Wordfence Intelligence Weekly WordPress Vulnerability Report (January 27, 2025 to February 2, 2025)


📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.


Last week, 150 vulnerabilities disclosed in 133 WordPress plugins and 1 WordPress theme were added to the Wordfence Intelligence Vulnerability Database, and 57 vulnerability researchers contributed to WordPress security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the vulnerability database API to receive a complete dump of our database of over 22,000 vulnerabilities and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

  • WAF-RULE-805 – Data redacted while we work with the vendor on a patch.
  • WAF-RULE-806 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Patched 85
Unpatched 65

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Medium Severity 118
High Severity 27
Critical Severity 5

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 64
Missing Authorization 28
Cross-Site Request Forgery (CSRF) 18
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 9
Authorization Bypass Through User-Controlled Key 5
Improper Control of Generation of Code (‘Code Injection’) 4
Exposure of Sensitive Information to an Unauthorized Actor 3
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 3
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 3
Server-Side Request Forgery (SSRF) 3
Exposure of Private Personal Information to an Unauthorized Actor 2
External Control of File Name or Path 2
Improper Authorization 2
Deserialization of Untrusted Data 1
Improper Access Control 1
Improper Privilege Management 1
Unrestricted Upload of File with Dangerous Type 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
SOPROBRO 16
Peter Thaleikis 14
Abdi Pranata 8
zaim 7
Lucio Sá 7
Rafie Muhammad 6
Tim Coen 5
thevietronin 5
Nishiv 4
Trương Hữu Phúc (truonghuuphuc) 4
Colin Xu 4
zakaria 4
vgo0 4
theviper17y 3
Hassan Khan Yusufzai – Splint3r7 3
stealthcopter 3
Webbernaut 3
mikemyers 3
Francesco Carlucci 3
Ankit Patel 2
Aiden (Thái An) 2
johska 2
Krzysztof Zając 2
yudha 2
Tieu Pham Trong Nhan 2
Tonn 2
zer0gh0st 2
Arkadiusz Hydzik 1
Whit Taylor 1
shaman0x01 1
Pham Van Tam 1
Bassem Essam 1
João G. Barbosa (4rCanJ0x!) 1
omstaendlig 1
Steven Pereira aka Cursed 1
Muktanand Kale aka Muktimantras 1
0xd4rk5id3 1
Francisco Alisson 1
incognito 1
Nguyễn Trung Kiên 1
rcl25 1
João Pedro Soares de Alcântara 1
thiennv 1
Stiofan 1
Ananda Dhakal 1
István Márton 1
abrahack 1
Fariq Fadillah Gusti Insani (fariqfgi) 1
Max Boll (_b0lli) 1
SavPhill (Savphill) 1
1337_Wannabe 1
Thanh Nam Tran 1
Caesar Evan Santoso 1
Dimas Maulana 1
Le Ngoc Anh 1
Khalid Yusuf 1
Asaf Mozes 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
Ai Image Alt Text Generator for WP ai-image-alt-text-generator-for-wp
AI Infographic Maker infographic-and-list-builder-ilist
Alex Reservations: Smart Restaurant Booking alex-reservations
All Bootstrap Blocks all-bootstrap-blocks
AnimateGL Animations for WordPress – Elementor & Gutenberg Blocks Animations animategl
aThemes Addons for Elementor athemes-addons-for-elementor-lite
Automatically Hierarchic Categories in Menu automatically-hierarchic-categories-in-menu
Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss bp-better-messages
Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg borderless
CF7 Google Sheets Connector cf7-google-sheets-connector
ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages clickwhale
Clinked Client Portal clinked-client-portal
Contact Form & SMTP Plugin for WordPress by PirateForms pirate-forms
Contact Form and Calls To Action by vcita lead-capturing-call-to-actions-by-vcita
Content Cloner super-seo-content-cloner
CP Contact Form with PayPal cp-contact-form-with-paypal
Custom Login Page Styler – Limit Login Attempts – Restrict Content With Login – Redirect After Login – Change Login URL – Sign in , Sign out login-page-styler
Custom Related Posts custom-related-posts
Designer – Elementor Addons designer
DigiTimber cPanel Integration digitimber-cpanel-integration
Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings directorist
Divi Torque Lite addons-for-divi
Document Block – Upload & Embed Docs, PDF, PPT, XLS or Any Documents document
Drag and Drop Multiple File Upload for Contact Form 7 drag-and-drop-multiple-file-upload-contact-form-7
Dynamic URL SEO dynamic-url-seo
ECPay Ecommerce for WooCommerce ecpay-ecommerce-for-woocommerce
eHive Objects Image Grid ehive-objects-image-grid
Elementor Website Builder Pro elementor-pro
ElementsKit Pro elementskit
ELEX WordPress HelpDesk & Customer Ticketing System elex-helpdesk-customer-support-ticket-system
Embed Swagger UI embed-swagger-ui
EthereumICO ethereumico
Event Tickets and Registration event-tickets
Eventer – WordPress Event & Booking Manager Plugin eventer
Fare Calculator fare-calculator
FlashCounter flashcounter
Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later flexible-wishlist
Food Menu – Restaurant Menu & Online Ordering for WooCommerce tlp-food-menu
Forge – Front-End Page Builder forge
Forminator Forms – Contact Form, Payment Form & Custom Form Builder forminator
Frictionless frictionless
Full Circle full-circle
Gosign – Posts Slider Block gosign-posts-slider-block
Gwolle Guestbook gwolle-gb
Hesabfa Accounting hesabfa-accounting
Hide Shipping Method For WooCommerce hide-shipping-method-for-woocommerce
HT Event – WordPress Event Manager Plugin for Elementor ht-event
HTML5 chat html5-chat
iControlWP worpit-admin-dashboard-plugin
Import and export users and customers import-users-from-csv-with-meta
Internal Link Builder internal-link-builder
Issuu Panel issuu-panel
Jupiter X Core jupiterx-core
Kona Gallery Block kona-instagram-feed-for-gutenberg
Link Fixer permalink-finder
Live2DWebCanvas live-2d
MagicForm magicform
MailUp Auto Subscription mailup-auto-subscribtion
Media Manager for UserPro userpro-mediamanager
Meta Tag Manager meta-tag-manager
Morkva UA Shipping morkva-ua-shipping
MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar mp3-music-player-by-sonaar
MultiLoca – WooCommerce Multi Locations Inventory Management WooCommerce-Multi-Locations-Inventory-Management
MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution dc-woocommerce-multi-vendor
Music Sheet Viewer music-sheet-viewer
MWB HubSpot for WooCommerce – CRM, Abandoned Cart, Email Marketing, Marketing Automation & Analytics makewebbetter-hubspot-for-woocommerce
Ni Sales Commission For WooCommerce ni-woo-sales-commission
Ninja Forms – The Contact Form Builder That Grows With You ninja-forms
Nirweb support nirweb-support
NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar notificationx
Order Export for WooCommerce order-export-and-more-for-woocommerce
Oshine Modules oshine-modules
OWL Carousel Slider wp-touch-slider
Philantro – Donations and Donor Management philantro
Photo Gallery – GT3 Image Gallery & Gutenberg Block Gallery gt3-photo-video-gallery
Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons contest-gallery
Post Carousel Slider post-carousel-slider
Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) buddyforms
Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget post-grid-carousel-ultimate
RapidLoad – Optimize Web Vitals Automatically unusedcss
Responsive Blocks – WordPress Gutenberg Blocks responsive-block-editor-addons
Royal Core royal-core
Safe Ai Malware Protection for WP safe-ai-malware-protection-for-wp
Scroll Styler scroll-styler
SeatReg seatreg
Shared Files – Frontend File Upload Form & Secure File Sharing shared-files
Shortcodes and extra features for Phlox theme auxin-elements
Simple:Press Forum simplepress
Single-user-chat single-user-chat
Site Search 360 site-search-360
StageShow stageshow
Starter Templates by FancyWP starter-templates
Stockdio Historical Chart stockdio-historical-chart
Stratum – Elementor Widgets stratum
System Dashboard system-dashboard
Table Editor wp-table-editor
Tags to Keywords tags-to-meta-keywords
Target Video Easy Publish brid-video-easy-publish
Team Rosters team-rosters
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce the-plus-addons-for-elementor-page-builder
ThemeREX Addons trx_addons
Ticketmeo – Sell Tickets – Event Ticketing ploxel
Track Logins track-logins
Traveler Code traveler-code
Traveler Layout Essential For Elementor traveler-layout-essential-for-elementor
Tube Video Ads Lite tube-video-ads-lite
Typer Core typer-core
Unlimited Page Sidebars unlimited-page-sidebars
VR-Frases (collect & share quotes) vr-frases
W2S – Migrate WooCommerce to Shopify w2s-migrate-woo-to-shopify
WE – Testimonial Slider we-testimonial-slider
Wise Forms wise-forms
Wonder FontAwesome wonder-fontawesome
WooCommerce Customers Manager woocommerce-customers-manager
WooCommerce Product Table Lite wc-product-table-lite
WooCommerce Support Ticket System woocommerce-support-ticket-system
WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features) smart-wishlist-for-more-convert
WordPress Contact Forms by Cimatti contact-forms
WordPress Signature wordpress-signature
WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress wp-survey-and-poll
WP BASE Booking of Appointments, Services and Events wp-base-booking-of-appointments-services-and-events
WP DataTable wp-datatable
WP Dispensary wp-dispensary
WP Dynamics CRM for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms cf7-dynamics-crm
WP Image Uploader wp-image-uploader
WP Job Board wpjobboard
WP Job Portal – A Complete Recruitment System for Company or Job Board website wp-job-portal
WP Post List Table wp-post-list-table
WP Sessions Time Monitoring Full Automatic activitytime
WP Travel – Ultimate Travel Booking System, Tour Management Engine wp-travel
WPRadio – WordPress Radio Streaming Plugin wpradio
WS Form LITE – Drag & Drop Contact Form Builder for WordPress ws-form
zStore Manager Basic zstore-manager-basic

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
Storely storely

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

iControlWP – Multiple WordPress Site Manager <= 4.4.5 – Unauthenticated PHP Object Injection
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-13742
Patch Status: Patched
Published: Jan 30, 2025
Affected Software: iControlWP
Researcher: Krzysztof Zając

Media Manager for UserPro <= 3.12.0 – Missing Authorization to Unauthenticated Arbitrary Options Update
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-12822
Patch Status: Unpatched
Published: Jan 30, 2025
Affected Software: Media Manager for UserPro
Researcher: Lucio Sá

Morkva UA Shipping <= 1.0.18 – Unauthenticated Local File Inclusion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-24685
Patch Status: Patched
Published: Jan 27, 2025
Affected Software: Morkva UA Shipping
Researcher: Dimas Maulana

MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution <= 4.2.14 – Unauthenticated Limited Local File Inclusion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-0493
Patch Status: Patched
Published: Jan 30, 2025
Affected Software: MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Researcher: mikemyers

ThemeREX Addons <= 2.32.3 – Unauthenticated Arbitrary File Upload in trx_addons_uploads_save_data
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-13448
Patch Status: Patched
Published: Jan 27, 2025
Affected Software: ThemeREX Addons
Researcher: Tonn

ELEX WordPress HelpDesk & Customer Ticketing System <= 3.2.6 – Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-12171
Patch Status: Patched
Published: Jan 31, 2025
Affected Software: ELEX WordPress HelpDesk & Customer Ticketing System
Researcher: Thanh Nam Tran

Jupiter X Core <= 4.8.7 – Authenticated (Contributor+) SVG Upload to Local File Inclusion (Remote Code Execution)
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-0366
Patch Status: Patched
Published: Jan 31, 2025
Affected Software: Jupiter X Core
Researcher: stealthcopter

Media Manager for UserPro <= 3.12.0 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-12821
Patch Status: Unpatched
Published: Jan 30, 2025
Affected Software: Media Manager for UserPro
Researcher: Lucio Sá

MWB HubSpot for WooCommerce – CRM, Abandoned Cart, Email Marketing, Marketing Automation & Analytics <= 1.5.9 – Missing Authorization to Authenticated (Contributor+) Arbitrary Options Update
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-10591
Patch Status: Patched
Published: Jan 30, 2025
Affected Software: MWB HubSpot for WooCommerce – CRM, Abandoned Cart, Email Marketing, Marketing Automation & Analytics
Researcher: 1337_Wannabe

Post Grid, Slider & Carousel Ultimate <= 1.6.10 – Authenticated (Contributor+) Local File Inclusion
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-24782
Patch Status: Patched
Published: Jan 27, 2025
Affected Software: Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget
Researcher: João Pedro Soares de Alcântara

Royal Core <= 2.9.2 – Authenticated (Subscriber+) Arbitrary Options Update
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-12129
Patch Status: Unpatched
Published: Jan 30, 2025
Affected Software: Royal Core
Researcher: Tonn

WooCommerce Customers Manager <= 31.3 – Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-13343
Patch Status: Patched
Published: Jan 31, 2025
Affected Software: WooCommerce Customers Manager
Researcher: Aiden (Thái An)

WP Image Uploader <= 1.0.1 – Cross-Site Request Forgery to Arbitrary File Deletion
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-13707
Patch Status: Unpatched
Published: Jan 29, 2025
Affected Software: WP Image Uploader
Researcher: Colin Xu

WP Image Uploader <= 1.0.1 – Missing Authorization to Authenticated (Subscriber+) Arbitrary File Deletion
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-13720
Patch Status: Unpatched
Published: Jan 29, 2025
Affected Software: WP Image Uploader
Researcher: Colin Xu

Live2DWebCanvas <= 1.9.11 – Authenticated (Subscriber+) Arbitrary File Deletion
CVSS Rating: High (8.1)
CVE-ID: CVE-2024-13767
Patch Status: Unpatched
Published: Jan 30, 2025
Affected Software: Live2DWebCanvas
Researcher: Lucio Sá

Single-user-chat <= 0.5 – Authenticated (Subscriber+) Limited Options Update
CVSS Rating: High (8.1)
CVE-ID: CVE-2024-13646
Patch Status: Unpatched
Published: Jan 30, 2025
Affected Software: Single-user-chat
Researcher: Colin Xu

Eventer <= 3.9.8 – Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2024-11135
Patch Status: Patched
Published: Jan 27, 2025
Affected Software: Eventer – WordPress Event & Booking Manager Plugin
Researcher: István Márton

Music Sheet Viewer <= 4.1 – Unauthenticated Arbitrary File Read
CVSS Rating: High (7.5)
CVE-ID: CVE-2024-13671
Patch Status: Unpatched
Published: Jan 30, 2025
Affected Software: Music Sheet Viewer
Researcher: Peter Thaleikis

Safe Ai Malware Protection for WP <= 1.0.17 – Missing Authorization to Unauthenticated Database Export
CVSS Rating: High (7.5)
CVE-ID: CVE-2024-12269
Patch Status: Unpatched
Published: Jan 30, 2025
Affected Software: Safe Ai Malware Protection for WP
Researcher: Tieu Pham Trong Nhan

Traveler Code <= 3.1.0 – Unauthenticated Arbitrary SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-22699
Patch Status: Unpatched
Published: Jan 31, 2025
Affected Software: Traveler Code
Researcher: Rafie Muhammad

WooCommerce Wishlist <= 1.8.7 – Unauthenticated Wishlist Disclosure via download_pdf_file Function
CVSS Rating: High (7.5)
CVE-ID: CVE-2024-13694
Patch Status: Patched
Published: Jan 29, 2025
Affected Software: WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features)
Researcher: Tim Coen

Contact Form & SMTP Plugin for WordPress by PirateForms <= 2.6.0 – Unauthenticated Arbitrary Shortcode Execution
CVSS Rating: High (7.3)
CVE-ID: CVE-2024-13453
Patch Status: Patched
Published: Jan 29, 2025
Affected Software: Contact Form & SMTP Plugin for WordPress by PirateForms
Researcher: mikemyers

WooCommerce Product Table Lite <= 3.9.4 – Unauthenticated Arbitrary Shortcode Execution & Reflected Cross-Site Scripting
CVSS Rating: High (7.3)
CVE-ID: CVE-2024-13472
Patch Status: Patched
Published: Jan 30, 2025
Affected Software: WooCommerce Product Table Lite
Researcher: mikemyers

Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg <= 1.5.9 – Authenticated (Administrator+) Remote Code Execution
CVSS Rating: High (7.2)
CVE-ID: CVE-2024-11600
Patch Status: Unpatched
Published: Jan 30, 2025
Affected Software: Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg
Researchers: Nguyễn Trung Kiên, Trương Hữu Phúc (truonghuuphuc)

Flexible Wishlist for WooCommerce <= 1.2.25 – Unauthenticated Stored Cross-Site Scripting via wishlist_name Parameter
CVSS Rating: High (7.2)
CVE-ID: CVE-2024-13696
Patch Status: Patched
Published: Jan 28, 2025
Affected Software: Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later
Researcher: Tim Coen

Link Fixer <= 3.4 – Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-0809
Patch Status: Unpatched
Published: Jan 30, 2025
Affected Software: Link Fixer
Researcher: omstaendlig

Oshine Modules < 3.3.8 – Unauthenticated Server-Side Request Forgery
CVSS Rating: High (7.2)
CVE-ID: CVE-2024-44055
Patch Status: Patched
Published: Jan 27, 2025
Affected Software: Oshine Modules
Researcher: Rafie Muhammad

Shared Files – Frontend File Upload Form & Secure File Sharing <= 1.7.42 – Limited Unauthenticated Stored Cross-Site Scripting via File Upload
CVSS Rating: High (7.2)
CVE-ID: CVE-2024-13504
Patch Status: Patched
Published: Jan 30, 2025
Affected Software: Shared Files – Frontend File Upload Form & Secure File Sharing
Researcher: Tim Coen

Traveler Layout Essential For Elementor <= 1.0.8 – Unauthenticated Server-Side Request Forgery
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-22701
Patch Status: Unpatched
Published: Jan 31, 2025
Affected Software: Traveler Layout Essential For Elementor
Researcher: Rafie Muhammad

Wise Forms <= 1.2.0 – Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2)
CVE-ID: CVE-2024-13603
Patch Status: Unpatched
Published: Jan 27, 2025
Affected Software: Wise Forms
Researchers: Steven Pereira aka Cursed, Muktanand Kale aka Muktimantras

WP BASE Booking <= 5.0.0 – Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-22684
Patch Status: Patched
Published: Jan 31, 2025
Affected Software: WP BASE Booking of Appointments, Services and Events
Researcher: Abdi Pranata

WS Form LITE – Drag & Drop Contact Form Builder for WordPress <= 1.10.13 – Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2)
CVE-ID: CVE-2024-13509
Patch Status: Patched
Published: Jan 27, 2025
Affected Software: WS Form LITE – Drag & Drop Contact Form Builder for WordPress
Researcher: Tim Coen

AI Infographic Maker <= 4.9.0 – Unauthenticated Arbitrary Shortcode Execution
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-12415
Patch Status: Patched
Published: Jan 30, 2025
Affected Software: AI Infographic Maker
Researcher: Arkadiusz Hydzik

Contest Gallery <= 25.1.0 – Authenticated (Author+) SQL Injection
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2025-22693
Patch Status: Patched
Published: Jan 31, 2025
Affected Software: Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons
Researcher: Trương Hữu Phúc (truonghuuphuc)

CP Contact Form with PayPal <= 1.3.52 – Cross-Site Request Forgery
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-13758
Patch Status: Patched
Published: Jan 29, 2025
Affected Software: CP Contact Form with PayPal
Researcher: Krzysztof Zając

Jupiterx Core <= 4.8.7 – Authenticated (Contributor+) Arbitrary File Read
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2025-0365
Patch Status: Patched
Published: Jan 31, 2025
Affected Software: Jupiter X Core
Researcher: stealthcopter

MultiLoca – WooCommerce Multi Locations Inventory Management <= 4.1.11 – Authenticated (Subscriber+) SQL Injection
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-13341
Patch Status: Patched
Published: Jan 31, 2025
Affected Software: MultiLoca – WooCommerce Multi Locations Inventory Management
Researcher: Aiden (Thái An)

Traveler Code <= 3.1.0 – Authenticated (Subscriber+) SQL Injection
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2025-22700
Patch Status: Unpatched
Published: Jan 31, 2025
Affected Software: Traveler Code
Researcher: Rafie Muhammad

W2S – Migrate WooCommerce to Shopify <= 1.2.1 – Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-12861
Patch Status: Patched
Published: Jan 29, 2025
Affected Software: W2S – Migrate WooCommerce to Shopify
Researcher: Stiofan

WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress <= 1.7.5 – Authenticated (Contributor+) SQL Injection
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-13596
Patch Status: Unpatched
Published: Jan 30, 2025
Affected Software: WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress
Researcher: Peter Thaleikis

WP Travel <= 10.1.0 – Authenticated (Author+) SQL Injection
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2025-22691
Patch Status: Unpatched
Published: Jan 31, 2025
Affected Software: WP Travel – Ultimate Travel Booking System, Tour Management Engine
Researcher: Trương Hữu Phúc (truonghuuphuc)

Alex Reservations: Smart Restaurant Booking <= 2.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-13380
Patch Status: Patched
Published: Jan 29, 2025
Affected Software: Alex Reservations: Smart Restaurant Booking
Researcher: zakaria

All Bootstrap Blocks <= 1.3.26 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-13549
Patch Status: Patched
Published: Jan 29, 2025
Affected Software: All Bootstrap Blocks
Researcher: Nishiv

aThemes Addons for Elementor <= 1.0.12 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-13547
Patch Status: Patched
Published: Jan 31, 2025
Affected Software: aThemes Addons for Elementor
Researcher: Nishiv

Automatically Hierarchic Categories in Menu <= 2.0.7 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-13466
Patch Status: Patched
Published: Jan 30, 2025
Affected Software: Automatically Hierarchic Categories in Menu
Researcher: zaim

Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.6.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-13612
Patch Status: Patched
Published: Jan 31, 2025
Affected Software: Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss
Researcher: Bassem Essam

ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages <= 2.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-0804
Patch Status: Patched
Published: Jan 28, 2025
Affected Software: ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages
Researcher: SOPROBRO

Clinked Client Portal <= 1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-12524
Patch Status: Patched
Published: Jan 29, 2025
Affected Software: Clinked Client Portal
Researcher: Peter Thaleikis

Contact Form and Calls To Action by vcita <= 2.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-11886
Patch Status: Unpatched
Published: Jan 30, 2025
Affected Software: Contact Form and Calls To Action by vcita
Researcher: yudha

Designer <= 1.6.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-23987
Patch Status: Unpatched
Published: Jan 27, 2025
Affected Software: Designer – Elementor Addons
Researcher: Khalid Yusuf

Divi Torque Lite <= 4.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-0353
Patch Status: Patched
Published: Jan 28, 2025
Affected Software: Divi Torque Lite
Researcher: Webbernaut

eHive Objects Image Grid <= 2.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-13662
Patch Status: Patched
Published: Jan 30, 2025
Affected Software: eHive Objects Image Grid
Researcher: Peter Thaleikis

ElementsKit Pro <= 3.7.8 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via url Parameter
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-0321
Patch Status: Patched
Published: Jan 27, 2025
Affected Software: ElementsKit Pro
Researcher: Webbernaut

Embed Swagger UI <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-13700
Patch Status: Unpatched
Published: Jan 29, 2025
Affected Software: Embed Swagger UI
Researcher: SOPROBRO

EthereumICO <= 2.4.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via ethereum-ico Shortcode
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-12921
Patch Status: Patched
Published: Jan 29, 2025
Affected Software: EthereumICO
Researcher: zaim

Frictionless <= 0.0.23 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-13396
Patch Status: Unpatched
Published: Jan 30, 2025
Affected Software: Frictionless
Researcher: zakaria

Frontend Content Forms for User Submissions (UGC) <= 2.8.13 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-12037
Patch Status: Patched
Published: Jan 30, 2025
Affected Software: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC)
Researcher: Max Boll (_b0lli)

Gosign – Posts Slider Block <= 1.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-13399
Patch Status: Unpatched
Published: Jan 30, 2025
Affected Software: Gosign – Posts Slider Block
Researcher: Nishiv

HTML5 chat <= 1.04 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-12451
Patch Status: Unpatched
Published: Jan 30, 2025
Affected Software: HTML5 chat
Researcher: Peter Thaleikis

Kona Gallery Block <= 1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-13400
Patch Status: Unpatched
Published: Jan 30, 2025
Affected Software: Kona Gallery Block
Researcher: Nishiv

MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar <= 5.9.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Podcast RSS Feed
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-13157
Patch Status: Patched
Published: Jan 30, 2025
Affected Software: MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar
Researcher: Webbernaut

Music Sheet Viewer <= 4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-13670
Patch Status: Unpatched
Published: Jan 30, 2025
Affected Software: Music Sheet Viewer
Researcher: Peter Thaleikis

Ninja Forms – The Contact Form Builder That Grows With You <= 3.8.24 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-13470
Patch Status: Patched
Published: Jan 29, 2025
Affected Software: Ninja Forms – The Contact Form Builder That Grows With You
Researcher: Peter Thaleikis

NotificationX <= 2.9.5 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-22683
Patch Status: Patched
Published: Jan 31, 2025
Affected Software: NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar
Researcher: Peter Thaleikis

Philantro – Donations and Donor Management <= 5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via donate Shortcode

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13527
Patch Status
Patched
Published
Jan 27, 2025

Affected Software
Philantro – Donations and Donor Management
Researcher

SOPROBRO

Responsive Blocks – WordPress Gutenberg Blocks <= 1.9.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via section_tag Parameter

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13732
Patch Status
Patched
Published
Jan 29, 2025

Affected Software
Responsive Blocks – WordPress Gutenberg Blocks
Researcher

zaim

Responsive Blocks <= 1.9.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-22697
Patch Status
Patched
Published
Jan 31, 2025

Affected Software
Responsive Blocks – WordPress Gutenberg Blocks
Researcher

João G. Barbosa (4rCanJ0x!)

SeatReg <= 1.56.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13463
Patch Status
Patched
Published
Jan 30, 2025

Affected Software
SeatReg
Researcher

zakaria

Site Search 360 <= 2.1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-11780
Patch Status
Patched
Published
Jan 31, 2025

Affected Software
Site Search 360
Researcher

zaim

Stockdio Historical Chart <= 2.8.18 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13349
Patch Status
Patched
Published
Jan 30, 2025

Affected Software
Stockdio Historical Chart
Researcher

zaim

Storely <= 16.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-10847
Patch Status
Unpatched
Published
Jan 30, 2025

Affected Software
Storely
Researcher

stealthcopter

Stratum – Elementor Widgets <= 1.4.7 – Authenticated (Contributor+) Stored Cross-Site Scripting Vulnerability via Image Hotspot Widget

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13642
Patch Status
Patched
Published
Jan 29, 2025

Affected Software
Stratum – Elementor Widgets
Researcher

zer0gh0st

Table Editor <= 1.5.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13661
Patch Status
Patched
Published
Jan 30, 2025

Affected Software
Table Editor
Researcher

Peter Thaleikis

Target Video Easy Publish <= 3.8.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via brid_override_yt Shortcode

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13561
Patch Status
Patched
Published
Jan 28, 2025

Affected Software
Target Video Easy Publish
Researcher

SOPROBRO

The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-11829
Patch Status
Patched
Published
Jan 31, 2025

Affected Software
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce
Researcher

zer0gh0st

Ticketmeo – Sell Tickets – Event Ticketing <= 2.3.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-0507
Patch Status
Patched
Published
Jan 30, 2025

Affected Software
Ticketmeo – Sell Tickets – Event Ticketing
Researcher

SOPROBRO

WE – Testimonial Slider <= 1.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13460
Patch Status
Unpatched
Published
Jan 30, 2025

Affected Software
WE – Testimonial Slider
Researcher

SOPROBRO

WP DataTable <= 0.2.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13566
Patch Status
Patched
Published
Jan 30, 2025

Affected Software
WP DataTable
Researcher

zaim

WP Dispensary <= 4.5.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-12444
Patch Status
Unpatched
Published
Jan 30, 2025

Affected Software
WP Dispensary
Researcher

zaim

WP Post List Table <= 1.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13664
Patch Status
Patched
Published
Jan 29, 2025

Affected Software
WP Post List Table
Researcher

Peter Thaleikis

WPRadio – WordPress Radio Streaming Plugin <= 1.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13397
Patch Status
Unpatched
Published
Jan 30, 2025

Affected Software
WPRadio – WordPress Radio Streaming Plugin
Researcher

zakaria

MagicForm – WordPress Form Builder <= 1.6.2 – Missing Authorization

6.3

CVSS Rating
Medium (6.3)
CVE-ID
CVE-2025-0939
Patch Status
Unpatched
Published
Jan 31, 2025

Affected Software
MagicForm
Researcher

Lucio Sá

Ai Image Alt Text Generator for WP <= 1.0.6 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-12177
Patch Status
Patched
Published
Jan 30, 2025

Affected Software
Ai Image Alt Text Generator for WP
Researcher

vgo0

DigiTimber cPanel Integration <= 1.4.6 – Cross-Site Request Forgery to Stored Cross-site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-22690
Patch Status
Patched
Published
Jan 31, 2025

Affected Software
DigiTimber cPanel Integration
Researcher

Abdi Pranata

Fare Calculator <= 1.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23982
Patch Status
Unpatched
Published
Jan 27, 2025

Affected Software
Fare Calculator
Researcher

SOPROBRO

FlashCounter <= 1.1.8 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23978
Patch Status
Unpatched
Published
Jan 27, 2025

Affected Software
FlashCounter
Researcher

SOPROBRO

Forge – Front-End Page Builder <= 1.4.6 – Cross-Site Request Forgery to Stored Cross-site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-22703
Patch Status
Unpatched
Published
Jan 31, 2025

Affected Software
Forge – Front-End Page Builder
Researcher

Abdi Pranata

Forminator <= 1.38.2 – Reflected Cross-Site Scripting via Title Parameter

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-0470
Patch Status
Patched
Published
Jan 30, 2025

Affected Software
Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Researcher

Asaf Mozes

Full Circle <= 0.5.7.8 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23980
Patch Status
Unpatched
Published
Jan 27, 2025

Affected Software
Full Circle
Researcher

SOPROBRO

Gwolle Guestbook <= 4.7.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-24710
Patch Status
Patched
Published
Jan 31, 2025

Affected Software
Gwolle Guestbook
Researcher

Peter Thaleikis

Hesabfa Accounting <= 2.1.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-22682
Patch Status
Patched
Published
Jan 31, 2025

Affected Software
Hesabfa Accounting
Researcher

0xd4rk5id3

Internal Link Builder <= 1.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23989
Patch Status
Unpatched
Published
Jan 27, 2025

Affected Software
Internal Link Builder
Researcher

SOPROBRO

Issuu Panel <= 2.1.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23976
Patch Status
Unpatched
Published
Jan 27, 2025

Affected Software
Issuu Panel
Researcher

SOPROBRO

MailUp Auto Subscription <= 1.1.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13521
Patch Status
Patched
Published
Jan 27, 2025

Affected Software
MailUp Auto Subscription
Researcher

SOPROBRO

Photo Gallery – GT3 Image Gallery & Gutenberg Block Gallery <= 2.7.7.24 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-24707
Patch Status
Patched
Published
Jan 31, 2025

Affected Software
Photo Gallery – GT3 Image Gallery & Gutenberg Block Gallery
Researcher

Peter Thaleikis

Post Carousel Slider <= 2.0.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23977
Patch Status
Unpatched
Published
Jan 27, 2025

Affected Software
Post Carousel Slider
Researcher

SOPROBRO

Scroll Styler <= 1.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23990
Patch Status
Unpatched
Published
Jan 27, 2025

Affected Software
Scroll Styler
Researcher

SOPROBRO

Simple:Press Forum <= 6.10.11 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-12409
Patch Status
Patched
Published
Jan 29, 2025

Affected Software
Simple:Press Forum
Researcher

vgo0

StageShow <= 9.8.6 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13705
Patch Status
Unpatched
Published
Jan 30, 2025

Affected Software
StageShow
Researcher

Peter Thaleikis

System Dashboard <= 2.8.15 – Reflected Cross-Site Scripting via Filename Parameter

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-12299
Patch Status
Unpatched
Published
Jan 30, 2025

Affected Software
System Dashboard
Researcher

vgo0

Tags to Keywords <= 1.0.1 – Cross-Site Request Forgery to Stored Cross-site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-22685
Patch Status
Patched
Published
Jan 31, 2025

Affected Software
Tags to Keywords
Researcher

Abdi Pranata

Team Rosters <= 4.7 – Reflected Cross-Site Scripting via ‘tab’

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-12320
Patch Status
Unpatched
Published
Jan 30, 2025

Affected Software
Team Rosters
Researcher

vgo0

Tube Video Ads Lite <= 1.5.7 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13625
Patch Status
Unpatched
Published
Jan 27, 2025

Affected Software
Tube Video Ads Lite
Researcher

Hassan Khan Yusufzai – Splint3r7

Unlimited Page Sidebars <= 0.2.6 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-22688
Patch Status
Patched
Published
Jan 31, 2025

Affected Software
Unlimited Page Sidebars
Researcher

Abdi Pranata

VR Frases <= 3.0.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13626
Patch Status
Unpatched
Published
Jan 27, 2025

Affected Software
VR-Frases (collect & share quotes)
Researcher

Hassan Khan Yusufzai – Splint3r7

VR-Frases (collect & share quotes) <= 3.0.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-0860
Patch Status
Unpatched
Published
Jan 29, 2025

Affected Software
VR-Frases (collect & share quotes)
Researcher

johska

Wonder FontAwesome <= 0.8 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13512
Patch Status
Unpatched
Published
Jan 30, 2025

Affected Software
Wonder FontAwesome
Researcher

SOPROBRO

WordPress Signature <= 0.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-22704
Patch Status
Unpatched
Published
Jan 31, 2025

Affected Software
WordPress Signature
Researcher

Abdi Pranata

WP Dynamics CRM for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.6 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-24708
Patch Status
Patched
Published
Jan 27, 2025

Affected Software
WP Dynamics CRM for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms
Researcher

Abdi Pranata

WP Image Uploader <= 1.0.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13706
Patch Status
Unpatched
Published
Jan 29, 2025

Affected Software
WP Image Uploader
Researcher

Colin Xu

WP Sessions Time Monitoring Full Automatic <= 1.1.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-24718
Patch Status
Patched
Published
Jan 31, 2025

Affected Software
WP Sessions Time Monitoring Full Automatic
Researcher

Le Ngoc Anh

WP Touch Slider <= 2.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13627
Patch Status
Unpatched
Published
Jan 27, 2025

Affected Software
OWL Carousel Slider
Researcher

Hassan Khan Yusufzai – Splint3r7

WPJobBoard <= 5.10.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-24781
Patch Status
Patched
Published
Jan 27, 2025

Affected Software
WP Job Board
Researcher

Ananda Dhakal

Order Export for WooCommerce <= 3.24 – Unauthenticated Sensitive Information Exposure Through Unprotected Directory

5.9

CVSS Rating
Medium (5.9)
CVE-ID
CVE-2024-13623
Patch Status
Patched
Published
Jan 30, 2025

Affected Software
Order Export for WooCommerce
Researcher

Tim Coen

Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg <= 1.5.9 – Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload

5.4

CVSS Rating
Medium (5.4)
CVE-ID
CVE-2024-10867
Patch Status
Unpatched
Published
Jan 30, 2025

Affected Software
Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg
Researcher

Francesco Carlucci

Custom Related Posts <= 1.7.3 – Missing Authorization to Authenticated (Subscriber+) Private Post Search and Relation Updates

5.4

CVSS Rating
Medium (5.4)
CVE-ID
CVE-2024-12825
Patch Status
Patched
Published
Jan 31, 2025

Affected Software
Custom Related Posts
Researcher

Lucio Sá

WooCommerce Support Ticket System <= 17.8 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion and Information Exposure

5.4

CVSS Rating
Medium (5.4)
CVE-ID
CVE-2024-13775
Patch Status
Patched
Published
Jan 31, 2025

Affected Software
WooCommerce Support Ticket System
Researcher

Lucio Sá

AnimateGL Animations for WordPress – Elementor & Gutenberg Blocks Animations <= 1.4.23 – Missing Authorization to Unauthenticated Settings Update

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-12620
Patch Status
Unpatched
Published
Jan 31, 2025

Affected Software
AnimateGL Animations for WordPress – Elementor & Gutenberg Blocks Animations
Researcher

Lucio Sá

CF7 Google Sheets Connector <= 5.0.17 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-22686
Patch Status
Patched
Published
Jan 31, 2025

Affected Software
CF7 Google Sheets Connector
Researcher

theviper17y

Content Cloner <= 1.0.1 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-22681
Patch Status
Patched
Published
Jan 31, 2025

Affected Software
Content Cloner
Researcher

Pham Van Tam

Directorist – AI-Powered WordPress Business Directory Plugin with Classified Ads Listings <= 8.0.12 – Unauthenticated User Information Exposure

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-12041
Patch Status
Patched
Published
Jan 31, 2025

Affected Software
Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings
Researcher

shaman0x01

Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.8.5 – Limited Arbitrary File Deletion

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-12267
Patch Status
Patched
Published
Jan 30, 2025

Affected Software
Drag and Drop Multiple File Upload for Contact Form 7
Researcher

theviper17y

Event Tickets <= 5.18.1 – Insecure Direct Object Reference to Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13457
Patch Status
Patched
Published
Jan 29, 2025

Affected Software
Event Tickets and Registration
Researcher

Whit Taylor

Import and export users and customers <= 1.27.12 – Unauthenticated Sensitive Information Disclosure

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-24689
Patch Status
Patched
Published
Jan 27, 2025

Affected Software
Import and export users and customers
Researcher

Caesar Evan Santoso

Starter Templates by FancyWP <= 2.0.0 – Unauthenticated Blind Server-Side Request Forgery

5.3

CVSS Rating
Medium (5.3)
CVE-ID
Unknown
Patch Status
Unpatched
Published
Jan 30, 2025

Affected Software
Starter Templates by FancyWP
Researcher

Francesco Carlucci

WordPress Contact Forms by Cimatti <= 1.9.4 – Missing Authorization to Unauthenticated Form Submission Download

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-12184
Patch Status
Patched
Published
Jan 31, 2025

Affected Software
WordPress Contact Forms by Cimatti
Researcher

rcl25

WP Job Portal <= 2.2.6 – Insecure Direct Object Reference to Unauthenticated Arbitrary Resume Download

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13372
Patch Status
Patched
Published
Jan 31, 2025

Affected Software
WP Job Portal – A Complete Recruitment System for Company or Job Board website
Researcher

thevietronin

WP Job Portal <= 2.2.6 – Insecure Direct Object Reference to Unauthenticated Company Logo Deletion

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13428
Patch Status
Patched
Published
Jan 31, 2025

Affected Software
WP Job Portal – A Complete Recruitment System for Company or Job Board website
Researcher

thevietronin

WP Job Portal <= 2.2.6 – Missing Authorization to Unauthenticated Arbitrary Email Sending

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13371
Patch Status
Patched
Published
Jan 31, 2025

Affected Software
WP Job Portal – A Complete Recruitment System for Company or Job Board website
Researcher

thevietronin

Track Logins <= 1.0 – Authenticated (Admin+) SQL Injection

4.9

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2024-13608
Patch Status
Unpatched
Published
Jan 27, 2025

Affected Software
Track Logins
Researcher

Francisco Alisson

VR-Frases (collect & share quotes) <= 3.0.1 – Authenticated (Admin+) SQL Injection

4.9

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-0861
Patch Status
Unpatched
Published
Jan 29, 2025

Affected Software
VR-Frases (collect & share quotes)
Researcher

johska

Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg <= 1.5.9 – Missing Authorization to Icon Font Deletion

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-11583
Patch Status
Unpatched
Published
Jan 30, 2025

Affected Software
Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg
Researcher

Trương Hữu Phúc (truonghuuphuc)

Contact Form and Calls To Action by vcita <= 2.7.1 – Missing Authorization to Authenticated (Subscriber+) Contact/Widget Toggle

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13717
Patch Status
Unpatched
Published
Jan 30, 2025

Affected Software
Contact Form and Calls To Action by vcita
Researcher

yudha

Custom Login Page Styler <= 7.1.1 – Missing Authorization to Authenticated (Subsciber+) Log Deletion and Session Termination

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13530
Patch Status
Patched
Published
Jan 30, 2025

Affected Software
Custom Login Page Styler – Limit Login Attempts – Restrict Content With Login – Redirect After Login – Change Login URL – Sign in , Sign out
Researcher

theviper17y

Document Block – Upload & Embed Docs <= 1.1.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-22696
Patch Status
Unpatched
Published
Jan 31, 2025

Affected Software
Document Block – Upload & Embed Docs, PDF, PPT, XLS or Any Documents
Researcher

SavPhill (Savphill)

Dynamic URL SEO <= 1.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-23985
Patch Status
Patched
Published
Jan 27, 2025

Affected Software
Dynamic URL SEO
Researcher

thiennv

ECPay Ecommerce for WooCommerce <= 1.1.2411060 – Missing Authorization to Authenticated (Subscriber+) Log Deletion

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13652
Patch Status
Unpatched
Published
Jan 30, 2025

Affected Software
ECPay Ecommerce for WooCommerce
Researcher

incognito

Elementor Website Builder Pro – More than Just a Page Builder <= 3.25.10 – Authenticated (Contributor+) Sensitive Information Exposure via Shortcode

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-8494
Patch Status
Patched
Published
Jan 29, 2025

Affected Software
Elementor Website Builder Pro
Researcher

Ankit Patel

Food Menu – Restaurant Menu & Online Ordering for WooCommerce <= 5.1.4 – Missing Authorization to Authenticated (Subscriber+) Settings Update

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13415
Patch Status
Patched
Published
Jan 30, 2025

Affected Software
Food Menu – Restaurant Menu & Online Ordering for WooCommerce
Researcher

abrahack

Hide Shipping Method For WooCommerce <= 1.5.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-22694
Patch Status
Unpatched
Published
Jan 31, 2025

Affected Software
Hide Shipping Method For WooCommerce
Researcher

Abdi Pranata

HT Event – WordPress Event Manager Plugin for Elementor <= 1.4.7 – Authenticated (Contributor+) Sensitive Information Exposure via HT Event: Sponsor

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13216
Patch Status
Unpatched
Published
Jan 30, 2025

Affected Software
HT Event – WordPress Event Manager Plugin for Elementor
Researcher

Ankit Patel

Meta Tag Manager <= 3.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-22260
Patch Status
Unpatched
Published
Jan 31, 2025

Affected Software
Meta Tag Manager
Researcher

Rafie Muhammad

Ni Sales Commission For WooCommerce <= 1.2.4 – Missing Authorization to Authenticated (Subscriber+) Commission Update

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13424
Patch Status
Unpatched
Published
Jan 30, 2025

Affected Software
Ni Sales Commission For WooCommerce
Researcher

SOPROBRO

Nirweb support <= 3.0.3 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-22695
Patch Status
Unpatched
Published
Jan 31, 2025

Affected Software
Nirweb support
Researcher

Fariq Fadillah Gusti Insani (fariqfgi)

RapidLoad – Optimize Web Vitals Automatically <= 2.4.4 – Missing Authorization to Authenticated (Subscriber+) Limited Setting Reset

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13651
Patch Status
Patched
Published
Jan 31, 2025

Affected Software
RapidLoad – Optimize Web Vitals Automatically
Researcher

Tieu Pham Trong Nhan

Shortcodes and extra features for Phlox theme <= 2.17.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-50500
Patch Status
Unpatched
Published
Jan 31, 2025

Affected Software
Shortcodes and extra features for Phlox theme
Researcher

Rafie Muhammad

Typer Core <= 1.9.6 – Authenticated (Contributor+) Post Disclosure

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-12102
Patch Status
Unpatched
Published
Jan 30, 2025

Affected Software
Typer Core
Researcher

Francesco Carlucci

WP Job Portal <= 2.2.6 – Insecure Direct Object Reference to Authenticated (Employer+) Arbitrary Company Deletion

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13425
Patch Status
Patched
Published
Jan 31, 2025

Affected Software
WP Job Portal – A Complete Recruitment System for Company or Job Board website
Researcher

thevietronin

WP Job Portal <= 2.2.6 – Insecure Direct Object Reference to Authenticated (Employer+) Arbitrary Job Deletion

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13429
Patch Status
Patched
Published
Jan 31, 2025

Affected Software
WP Job Portal – A Complete Recruitment System for Company or Job Board website
Researcher

thevietronin

zStore Manager Basic <= 3.311 – Missing Authorization to Authenticated (Subscriber+) Cache Clearing

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13715
Patch Status
Unpatched
Published
Jan 30, 2025

Affected Software
zStore Manager Basic
Researcher

Peter Thaleikis


As a reminder, Wordfence curates an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, through vulnerability researchers submitting directly to us via our Bug Bounty Program, and by monitoring various sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.


The post Wordfence Intelligence Weekly WordPress Vulnerability Report (January 27, 2025 to February 2, 2025) appeared first on Wordfence.
