Wordfence Intelligence Weekly WordPress Vulnerability Report (February 17, 2025 to February 23, 2025)

by

📱 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.

Last week, there were 172 vulnerabilities disclosed in 157 WordPress Plugins and 4 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 54 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 22,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

  • WAF-RULE-811 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Patched 96
Unpatched 76

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Medium Severity 125
High Severity 42
Critical Severity 5

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 84
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 21
Cross-Site Request Forgery (CSRF) 18
Missing Authorization 12
Improper Control of Generation of Code (‘Code Injection’) 6
Generation of Error Message Containing Sensitive Information 4
Improper Access Control 3
Improper Input Validation 3
Authorization Bypass Through User-Controlled Key 2
Deserialization of Untrusted Data 2
Exposure of Sensitive Information to an Unauthorized Actor 2
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 2
Server-Side Request Forgery (SSRF) 2
Unrestricted Upload of File with Dangerous Type 2
URL Redirection to Untrusted Site (‘Open Redirect’) 2
Improper Authorization 1
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 1
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) 1
Incorrect Privilege Assignment 1
Insertion of Sensitive Information into Log File 1
Unverified Password Change 1
Use of Cache Containing Sensitive Information 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
27
15
12
12
7
6
6
5
5
5
5
4
4
3
3
3
3
3
2
2
2
2
2
2
2
2
2
2
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
1 Click WordPress Migration Plugin – 100% FREE for a limited time 1-click-migration
3D Photo Gallery 3d-photo-gallery
A1POST.BG Shipping for WooCommerce a1post-bg-shipping-for-woocommerce
aBlocks – WordPress Gutenberg Blocks ablocks
Accept Donations with PayPal & Stripe easy-paypal-donation
Actionwear products sync actionwear-products-sync
Active Products Tables for WooCommerce. Use constructor to create tables  profit-products-tables-for-woocommerce
ADFO – Custom data in admin dashboard admin-form
Affiliate Links: WordPress Plugin for Link Cloaking and Link Management affiliate-links
AMO Team Showcase amo-team-showcase
Apptivo Business Site CRM apptivo-business-site
Autoship Cloud for WooCommerce Subscription Products autoship-cloud
Bandsintown Events bandsintown
BigBuy Dropshipping Connector for WooCommerce bigbuy-wc-dropshipping-connector
Booking Package booking-package
C9 Admin Dashboard c9-admin-dashboard
C9 Blocks c9-blocks
CanadaHelps Embedded Donation Form embedded-cdn
Categorized Gallery Plugin categorized-gallery
CATS Job Listings cats-job-listings
Coaching Staffs coaching-staffs
Content Blocks (Custom Post Widget) custom-post-widget
Cookie Notice Bar cookie-notice-bar
Cosmic Blocks (40+) Content Editor Blocks Collection cosmic-blocks
Countdown Timer timer-countdown
Custom Post Type Date Archives custom-post-type-date-archives
DeBounce Email Validator debounce-io-email-validator
Digihood HTML Sitemap wedesin-html-sitemap
Disable Auto Updates disable-auto-updates
Drivr Lite – Google Drive Plugin drivr-google-drive-file-picker
Easy MLS Listings Import easy-mls-listings-import
Easypromos Plugin easypromos
Ecwid by Lightspeed Ecommerce Shopping Cart ecwid-shopping-cart
Education Addon for Elementor education-addon
Elementor Website Builder – More Than Just a Page Builder elementor
ElementsKit Elementor addons elementskit-lite
Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files embed-any-document
Events Calendar Made Simple – Pie Calendar pie-calendar
Events Manager – Calendar, Bookings, Tickets, and more! events-manager
Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress everest-forms
File Uploads Addon for WooCommerce woo-addon-uploads
Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later flexible-wishlist
FormCraft formcraft3
GetBookingsWP – Appointments Booking Calendar Plugin For WordPress get-bookings-wp
Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) gift-voucher
Gumlet Video gumlet-video
Head, Footer and Post Injections header-footer
igumbi Online Booking igumbi-online-booking
Indeed Ultimate Learning Pro ulp-duplicate-post-sql-timebased
IP2Location Country Blocker ip2location-country-blocker
K Elements k-elements
Keap Official Opt-in Forms infusionsoft-official-opt-in-forms
Legoeso PDF Manager legoeso-pdf-manager
Lenix Leads Collector lenix-elementor-leads-addon
Lexicata lexicata
Library Bookshelves library-bookshelves
Login/Signup Popup ( Inline Form + Woocommerce ) easy-login-woocommerce
LTL Freight Quotes – ABF Freight Edition ltl-freight-quotes-abf-freight-edition
LTL Freight Quotes – GlobalTranz Edition ltl-freight-quotes-globaltranz-edition
LTL Freight Quotes – Old Dominion Edition ltl-freight-quotes-odfl-edition
LTL Freight Quotes – Purolator Edition ltl-freight-quotes-purolator-freight-edition
LTL Freight Quotes – R+L Carriers Edition ltl-freight-quotes-rl-edition
LTL Freight Quotes – SAIA Edition ltl-freight-quotes-saia-edition
LTL Freight Quotes – SEFL Edition ltl-freight-quotes-sefl-edition
LTL Freight Quotes – TForce Edition ltl-freight-quotes-ups-edition
magayo Lottery Results magayo-lottery-results
Mambo Importer mambo-joomla-importer
Maps for WP maps-for-wp
MemorialDay memorialday
Migration, Backup, Staging – WPvivid Backup & Migration wpvivid-backuprestore
Mini Course Generator | Embed mini-courses and interactive content mini-course-generator
Modal Window – create popup modal window modal-window
Mortgage Calculator / Loan Calculator mortgage-loan-calculator
Mortgage Lead Capture System wprequal
Newpost Catch newpost-catch
Online Payments – Get Paid with PayPal, Square & Stripe paypal-payment-button-by-vcita
Open Hours – Easy Opening Hours open-hours
Option Editor option-editor
Pago por Redsys pago-redsys-tpv-grafreak
PeproDev Ultimate Invoice pepro-ultimate-invoice
Pinpoint Booking System – WordPress Booking Plugin booking-system
Pollin pollin
Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) buddyforms
Post Grid and Gutenberg Blocks – ComboBlocks post-grid
Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more post-smtp
Prime Addons for Elementor prime-addons-for-elementor
ProfileGrid – User Profiles, Groups and Communities profilegrid-user-profiles-groups-and-communities
Pure Chat – Live Chat & More! pure-chat
Rapid Cache rapid-cache
Raptive Ads adthrive-ads
ravpage ravpage
Reaction Buttons reaction-buttons
Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction pie-register
Reset reset
Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates responsive-addons-for-elementor
Responsive Flickr Slideshow mobile-friendly-flickr-slideshow
Rife Elementor Extensions & Templates rife-elementor-extensions
Royal Elementor Addons and Templates royal-elementor-addons
s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions s2member
Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more scratch-win-giveaways-for-website-facebook
Shopwarden – Automated WooCommerce monitoring & testing shopwarden
Show Me The Cookies show-me-the-cookies
Simple Charts simple-charts
Simple Map No Api simple-map-no-api
Simple Pricing Tables For WPBakery Page Builder(Formerly Visual Composer) simple-pricing-tables-vc-extension
Simple Signup Form simple-signup-form
Simplebooklet PDF Viewer and Embedder simplebooklet
Small Package Quotes – For Customers of FedEx small-package-quotes-fedex-edition
Small Package Quotes – USPS Edition small-package-quotes-usps-edition
Small Package Quotes – Worldwide Express Edition small-package-quotes-wwe-edition
SMTP for Amazon SES – YaySMTP smtp-amazon-ses
SMTP for SendGrid – YaySMTP smtp-sendgrid
SMTP for Sendinblue – YaySMTP smtp-sendinblue
Social Sharing Plugin – Social Warfare social-warfare
SpeedSize Image & Video AI-Optimizer speedsize-ai-image-optimizer
Store Locator Widget store-locator-widget
Subscribe2 – Form, Email Subscribers & Newsletters subscribe2
Super Testimonials super-testimonial
SVG Support svg-support
TCBD Tooltip tcbd-tooltip
Team Builder For WPBakery Page Builder(Formerly Visual Composer) team-builder-for-wpbakery-page-builder
Team Builder – Meet the Team team-display
Threepress threepress
Tour Master – Tour Booking, Travel, Hotel tourmaster
Trash Duplicate and 301 Redirect trash-duplicate-and-301-redirect
Typed JS: A typewriter style animation mrlegend-typedjs
Ultimate Classified Listings ultimate-classified-listings
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin ultimate-member
UltraEmbed – Advanced Iframe Plugin For WordPress with Gutenberg Block Included ultraembed-advanced-iframe
UMich OIDC Login umich-oidc-login
Uncode Core uncode-core
Unlimited Elements For Elementor unlimited-elements-for-elementor
User Private Files – File Upload & Download Manager with Secure File Sharing user-private-files
Visualizer: Tables and Charts Manager for WordPress visualizer
Web Stories Enhancer – Level Up Your Web Stories web-stories-enhancer
Widget BUY.BOX buybox-widget
Wonder Video Embed wonderplugin-video-embed
WooCommerce Food – Restaurant Menu & Food ordering woo-exfood
WooODT Lite – Delivery & pickup date time location for WooCommerce byconsole-woo-order-delivery-time
WordPress Portfolio Builder – Portfolio Gallery uber-grid
WP Job Portal – A Complete Recruitment System for Company or Job Board website wp-job-portal
WP Media Category Management wp-media-category-management
WP Wiki Tooltip wp-wiki-tooltip
WP-Appbox wp-appbox
WP-Asambleas wp-asambleas
WP-BibTeX wp-bibtex
WP-FormAssembly formassembly-web-forms
WPExperts Square For GiveWP wpexperts-square-for-give
WPMobile.App wpappninja
WPO365 | MICROSOFT 365 GRAPH MAILER wpo365-msgraphmailer
WPUpper Share Buttons wpupper-share-buttons
Yay! Forms yayforms
YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service yaysmtp
YouTube Playlists with Schema jma-youtube-playlists-with-schema
Zigaform – Form Builder Lite zigaform-form-builder-lite
Zigaform – Price Calculator & Cost Estimation Form Builder Lite zigaform-calculator-cost-estimation-form-builder-lite
Ziggeo ziggeo

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
CarSpot – Dealership WordPress Classified Theme carspot
MediCenter – Health Medical Clinic WordPress Theme medicenter
PressMart – Modern Elementor WooCommerce WordPress Theme pressmart
Uncode uncode

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

CarSpot – Dealership WordPress Classified Theme <= 2.4.3 – Unauthenticated Arbitrary Password Reset/Account Takeover

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-12860
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
CarSpot – Dealership WordPress Classified Theme
Researcher
More Details >

Everest Forms <= 3.0.9.4 – Unauthenticated Arbitrary File Upload, Read, and Deletion

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-1128
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress
Researcher
More Details >

K Elements <= 5.3.9 – Authentication Bypass

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-56000
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
K Elements
Researcher
More Details >

Keap Official Opt-in Forms <= 2.0.1 – Unauthenticated Limited Local File Inclusion

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-13725
Patch Status
Unpatched
Published
Feb 17, 2025
Affected Software
Keap Official Opt-in Forms
Researcher
More Details >

Ravpage <= 2.31 – PHP Object Injection

9.8
CVSS Rating
Critical (9.8)
CVE-ID
CVE-2024-13789
Patch Status
Unpatched
Published
Feb 19, 2025
Affected Software
ravpage
Researcher
More Details >

A1POST.BG Shipping for WooCommerce <= 1.5.1 – Cross-Site Request Forgery to Privilege Escalation

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2025-27012
Patch Status
Unpatched
Published
Feb 21, 2025
Affected Software
A1POST.BG Shipping for WooCommerce
Researcher
More Details >

GetBookingsWp – Appointments & Bookings Plugin Basic Version <= 1.1.27 – Authenticated (Subscriber+) Privilege Escalation via Account Takeover

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2024-13677
Patch Status
Unpatched
Published
Feb 17, 2025
Affected Software
GetBookingsWP – Appointments Booking Calendar Plugin For WordPress
Researcher
More Details >

Option Editor <= 1.0 – Cross-Site Request Forgery to Arbitrary Options Update

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2024-13852
Patch Status
Unpatched
Published
Feb 17, 2025
Affected Software
Option Editor
Researcher
More Details >

Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates <= 1.6.4 – Authenticated (Contributor+) Local File Inclusion

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2024-13353
Patch Status
Patched
Published
Feb 20, 2025
Affected Software
Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates
Researcher
More Details >

Shopwarden – Automated WooCommerce monitoring & testing <= 1.0.11 – Cross-Site Request Forgery to Arbitrary Options Update

8.8
CVSS Rating
High (8.8)
CVE-ID
CVE-2024-13315
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
Shopwarden – Automated WooCommerce monitoring & testing
Researcher
More Details >

Affiliate Links: WordPress Plugin for Link Cloaking and Link Management <= 3.0.1 – Missing Authorization to Unauthenticated Import/Export and PHP Object Injection

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2024-13556
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
Affiliate Links: WordPress Plugin for Link Cloaking and Link Management
Researcher
More Details >

Reset <= 1.6 – Cross-Site Request Forgery to Database Reset

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2024-13684
Patch Status
Unpatched
Published
Feb 17, 2025
Affected Software
Reset
Researcher
More Details >

Ultimate Classified Listings <= 1.4 – Cross-Site Request Forgery to Account Takeover

8.1
CVSS Rating
High (8.1)
CVE-ID
CVE-2024-13753
Patch Status
Patched
Published
Feb 19, 2025
Affected Software
Ultimate Classified Listings
Researcher
More Details >

Events Manager – Calendar, Bookings, Tickets, and more! <= 6.6.3 – Unauthenticated SQL Injection via Event Status Parameter

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2024-11260
Patch Status
Patched
Published
Feb 20, 2025
Affected Software
Events Manager – Calendar, Bookings, Tickets, and more!
Researcher
More Details >

File Uploads Addon for WooCommerce <= 1.7.1 – Unauthenticated Sensitive Information Exposure Through Unprotected Directory

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2024-13622
Patch Status
Unpatched
Published
Feb 17, 2025
Affected Software
File Uploads Addon for WooCommerce
Researcher
More Details >

IP2Location Country Blocker <= 2.38.8 – Missing Authorization to Unauthenticated Information Exposure via admin_init Function

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2025-1361
Patch Status
Patched
Published
Feb 21, 2025
Affected Software
IP2Location Country Blocker
Researcher
More Details >

LTL Freight Quotes – ABF Freight Edition <= 3.3.7 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2024-13485
Patch Status
Patched
Published
Feb 18, 2025
Affected Software
LTL Freight Quotes – ABF Freight Edition
Researcher
More Details >

LTL Freight Quotes – GlobalTranz Edition <= 2.3.11 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2024-13476
Patch Status
Patched
Published
Feb 19, 2025
Affected Software
LTL Freight Quotes – GlobalTranz Edition
Researcher
More Details >

LTL Freight Quotes – Old Dominion Edition <= 4.2.10 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2024-13489
Patch Status
Patched
Published
Feb 18, 2025
Affected Software
LTL Freight Quotes – Old Dominion Edition
Researcher
More Details >

LTL Freight Quotes – Purolator Edition <= 2.2.3 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2024-13474
Patch Status
Patched
Published
Feb 21, 2025
Affected Software
LTL Freight Quotes – Purolator Edition
Researcher
More Details >

LTL Freight Quotes – R+L Carriers Edition <= 3.3.4 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2024-13481
Patch Status
Patched
Published
Feb 18, 2025
Affected Software
LTL Freight Quotes – R+L Carriers Edition
Researcher
More Details >

LTL Freight Quotes – SAIA Edition <= 2.2.10 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2024-13483
Patch Status
Patched
Published
Feb 18, 2025
Affected Software
LTL Freight Quotes – SAIA Edition
Researcher
More Details >

LTL Freight Quotes – SEFL Edition <= 3.2.4 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2024-13479
Patch Status
Patched
Published
Feb 18, 2025
Affected Software
LTL Freight Quotes – SEFL Edition
Researcher
More Details >

LTL Freight Quotes – TForce Edition <= 3.6.4 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2024-13478
Patch Status
Patched
Published
Feb 18, 2025
Affected Software
LTL Freight Quotes – TForce Edition
Researcher
More Details >

Small Package Quotes – For Customers of FedEx <= 4.3.1 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2024-13491
Patch Status
Patched
Published
Feb 18, 2025
Affected Software
Small Package Quotes – For Customers of FedEx
Researcher
More Details >

Small Package Quotes – USPS Edition <= 1.3.5 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2024-13533
Patch Status
Patched
Published
Feb 18, 2025
Affected Software
Small Package Quotes – USPS Edition
Researcher
More Details >

Small Package Quotes – Worldwide Express Edition <= 5.2.18 – Unauthenticated SQL Injection

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2024-13534
Patch Status
Patched
Published
Feb 18, 2025
Affected Software
Small Package Quotes – Worldwide Express Edition
Researcher
More Details >

Team Builder For WPBakery Page Builder(Formerly Visual Composer) <= 1.0 – Authenticated (Contributor+) Local File Inclusion

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2024-13592
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
Team Builder For WPBakery Page Builder(Formerly Visual Composer)
Researcher
More Details >

Trash Duplicate and 301 Redirect <= 1.9 – Missing Authorization to Unauthenticated Arbitrary Post Deletion

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2024-13468
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
Trash Duplicate and 301 Redirect
Researcher
More Details >

Uncode <= 2.9.1.6 – Unauthenticated Arbitrary File Read in uncode_admin_get_oembed

7.5
CVSS Rating
High (7.5)
CVE-ID
CVE-2024-13681
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
Uncode
Researcher
More Details >

Custom Post Type Date Archives <= 2.7.1 – Missing Authorization to Unauthenticated Arbitrary Shortcode Execution

7.3
CVSS Rating
High (7.3)
CVE-ID
CVE-2025-1510
Patch Status
Unpatched
Published
Feb 21, 2025
Affected Software
Custom Post Type Date Archives
Researcher
More Details >

PressMart – Modern Elementor WooCommerce WordPress Theme <= 1.2.16 – Unauthenticated Arbitrary Shortcode Execution

7.3
CVSS Rating
High (7.3)
CVE-ID
CVE-2024-13797
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
PressMart – Modern Elementor WooCommerce WordPress Theme
Researcher
More Details >

Show Me The Cookies <= 1.0 – Unauthenticated Arbitrary Shortcode Execution

7.3
CVSS Rating
High (7.3)
CVE-ID
CVE-2025-1509
Patch Status
Unpatched
Published
Feb 21, 2025
Affected Software
Show Me The Cookies
Researcher
More Details >

WooCommerce Food – Restaurant Menu & Food ordering <= 3.3.2 – Unauthenticated Arbitrary Shortcode Execution via ids

7.3
CVSS Rating
High (7.3)
CVE-ID
CVE-2024-13792
Patch Status
Patched
Published
Feb 19, 2025
Affected Software
WooCommerce Food – Restaurant Menu & Food ordering
Researcher
More Details >

FormCraft – Premium WordPress Form Builder <= 3.9.11 – Unauthenticated Stored Cross-Site Scripting via SVG File Upload

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-0817
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
FormCraft
Researcher
More Details >

Lenix Elementor Leads addon <= 1.8.2 – Unauthenticated Stored Cross-Site Scripting via URL Form Field

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-1039
Patch Status
Patched
Published
Feb 19, 2025
Affected Software
Lenix Leads Collector
Researcher
More Details >

Mambo Importer <= 1.0 – Authenticated (Administrator+) PHP Object Injection

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2024-13899
Patch Status
Unpatched
Published
Feb 21, 2025
Affected Software
Mambo Importer
Researcher
More Details >

Migration, Backup, Staging – WPvivid <= 0.9.112 – Authenticated (Admin+) Arbitrary File Upload via wpvivid_upload_file

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2024-13869
Patch Status
Patched
Published
Feb 21, 2025
Affected Software
Migration, Backup, Staging – WPvivid Backup & Migration
Researcher
More Details >

Post SMTP <= 3.0.2 – Unauthenticated Stored Cross-Site Scripting

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-0521
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
Post SMTP – WordPress SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more
Researcher
More Details >

Rapid Cache <= 1.2.3 – Unauthenticated Cache Poisoning

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2024-12314
Patch Status
Unpatched
Published
Feb 17, 2025
Affected Software
Rapid Cache
Researcher
More Details >

SMTP for SendGrid – YaySMTP <= 1.3.1 – Unauthenticated Stored Cross-Site Scripting via Email Logs

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-0918
Patch Status
Patched
Published
Feb 22, 2025
Affected Software
SMTP for SendGrid – YaySMTP
Researcher
More Details >

SMTP for Sendinblue – YaySMTP <= 1.1.1 – Unauthenticated Stored Cross-Site Scripting via Email Logs

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-0953
Patch Status
Patched
Published
Feb 22, 2025
Affected Software
SMTP for Sendinblue – YaySMTP
Researcher
More Details >

Subscribe2 – Form, Email Subscribers & Newsletters <= 10.43 – Unauthenticated Stored Cross-Site Scripting via IP Parameter

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2024-11582
Patch Status
Patched
Published
Feb 18, 2025
Affected Software
Subscribe2 – Form, Email Subscribers & Newsletters
Researcher
More Details >

Super Testimonials <= 4.0.1 – Unauthenticated Stored Cross-Site Scripting

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2024-13704
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
Super Testimonials
Researcher
More Details >

Vulnerability: SMTP for Amazon SES <= 1.7.1 – Unauthenticated Stored Cross-Site Scripting via Email Logs

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-0957
Patch Status
Patched
Published
Feb 22, 2025
Affected Software
SMTP for Amazon SES – YaySMTP
Researcher
More Details >

WPMobile.App <= 11.56 – Open Redirect via ‘redirect’ Parameter

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2024-13888
Patch Status
Patched
Published
Feb 19, 2025
Affected Software
WPMobile.App
Researcher
More Details >

YaySMTP 2.4.9 – 2.6.2 – Unauthenticated Stored Cross-Site Scripting

7.2
CVSS Rating
High (7.2)
CVE-ID
CVE-2025-0916
Patch Status
Patched
Published
Feb 18, 2025
Affected Software
YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service
Researcher
More Details >

Categorized Gallery Plugin <= 2.0 – Authenticated (Contributor+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2024-13676
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
Categorized Gallery Plugin
Researcher
More Details >

Legoeso PDF Manager <= 1.2.2 – Authenticated (Author+) SQL Injection via checkedVals Parameter

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-0866
Patch Status
Unpatched
Published
Feb 19, 2025
Affected Software
Legoeso PDF Manager
Researchers
More Details >

Pinpoint Booking System – #1 WordPress Booking Plugin <= 2.9.9.5.3 – Authenticated (Subscriber+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2024-13235
Patch Status
Unpatched
Published
Feb 20, 2025
Affected Software
Pinpoint Booking System – #1 WordPress Booking Plugin
Researcher
More Details >

Simple Signup Form <= 1.6.5 – Authenticated (Contributor+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2024-13595
Patch Status
Unpatched
Published
Feb 17, 2025
Affected Software
Simple Signup Form
Researcher
More Details >

Tour Master – Tour Booking, Travel, Hotel <= 5.3.7 – Authenticated (Subscriber+) SQL Injection via review_id Parameter

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2024-13369
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
Tour Master – Tour Booking, Travel, Hotel
Researcher
More Details >

Uncode <= 2.9.1.6 – Authenticated (Subscriber+) Arbitrary File Read in uncode_recordMedia

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2024-13691
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
Uncode
Researcher
More Details >

WP Media Category Management 2.0 – 2.3.3 – Cross-Site Request Forgery to Settings Update

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-0865
Patch Status
Patched
Published
Feb 18, 2025
Affected Software
WP Media Category Management
Researcher
More Details >

WPExperts Square For GiveWP <= 1.3.1 – Authenticated (Subscriber+) SQL Injection

6.5
CVSS Rating
Medium (6.5)
CVE-ID
CVE-2024-13713
Patch Status
Patched
Published
Feb 20, 2025
Affected Software
WPExperts Square For GiveWP
Researcher
More Details >

3D Photo Gallery <= 1.3 – Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13751
Patch Status
Unpatched
Published
Feb 20, 2025
Affected Software
3D Photo Gallery
Researcher
More Details >

aBlocks – WordPress Gutenberg Blocks <= 1.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13465
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
aBlocks – WordPress Gutenberg Blocks
Researcher
More Details >

ADFO – Custom data in admin dashboard <= 1.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13390
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
ADFO – Custom data in admin dashboard
Researcher
More Details >

AMO Team Showcase <= 1.1.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via amoteam_skills Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1407
Patch Status
Unpatched
Published
Feb 20, 2025
Affected Software
AMO Team Showcase
Researcher
More Details >

Autoship Cloud for WooCommerce Subscription Products <= 2.8.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13461
Patch Status
Patched
Published
Feb 20, 2025
Affected Software
Autoship Cloud for WooCommerce Subscription Products
Researcher
More Details >

Bandsintown Events <= 1.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13802
Patch Status
Unpatched
Published
Feb 19, 2025
Affected Software
Bandsintown Events
Researcher
More Details >

C9 Admin Dashboard <= 1.3.5 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13379
Patch Status
Unpatched
Published
Feb 20, 2025
Affected Software
C9 Admin Dashboard
Researcher
More Details >

CanadaHelps Embedded Donation <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-11778
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
CanadaHelps Embedded Donation Form
Researcher
More Details >

CATS Job Listings <= 2.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13577
Patch Status
Unpatched
Published
Feb 17, 2025
Affected Software
CATS Job Listings
Researcher
More Details >

Coaching Staffs <= 1.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13663
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
Coaching Staffs
Researcher
More Details >

Content Blocks (Custom Post Widget) <= 3.3.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via content Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-6432
Patch Status
Patched
Published
Feb 19, 2025
Affected Software
Content Blocks (Custom Post Widget)
Researcher
More Details >

Cosmic Blocks (40+) Content Editor Blocks Collection <= 1.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13674
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
Cosmic Blocks (40+) Content Editor Blocks Collection
Researcher
More Details >

Drivr Lite – Google Drive Plugin plugin for WordPress <= 1.0.1 – Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-27016
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
Drivr Lite – Google Drive Plugin
Researcher
More Details >

Easy MLS Listings Import <= 2.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-12525
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
Easy MLS Listings Import
Researcher
More Details >

Easypromos Plugin <= 1.3.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13443
Patch Status
Patched
Published
Feb 18, 2025
Affected Software
Easypromos Plugin
Researcher
More Details >

Elementor Website Builder – More Than Just a Page Builder <= 3.27.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13445
Patch Status
Patched
Published
Feb 19, 2025
Affected Software
Elementor Website Builder – More Than Just a Page Builder
Researcher
More Details >

Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files <= 2.7.5 – Authenticated (Contributor+) Blind Server-Side Request Forgery via embeddoc Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1043
Patch Status
Patched
Published
Feb 19, 2025
Affected Software
Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files
Researcher
More Details >

Events Calendar Made Simple – Pie Calendar <= 1.2.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via piecal Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1410
Patch Status
Patched
Published
Feb 20, 2025
Affected Software
Events Calendar Made Simple – Pie Calendar
Researcher
More Details >

Frontend Content Forms for User Submissions (UGC) <= 2.8.15 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘buddyforms_nav’ Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-12038
Patch Status
Patched
Published
Feb 21, 2025
Affected Software
Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)
Researcher
More Details >

Gumlet Video <= 1.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13576
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
Gumlet Video
Researcher
More Details >

igumbi Online Booking <= 1.40 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13455
Patch Status
Patched
Published
Feb 20, 2025
Affected Software
igumbi Online Booking
Researcher
More Details >

Library Bookshelves <= 5.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13464
Patch Status
Unpatched
Published
Feb 17, 2025
Affected Software
Library Bookshelves
Researcher
More Details >

Login/Signup Popup ( Inline Form + Woocommerce ) <= 2.8.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via xoo_el_action Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1064
Patch Status
Patched
Published
Feb 19, 2025
Affected Software
Login/Signup Popup ( Inline Form + Woocommerce )
Researcher
More Details >

Maps for WP <= 1.2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13648
Patch Status
Patched
Published
Feb 20, 2025
Affected Software
Maps for WP
Researcher
More Details >

Mini Course Generator | Embed mini-courses and interactive content <= 1.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13672
Patch Status
Patched
Published
Feb 20, 2025
Affected Software
Mini Course Generator | Embed mini-courses and interactive content
Researcher
More Details >

Modal Window <= 6.1.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via iframeBox Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-0897
Patch Status
Patched
Published
Feb 19, 2025
Affected Software
Modal Window – create popup modal window
Researcher
More Details >

Mortgage Calculator / Loan Calculator <= 1.5.20 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-0805
Patch Status
Unpatched
Published
Feb 17, 2025
Affected Software
Mortgage Calculator / Loan Calculator
Researcher
More Details >

Newpost Catch <= 1.3.19 – Authenticated (Contributor+) Stored Cross-Site Scripting via npc Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1406
Patch Status
Unpatched
Published
Feb 20, 2025
Affected Software
Newpost Catch
Researcher
More Details >

Online Payments – Get Paid with PayPal, Square & Stripe <= 3.20.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-11895
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
Online Payments – Get Paid with PayPal, Square & Stripe
Researcher
More Details >

Open Hours – Easy Opening Hours <= 1.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-12813
Patch Status
Unpatched
Published
Feb 17, 2025
Affected Software
Open Hours – Easy Opening Hours
Researcher
More Details >

Responsive Flickr Slideshow <= 2.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13660
Patch Status
Patched
Published
Feb 18, 2025
Affected Software
Responsive Flickr Slideshow
Researcher
More Details >

Rife Elementor Extensions & Templates <= 1.2.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Writing Effect Headline Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13564
Patch Status
Patched
Published
Feb 21, 2025
Affected Software
Rife Elementor Extensions & Templates
Researcher
More Details >

Simple Charts <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13581
Patch Status
Unpatched
Published
Feb 17, 2025
Affected Software
Simple Charts
Researcher
More Details >

Simple Map No Api <= 1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13565
Patch Status
Unpatched
Published
Feb 17, 2025
Affected Software
Simple Map No Api
Researcher
More Details >

Simple Pricing Tables For WPBakery Page Builder(Formerly Visual Composer) <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13582
Patch Status
Unpatched
Published
Feb 17, 2025
Affected Software
Simple Pricing Tables For WPBakery Page Builder(Formerly Visual Composer)
Researcher
More Details >

Simplebooklet PDF Viewer and Embedder <= 1.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13588
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
Simplebooklet PDF Viewer and Embedder
Researcher
More Details >

Social Sharing Plugin – Social Warfare <= 4.5.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-26973
Patch Status
Unpatched
Published
Feb 19, 2025
Affected Software
Social Sharing Plugin – Social Warfare
Researcher
More Details >

Store Locator Widget <= 2025r1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13657
Patch Status
Patched
Published
Feb 18, 2025
Affected Software
Store Locator Widget
Researcher
More Details >

SVG Support <= 2.5.10 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-10222
Patch Status
Patched
Published
Feb 21, 2025
Affected Software
SVG Support
Researcher
More Details >

TCBD Tooltip <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13388
Patch Status
Unpatched
Published
Feb 20, 2025
Affected Software
TCBD Tooltip
Researcher
More Details >

Team Builder For WPBakery Page Builder(Formerly Visual Composer) <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13591
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
Team Builder For WPBakery Page Builder(Formerly Visual Composer)
Researcher
More Details >

Threepress <= 1.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13395
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
Threepress
Researcher
More Details >

Typed JS: A typewriter style animation <= 1.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via typespeed Parameter

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1328
Patch Status
Unpatched
Published
Feb 19, 2025
Affected Software
Typed JS: A typewriter style animation
Researcher
More Details >

UltraEmbed – Advanced Iframe Plugin For WordPress with Gutenberg Block Included <= 1.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-11335
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
UltraEmbed – Advanced Iframe Plugin For WordPress with Gutenberg Block Included
Researcher
More Details >

UMich OIDC Login <= 1.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-11753
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
UMich OIDC Login
Researcher
More Details >

Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.140 – Authenticated (Contributor+) Stored Cross-Site Scripting via Transparent Split Hero Widget

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13155
Patch Status
Patched
Published
Feb 19, 2025
Affected Software
Unlimited Elements For Elementor
Researcher
More Details >

User Private Files – File Upload & Download Manager with Secure File Sharing <= 2.1.3 – Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13799
Patch Status
Patched
Published
Feb 18, 2025
Affected Software
User Private Files – File Upload & Download Manager with Secure File Sharing
Researcher
More Details >

Visualizer: Tables and Charts Manager for WordPress <= 3.11.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via Import Data From File

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1065
Patch Status
Patched
Published
Feb 18, 2025
Affected Software
Visualizer: Tables and Charts Manager for WordPress
Researcher
More Details >

Web Stories Enhancer – Level Up Your Web Stories <= 1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13575
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
Web Stories Enhancer – Level Up Your Web Stories
Researcher
More Details >

Widget BUY.BOX <= 3.1.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13679
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
Widget BUY.BOX
Researcher
More Details >

Wonder Video Embed <= 2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13743
Patch Status
Patched
Published
Feb 18, 2025
Affected Software
Wonder Video Embed
Researcher
More Details >

WordPress Portfolio Builder – Portfolio Gallery <= 1.1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1757
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
WordPress Portfolio Builder – Portfolio Gallery
Researcher
More Details >

WP Wiki Tooltip <= 2.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13462
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
WP Wiki Tooltip
Researcher
More Details >

WP-Appbox <= 4.5.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via appbox Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-1489
Patch Status
Patched
Published
Feb 20, 2025
Affected Software
WP-Appbox
Researcher
More Details >

WP-Asambleas <= 2.85.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13579
Patch Status
Unpatched
Published
Feb 17, 2025
Affected Software
WP-Asambleas
Researcher
More Details >

WP-BibTeX <= 3.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13578
Patch Status
Unpatched
Published
Feb 17, 2025
Affected Software
WP-BibTeX
Researcher
More Details >

WP-FormAssembly <= 2.0.11 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13501
Patch Status
Unpatched
Published
Feb 17, 2025
Affected Software
WP-FormAssembly
Researcher
More Details >

Yay! Forms | Embed Custom Forms, Surveys, and Quizzes Easily <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-12522
Patch Status
Patched
Published
Feb 18, 2025
Affected Software
Yay! Forms
Researcher
More Details >

YouTube Playlists with Schema <= 2.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13589
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
YouTube Playlists with Schema
Researcher
More Details >

Zigaform – Form Builder Lite <= 7.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13573
Patch Status
Unpatched
Published
Feb 17, 2025
Affected Software
Zigaform – Form Builder Lite
Researcher
More Details >

Zigaform – Price Calculator & Cost Estimation Form Builder Lite <= 7.4.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13587
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
Zigaform – Price Calculator & Cost Estimation Form Builder Lite
Researcher
More Details >

Ziggeo <= 3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4
CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-12452
Patch Status
Patched
Published
Feb 20, 2025
Affected Software
Ziggeo
Researcher
More Details >

Uncode Core <= 2.9.1.6 – Authenticated (Subscriber+) Arbitrary Shortcode Execution in uncode_get_medias

6.3
CVSS Rating
Medium (6.3)
CVE-ID
CVE-2024-13689
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
Uncode Core
Researcher
More Details >

Accept Donations with PayPal & Stripe <= 1.4.4 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13728
Patch Status
Patched
Published
Feb 22, 2025
Affected Software
Accept Donations with PayPal & Stripe
Researcher
More Details >

Active Products Tables for WooCommerce. Use constructor to create tables <= 1.0.6.6 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-0864
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
Active Products Tables for WooCommerce. Use constructor to create tables 
Researcher
More Details >

Booking Package <= 1.6.72 – Reflected Cross-Site Scripting via Locale Parameter

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13508
Patch Status
Patched
Published
Feb 18, 2025
Affected Software
Booking Package
Researcher
More Details >

Countdown Timer <= 1.0 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13864
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
Countdown Timer
Researcher
More Details >

DeBounce Email Validator <= 5.6.6 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13339
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
DeBounce Email Validator
Researcher
More Details >

Digihood HTML Sitemap <= 3.1.1 – Reflected Cross-Site Scripting via ‘channel’

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-12339
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
Digihood HTML Sitemap
Researcher
More Details >

Lexicata <= 1.0.16 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-12069
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
Lexicata
Researcher
More Details >

magayo Lottery Results <= 2.0.12 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13522
Patch Status
Unpatched
Published
Feb 17, 2025
Affected Software
magayo Lottery Results
Researcher
More Details >

MemorialDay <= 1.0.4 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13523
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
MemorialDay
Researcher
More Details >

Pago por Redsys <= 1.0.12 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-12467
Patch Status
Patched
Published
Feb 21, 2025
Affected Software
Pago por Redsys
Researcher
More Details >

Pollin <= 1.01.1 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13711
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
Pollin
Researcher
More Details >

Pure Chat – Live Chat & More! <= 2.31 – Reflected Cross-Site Scripting via purechatWidgetName Parameter

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13736
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
Pure Chat – Live Chat & More!
Researcher
More Details >

Raptive Ads <= 3.6.3 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13363
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
Raptive Ads
Researcher
More Details >

Royal Elementor Addons and Templates <= 1.7.1007 – Cross-Site Request Forgery to Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-1441
Patch Status
Patched
Published
Feb 18, 2025
Affected Software
Royal Elementor Addons and Templates
Researcher
More Details >

s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions <= 241216 – Reflected Cross-Site Scripting

6.1
CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-11376
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions
Researcher
More Details >

1 Click WordPress Migration Plugin – 100% FREE for a limited time <= 2.1 – Unauthenticated Sensitive Information Exposure via Database Backup in class-ocm-backup.php

5.9
CVSS Rating
Medium (5.9)
CVE-ID
CVE-2024-13609
Patch Status
Unpatched
Published
Feb 17, 2025
Affected Software
1 Click WordPress Migration Plugin – 100% FREE for a limited time
Researcher
More Details >

Cookie Notice Bar <= 1.3.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

5.5
CVSS Rating
Medium (5.5)
CVE-ID
CVE-2024-13849
Patch Status
Unpatched
Published
Feb 19, 2025
Affected Software
Cookie Notice Bar
Researchers
More Details >

Reaction Buttons <= 2.1.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

5.5
CVSS Rating
Medium (5.5)
CVE-ID
CVE-2024-13848
Patch Status
Unpatched
Published
Feb 17, 2025
Affected Software
Reaction Buttons
Researcher
More Details >

ProfileGrid – User Profiles, Groups and Communities <= 5.9.4.2 – Authenticated (Subscriber+) Limited Server-Side Request Forgery

5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2024-13741
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
ProfileGrid – User Profiles, Groups and Communities
Researcher
More Details >

Uncode <= 2.9.1.6 – Authenticated (Subscriber+) Stored Cross-Site Scripting via mle-description

5.4
CVSS Rating
Medium (5.4)
CVE-ID
CVE-2024-13667
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
Uncode
Researcher
More Details >

1 Click WordPress Migration Plugin – 100% FREE for a limited time <= 2.1 – Cross-Site Request Forgery to Backup Process Cancellation

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13555
Patch Status
Unpatched
Published
Feb 17, 2025
Affected Software
1 Click WordPress Migration Plugin – 100% FREE for a limited time
Researcher
More Details >

Actionwear products sync <= 2.3.2 – Unauthenticated Full Patch Disclosure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13535
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
Actionwear products sync
Researcher
More Details >

BigBuy Dropshipping Connector for WooCommerce <= 1.9.19 – Unauthenticated Full Path Disclosute

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13538
Patch Status
Unpatched
Published
Feb 17, 2025
Affected Software
BigBuy Dropshipping Connector for WooCommerce
Researcher
More Details >

C9 Blocks <= 1.7.7 – Unauthenticated Full Path Disclosure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13537
Patch Status
Unpatched
Published
Feb 20, 2025
Affected Software
C9 Blocks
Researcher
More Details >

ElementsKit Elementor addons <= 3.4.0 – Unauthenticated Information Exposure via get_megamenu_content Function

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-0968
Patch Status
Patched
Published
Feb 18, 2025
Affected Software
ElementsKit Elementor addons
Researcher
More Details >

Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) <= 4.4.6 – Missing Authorization to Unauthenticated Price, Date, and Note Updates

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13520
Patch Status
Unpatched
Published
Feb 19, 2025
Affected Software
Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported)
Researcher
More Details >

LTL Freight Quotes – GlobalTranz Edition <= 2.3.12 – Missing Authorization to Unauthenticated Settings Update

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-1483
Patch Status
Patched
Published
Feb 19, 2025
Affected Software
LTL Freight Quotes – GlobalTranz Edition
Researcher
More Details >

MediCenter – Health Medical Clinic WordPress Theme <= 14.6 – Missing Authorization

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-27013
Patch Status
Patched
Published
Feb 18, 2025
Affected Software
MediCenter – Health Medical Clinic WordPress Theme
Researcher
More Details >

PeproDev Ultimate Invoice <= 2.0.8 – Insecure Direct Object Reference to Unauthenticated Order Information Exposure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13719
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
PeproDev Ultimate Invoice
Researcher
More Details >

Post Grid and Gutenberg Blocks – ComboBlocks <= 2.3.5 – Unauthenticated Paid Order Creation

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13798
Patch Status
Patched
Published
Feb 21, 2025
Affected Software
Post Grid and Gutenberg Blocks – ComboBlocks
Researcher
More Details >

Raptive Ads <= 3.6.3 – Missing Authorization to Unauthenticated Data/Settings Reset

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13364
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
Raptive Ads
Researcher
More Details >

Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction <= 3.8.3.9 – Sensitive Information Exposure via Log Files

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13818
Patch Status
Unpatched
Published
Feb 20, 2025
Affected Software
Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction
Researcher
More Details >

Scratch & Win – Giveaways and Contests <= 2.8.0 – Missing Authorization to Unauthenticated Coupon Creation

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13316
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more
Researcher
More Details >

Ultimate Member <= 2.9.2 – Authenticated SQL Injection

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-12276
Patch Status
Patched
Published
Feb 20, 2025
Affected Software
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Researcher
More Details >

WooODT Lite – Delivery & pickup date time location for WooCommerce <= 2.5.1 – Unauthenticated Full Path Dsiclosure

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13540
Patch Status
Unpatched
Published
Feb 17, 2025
Affected Software
WooODT Lite – Delivery & pickup date time location for WooCommerce
Researcher
More Details >

WordPress Portfolio Builder – Portfolio Gallery <= 1.1.7 – Missing Authorization to Unauthenticated Portfolio Update

5.3
CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13231
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
WordPress Portfolio Builder – Portfolio Gallery
Researcher
More Details >

Indeed Ultimate Learning Pro <= 3.9 – Authenticated (Administrator+) SQL Injection via post_id Parameter

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2024-13846
Patch Status
Patched
Published
Feb 20, 2025
Affected Software
Indeed Ultimate Learning Pro
Researcher
More Details >

Pollin <= 1.01.1 – Authenticated (Admin+) SQL Injection

4.9
CVSS Rating
Medium (4.9)
CVE-ID
CVE-2024-13712
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
Pollin
Researcher
More Details >

WPO365 | MICROSOFT 365 GRAPH MAILER <= 3.2 – Open Redirect via ‘redirect_to’ Parameter

4.7
CVSS Rating
Medium (4.7)
CVE-ID
CVE-2025-1488
Patch Status
Patched
Published
Feb 23, 2025
Affected Software
WPO365 | MICROSOFT 365 GRAPH MAILER
Researcher
More Details >

Ultimate Classified Listings <= 1.4 Authenticated (Administrator+) Stored Cross-Site Scripting via Title Parameter

4.4
CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-13748
Patch Status
Patched
Published
Feb 19, 2025
Affected Software
Ultimate Classified Listings
Researcher
More Details >

Apptivo Business Site CRM <= 5.3 – Cross-Site Request Forgery to IP Address Block

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13405
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
Apptivo Business Site CRM
Researcher
More Details >

Disable Auto Updates <= 1.4 – Cross-Site Request Forgery to Auto-update Disable

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13336
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
Disable Auto Updates
Researcher
More Details >

Ecwid by Lightspeed Ecommerce Shopping Cart <= 6.12.27 – Cross-Site Request Forgery to Send Deactivation Message

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13795
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
Ecwid by Lightspeed Ecommerce Shopping Cart
Researcher
More Details >

Education Addon for Elementor <= 1.3.1 – Authenticated (Contributor+) Insecure Direct Object Reference via naedu_elementor_template Shortcode

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13854
Patch Status
Unpatched
Published
Feb 18, 2025
Affected Software
Education Addon for Elementor
Researcher
More Details >

Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later <= 1.2.26 – Cross-Site Request Forgery to Wishlist Creation/Modification

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13718
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later
Researcher
More Details >

FormCraft <= 3.9.11 – Missing Authorization to Plugin Data Export in formcraft-main.php

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13783
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
FormCraft
Researcher
More Details >

Mortgage Lead Capture System <= 8.2.10 – Cross-Site Request Forgery to Settings Reset

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-0796
Patch Status
Unpatched
Published
Feb 17, 2025
Affected Software
Mortgage Lead Capture System
Researcher
More Details >

Prime Addons for Elementor <= 2.0.1 – Authenticated (Contributor+) Insecure Direct Object Reference via pae_global_block Shortcode

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13855
Patch Status
Unpatched
Published
Feb 19, 2025
Affected Software
Prime Addons for Elementor
Researcher
More Details >

ProfileGrid – User Profiles, Groups and Communities <= 5.9.4.2 – Insecure Direct Object Reference to Authenticated (Subscriber+) Private Messages Disclosure

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13740
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
ProfileGrid – User Profiles, Groups and Communities
Researcher
More Details >

SpeedSize Image & Video AI-Optimizer <= 1.5.1 – Cross-Site Request Forgery to Clear Cache

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13438
Patch Status
Patched
Published
Feb 17, 2025
Affected Software
SpeedSize Image & Video AI-Optimizer
Researcher
More Details >

Team Builder – Meet the Team <= 1.3 – Missing Authorization to Authenticated (Subscriber+) Settings Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13687
Patch Status
Unpatched
Published
Feb 17, 2025
Affected Software
Team Builder – Meet the Team
Researcher
More Details >

WP Job Portal <= 2.2.8 – Insecure Direct Object Reference to Authenticated (Subscriber+) User Photo Disconnection

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13873
Patch Status
Patched
Published
Feb 21, 2025
Affected Software
WP Job Portal – A Complete Recruitment System for Company or Job Board website
Researcher
More Details >

WPUpper Share Buttons <= 3.51 – Cross-Site Request Forgery to Custom CSS Update

4.3
CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13883
Patch Status
Unpatched
Published
Feb 20, 2025
Affected Software
WPUpper Share Buttons
Researcher
More Details >

Head, Footer and Post Injections <= 3.3.0 – Authenticated (Administrator+) PHP Code Injection in Multisite Environments

4.1
CVSS Rating
Medium (4.1)
CVE-ID
CVE-2024-13900
Patch Status
Patched
Published
Feb 20, 2025
Affected Software
Head, Footer and Post Injections
Researcher
More Details >

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (February 17, 2025 to February 23, 2025) appeared first on Wordfence.

Leave a Comment