication Bypass Due to Insufficiently Unique Key

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2024-12432

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
WPC Shop as a Customer for WooCommerce

Researcher

Thanh Nam Tran

More Details >

WP All Import Pro <= 4.9.3 - Authenticated (Administrator+) Server-Side Request Forgery via File Import

7.6

CVSS Rating
High (7.6)

CVE-ID
CVE-2024-9624

Patch Status
Patched

Published
Dec 16, 2024

Affected Software
WP All Import Pro

Researcher

Ivan Kuzymchak

More Details >

ARPrice <= 4.0.3 - Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-49655

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
ARPrice - WordPress Pricing Table Plugin

Researcher

Bonds

More Details >

Collapsing Categories <= 3.0.8 - Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-12025

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
Collapsing Categories

Researcher

mikemyers

More Details >

Fancy Product Designer <= 6.4.3 - Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-51818

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
Fancy Product Designer

Researcher

Rafie Muhammad

More Details >

Multiple Shipping And Billing Address For Woocommerce <= 1.2 - Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-56290

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
Multiple Shipping And Billing Address For Woocommerce

Researcher

LVT-tholv2k

More Details >

SSL Wireless SMS Notification <= 3.5.0 - Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-56284

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
SSL Wireless SMS Notification

Researcher

LVT-tholv2k

More Details >

Traveler <= 3.1.6 - Unauthenticated SQL Injection via order_id

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-11912

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
Travel Booking WordPress Theme

Researcher

Lucio Sá

More Details >

VibeBP < 1.9.9.7.7 - Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-56039

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
VibeBP

Researcher

Rafie Muhammad

More Details >

WP Data Access – App, Table, Form and Chart Builder plugin <= 5.5.22 - Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-12428

Patch Status
Patched

Published
Dec 24, 2024

Affected Software
WP Data Access – App, Table, Form and Chart Builder plugin

Researcher

mikemyers

More Details >

WP SuperBackup <= 2.3.3 - Missing Authorization to Unauthenticated Back-Up File Download

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-56067

Patch Status
Patched

Published
Dec 18, 2024

Affected Software
Super Backup & Clone - Migrate for WordPress

Researcher

Dave Jong

More Details >

WPLMS < 1.9.9.5.3 - Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2024-56042

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
wplms-plugin

Researcher

Rafie Muhammad

More Details >

Download Manager <= 3.3.03 - Unauthenticated Arbitrary Shortcode Execution

7.3

CVSS Rating
High (7.3)

CVE-ID
CVE-2024-11740

Patch Status
Patched

Published
Dec 18, 2024

Affected Software
Download Manager

Researcher

mikemyers

More Details >

kk Star Ratings – Rate Post & Collect User Feedbacks <= 5.4.10 - Unauthenticated Arbitrary Shortcode Execution

7.3

CVSS Rating
High (7.3)

CVE-ID
CVE-2024-11977

Patch Status
Patched

Published
Dec 20, 2024

Affected Software
kk Star Ratings – Rate Post & Collect User Feedbacks

Researcher

mikemyers

More Details >

WordPress Popular Posts <= 7.1.0 - Unauthenticated Arbitrary Shortcode Execution

7.3

CVSS Rating
High (7.3)

CVE-ID
CVE-2024-11733

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
WordPress Popular Posts

Researcher

mikemyers

More Details >

ACF City Selector <= 1.14.0 - Authenticated (Admin+) Arbitrary File Upload

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-56264

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
ACF City Selector

Researcher

ardias

More Details >

Classic Addons – WPBakery Page Builder <= 3.0 - Authenticated (Editor+) Local File Inclusion

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-56286

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
Classic Addons – WPBakery Page Builder

Researcher

João Pedro Soares de Alcântara

More Details >

Custom Product Tabs For WooCommerce <= 1.2.4 - Authenticated (Shop Manager+) PHP Object Injection

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-12721

Patch Status
Patched

Published
Dec 20, 2024

Affected Software
Custom Product tabs for WooCommerce

Researcher

Francesco Carlucci

More Details >

EventPrime – Events Calendar, Bookings and Tickets <= 4.0.5.3 - Unauthenticated Stored Cross-Site Scripting via Ticket Category and Ticket Type Name

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-12024

Patch Status
Patched

Published
Dec 16, 2024

Affected Software
EventPrime – Events Calendar, Bookings and Tickets

Researcher

zer0gh0st

More Details >

Kintpv Wooconnect <= 8.129 - Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-56233

Patch Status
Unpatched

Published
Dec 19, 2024

Affected Software
Kintpv Wooconnect

Researcher

theviper17y

More Details >

Tour Master - Tour Booking, Travel, Hotel < 5.3.4 - Unauthenticated Stored Cross-Site Scripting via Room Booking

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-11356

Patch Status
Patched

Published
Dec 16, 2024

Affected Software
Tour Master - Tour Booking, Travel, Hotel

Researcher

Bob Matyas

More Details >

WPMasterToolKit <= 1.13.1 - Authenticated (Admin+) Arbitrary File Upload

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2024-56249

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
WPMasterToolKit (WPMTK) – All in one plugin

Researcher

l8BL

More Details >

WPLMS < 1.9.9.5.2 - Authenticated (Contributor+) Arbitrary Directory Deletion

7.1

CVSS Rating
High (7.1)

CVE-ID
CVE-2024-56055

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
WPLMS Learning Management System for WordPress, WordPress LMS

Researcher

Rafie Muhammad

More Details >

WPLMS < 1.9.9.5.2 - Authenticated (Subscriber+) Arbitrary File Deletion

7.1

CVSS Rating
High (7.1)

CVE-ID
CVE-2024-56049

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
WPLMS Learning Management System for WordPress, WordPress LMS

Researcher

Rafie Muhammad

More Details >

Advanced Floating Content <= 3.8.2 - Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-12031

Patch Status
Patched

Published
Dec 23, 2024

Affected Software
Advanced Floating Content

Researcher

Thái An (Thái An)

More Details >

Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress <= 1.1.21 - Authenticated (Contributor+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-11726

Patch Status
Patched

Published
Dec 23, 2024

Affected Software
Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress

Researcher

shaman0x01

More Details >

ARPrice <= 4.0.3 - Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-49666

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
ARPrice - WordPress Pricing Table Plugin

Researcher

Bonds

More Details >

Booking Calendar WpDevArt <= 3.2.19 - Authenticated (Contributor+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-10856

Patch Status
Patched

Published
Dec 23, 2024

Affected Software
Booking calendar, Appointment Booking System

Researcher

Peter Thaleikis

More Details >

DynamicTags <= 1.4.0 - Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-22348

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
DynamicTags

Researcher

João Pedro Soares de Alcântara

More Details >

ELEX WooCommerce Dynamic Pricing and Discounts <= 2.1.7 - Missing Authorization

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-12266

Patch Status
Patched

Published
Dec 23, 2024

Affected Software
ELEX WooCommerce Dynamic Pricing and Discounts

Researcher

Fariq Fadillah Gusti Insani (fariqfgi)

More Details >

Hero Mega Menu - Responsive WordPress Menu Plugin <= 1.16.5 - Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-49303

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
Hero Mega Menu - Responsive WordPress Menu Plugin

Researcher

Bonds

More Details >

Hero Mega Menu - Responsive WordPress Menu Plugin <= 1.16.5 - Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-49333

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
Hero Mega Menu - Responsive WordPress Menu Plugin

Researcher

Bonds

More Details >

JSP Store Locator <= 1.0 - Authenticated (Contributor+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-11267

Patch Status
Unpatched

Published
Dec 27, 2024

Affected Software
JSP Store Locator

Researcher

Régis SENET

More Details >

Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin | WooCommerce Booking <= 2.15.3 - Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-12032

Patch Status
Patched

Published
Dec 24, 2024

Affected Software
Tourfic – Ultimate Hotel Booking, Travel Booking & Car Rental WordPress Plugin | WooCommerce Booking

Researcher

Thái An (Thái An)

More Details >

Traveler <= 3.1.6 - Missing Authorization in Several AJAX Actions

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-11926

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
Travel Booking WordPress Theme

Researcher

Lucio Sá

More Details >

Userpro <= 5.1.9 - Authenticated (Contributor+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-56212

Patch Status
Unpatched

Published
Dec 19, 2024

Affected Software
UserPro - Community and User Profile WordPress Plugin

Researcher

Rafie Muhammad

More Details >

VibeBP < 1.9.9.5.1 - Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-56041

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
VibeBP

Researcher

Rafie Muhammad

More Details >

WP BASE Booking of Appointments, Services and Events <= 4.9.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via app_export_db

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-12558

Patch Status
Patched

Published
Dec 20, 2024

Affected Software
WP BASE Booking of Appointments, Services and Events

Researcher

Thanh Nam Tran

More Details >

WP Docs <= 2.2.0 - Authenticated (Subscriber+) Time-Based SQL Injection via 'dir_id'

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-12635

Patch Status
Patched

Published
Dec 20, 2024

Affected Software
WP Docs

Researcher

Arkadiusz Hydzik

More Details >

WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts <= 2.6.16 - Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-12195

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

WP Project Manager <= 2.6.15 - Authenticated (Subscriber+) Sensitive Information Exposure via Project Task List REST API

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-10548

Patch Status
Patched

Published
Dec 18, 2024

Affected Software
WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts

Researcher

Noah Stead (TurtleBurg)

More Details >

WPLMS < 1.9.9.5.3 - Authenticated (Instructor+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-56053

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
WPLMS Learning Management System for WordPress, WordPress LMS

Researcher

Rafie Muhammad

More Details >

WPLMS < 1.9.9.5.3 - Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-56047

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
WPLMS Learning Management System for WordPress, WordPress LMS

Researcher

Rafie Muhammad

More Details >

Animated Counters <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11905

Patch Status
Unpatched

Published
Dec 16, 2024

Affected Software
Animated Counters

Researcher

theviper17y

More Details >

Arconix Shortcodes <= 2.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56242

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
Arconix Shortcodes

Researcher

Peter Thaleikis

More Details >

Astra Widgets <= 1.2.15 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56274

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
Astra Widgets

Researcher

João Pedro Soares de Alcântara

More Details >

Barter <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-54346

Patch Status
Patched

Published
Dec 19, 2024

Affected Software
Barter

Researcher

stealthcopter

More Details >

Category Post Shortcode <= 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56021

Patch Status
Unpatched

Published
Dec 17, 2024

Affected Software
Category Post Shortcode

Researcher

0xd4rk5id3

More Details >

Category Post Slider <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11878

Patch Status
Unpatched

Published
Dec 19, 2024

Affected Software
Category Post Slider

Researcher

Peter Thaleikis

More Details >

Coins MarketCap <= 5.5.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56257

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
Coins MarketCap

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Compact WP Audio Player <= 1.9.14 - Authenticated (Contributor+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56279

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
Compact WP Audio Player

Researcher

theviper17y

More Details >

Contest Gallery <= 24.0.3 - Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56237

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons

Researcher

thiennv

More Details >

Contests by Rewards Fuel <= 2.0.65 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12513

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
Contests by Rewards Fuel

Researcher

zakaria

More Details >

ConvertCalculator for WordPress <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56302

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
ConvertCalculator for WordPress

Researcher

theviper17y

More Details >

Coupon <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56235

Patch Status
Unpatched

Published
Dec 19, 2024

Affected Software
Coupon Plugin

Researcher

Gab

More Details >

CRM Perks – WordPress HelpDesk Integration – Zendesk, Freshdesk, HelpScout <= 1.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12443

Patch Status
Patched

Published
Dec 16, 2024

Affected Software
CRM Perks – WordPress HelpDesk Integration – Zendesk, Freshdesk, HelpScout

Researcher

zaim

More Details >

Digi Store <= 1.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22354

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
Digi Store

Researcher

stealthcopter

More Details >

Easy Waveform Player <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11881

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
Easy Waveform Player

Researcher

Peter Thaleikis

More Details >

Education LMS <= 0.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22334

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
Education LMS

Researcher

Michael

More Details >

Elementor Header & Footer Builder <= 1.6.46 - Authenticated (Contributor+) Stored Cross-Site Scripting via Page Title Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11230

Patch Status
Patched

Published
Dec 22, 2024

Affected Software
Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder)

Researcher

wesley (wcraft)

More Details >

Elementor Website Builder – More than Just a Page Builder <= 3.25.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Typography Settings

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-10453

Patch Status
Patched

Published
Dec 20, 2024

Affected Software
Elementor Website Builder – More Than Just a Page Builder

Researcher

zer0gh0st

More Details >

ElementsCSS Addons for Elementor <= 1.0.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22321

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
ElementsCSS Addons for Elementor (Elementor Widgets Extender & Addons)

Researcher

Michael

More Details >

Embed Twine <= 0.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12509

Patch Status
Unpatched

Published
Dec 19, 2024

Affected Software
Embed Twine

Researcher

SOPROBRO

More Details >

EMC2 Alert Boxes <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22365

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
EMC2 Alert Boxes

Researcher

0xd4rk5id3

More Details >

Enter Addons <= 2.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56252

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
Enter Addons – Ultimate Template Builder for Elementor

Researcher

João Pedro Soares de Alcântara

More Details >

Envato Elements <= 2.0.14 - Authenticated (Author+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56275

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
Envato Elements – Photos & Elementor Templates

Researcher

Rafie Muhammad

More Details >

EO4WP <= 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22327

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
EO4WP: EmailOctopus for WordPress

Researcher

SOPROBRO

More Details >

Essential Addons for Elementor <= 6.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56063

Patch Status
Patched

Published
Dec 18, 2024

Affected Software
Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders

Researcher

João Pedro Soares de Alcântara

More Details >

Financial Calculator <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11783

Patch Status
Unpatched

Published
Dec 19, 2024

Affected Software
Financial Calculator

Researcher

Peter Thaleikis

More Details >

GeoDirectory <= 2.3.84 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56259

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
GeoDirectory – WP Business Directory Plugin and Classified Listings Directory

Researcher

João Pedro Soares de Alcântara

More Details >

Goodlayers Core <= 2.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11357

Patch Status
Patched

Published
Jan 2, 2025

Affected Software
Goodlayers Core

Researcher

Bob Matyas

More Details >

GS Coaches <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56262

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
GS Coaches

Researcher

SOPROBRO

More Details >

GS Shots for Dribbble <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56263

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
GS Shots for Dribbble

Researcher

SOPROBRO

More Details >

Image Hover Effects for Elementor <= 1.0.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22323

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
Image Hover Effects for Elementor

Researcher

Gab

More Details >

Inline Footnotes <= 2.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56019

Patch Status
Unpatched

Published
Dec 17, 2024

Affected Software
Inline Footnotes

Researcher

0xd4rk5id3

More Details >

Ledenbeheer <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56224

Patch Status
Patched

Published
Dec 19, 2024

Affected Software
Ledenbeheer

Researcher

SOPROBRO

More Details >

Loan Comparison <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12814

Patch Status
Patched

Published
Dec 23, 2024

Affected Software
Loan Comparison

Researcher

SOPROBRO

More Details >

Magazine Blocks <= 1.3.20 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56258

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid

Researcher

João Pedro Soares de Alcântara

More Details >

MagicPost <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wb_share_social Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12591

Patch Status
Patched

Published
Dec 20, 2024

Affected Software
MagicPost – WordPress文章管理功能增强插件

Researcher

SOPROBRO

More Details >

Move Addons for Elementor <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56254

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
Move Addons for Elementor

Researcher

João Pedro Soares de Alcântara

More Details >

Multi-column Tag Map <= 17.0.33 - Authenticated (Contributor+) Stored Cross-Site Scripting via mctagmap Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11196

Patch Status
Unpatched

Published
Dec 20, 2024

Affected Software
Multi-column Tag Map

Researcher

Peter Thaleikis

More Details >

NACC WordPress Plugin <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12506

Patch Status
Patched

Published
Dec 19, 2024

Affected Software
NACC WordPress Plugin

Researcher

yudha

More Details >

NewsDaily <= 1.0.60 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56208

Patch Status
Unpatched

Published
Dec 19, 2024

Affected Software
NewsDaily

Researcher

stealthcopter

More Details >

Nexter Blocks <= 4.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56246

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
Nexter Blocks – WordPress Gutenberg Blocks & 1000+ Starter Templates

Researcher

João Pedro Soares de Alcântara

More Details >

NinjaTeam Chat for Telegram <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11885

Patch Status
Patched

Published
Dec 23, 2024

Affected Software
NinjaTeam Chat for Telegram

Researcher

Peter Thaleikis

More Details >

One Click Upsell Funnel for WooCommerce <= 3.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via wps_wocuf_pro_yes Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11938

Patch Status
Patched

Published
Dec 20, 2024

Affected Software
One Click Upsell Funnel for WooCommerce – Funnel Builder for WordPress, Create WooCommerce Upsell, Post-Purchase Upsell & Cross Sell Offers that Boost Sales & Increase Profits with Sales Funnel Builder

Researcher

Peter Thaleikis

More Details >

Optio Dentistry <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12507

Patch Status
Patched

Published
Dec 23, 2024

Affected Software
Optio Dentistry

Researcher

yudha

More Details >

Outdooractive Embed <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11774

Patch Status
Patched

Published
Dec 19, 2024

Affected Software
Outdooractive Embed

Researcher

zaim

More Details >

Particle Background <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11775

Patch Status
Unpatched

Published
Dec 19, 2024

Affected Software
Particle Background

Researcher

zaim

More Details >

PCRecruiter Extensions <= 1.4.22 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11776

Patch Status
Patched

Published
Dec 19, 2024

Affected Software
PCRecruiter Extensions

Researcher

yudha

More Details >

Philantro – Donations and Donor Management <= 5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12500

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
Philantro – Donations and Donor Management

Researcher

yudha

More Details >

Piotnet Addons For Elementor <= 2.4.31 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22333

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
Piotnet Addons For Elementor

Researcher

Robert DeVore

More Details >

Portfolio – Filterable Masonry Portfolio Gallery for Professionals <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11900

Patch Status
Unpatched

Published
Dec 16, 2024

Affected Software
Portfolio – Filterable Masonry Portfolio Gallery for Professionals

Researcher

Peter Thaleikis

More Details >

Post Grid Elementor Addon <= 2.0.18 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56268

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
Post Grid Elementor Addon

Researcher

ghsinfosec

More Details >

Premium Blocks – Gutenberg Blocks for WordPress <= 2.1.42 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56245

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
Premium Blocks – Gutenberg Blocks for WordPress

Researcher

João Pedro Soares de Alcântara

More Details >

Project Showcase <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56261

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
Project Showcase – A WordPress Plugin to Display Projects in Various Layouts

Researcher

SOPROBRO

More Details >

Pronamic Google Maps <= 2.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56240

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
Pronamic Google Maps

Researcher

Peter Thaleikis

More Details >

real.Kit <= 5.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12697

Patch Status
Unpatched

Published
Dec 20, 2024

Affected Software
real.Kit

Researcher

SOPROBRO

More Details >

Responsive Blocks – WordPress Gutenberg Blocks <= 1.9.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12268

Patch Status
Patched

Published
Dec 23, 2024

Affected Software
Responsive Blocks – WordPress Gutenberg Blocks

Researcher

theviper17y

More Details >

Royal Elementor Addons <= 1.3.987 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56062

Patch Status
Patched

Published
Dec 18, 2024

Affected Software
Royal Elementor Addons and Templates

Researcher

Robert DeVore

More Details >

SaasPricing <= 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56231

Patch Status
Unpatched

Published
Dec 19, 2024

Affected Software
SaasPricing – Pricing Table, Price list, Comparison Table for Elementor

Researcher

Gab

More Details >

ScanCircle <= 2.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11439

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
ScanCircle

Researcher

zakaria

More Details >

Sell Tickets Online – TicketSource Ticket Shop for WordPress <= 3.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11784

Patch Status
Patched

Published
Dec 19, 2024

Affected Software
TicketSource Ticket Shop

Researcher

theviper17y

More Details >

shMapper by Teplitsa <= 1.4.18 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12518

Patch Status
Patched

Published
Dec 23, 2024

Affected Software
ShMapper by Teplitsa

Researcher

Peter Thaleikis

More Details >

ShopElement <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56260

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
ShopElement

Researcher

Gab

More Details >

Shortcodes and extra features for Phlox theme <= 2.16.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via aux_contact_box and aux_gmaps Shortcodes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-9545

Patch Status
Unpatched

Published
Dec 20, 2024

Affected Software
Shortcodes and extra features for Phlox theme

Researcher

David Gallagher (BatFeats)

More Details >

Shortcodes and extra features for Phlox theme <= 2.16.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Staff Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12588

Patch Status
Unpatched

Published
Dec 20, 2024

Affected Software
Shortcodes and extra features for Phlox theme

Researcher

zer0gh0st

More Details >

Slope Widgets <= 4.2.12 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11902

Patch Status
Patched

Published
Dec 16, 2024

Affected Software
Slope Widgets

Researcher

zaim

More Details >

Spoki – Chat Buttons and WooCommerce Notifications <= 2.15.14 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11893

Patch Status
Unpatched

Published
Dec 19, 2024

Affected Software
Spoki – Chat Buttons and WooCommerce Notifications

Researcher

theviper17y

More Details >

Spotlightr <= 0.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11411

Patch Status
Unpatched

Published
Dec 19, 2024

Affected Software
Spotlightr

Researcher

SOPROBRO

More Details >

Store Commerce <= 1.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22339

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
Store Commerce

Researcher

Michael

More Details >

SvegliaT Buttons <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56020

Patch Status
Unpatched

Published
Dec 17, 2024

Affected Software
SvegliaT Buttons

Researcher

0xd4rk5id3

More Details >

Tabs Shortcode <= 2.0.2 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11606

Patch Status
Unpatched

Published
Dec 17, 2024

Affected Software
Tabs Shortcode

Researcher

Bob Matyas

More Details >

Taeggie Feed <= 0.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11748

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
Taeggie Feed

Researcher

theviper17y

More Details >

Taskbuilder – WordPress Project & Task Management plugin <= 3.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via wppm_tasks Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11930

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
Taskbuilder – WordPress Project & Task Management plugin

Researcher

Peter Thaleikis

More Details >

Text Prompter – Unlimited chatgpt text prompts for openai tasks <= 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11896

Patch Status
Patched

Published
Dec 23, 2024

Affected Software
Text Prompter – Unlimited chatgpt text prompts for openai tasks

Researcher

zaim

More Details >

Themify Audio Dock <= 2.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56239

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
Themify Audio Dock

Researcher

SOPROBRO

More Details >

TPG Get Posts <= 3.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-11906

Patch Status
Unpatched

Published
Dec 16, 2024

Affected Software
TPG Get Posts

Researcher

theviper17y

More Details >

Tracking Code Manager <= 2.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-8721

Patch Status
Patched

Published
Dec 23, 2024

Affected Software
Tracking Code Manager

Researcher

TANG Cheuk Hei (siunam)

More Details >

Video Share VOD – Turnkey Video Site Builder Script <= 2.6.30 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12449

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
Video Share VOD – Turnkey Video Site Builder Script

Researcher

zaim

More Details >

WordPress Simple Shopping Cart <= 5.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12622

Patch Status
Patched

Published
Dec 23, 2024

Affected Software
WordPress Simple Shopping Cart

Researcher

yudha

More Details >

WP jQuery DataTable <= 4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56287

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
WP jQuery DataTable

Researcher

zaim

More Details >

WP Multi Store Locator <= 2.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-12475

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
WP Multi Store Locator

Researcher

SOPROBRO

More Details >

WP SHAPES <= 1.0.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-9619

Patch Status
Unpatched

Published
Dec 19, 2024

Affected Software
WP SHAPES

Researcher

Francesco Carlucci

More Details >

WPAchievements Free <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22362

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
WPAchievements Free

Researcher

0xd4rk5id3

More Details >

WPBITS Addons For Elementor Page Builder <= 1.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56285

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
WPBITS Addons For Elementor Page Builder

Researcher

Robert DeVore

More Details >

WPKoi Templates for Elementor <= 3.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56241

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
WPKoi Templates for Elementor

Researcher

João Pedro Soares de Alcântara

More Details >

WPMozo Addons Lite for Elementor <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-56221

Patch Status
Patched

Published
Dec 19, 2024

Affected Software
WPMozo Addons Lite for Elementor

Researcher

Gab

More Details >

Ninja Forms – The Contact Form Builder That Grows With You <= 3.8.22 - Authenticated (Subscriber+) Arbitrary Shortcode Execution

6.3

CVSS Rating
Medium (6.3)

CVE-ID
CVE-2024-12238

Patch Status
Patched

Published
Dec 28, 2024

Affected Software
Ninja Forms – The Contact Form Builder That Grows With You

Researcher

mikemyers

More Details >

10CentMail <= 2.1.50 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56030

Patch Status
Unpatched

Published
Dec 17, 2024

Affected Software
10CentMail

Researcher

João Pedro Soares de Alcântara

More Details >

5centsCDN <= 24.8.16 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22326

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
5centsCDN – WordPress CDN Plugin

Researcher

João Pedro Soares de Alcântara

More Details >

AdWork Media EZ Content Locker <= 3.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56025

Patch Status
Unpatched

Published
Dec 17, 2024

Affected Software
AdWork Media EZ Content Locker

Researcher

João Pedro Soares de Alcântara

More Details >

Affiliate Program Suite — SliceWP Affiliates <= 1.1.23 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12454

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
Affiliate Program Suite — SliceWP Affiliates

Researcher

vgo0

More Details >

AMP for WP – Accelerated Mobile Pages <= 1.1.1 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11254

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
AMP for WP – Accelerated Mobile Pages

Researcher

Xiaoyong Wu

More Details >

Autocompleter <= 1.3.5.2 - Cross-Site Request Forgery

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22325

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
Autocompleter

Researcher

SOPROBRO

More Details >

Bitcoin Lightning Publisher for WordPress <= 1.4.1 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12100

Patch Status
Patched

Published
Dec 23, 2024

Affected Software
Bitcoin Lightning Publisher for WordPress

Researcher

0xd4rk5id3

More Details >

BU Section Editing <= 0.9.9 - Reflected Cross-Site Scripting via [placeholder]

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56018

Patch Status
Unpatched

Published
Dec 17, 2024

Affected Software
BU Section Editing

Researcher

João Pedro Soares de Alcântara

More Details >

BVD Easy Gallery Manager <= 1.0.6 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22353

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
BVD Easy Gallery Manager

Researcher

stealthcopter

More Details >

Contact Form Master <= 1.0.7 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12587

Patch Status
Unpatched

Published
Dec 20, 2024

Affected Software
Contact Form Master – by Edmon

Researcher

Hassan Khan Yusufzai - Splint3r7

More Details >

Custom Dashboard Widget <= 1.0.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56024

Patch Status
Unpatched

Published
Dec 17, 2024

Affected Software
Custom Dashboard Widget

Researcher

Le Ngoc Anh

More Details >

Easy Language Switcher <= 1.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56029

Patch Status
Unpatched

Published
Dec 17, 2024

Affected Software
Easy Language Switcher

Researcher

João Pedro Soares de Alcântara

More Details >

Ebook Store <= 5.8001 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11287

Patch Status
Unpatched

Published
Dec 20, 2024

Affected Software
Ebook Store

Researcher

Peter Thaleikis

More Details >

Ebook Store <= 5.8001 - Reflected Cross-Site Scripting via 'step'

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12262

Patch Status
Unpatched

Published
Dec 20, 2024

Affected Software
Ebook Store

Researcher

nvthien

More Details >

Export Customers Data <= 1.2.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12405

Patch Status
Patched

Published
Dec 23, 2024

Affected Software
Export Customers Data

Researcher

vgo0

More Details >

FAQs <= 1.0.2 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56033

Patch Status
Unpatched

Published
Dec 17, 2024

Affected Software
FAQs

Researcher

ardias

More Details >

Feedify – Web Push Notifications <= 2.4.2 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11811

Patch Status
Patched

Published
Dec 20, 2024

Affected Software
Feedify – Web Push Notifications

Researcher

vgo0

More Details >

FV Descriptions <= 1.4 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56032

Patch Status
Unpatched

Published
Dec 17, 2024

Affected Software
FV Descriptions

Researcher

ardias

More Details >

G Web Pro Store Locator <= 2.1 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11682

Patch Status
Unpatched

Published
Dec 20, 2024

Affected Software
G Web Pro Store Locator

Researcher

vgo0

More Details >

Groundhogg <= 3.7.3.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56289

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Researcher

Webula

More Details >

Gulri Slider <= 3.5.8 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56223

Patch Status
Patched

Published
Dec 19, 2024

Affected Software
Gulri Slider

Researcher

thiennv

More Details >

HTML Forms <= 1.4.1 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56060

Patch Status
Patched

Published
Dec 18, 2024

Affected Software
HTML Forms – Simple WordPress Forms Plugin

Researcher

Peter Thaleikis

More Details >

Image Mapper <= 0.2.5.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56016

Patch Status
Unpatched

Published
Dec 16, 2024

Affected Software
Image Mapper

Researcher

Mika

More Details >

isee-products-extractor <= 2.1.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11331

Patch Status
Patched

Published
Dec 19, 2024

Affected Software
استخراج محصولات ووکامرس برای آیسی

Researcher

vgo0

More Details >

Kikx Simple Post Author Filter <= 1.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22355

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
Kikx Simple Post Author Filter

Researcher

João Pedro Soares de Alcântara

More Details >

Kleo < 5.4.4 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56209

Patch Status
Patched

Published
Dec 19, 2024

Affected Software
KLEO - Community Focused & Multi-Purpose BuddyPress WordPress Theme

Researcher

Rafie Muhammad

More Details >

LaTeX2HTML <= 2.5.5 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11688

Patch Status
Unpatched

Published
Dec 20, 2024

Affected Software
LaTeX2HTML

Researcher

vgo0

More Details >

Leads CRM <= 2.0.13 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56027

Patch Status
Unpatched

Published
Dec 17, 2024

Affected Software
Leads CRM for WordPress WooCommerce

Researcher

Mika

More Details >

Learning Management System, eLearning, Course Builder, WordPress LMS Plugin – Sikshya LMS <= 0.0.21 - Reflected Cross-Site Scripting via page Parameter

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12127

Patch Status
Patched

Published
Dec 16, 2024

Affected Software
Learning Management System, eLearning, Course Builder, WordPress LMS Plugin – Sikshya LMS

Researcher

vgo0

More Details >

Lemonade Social Networks Autoposter Pinterest <= 2.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56028

Patch Status
Unpatched

Published
Dec 17, 2024

Affected Software
Lemonade Social Networks Autoposter Pinterest

Researcher

Mika

More Details >

Mang Board WP <= 1.8.4 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56296

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
Mang Board WP

Researcher

trongnb02

More Details >

Media Library Assistant <= 3.23 - Reflected Cross-Site Scripting via smc_settings_tab, unattachfixit-action, and woofixit-action Parameters

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11974

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
Media Library Assistant

Researcher

vgo0

More Details >

NAVER Analytics <= 0.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-51700

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
NAVER Analytics

Researcher

渡辺康介

More Details >

Notify Odoo <= 1.0.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56299

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
Notify Odoo

Researcher

SOPROBRO

More Details >

odPhotogallery <= 0.5.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56036

Patch Status
Unpatched

Published
Dec 17, 2024

Affected Software
odPhotogalleryPlugin

Researcher

João Pedro Soares de Alcântara

More Details >

Olivia <= 0.9.5 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56014

Patch Status
Unpatched

Published
Dec 16, 2024

Affected Software
Olivia

Researcher

0xd4rk5id3

More Details >

Pingmeter Uptime Monitoring <= 1.0.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11808

Patch Status
Unpatched

Published
Dec 20, 2024

Affected Software
Pingmeter Uptime Monitoring

Researcher

vgo0

More Details >

PKT1 Centro de envios <= 1.2.1 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11806

Patch Status
Unpatched

Published
Dec 19, 2024

Affected Software
PKT1 Centro de envios

Researcher

vgo0

More Details >

PowerPack Lite for Beaver Builder <= 1.3.0.5 - Reflected Cross-Site Scripting via Navigate Parameter

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12239

Patch Status
Patched

Published
Dec 16, 2024

Affected Software
PowerPack Lite for Beaver Builder

Researcher

Le Ngoc Anh

More Details >

Preloader by WordPress Monsters <= 1.2.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56022

Patch Status
Unpatched

Published
Dec 17, 2024

Affected Software
Preloader by WordPress Monsters

Researcher

ardias

More Details >

ProductDyno <= 1.0.24 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22320

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
ProductDyno

Researcher

Jorge Diaz (ddiax)

More Details >

Reactflow Visitor Recording and Heatmaps <= 1.0.10 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11975

Patch Status
Unpatched

Published
Dec 20, 2024

Affected Software
Reactflow Visitor Recording and Heatmaps

Researcher

vgo0

More Details >

Royal Elementor Addons <= 1.7.1001 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56226

Patch Status
Patched

Published
Dec 19, 2024

Affected Software
Royal Elementor Addons and Templates

Researcher

Rafie Muhammad

More Details >

Saoshyant Element <= 1.2 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-51646

Patch Status
Unpatched

Published
Dec 16, 2024

Affected Software
Saoshyant Element

Researcher

João Pedro Soares de Alcântara

More Details >

SendSMS <= 1.2.9 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56038

Patch Status
Unpatched

Published
Dec 17, 2024

Affected Software
SendSMS

Researcher

João Pedro Soares de Alcântara

More Details >

Services updates for customers <= 1.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56034

Patch Status
Unpatched

Published
Dec 17, 2024

Affected Software
Services updates for customers

Researcher

João Pedro Soares de Alcântara

More Details >

Simple Proxy <= 1.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56026

Patch Status
Unpatched

Published
Dec 17, 2024

Affected Software
Simple Proxy

Researcher

Mika

More Details >

SMS for WooCommerce <= 2.8.1 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12220

Patch Status
Patched

Published
Dec 16, 2024

Affected Software
SMS for WooCommerce

Researcher

vgo0

More Details >

Stop Registration Spam <= 1.23 - Cross-Site Request Forgery to Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12219

Patch Status
Patched

Published
Dec 16, 2024

Affected Software
Stop Registration Spam

Researcher

vgo0

More Details >

SyncFields <= 2.1 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22359

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
SyncFields

Researcher

thiennv

More Details >

Target Notifications <= 1.1.1 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22357

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
Target Notifications

Researcher

João Pedro Soares de Alcântara

More Details >

Turnkey bbPress by WeaverTheme <= 1.6.3 - Reflected Cross-Site Scripting via _wpnonce Parameter

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12221

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
Turnkey bbPress by WeaverTheme

Researcher

vgo0

More Details >

Upload Scanner <= 1.2 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56035

Patch Status
Unpatched

Published
Dec 17, 2024

Affected Software
Upload Scanner

Researcher

Zlrqh

More Details >

User Referral <= 8.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56037

Patch Status
Unpatched

Published
Dec 17, 2024

Affected Software
User Referral ( Free ) – Points, Rewards, Loyalty, Leader Board & Referrals Plugin

Researcher

SOPROBRO

More Details >

Userpro <= 5.1.9 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56210

Patch Status
Unpatched

Published
Dec 19, 2024

Affected Software
UserPro - Community and User Profile WordPress Plugin

Researcher

Rafie Muhammad

More Details >

Wishlist for WooCommerce: Multi Wishlists Per Customer <= 3.1.2 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56228

Patch Status
Patched

Published
Dec 19, 2024

Affected Software
Wishlist for WooCommerce: Multi Wishlists Per Customer

Researcher

Le Ngoc Anh

More Details >

Wizhi Multi Filters by Wenprise <= 1.8.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22336

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
Wizhi Multi Filters by Wenprise

Researcher

SOPROBRO

More Details >

WooCommerce Additional Fees On Checkout (Free) <= 1.4.7 - Reflected Cross-Site Scripting via 'number'

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12395

Patch Status
Patched

Published
Dec 16, 2024

Affected Software
WooCommerce Additional Fees On Checkout (Free)

Researcher

vgo0

More Details >

WooCommerce PDF Vouchers < 4.9.9 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56265

Patch Status
Patched

Published
Dec 19, 2024

Affected Software
WooCommerce - PDF Vouchers

Researcher

Bonds

More Details >

Wp advertising management <= 1.0.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22358

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
Wp advertising management

Researcher

Dimas Maulana

More Details >

WP BASE Booking of Appointments, Services and Events <= 4.9.1 - Reflected Cross-Site Scripting via status Parameter

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12469

Patch Status
Patched

Published
Dec 16, 2024

Affected Software
WP BASE Booking of Appointments, Services and Events

Researcher

vgo0

More Details >

WP Compress – Instant Performance & Speed Optimization <= 6.30.03 - Reflected Cross-Site Scripting via custom_server Parameter

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12047

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
WP Compress – Instant Performance & Speed Optimization

Researcher

vgo0

More Details >

WP Datepicker <= 2.1.4 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12468

Patch Status
Patched

Published
Dec 23, 2024

Affected Software
WP Datepicker

Researcher

vgo0

More Details >

WP eCommerce Quickpay <= 1.1.0 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56023

Patch Status
Unpatched

Published
Dec 17, 2024

Affected Software
WP eCommerce Quickpay

Researcher

Mika

More Details >

WP on AWS <= 5.2.1 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12408

Patch Status
Patched

Published
Dec 20, 2024

Affected Software
WP on AWS

Researcher

vgo0

More Details >

WP Simple Sitemap <= 0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22342

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
WP Simple Sitemap

Researcher

SOPROBRO

More Details >

WP Smart Import : Import any XML File to WordPress <= 1.1.2 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12701

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
WP Smart Import : Import any XML File to WordPress

Researcher

Colin Xu

More Details >

WP Social AutoConnect <= 4.6.2 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12279

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
WP Social AutoConnect

Researcher

vgo0

More Details >

WP SuperBackup <= 2.3.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-56069

Patch Status
Patched

Published
Dec 18, 2024

Affected Software
Super Backup & Clone - Migrate for WordPress

Researcher

Dave Jong

More Details >

WP-Appbox <= 4.5.3 - Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-12710

Patch Status
Patched

Published
Dec 23, 2024

Affected Software
WP-Appbox

Researcher

Colin Xu

More Details >

wpSOL <= 1.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-22343

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
wpSOL

Researcher

SOPROBRO

More Details >

Wtyczka SeoPilot dla WP <= 3.3.091 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2024-11812

Patch Status
Unpatched

Published
Dec 19, 2024

Affected Software
Wtyczka SeoPilot dla WP

Researcher

SOPROBRO

More Details >

Frontend Admin by DynamiApps <= 3.25.1 - Unauthenticated SQL Injection

5.9

CVSS Rating
Medium (5.9)

CVE-ID
CVE-2024-11722

Patch Status
Patched

Published
Dec 20, 2024

Affected Software
Frontend Admin by DynamiApps

Researcher

Max Boll (_b0lli)

More Details >

Broken Link Checker | Finder <= 2.5.0 - Authenticated (Author+) Blind Server-Side Request Forgery

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-12121

Patch Status
Patched

Published
Dec 18, 2024

Affected Software
Broken Link Checker | Finder

Researcher

Francesco Carlucci

More Details >

DirectoryPress <= 3.6.16 - Authenticated (Author+) Stored Cross-Site Scripting

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-10584

Patch Status
Patched

Published
Dec 23, 2024

Affected Software
DirectoryPress – Business Directory And Classified Ad Listing

Researcher

Tieu Pham Trong Nhan

More Details >

Peter’s Custom Anti-Spam <= 3.2.3 - Cross-Site Request Forgery via cas_register_post Function

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-12554

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
Peter’s Custom Anti-Spam

Researcher

SOPROBRO

More Details >

Scratch & Win – Giveaways and Contests <= 2.7.1 - Cross-Site Request Forgery via reset_installation Function

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-12545

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more

Researcher

Peter Thaleikis

More Details >

WC Price History for Omnibus <= 2.1.3 - Missing Authorization

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-12617

Patch Status
Patched

Published
Dec 23, 2024

Affected Software
WC Price History

Researcher

Lucio Sá

More Details >

WP Nice Loader <= 0.1.0.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-56232

Patch Status
Unpatched

Published
Dec 19, 2024

Affected Software
WP Nice Loader

Researcher

SOPROBRO

More Details >

Accept Authorize.NET Payments Using Contact Form 7 <= 2.2 - Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-12250

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
Accept Authorize.NET Payments Using Contact Form 7

Researcher

Joshua Chan

More Details >

Advanced Google reCAPTCHA <= 1.25 - Brute Force Protection IP Unblock

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-12034

Patch Status
Patched

Published
Dec 23, 2024

Affected Software
Advanced Google reCAPTCHA

Researcher

Max Boll (_b0lli)

More Details >

Allada T-shirt Designer for Woocommerce <= 1.1 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-22363

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
Allada T-shirt Designer for Woocommerce – Custom Product Designer for T-shirt personalization and design

Researcher

Mika

More Details >

Calculated Fields Form <= 5.2.63 - Denial of Service

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-12601

Patch Status
Patched

Published
Dec 16, 2024

Affected Software
Calculated Fields Form

Researcher

Max Boll (_b0lli)

More Details >

Content No Cache: prevent specific content from being cached <= 0.1.2 - Unauthenticated Private Content Disclosure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-12103

Patch Status
Patched

Published
Dec 23, 2024

Affected Software
Content No Cache | Serve uncached partial content even when you add it to a page that is fully cached.

Researcher

Francesco Carlucci

More Details >

Download manager <= 3.3.03 - Improper Authorization to Unauthenticated Download of Password-Protected Files

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-11768

Patch Status
Patched

Published
Dec 18, 2024

Affected Software
Download Manager

Researcher

Emiliano Versini

More Details >

Floating Action Buttons <= 0.9.1 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-56238

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
Floating Action Buttons

Researcher

Mika

More Details >

Hestia Nginx Cache <= 2.4.0 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-56236

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
Hestia Nginx Cache

Researcher

Marek Mikita

More Details >

MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution <= 2.0.00 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-12413

Patch Status
Patched

Published
Dec 24, 2024

Affected Software
MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution

Researcher

Lucio Sá

More Details >

Memberful <= 1.73.9 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-11294

Patch Status
Patched

Published
Dec 16, 2024

Affected Software
Memberful – Membership Plugin

Researcher

Francesco Carlucci

More Details >

Page Restriction WordPress (WP) – Protect WP Pages/Post <= 1.3.6 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-11297

Patch Status
Unpatched

Published
Dec 19, 2024

Affected Software
Page and Post Restriction

Researcher

Francesco Carlucci

More Details >

Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.13.4 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-11291

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction

Researcher

Francesco Carlucci

More Details >

Post/Page Copying Tool <= 2.0.0 - Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-56300

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
Post/Page Copying Tool to Export and Import post/page for Cross site Migration

Researcher

stealthcopter

More Details >

PPWP – Password Protect Pages <= 1.9.5 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-11280

Patch Status
Patched

Published
Dec 16, 2024

Affected Software
PPWP – Password Protect Pages

Researcher

Francesco Carlucci

More Details >

Simple Page Access Restriction <= 1.0.29 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-11295

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
Simple Page Access Restriction

Researcher

Francesco Carlucci

More Details >

Standard Box Sizes – for WooCommerce <= 1.6.12 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-22318

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
Standard Box Sizes – for WooCommerce

Researcher

Mika

More Details >

WP Menu Image <= 2.2 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-52485

Patch Status
Unpatched

Published
Dec 16, 2024

Affected Software
WP Menu Image

Researcher

Marek Mikita

More Details >

WP SecureSubmit <= 1.5.16 - Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-56270

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
WP SecureSubmit

Researcher

Mika

More Details >

WPLMS <= 1.9.9 - Missing Authorization to Unauthenticated User Token Generation

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-56044

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
WPLMS Learning Management System for WordPress, WordPress LMS

Researcher

Rafie Muhammad

More Details >

WPvivid Backup and Migration <= 0.9.106 - Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-56273

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
Migration, Backup, Staging – WPvivid Backup & Migration

Researcher

Rafie Muhammad

More Details >

Contact Form 7 Database – CFDB7 <= 1.0.0 - Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-22351

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
Contact Form 7 Database – CFDB7

Researcher

João Pedro Soares de Alcântara

More Details >

Database Backup and check Tables Automated With Scheduler 2024 <= 2.32 - Authenticated (Admin+) Arbitrary File Read

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2024-12850

Patch Status
Patched

Published
Dec 23, 2024

Affected Software
Database Backup and check Tables Automated With Scheduler 2024

Researcher

sterva

More Details >

Easy Digital Downloads <= 3.3.2 - Authenticated (Admin+) Arbitrary File Download

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2024-12875

Patch Status
Patched

Published
Dec 20, 2024

Affected Software
Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Researcher

Sajjad Ahmad (jack_sparrow)

More Details >

ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes <= 1.4.8 - Authenticated (Shop manager+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-22352

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes

Researcher

Webula

More Details >

Just Writing Statistics <= 4.7 - Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2024-56250

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
Just Writing Statistics

Researcher

I8BL

More Details >

NEX-Forms <= 8.7.13 - Authenticated (Admin+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2024-10862

Patch Status
Unpatched

Published
Dec 24, 2024

Affected Software
NEX-Forms – Ultimate Form Builder – Contact forms and much more

Researcher

M.Awad

More Details >

Ultimate Learning Pro <= 3.9 - Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-22350

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
Ultimate Learning Pro

Researcher

Pham Van Tam

More Details >

WordPress Auction Plugin <= 3.7 - Authenticated (Editor+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-22349

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
WordPress Auction Plugin

Researcher

Hakiduck

More Details >

WP Post Author <= 3.8.2 - Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2024-56247

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
WP Post Author – Boost Your Blog's Engagement with Author Box, Social Links, Co-Authors, Guest Authors, Post Rating System, and Custom User Registration Form Builder

Researcher

NAWardRox

More Details >

WPMasterToolKit <= 1.13.1 - Authenticated (Admin+) Arbitrary File Download

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2024-56248

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
WPMasterToolKit (WPMTK) – All in one plugin

Researcher

l8BL

More Details >

Advanced Form Integration <= 1.95.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-56293

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
AFI – The Easiest Integration Plugin

Researcher

b4orvn

More Details >

Email Reminders <= 2.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-56292

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
Email Reminders

Researcher

Khang Duong

More Details >

Embed PDF Viewer <= 2.3.1 - Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-56256

Patch Status
Patched

Published
Dec 19, 2024

Affected Software
Embed PDF Viewer

Researcher

Ibnu Ubaeydillah

More Details >

Highlight <= 2.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-56297

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
Highlight Sitewide Notice, Text, Button Menu

Researcher

Pham Van Tam

More Details >

Pretty Simple Popup Builder <= 1.0.9 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-56298

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
Pretty Simple Popup Builder

Researcher

satrya wira yudha

More Details >

Top Comments <= 1.0 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-12874

Patch Status
Unpatched

Published
Jan 2, 2025

Affected Software
Top Comments

Researchers

Steven Pereira

Muktanand Kale

More Details >

WP Docs <= 2.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2024-56288

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
WP Docs

Researcher

b4orvn

More Details >

Animation Addons for Elementor <= 1.1.6 - Authenticated (Contributor+) Sensitive Information Exposure via Content Slider and Tabs Widget Elementor Template

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12340

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
Animation Addons for Elementor

Researcher

Ankit Patel

More Details >

Ashe Extra <= 1.2.92 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56244

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
Ashe Extra

Researcher

Mika

More Details >

Avada Builder <= 3.11.12 - Authenticated (Contributor+) Protected Post Disclosure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12335

Patch Status
Patched

Published
Dec 24, 2024

Affected Software
Avada (Fusion) Builder

Researcher

Webbernaut

More Details >

AyeCode Connect <= 1.3.8 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56255

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
AyeCode Connect

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

BSK Forms Blacklist <= 3.9 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-22347

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
BSK Forms Blacklist

Researcher

minhtuanact

More Details >

Button Block – Get fully customizable & multi-functional buttons <= 1.1.5 - Authenticated (Contributor+) Post Disclosure via Post Duplication

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12560

Patch Status
Patched

Published
Dec 18, 2024

Affected Software
Button Block – Get fully customizable & multi-functional buttons

Researcher

Webbernaut

More Details >

CodeBard Help Desk <= 1.1.1 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56222

Patch Status
Patched

Published
Dec 19, 2024

Affected Software
CodeBard Help Desk

Researcher

hunter85

More Details >

Contact Form 7 Dynamic Text Extension <= 5.0.1 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56218

Patch Status
Patched

Published
Dec 19, 2024

Affected Software
Contact Form 7 – Dynamic Text Extension

Researcher(s): Unknown

More Details >

Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder <= 2.17.3 - Missing Authorization to Authenticated (Subscriber+) Form Submission Disclosure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12190

Patch Status
Patched

Published
Dec 24, 2024

Affected Software
Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder

Researcher

Akbar Kustirama

More Details >

Contact Form by WPForms <= 1.9.2.2 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56276

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More

Researcher

Rafie Muhammad

More Details >

Data Tables Generator by Supsystic <= 1.10.36 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56253

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
Data Tables Generator by Supsystic

Researcher

Jingle Bells

More Details >

Download Manager <= 3.3.03 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56217

Patch Status
Patched

Published
Dec 19, 2024

Affected Software
Download Manager

Researcher

Rafie Muhammad

More Details >

EditionGuard for WooCommerce – eBook Sales with DRM <= 3.4.2 - Cross-Site Request Forgery to Privilege Escalation

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56207

Patch Status
Unpatched

Published
Dec 18, 2024

Affected Software
EditionGuard for WooCommerce – eBook Sales with DRM

Researcher

Mika

More Details >

Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) <= 5.10.12 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-11852

Patch Status
Patched

Published
Dec 21, 2024

Affected Software
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows)

Researchers

Tieu Pham Trong Nhan

incognito

More Details >

ElementsReady Addons for Elementor <= 6.4.8 - Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-10356

Patch Status
Patched

Published
Dec 16, 2024

Affected Software
ElementsReady Addons for Elementor

Researcher

Ankit Patel

More Details >

Elevio <= 4.4.1 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-22328

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
Elevio

Researcher

SOPROBRO

More Details >

Event Espresso 4 Decaf <= 5.0.28.decaf - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56251

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
Event Espresso – Event Registration & Ticketing Sales

Researcher

Dhabaleshwar Das

More Details >

Events Addon for Elementor <= 2.2.3 - Authenticated (Contributor+) Post Disclosure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12061

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
Events Addon for Elementor

Researcher

Francesco Carlucci

More Details >

File Manager Pro – Filester <= 1.8.6 - Missing Authorization to Authenticated (Subscriber+) Filebird Plugin Installation

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12331

Patch Status
Patched

Published
Dec 18, 2024

Affected Software
File Manager Pro – Filester

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Full Screen Menu for Elementor <= 1.0.7 - Authenticated (Contributor+) Post Disclosure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-10797

Patch Status
Unpatched

Published
Dec 20, 2024

Affected Software
Full Screen Menu for Elementor

Researcher

Francesco Carlucci

More Details >

gap-hub-user-role <= 3.4.1 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56206

Patch Status
Unpatched

Published
Dec 18, 2024

Affected Software
gap-hub-user-role.

Researcher

ardias

More Details >

Hide Category by User Role for WooCommerce <= 2.1.1 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56272

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
Hide Category by User Role for WooCommerce

Researcher

Mika

More Details >

JSP Store Locator <= 1.0 - Cross-Site Request Forgery to Store Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12301

Patch Status
Unpatched

Published
Dec 27, 2024

Affected Software
JSP Store Locator

Researcher

Bob Matyas

More Details >

LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes <= 7.8.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12596

Patch Status
Patched

Published
Dec 17, 2024

Affected Software
LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes

Researcher

Lucio Sá

More Details >

Maintenance & Coming Soon Redirect Animation <= 2.1.3 - Missing Authorization to Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-9503

Patch Status
Unpatched

Published
Dec 19, 2024

Affected Software
Maintenance & Coming Soon Redirect Animation

Researcher

Francesco Carlucci

More Details >

Member Directory and Contact Form <= 1.7.0 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56215

Patch Status
Patched

Published
Dec 19, 2024

Affected Software
Member Directory and Contact Form

Researcher

Mika

More Details >

MP3 Audio Player for Music, Radio & Podcast by Sonaar <= 5.8 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56266

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Nexter Blocks <= 4.0.7 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56294

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
Nexter Blocks – WordPress Gutenberg Blocks & 1000+ Starter Templates

Researcher

Khalid Yusuf

More Details >

Photo Gallery Slideshow & Masonry Tiled Gallery <= 1.0.15 - Authenticated (Subscriber+) Limited Server-Side Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12237

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
Photo Gallery Slideshow & Masonry Tiled Gallery

Researcher

shaman0x01

More Details >

Premium Addons for Elementor <= 4.10.56 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56225

Patch Status
Patched

Published
Dec 19, 2024

Affected Software
Premium Addons for Elementor

Researcher

Rafie Muhammad

More Details >

Print Invoice & Delivery Notes for WooCommerce <= 5.4.0 - Missing Authorization to Authenticated (Subscriber+) Logo Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12210

Patch Status
Patched

Published
Dec 23, 2024

Affected Software
Print Invoice & Delivery Notes for WooCommerce

Researcher

Tieu Pham Trong Nhan

More Details >

Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages <= 3.2.7 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12636

Patch Status
Patched

Published
Dec 24, 2024

Affected Software
Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages

Researcher

Lucio Sá

More Details >

Royal Elementor Addons <= 1.7.1001 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56227

Patch Status
Patched

Published
Dec 19, 2024

Affected Software
Royal Elementor Addons and Templates

Researcher

Rafie Muhammad

More Details >

SearchIQ <= 4.6 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56229

Patch Status
Patched

Published
Dec 19, 2024

Affected Software
SearchIQ – The Search Solution

Researcher

Abdi Pranata

More Details >

Seraphinite Accelerator <= 2.22.15 (2.21.13 PRO) - Authenticated (Subscriber+) Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-54222

Patch Status
Patched

Published
Dec 19, 2024

Affected Software
Seraphinite Accelerator (Full, premium)
Seraphinite Accelerator

Researcher

Dave Jong

More Details >

Smart Shopify Product <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56031

Patch Status
Unpatched

Published
Dec 17, 2024

Affected Software
Smart Shopify Product

Researcher

Mika

More Details >

Social Media Share Buttons | MashShare <= 4.0.47 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-22319

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
MashShare – Social Media Share Buttons, Social Share Icons

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Tidy Up <= 1.3 - Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56015

Patch Status
Unpatched

Published
Dec 16, 2024

Affected Software
Tidy Up

Researcher

thiennv

More Details >

Userpro <= 5.1.9 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56211

Patch Status
Unpatched

Published
Dec 19, 2024

Affected Software
UserPro - Community and User Profile WordPress Plugin

Researcher

Rafie Muhammad

More Details >

VW Automobile Lite <= 2.1 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56234

Patch Status
Unpatched

Published
Dec 19, 2024

Affected Software
VW Automobile Lite

Researcher

Fariq Fadillah Gusti Insani (fariqfgi)

More Details >

Widget Options <= 4.0.6.1 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56219

Patch Status
Patched

Published
Dec 19, 2024

Affected Software
Widget Options – The #1 WordPress Widget & Block Control Plugin

Researcher

Rafie Muhammad

More Details >

WP Job Portal – A Complete Recruitment System for Company or Job Board website <= 2.2.4 - Authenticated (Subscriber+) Insecure Direct Object Reference

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-12132

Patch Status
Patched

Published
Jan 2, 2025

Affected Software
WP Job Portal – A Complete Recruitment System for Company or Job Board website

Researcher

Apostolos Sakellariou

More Details >

WP SecureSubmit <= 1.5.16 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56271

Patch Status
Unpatched

Published
Jan 3, 2025

Affected Software
WP SecureSubmit

Researcher

Mika

More Details >

WP SuperBackup <= 2.3.3 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56070

Patch Status
Patched

Published
Dec 18, 2024

Affected Software
Super Backup & Clone - Migrate for WordPress

Researcher

Dave Jong

More Details >

WPSSO Core <= 18.18.1 - Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2024-56243

Patch Status
Patched

Published
Dec 30, 2024

Affected Software
WPSSO Core – Complete and Optimized Structured Data SEO

Researcher

Jingle Bells

More Details >

WP Ultimate Exporter <= 2.9.1 - Authenticated (Admin+) Remote Code Execution

4.1

CVSS Rating
Medium (4.1)

CVE-ID
CVE-2024-56278

Patch Status
Patched

Published
Jan 3, 2025

Affected Software
Export All Posts, Products, Orders, Refunds & Users

Researcher

Webula

More Details >

Easy Digital Downloads 3.1 - 3.3.4 - Improper Authorization to Paywall Bypass

3.7

CVSS Rating
Low (3.7)

CVE-ID
CVE-2024-9654

Patch Status
Patched

Published
Dec 16, 2024

Affected Software
Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Researcher

Arkadiusz Hydzik

More Details >