Wordfence Intelligence Weekly WordPress Vulnerability Report (January 20, 2025 to January 26, 2025)


📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.


Last week, there were 212 vulnerabilities disclosed in 182 WordPress Plugins and 9 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 77 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, hosting providers, and individuals alike can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, use the Vulnerability Database API to retrieve a complete dump of our database of over 22,000 vulnerabilities, then use the webhook integration to stay on top of newly added vulnerabilities in real time, as well as any updates made to the database, all for free.
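The workflow described above, a feed dump cross-referenced against a site's installed plugins and themes, as an added example. This is not Wordfence's own code or CLI. The record layout is an assumption modelled on the public Wordfence Intelligence feed (a "software" list per entry, each with a slug, a type, and "affected_versions" ranges carrying from/to bounds with inclusive flags); check the field names against the live feed before relying on them. The feed excerpt and the site inventory are constructed from entries in this report. Note that a slug alone is not enough: the three Quiz Maker editions listed further down all share the slug quiz-maker, so the version range in the feed, not the slug, decides whether a given install is affected.

```python
"""Match installed WordPress plugins/themes against a vulnerability feed dump.

Added example, not Wordfence's own code or CLI. The record layout is an
assumption modelled on the public Wordfence Intelligence feed; verify the
field names against the live feed. All sample data is constructed.
"""
from __future__ import annotations

import re


def _version_tuple(v: str) -> list[tuple[int, object]]:
    """Split '1.6.9' / '2.0-rc1' into comparable parts.

    Numeric parts sort by value; non-numeric parts (alpha, beta, rc) sort
    below any number, so '1.7-beta' < '1.7' < '1.7.1'.
    """
    parts = []
    for p in re.split(r"[.\-]", v.strip()):
        parts.append((1, int(p)) if p.isdigit() else (0, p))
    return parts


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 in the spirit of PHP's version_compare(); '1.7' == '1.7.0'."""
    ta, tb = _version_tuple(a), _version_tuple(b)
    width = max(len(ta), len(tb))
    ta += [(1, 0)] * (width - len(ta))
    tb += [(1, 0)] * (width - len(tb))
    return (ta > tb) - (ta < tb)


def in_range(version: str, rng: dict) -> bool:
    """True if version lies inside one affected_versions range ('*' = open end)."""
    lo, hi = rng["from_version"], rng["to_version"]
    if lo != "*":
        c = compare(version, lo)
        if c < 0 or (c == 0 and not rng["from_inclusive"]):
            return False
    if hi != "*":
        c = compare(version, hi)
        if c > 0 or (c == 0 and not rng["to_inclusive"]):
            return False
    return True


def find_vulnerable(installed: dict[tuple[str, str], str], feed: list[dict]) -> list[dict]:
    """Cross-reference installed (type, slug) -> version against the feed.

    Returns one finding per matching entry, highest CVSS first, with the
    action a site owner can take: update if a fix exists, otherwise
    deactivate until the vendor patches.
    """
    findings = []
    for entry in feed:
        for sw in entry["software"]:
            version = installed.get((sw["type"], sw["slug"]))
            if version is None:
                continue
            if any(in_range(version, r) for r in sw["affected_versions"].values()):
                findings.append({
                    "slug": sw["slug"],
                    "installed": version,
                    "title": entry["title"],
                    "cve": entry["cve"],
                    "score": entry["cvss"]["score"],
                    "action": "update" if sw["patched"] else "deactivate (no fix yet)",
                })
    return sorted(findings, key=lambda f: -f["score"])


def _affected_up_to(slug: str, kind: str, top: str, patched: bool) -> dict:
    """Build the '<= top' range that every title in this report expresses (assumed shape)."""
    return {
        "type": kind, "slug": slug, "patched": patched,
        "affected_versions": {f"* - {top}": {
            "from_version": "*", "to_version": top,
            "from_inclusive": True, "to_inclusive": True}},
    }


# Constructed feed excerpt: four entries taken from this report.
FEED = [
    {"title": "WPBookit <= 1.6.9 - Unauthenticated Arbitrary File Upload",
     "cve": "CVE-2025-0357", "cvss": {"score": 9.8, "rating": "Critical"},
     "software": [_affected_up_to("wpbookit", "plugin", "1.6.9", True)]},
    {"title": "String Locator <= 2.6.6 - Unauthenticated PHP Object Injection",
     "cve": "CVE-2024-10936", "cvss": {"score": 8.8, "rating": "High"},
     "software": [_affected_up_to("string-locator", "plugin", "2.6.6", True)]},
    {"title": "Bootstrap Ultimate <= 1.4.9 - Unauthenticated Limited Local File Inclusion",
     "cve": "CVE-2024-13545", "cvss": {"score": 9.8, "rating": "Critical"},
     "software": [_affected_up_to("bootstrap-ultimate", "theme", "1.4.9", False)]},
    {"title": "GamiPress <= 7.2.1 - Unauthenticated SQL Injection via orderby Parameter",
     "cve": "CVE-2024-13496", "cvss": {"score": 7.5, "rating": "High"},
     "software": [_affected_up_to("gamipress", "plugin", "7.2.1", True)]},
]

# Constructed inventory of one site: (type, slug) -> installed version.
INSTALLED = {
    ("plugin", "wpbookit"): "1.6.9",           # at the top of the affected range
    ("plugin", "string-locator"): "2.6.7",     # one past the range: not affected
    ("theme", "bootstrap-ultimate"): "1.4.9",  # affected, no patch available
    ("plugin", "gamipress"): "7.2.1",
    ("plugin", "connections"): "10.4.66",      # not in this excerpt
}

if __name__ == "__main__":
    for f in find_vulnerable(INSTALLED, FEED):
        print(f'{f["score"]:>4}  {f["cve"]:<15} {f["slug"]} {f["installed"]}: {f["action"]}')
```

The inventory would normally come from `wp plugin list --format=json` and `wp theme list --format=json` on each site, and the feed from a saved API dump; the version comparison is the part worth getting right, since an off-by-one on an inclusive upper bound silently hides the exact version the advisory names.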

Click here to sign up for our mailing list to receive weekly vulnerability reports like this, and important WordPress security reports, in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

  • WAF-RULE-804 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Patched 186
Unpatched 26

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 4
Medium Severity 179
High Severity 23
Critical Severity 6

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 82
Missing Authorization 43
Cross-Site Request Forgery (CSRF) 31
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 15
Server-Side Request Forgery (SSRF) 7
Deserialization of Untrusted Data 6
Exposure of Sensitive Information to an Unauthorized Actor 5
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 5
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 4
Unrestricted Upload of File with Dangerous Type 3
Improper Control of Generation of Code (‘Code Injection’) 2
URL Redirection to Untrusted Site (‘Open Redirect’) 2
Authentication Bypass Using an Alternate Path or Channel 1
Doubled Character XSS Manipulations 1
Exposure of Sensitive Information Through Metadata 1
Generation of Error Message Containing Sensitive Information 1
Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) 1
Improper Privilege Management 1
Incorrect Privilege Assignment 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
Peter Thaleikis 20
Kévin Mosbahi (Mika) 17
SOPROBRO 14
Rafie Muhammad 8
Khang Duong 8
Ananda Dhakal 6
yudha 6
abrahack 6
João Pedro Soares de Alcântara 5
zakaria 5
SavPhill (Savphill) 4
Trương Hữu Phúc (truonghuuphuc) 4
Francesco Carlucci 4
stealthcopter 4
Marek Mikita 4
Le Ngoc Anh 3
zaim 3
vgo0 3
István Márton 3
mikemyers 3
Webbernaut 3
Colin Xu 3
Dhabaleshwar Das 3
0xd4rk5id3 2
luc 2
zer0gh0st 2
Caesar Evan Santoso 2
Tieu Pham Trong Nhan 2
Abdi Pranata 2
Webula 2
Tran Anh Duc 2
Tim Coen 2
I8BL 2
BrokenAC ignore 2
Pham Van Tam 2
ardias 2
b4orvn 2
Aiden (Thái An) 2
Stiofan 2
Nirmal Kavaiya 2
Ankit Patel 2
theviper17y 2
1337_Wannabe 1
AHMAD SOPYAN 1
Roby Firnando Yusuf 1
Vincent Fourcade (vinceMatsui) 1
Hiroho Shimada 1
Lucio Sá 1
Logan Cote 1
Fariq Fadillah Gusti Insani (fariqfgi) 1
Tonn 1
Michael 1
Joshua Chan 1
LVT-tholv2k 1
Chloe Chamberland 1
shaman0x01 1
lucky_buddy 1
Noah Stead (TurtleBurg) 1
Damanpreet Singh 1
Arkadiusz Hydzik 1
Malvin Valerian Gultom 1
David Ojeda Guijarro 1
Prissy 1
Nishiv 1
Brian Mungai 1
Aril Aprilio (forsak3n) 1
Jack Taylor 1
Krzysztof Zając 1
shinobu 1
UKO 1
wesley (wcraft) 1
Tran Nguyen Bao Khanh 1
Vo Hoang Phuc 1
Khalid Yusuf 1
incognito 1
Nguyen Khanh Hao 1
Joel Indra 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
1003 Mortgage Application 1003-mortgage-application
12 Step Meeting List 12-step-meeting-list
ABC Notation abc-notation
Activity Plus Reloaded for BuddyPress bp-activity-plus-reloaded
aDirectory – WordPress Directory Listing Plugin adirectory
Admin and Site Enhancements (ASE) admin-site-enhancements
Admin and Site Enhancements (ASE) Pro admin-site-enhancements-pro
Advanced Notifications advanced-notifications
affiliate-toolkit – WP Affiliate Plugin with Amazon affiliate-toolkit-starter
AI Chatbot for WordPress – Hyve Lite hyve-lite
AI Power: Complete AI Pack gpt3-ai-content-generator
All Embed – Elementor Addons all-embed-addons-for-elementor
AnyRoad anyguide
Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress bookingpress-appointment-booking
Ask Me Anything (Anonymously) ask-me-anything-anonymously
Auction Nudge – Your eBay on Your Site auction-nudge
Automate Hub Free by Sperse.IO automate-hub-free-by-sperse-io
Avada (Fusion) Builder fusion-builder
Bilingual Linker bilingual-linker
Blur Text blur-text
BMLT Meeting Map bmlt-meeting-map
Booking Calendar Contact Form booking-calendar-contact-form
Boom Fest boom-fest
Bridge Core bridge-core
Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP videowhisper-live-streaming-integration
Broadstreet broadstreet
brodos.net Onlineshop Plugin brodos-net-onlineshop
Bubble Menu – Sticky Navigation with Floating Button Menu Solution bubble-menu
Bug Library bug-library
Build Private Store For Woocommerce build-private-store-for-woocommerce
Button Generator – easily Button Builder button-generation
Caching Compatible Cookie Opt-In and JavaScript caching-compatible-cookie-optin-and-javascript
Call Now Button – The #1 Click to Call Button for WordPress call-now-button
Chained Quiz chained-quiz
Cliptakes cliptakes
Comment Edit Core – Simple Comment Editing simple-comment-editing
Connections Business Directory connections
Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks ht-contactform
Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder bit-form
Contact Form Email contact-form-to-email
Countdown Timer – Widget Countdown widget-countdown
Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site counter-box
Create with Code create-with-code
Custom Product Tabs Lite for WooCommerce woocommerce-custom-product-tabs-lite
Divi Carousel Maker wow-carousel-for-divi-lite
Easy Real Estate easy-real-estate
Easy YouTube Gallery easy-youtube-gallery
ElementInvader Addons for Elementor elementinvader-addons-for-elementor
Email Subscription Popup email-subscribe
Essential Real Estate essential-real-estate
Estatebud – Properties & Listings estatebud-properties-listings
Etsy Importer etsy-importer
Event post event-post
ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) google-analytics-dashboard-for-wp
Export All Posts, Products, Orders, Refunds & Users wp-ultimate-exporter
Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) extensions-for-cf7
FAQ Builder AYS faq-builder-ays
FireCask Like & Share Button facebook-like-send-button
Flexmls® IDX Plugin flexmls-idx
FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider fluent-smtp
Form Builder CP cp-easy-form-builder
FundPress – WordPress Donation Plugin fundpress
FV Thoughtful Comments thoughtful-comments
GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress gamipress
GDPR CCPA Compliance & Cookie Consent Banner ninja-gdpr-compliance
GoHero Store Customizer for WooCommerce personalize-woocommerce-cart-page
Gutenberg Blocks and Page Layouts – Attire Blocks attire-blocks
Gutenberg Blocks with AI by Kadence WP – Page Builder Features kadence-blocks
HelloAsso helloasso
Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA icegram
Import WP – Export and Import CSV and XML files to WordPress jc-importer
Internal Links Manager seo-automated-link-building
IP2Location Country Blocker ip2location-country-blocker
JetElements jet-elements
JSM Show Post Metadata jsm-show-post-meta
KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin kb-support
Ketchup Shortcodes ketchup-shortcodes-pack
LearnDash LMS sfwd-lms
LearnPress – WordPress LMS Plugin learnpress
Lifetime free Drag & Drop Contact Form Builder for WordPress VForm v-form
Linear linear
Link Library link-library
Listamester listamester
Magic the Gathering Card Tooltips magic-the-gathering-card-tooltips
Masy Gallery masy-gallery
MDTF – Meta Data and Taxonomies Filter wp-meta-data-filter-and-taxonomy-filter
Membership Plugin – Restrict Content restrict-content
Multiple Page Generator Plugin – MPG multiple-pages-generator-by-porthas
MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution dc-woocommerce-multi-vendor
Nested Pages wp-nested-pages
NOTICE BOARD BY TOWKIR notice-board-by-towkir
Orbisius Simple Notice orbisius-simple-notice
Page Builder Gutenberg Blocks – CoBlocks coblocks
Page Builder: Pagelayer – Drag and Drop website builder pagelayer
Patreon WordPress patreon-connect
Paytium: Mollie payment forms & donations paytium
PDF Invoices for WooCommerce + Drag and Drop Template Builder pdf-for-woocommerce
People Lists people-lists
Picture Gallery – Frontend Image Uploads, AJAX Photo List picture-gallery
Plethora Plugins Tabs + Accordions plethora-tabs-accordions
Popup Box: Create Popups Easily popup-box
Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder popup-maker
Post Duplicator post-duplicator
Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder ajax-filter-posts
Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget post-grid-carousel-ultimate
Power Ups for Elementor power-ups-for-elementor
PPO Call To Actions ppo-call-to-actions
PPOM – Product Addons & Custom Fields for WooCommerce woocommerce-product-addon
Precious Metals Charts and Widgets for WordPress precious-metals-chart-and-widgets
Premium Packages – Sell Digital Products Securely wpdm-premium-packages
Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider) bdthemes-prime-slider-lite
Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce a4-barcode-generator
Product Carousel Slider & Grid Ultimate for WooCommerce woo-product-carousel-slider-and-grid-ultimate
Product Size Charts Plugin for WooCommerce woo-advanced-product-size-chart
Product Table by WBW woo-product-tables
Quiz Maker Agency quiz-maker
Quiz Maker Business quiz-maker
Quiz Maker Developer quiz-maker
Radius Blocks – WordPress Gutenberg Blocks radius-blocks
Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) really-simple-ssl
Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates responsive-addons-for-elementor
Restrict Anonymous Access restrict-anonymous-access
ReviewsTap reviewstap
Roi Calculator roi-calculator
RomethemeKit For Elementor rometheme-for-elementor
RSVP and Event Management rsvp
RSVPMaker rsvpmaker
Sensly Online Presence sensly-online-presence
SEO Blogger to WordPress Migration using 301 Redirection seo-blogger-to-wordpress-301-redirector
SERPed.net serped-net
ShMapper by Teplitsa shmapper-by-teplitsa
Show/Hide Shortcode showhide-shortcode
Side Menu Lite – add sticky fixed buttons side-menu-lite
Simple Download Monitor simple-download-monitor
Simple Downloads List simple-downloads-list
Simple Gallery with Filter simple-gallery-with-filter
Social Proof Popups & Real-Time Notifications – Herd Effects mwp-herd-effect
Social Share, Social Login and Social Comments Plugin – Super Socializer super-socializer
Spexo Addons for Elementor – Free Elementor Addons, Widgets and Templates sastra-essential-addons-for-elementor
Stackable – Page Builder Gutenberg Blocks stackable-ultimate-gutenberg-blocks
Starter Templates — Elementor, WordPress & Beaver Builder Templates astra-sites
Sticky Buttons – floating buttons builder sticky-buttons
String locator string-locator
Subscription DNA® subscriptiondna
Super block slider – Responsive image & content slider super-block-slider
Survey Maker survey-maker
Tainacan tainacan
Tamara Checkout tamara-checkout
Target Video Easy Publish brid-video-easy-publish
Taxonomy/Term and Role based Discounts for WooCommerce taxonomy-discounts-woocommerce
The Events Calendar the-events-calendar
ThemeREX Addons trx_addons
Themify Builder themify-builder
Thim Elementor Kit thim-elementor-kit
Tourfic – Ultimate Hotel Booking, Travel Booking & Car Rental WordPress Plugin | WooCommerce Booking tourfic
Ultimate Coming Soon & Maintenance ultimate-coming-soon
Variation Swatches for WooCommerce th-variation-swatches
VikBooking Hotel Booking Engine & PMS vikbooking
Visual Website Collaboration, Feedback & Project Management – Atarim atarim-visual-collaboration
WC Affiliate – A Complete WooCommerce Affiliate Plugin wc-affiliate
Wishlist for WooCommerce wt-woocommerce-wishlist
WooCommerce Cloak Affiliate Links woocommerce-cloak-affiliate-links
WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels print-invoices-packing-slip-labels-for-woocommerce
WooCommerce Product Table Lite wc-product-table-lite
WooCommerce Quick View woo-quick-view
WordPress SEO Friendly Accordion FAQ with AI assisted content generation notice-faq
WP Contact Form7 Email Spam Blocker wp-contact-form7-email-spam-blocker
WP Duplicate – WordPress Migration Plugin local-sync
WP Go Maps (formerly WP Google Maps) wp-google-maps
WP Google Street View (with 360° virtual tour) & Google maps + Local SEO wp-google-street-view
WP Hotel Booking wp-hotel-booking
WP Panoramio wp-panoramio
WP Visitor Statistics (Real Time Traffic) wp-stats-manager
WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress wpvr
WP-BibTeX wp-bibtex
wp-greet wp-greet
WP-Polls wp-polls
WPBookit wpbookit
WPBot Pro WordPress Chatbot wpbot-pro
Xagio SEO xagio-seo
XML for Google Merchant Center xml-for-google-merchant-center
Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress youzify

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
AdForest adforest
Avada | Website Builder For WordPress & WooCommerce Avada
Betheme betheme
Bootstrap Ultimate bootstrap-ultimate
Houzez houzez
jobify jobify
RealHomes realhomes
uDesign | Multipurpose WordPress Theme udesign
Zox News zox-news

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

AdForest <= 5.1.8 – Authentication Bypass
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-12857
Patch Status: Patched
Published: Jan 21, 2025
Affected Software: AdForest
Researcher: Chloe Chamberland

Bootstrap Ultimate <= 1.4.9 – Unauthenticated Limited Local File Inclusion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-13545
Patch Status: Unpatched
Published: Jan 23, 2025
Affected Software: Bootstrap Ultimate
Researcher: Aril Aprilio (forsak3n)

Easy Real Estate <= 2.2.6 – Unauthenticated Privilege Escalation
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-32555
Patch Status: Unpatched
Published: Jan 20, 2025
Affected Software: Easy Real Estate
Researcher: luc

RealHomes <= 4.3.6 – Unauthenticated Privilege Escalation
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-32444
Patch Status: Unpatched
Published: Jan 20, 2025
Affected Software: RealHomes
Researcher: luc

WPBookit <= 1.6.9 – Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-0357
Patch Status: Patched
Published: Jan 24, 2025
Affected Software: WPBookit
Researcher: István Márton

WPBot Pro WordPress Chatbot <= 13.5.4 – Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2024-13091
Patch Status: Patched
Published: Jan 21, 2025
Affected Software: WPBot Pro WordPress Chatbot
Researcher: István Márton

Post Grid Master <= 3.4.12 – Authenticated (Contributor+) Local File Inclusion
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-24733
Patch Status: Patched
Published: Jan 24, 2025
Affected Software: Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder
Researcher: João Pedro Soares de Alcântara

String Locator <= 2.6.6 – Unauthenticated PHP Object Injection
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-10936
Patch Status: Patched
Published: Jan 20, 2025
Affected Software: String locator
Researcher: Webbernaut

ThemeREX Addons <= 2.33.0 – Authenticated (Contributor+) Local File Inclusion via Shortcode
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-0682
Patch Status: Patched
Published: Jan 24, 2025
Affected Software: ThemeREX Addons
Researcher: István Márton

VikBooking Hotel Booking Engine & PMS <= 1.7.2 – Cross-Site Request Forgery to Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-11641
Patch Status: Patched
Published: Jan 25, 2025
Affected Software: VikBooking Hotel Booking Engine & PMS
Researcher: Noah Stead (TurtleBurg)

Zox News <= 3.16.0 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-11936
Patch Status: Patched
Published: Jan 25, 2025
Affected Software: Zox News
Researcher: Tonn

FundPress <= 2.0.6 – Unauthenticated PHP Object Injection
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-24601
Patch Status: Patched
Published: Jan 20, 2025
Affected Software: FundPress – WordPress Donation Plugin
Researcher: Le Ngoc Anh

aDirectory – WordPress Directory Listing Plugin <= 1.6.5 – Unauthenticated PHP Object Injection
CVSS Rating: High (7.5)
CVE-ID: Unknown
Patch Status: Patched
Published: Jan 20, 2025
Affected Software: aDirectory – WordPress Directory Listing Plugin
Researcher: Unknown

BMLT Meeting Map <= 2.6.0 – Authenticated (Contributor+) Local File Inclusion
CVSS Rating: High (7.5)
CVE-ID: CVE-2024-13593
Patch Status: Unpatched
Published: Jan 22, 2025
Affected Software: BMLT Meeting Map
Researcher: Peter Thaleikis

GamiPress <= 7.2.1 – Unauthenticated SQL Injection via orderby Parameter
CVSS Rating: High (7.5)
CVE-ID: CVE-2024-13496
Patch Status: Patched
Published: Jan 21, 2025
Affected Software: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress
Researcher: abrahack

Import WP – Export and Import CSV and XML files to WordPress <= 2.14.5 – Unauthenticated Sensitive Information Exposure Through Unprotected Directory
CVSS Rating: High (7.5)
CVE-ID: CVE-2024-13562
Patch Status: Patched
Published: Jan 24, 2025
Affected Software: Import WP – Export and Import CSV and XML files to WordPress
Researcher: Tim Coen

Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget <= 1.6.10 – Authenticated (Contributor+) Local File Inclusion
CVSS Rating: High (7.5)
CVE-ID: CVE-2024-13408
Patch Status: Patched
Published: Jan 23, 2025
Affected Software: Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget
Researcher: zaim

Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget <= 1.6.10 – Authenticated (Contributor+) Local File Inclusion via post_type_ajax_handler()
CVSS Rating: High (7.5)
CVE-ID: CVE-2024-13409
Patch Status: Patched
Published: Jan 23, 2025
Affected Software: Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget
Researcher: Hiroho Shimada

Product Table by WBW <= 2.1.2 – Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2024-13234
Patch Status: Patched
Published: Jan 22, 2025
Affected Software: Product Table by WBW
Researcher: Trương Hữu Phúc (truonghuuphuc)

Quiz Maker Business, Developer, and Agency <= (Multiple Versions) – Unauthenticated SQL Injection via id
CVSS Rating: High (7.5)
CVE-ID: CVE-2024-10628
Patch Status: Patched
Published: Jan 25, 2025
Affected Software: Quiz Maker Developer, Quiz Maker Agency, Quiz Maker Business
Researcher: abrahack

GamiPress <= 7.2.1 – Unauthenticated Arbitrary Shortcode Execution via gamipress_ajax_get_logs Function
CVSS Rating: High (7.3)
CVE-ID: CVE-2024-13495
Patch Status: Patched
Published: Jan 21, 2025
Affected Software: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress
Researcher: mikemyers

GamiPress <= 7.2.1 – Unauthenticated Arbitrary Shortcode Execution via gamipress_do_shortcode() Function
CVSS Rating: High (7.3)
CVE-ID: CVE-2024-13499
Patch Status: Patched
Published: Jan 21, 2025
Affected Software: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress
Researcher: abrahack

Quiz Maker Business, Developer, and Agency <= (Multiple Versions) – Unauthenticated Arbitrary Shortcode Execution via content
CVSS Rating: High (7.3)
CVE-ID: CVE-2024-10633
Patch Status: Patched
Published: Jan 25, 2025
Affected Software: Quiz Maker Developer, Quiz Maker Agency, Quiz Maker Business
Researcher: abrahack

AI Power: Complete AI Pack <= 1.8.96 – Authenticated (Admin+) PHP Object Injection via wpaicg_export_ai_forms
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-0429
Patch Status: Patched
Published: Jan 21, 2025
Affected Software: AI Power: Complete AI Pack
Researcher: Tran Anh Duc

AI Power: Complete AI Pack <= 1.8.96 – Authenticated (Admin+) PHP Object Injection via wpaicg_export_prompts
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-0428
Patch Status: Patched
Published: Jan 21, 2025
Affected Software: AI Power: Complete AI Pack
Researcher: Tran Anh Duc

Atarim <= 4.0.8 – Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-24570
Patch Status: Patched
Published: Jan 24, 2025
Affected Software: Visual Website Collaboration, Feedback & Project Management – Atarim
Researcher: Kévin Mosbahi (Mika)

Custom Product Tabs Lite for WooCommerce <= 1.9.0 – Authenticated (Shop Manager+) PHP Object Injection
CVSS Rating: High (7.2)
CVE-ID: CVE-2024-12600
Patch Status: Patched
Published: Jan 24, 2025
Affected Software: Custom Product Tabs Lite for WooCommerce
Researcher: Francesco Carlucci

Quiz Maker Business, Developer, and Agency <= (Multiple Versions) – Missing Authorization to Google Sheets Integration Credentials Modification and Stored Cross-Site Scripting
CVSS Rating: High (7.2)
CVE-ID: CVE-2024-10574
Patch Status: Patched
Published: Jan 25, 2025
Affected Software: Quiz Maker Developer, Quiz Maker Agency, Quiz Maker Business
Researcher: abrahack

Tourfic <= 2.15.3 – Authenticated (Admin+) Arbitrary File Upload
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-24650
Patch Status: Patched
Published: Jan 24, 2025
Affected Software: Tourfic – Ultimate Hotel Booking, Travel Booking & Car Rental WordPress Plugin | WooCommerce Booking
Researcher: I8BL

ABC Notation <= 6.1.3 – Authenticated (Contributor+) Arbitrary File Read
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-13550
Patch Status: Unpatched
Published: Jan 24, 2025
Affected Software: ABC Notation
Researcher: yudha

Bug Library <= 2.1.4 – Authenticated (Contributor+) SQL Injection
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2025-24728
Patch Status: Patched
Published: Jan 24, 2025
Affected Software: Bug Library
Researcher: stealthcopter

Connections Business Directory <= 10.4.66 – Authenticated (Admin+) Arbitrary Directory Deletion
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-12885
Patch Status: Unpatched
Published: Jan 24, 2025
Affected Software: Connections Business Directory
Researcher: Vincent Fourcade (vinceMatsui)

Form Builder CP <= 1.2.41 – Authenticated (Contributor+) SQL Injection
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2025-24672
Patch Status: Patched
Published: Jan 24, 2025
Affected Software: Form Builder CP
Researcher: João Pedro Soares de Alcântara

Form Builder CP <= 1.2.41 – Authenticated (Contributor+) SQL Injection
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-13680
Patch Status: Patched
Published: Jan 23, 2025
Affected Software: Form Builder CP
Researcher: Peter Thaleikis

Jobify – Job Board WordPress Theme <= 4.2.7 – Missing Authorization to Unauthenticated Server-Side Request Forgery, Arbitrary Image Upload, and Image Generation
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-13698
Patch Status: Patched
Published: Jan 23, 2025
Affected Software: jobify
Researcher: Lucio Sá

SERPed.net <= 4.4 – Authenticated (Contributor+) SQL Injection
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2025-24669
Patch Status: Patched
Published: Jan 24, 2025
Affected Software: SERPed.net
Researcher: João Pedro Soares de Alcântara

Simple Downloads List <= 1.4.2 – Authenticated (Contributor+) SQL Injection
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-13594
Patch Status: Patched
Published: Jan 23, 2025
Affected Software: Simple Downloads List
Researcher: Peter Thaleikis

Tainacan <= 0.21.12 – Authenticated (Subscriber+) SQL Injection
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-13236
Patch Status: Patched
Published: Jan 22, 2025
Affected Software: Tainacan
Researcher: Trương Hữu Phúc (truonghuuphuc)

Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress <= 1.3.3 – Missing Authorization to Authenticated (Subscriber+) Limited Options Update (save_addon_key_license)
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-13370
Patch Status: Patched
Published: Jan 24, 2025
Affected Software: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Researcher: Stiofan

ABC Notation <= 6.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-13551
Patch Status: Unpatched
Published: Jan 24, 2025
Affected Software: ABC Notation
Researcher: yudha

affiliate-toolkit – WP Affiliate Plugin with Amazon <= 3.7.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: Unknown
Patch Status: Patched
Published: Jan 23, 2025
Affected Software: affiliate-toolkit – WP Affiliate Plugin with Amazon
Researcher: Peter Thaleikis

All Embed – Elementor Addons <= 1.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-24595
Patch Status: Patched
Published: Jan 24, 2025
Affected Software: All Embed – Elementor Addons
Researcher: Khalid Yusuf

Ask Me Anything (Anonymously) <= 1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-12512
Patch Status: Unpatched
Published: Jan 24, 2025
Affected Software: Ask Me Anything (Anonymously)
Researcher: SOPROBRO

Avada Builder <= 3.11.11 – Authenticated (Contributor+) Stored Cross-Site Scripting in Multiple Widgets
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-12477
Patch Status: Patched
Published: Jan 22, 2025
Affected Software: Avada (Fusion) Builder
Researcher: Webbernaut

Betheme <= 27.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Custom JS
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-0450
Patch Status: Patched
Published: Jan 20, 2025
Affected Software: Betheme
Researcher: stealthcopter

Bilingual Linker <= 2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-13441
Patch Status: Patched
Published: Jan 24, 2025
Affected Software: Bilingual Linker
Researcher: SOPROBRO

Blur Text <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-24627
Patch Status: Patched
Published: Jan 24, 2025
Affected Software: Blur Text
Researcher: 0xd4rk5id3

BMLT Meeting Map <= 2.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-12494
Patch Status: Unpatched
Published: Jan 23, 2025
Affected Software: BMLT Meeting Map
Researcher: yudha

BookingPress <= 1.1.25 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-24732
Patch Status: Patched
Published: Jan 24, 2025
Affected Software: Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress
Researcher: zaim

Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP <= 6.1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-12504
Patch Status: Patched
Published: Jan 22, 2025
Affected Software: Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP
Researcher: yudha

Broadstreet <= 1.51.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via zone Parameter
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-11825
Patch Status: Patched
Published: Jan 24, 2025
Affected Software: Broadstreet
Researcher: Peter Thaleikis

brodos.net Onlineshop Plugin <= 2.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-12529
Patch Status: Unpatched
Published: Jan 24, 2025
Affected Software: brodos.net Onlineshop Plugin
Researcher: Peter Thaleikis

Caching Compatible Cookie Opt-In and JavaScript <= 0.0.10 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-24547
Patch Status: Patched
Published: Jan 24, 2025
Affected Software: Caching Compatible Cookie Opt-In and JavaScript
Researcher: SOPROBRO

Cliptakes <= 1.3.4 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-13389
Patch Status: Patched
Published: Jan 22, 2025
Affected Software: Cliptakes
Researcher: SOPROBRO

Create with Code <= 1.4 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-24638
Patch Status: Patched
Published: Jan 24, 2025
Affected Software: Create with Code
Researcher: SOPROBRO

Divi Carousel Lite <= 2.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Image Carousel and Logo Carousel Widgets
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-0350
Patch Status: Patched
Published: Jan 24, 2025
Affected Software: Divi Carousel Maker
Researcher: Webbernaut

Easy YouTube Gallery <= 1.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-24721
Patch Status: Patched
Published: Jan 24, 2025
Affected Software: Easy YouTube Gallery
Researcher: yudha

ElementInvader Addons for Elementor <= 1.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-24578
Patch Status: Patched
Published: Jan 24, 2025
Affected Software: ElementInvader Addons for Elementor
Researcher: João Pedro Soares de Alcântara

ElementInvader Addons for Elementor <= 1.3.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-24729
Patch Status: Patched
Published: Jan 24, 2025
Affected Software: ElementInvader Addons for Elementor
Researcher: Michael

Etsy Importer <= 1.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-12817
Patch Status: Unpatched
Published: Jan 24, 2025
Affected Software: Etsy Importer
Researcher: zakaria

Event post <= 5.9.7 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-24585
Patch Status: Patched
Published: Jan 24, 2025
Affected Software: Event post
Researcher: Peter Thaleikis

FireCask Like & Share Button <= 1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-11226
Patch Status
Patched
Published
Jan 20, 2025

Affected Software
FireCask Like & Share Button
Researcher

Peter Thaleikis

Flexmls® IDX Plugin <= 3.14.26 – Authenticated (Contributor+) Stored Cross-Site Scripting via API parameters

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-10552
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Flexmls® IDX Plugin
Researcher

1337_Wannabe

HelloAsso <= 1.1.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-24575
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
HelloAsso
Researcher

Kévin Mosbahi (Mika)

HT Contact Form 7 <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-24726
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Contact Form 7 Widget For Elementor Page Builder & Gutenberg Blocks
Researcher

Peter Thaleikis

Icegram <= 3.1.31 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-24542
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA
Researcher

SavPhill (Savphill)

Jet Elements <= 2.7.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-0371
Patch Status
Patched
Published
Jan 20, 2025

Affected Software
JetElements
Researcher

stealthcopter

Ketchup Shortcodes <= 0.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-24673
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Ketchup Shortcodes
Researcher

zaim

Ketchup Shortcodes <= 0.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13590
Patch Status
Patched
Published
Jan 21, 2025

Affected Software
Ketchup Shortcodes
Researcher

zakaria

LearnPress – WordPress LMS Plugin <= 4.2.7.5 – Authenticated (LP Instructor+) Stored Cross-Site Scripting via Lesson Name

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13599
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
LearnPress – WordPress LMS Plugin
Researcher

Tim Coen

Listamester <= 2.3.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13659
Patch Status
Patched
Published
Jan 23, 2025

Affected Software
Listamester
Researcher

Peter Thaleikis

Magic the Gathering Card Tooltips <= 3.4.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-24704
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Magic the Gathering Card Tooltips
Researcher

yudha

Masy Gallery <= 1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13586
Patch Status
Unpatched
Published
Jan 24, 2025

Affected Software
Masy Gallery
Researcher

Peter Thaleikis

MDTF – Meta Data and Taxonomies Filter <= 1.3.3.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13340
Patch Status
Patched
Published
Jan 22, 2025

Affected Software
MDTF – Meta Data and Taxonomies Filter
Researcher

theviper17y

NOTICE BOARD BY TOWKIR <= 3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-12816
Patch Status
Unpatched
Published
Jan 24, 2025

Affected Software
NOTICE BOARD BY TOWKIR
Researcher

zakaria

PageLayer <= 1.9.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-24573
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Page Builder: Pagelayer – Drag and Drop website builder
Researcher

LVT-tholv2k

PDF Invoices for WooCommerce + Drag and Drop Template Builder <= 4.6.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-24755
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
PDF Invoices for WooCommerce + Drag and Drop Template Builder
Researcher

theviper17y

Picture Gallery – Frontend Image Uploads, AJAX Photo List <= 1.5.19 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13584
Patch Status
Patched
Published
Jan 21, 2025

Affected Software
Picture Gallery – Frontend Image Uploads, AJAX Photo List
Researcher

Peter Thaleikis

Plethora Plugins Tabs + Accordions <= 1.1.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-24709
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Plethora Plugins Tabs + Accordions
Researcher

Peter Thaleikis

Plethora Plugins Tabs + Accordions <= 1.1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via anchor

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13721
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Plethora Plugins Tabs + Accordions
Researcher

Nishiv

Popup Maker <= 1.20.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-24746
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder
Researcher

SavPhill (Savphill)

Power Ups for Elementor <= 1.2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13548
Patch Status
Unpatched
Published
Jan 24, 2025

Affected Software
Power Ups for Elementor
Researcher

zakaria

Precious Metals Charts and Widgets for WordPress <= 1.2.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13572
Patch Status
Patched
Published
Jan 23, 2025

Affected Software
Precious Metals Charts and Widgets for WordPress
Researcher

Peter Thaleikis

Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider) <= 3.16.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-12043
Patch Status
Patched
Published
Jan 22, 2025

Affected Software
Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider)
Researcher

zer0gh0st

Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates <= 1.6.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13354
Patch Status
Patched
Published
Jan 23, 2025

Affected Software
Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates
Researcher

Ankit Patel

Restrict Anonymous Access <= 1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-24610
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Restrict Anonymous Access
Researcher

0xd4rk5id3

Show/Hide Shortcode <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-24687
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Show/Hide Shortcode
Researcher

SOPROBRO

Simple Gallery with Filter <= 2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13583
Patch Status
Patched
Published
Jan 23, 2025

Affected Software
Simple Gallery with Filter
Researcher

Peter Thaleikis

Stackable – Page Builder Gutenberg Blocks <= 3.13.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-12117
Patch Status
Patched
Published
Jan 21, 2025

Affected Software
Stackable – Page Builder Gutenberg Blocks
Researcher

zer0gh0st

Tamara Checkout <= 1.9.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-23997
Patch Status
Patched
Published
Jan 20, 2025

Affected Software
Tamara Checkout
Researcher

Peter Thaleikis

The Events Calendar <= 6.9.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-12118
Patch Status
Patched
Published
Jan 22, 2025

Affected Software
The Events Calendar
Researcher

wesley (wcraft)

WC Marketplace <= 4.2.13 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-24706
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
Researcher

Peter Thaleikis

Widget Countdown <= 2.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-24719
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Countdown Timer – Widget Countdown
Researcher

Peter Thaleikis

WordPress SEO Friendly Accordion FAQ with AI assisted content generation <= 2.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13458
Patch Status
Unpatched
Published
Jan 24, 2025

Affected Software
WordPress SEO Friendly Accordion FAQ with AI assisted content generation
Researcher

SOPROBRO

WP Google Street View (with 360° virtual tour) & Google maps + Local SEO <= 1.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2024-13542
Patch Status
Patched
Published
Jan 23, 2025

Affected Software
WP Google Street View (with 360° virtual tour) & Google maps + Local SEO
Researcher

zakaria

WP Visitor Statistics (Real Time Traffic) <= 7.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-24675
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
WP Visitor Statistics (Real Time Traffic)
Researcher

Trương Hữu Phúc (truonghuuphuc)

WP VR <= 8.5.14 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-24730
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress
Researcher

Peter Thaleikis

Xagio SEO <= 7.0.0.20 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)
CVE-ID
CVE-2025-24702
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Xagio SEO
Researcher

Peter Thaleikis

AI Power: Complete AI Pack <= 1.8.96 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution

6.3

CVSS Rating
Medium (6.3)
CVE-ID
CVE-2024-13361
Patch Status
Patched
Published
Jan 21, 2025

Affected Software
AI Power: Complete AI Pack
Researcher

mikemyers

Estatebud – Properties & Listings <= 5.5.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23994
Patch Status
Unpatched
Published
Jan 20, 2025

Affected Software
Estatebud – Properties & Listings
Researcher

SOPROBRO

KB Support <= 1.6.7 – Unauthenticated Open Redirect

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-24741
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin
Researcher

ardias

Link Library <= 7.7.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13404
Patch Status
Patched
Published
Jan 20, 2025

Affected Software
Link Library
Researcher

Colin Xu

PPO Call To Actions <= 0.1.3 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-24001
Patch Status
Unpatched
Published
Jan 20, 2025

Affected Software
PPO Call To Actions
Researcher

Abdi Pranata

Quiz Maker Business, Developer, and Agency <= (Multiple Versions) – Reflected DOM-Based Cross-Site Scripting via content

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-10636
Patch Status
Patched
Published
Jan 25, 2025

Affected Software
Quiz Maker Business
Quiz Maker Developer
Quiz Maker Agency
Researcher

abrahack

ReviewsTap <= 1.1.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-24561
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
ReviewsTap
Researcher

SOPROBRO

Roi Calculator <= 1.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-24756
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Roi Calculator
Researcher

SOPROBRO

SEO Blogger to WordPress Migration using 301 Redirection <= 0.4.8 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13422
Patch Status
Unpatched
Published
Jan 22, 2025

Affected Software
SEO Blogger to WordPress Migration using 301 Redirection
Researcher

Colin Xu

Subscription DNA <= 2.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-24555
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Subscription DNA®
Researcher

SOPROBRO

Target Video Easy Publish <= 3.8.3 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-12076
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Target Video Easy Publish
Researcher

vgo0

Themify Builder <= 7.6.5 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13319
Patch Status
Patched
Published
Jan 21, 2025

Affected Software
Themify Builder
Researcher

Colin Xu

WC Affiliate – A Complete WooCommerce Affiliate Plugin <= 2.4 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-12334
Patch Status
Patched
Published
Jan 25, 2025

Affected Software
WC Affiliate – A Complete WooCommerce Affiliate Plugin
Researcher

vgo0

WP Contact Form7 Email Spam Blocker <= 1.0.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13467
Patch Status
Unpatched
Published
Jan 24, 2025

Affected Software
WP Contact Form7 Email Spam Blocker
Researcher

Le Ngoc Anh

WP Panoramio <= 1.5.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-23662
Patch Status
Unpatched
Published
Jan 22, 2025

Affected Software
WP Panoramio
Researcher

SOPROBRO

WP-BibTeX <= 3.0.1 – Cross-Site Request Forgery to Stored and Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-12005
Patch Status
Patched
Published
Jan 20, 2025

Affected Software
WP-BibTeX
Researcher

vgo0

wp-greet <= 6.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13444
Patch Status
Patched
Published
Jan 20, 2025

Affected Software
wp-greet
Researcher

SOPROBRO

XML for Google Merchant Center <= 3.0.11 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13406
Patch Status
Patched
Published
Jan 21, 2025

Affected Software
XML for Google Merchant Center
Researcher

Le Ngoc Anh

Chained Quiz <= 1.3.2.9 – Authenticated (Admin+) Server-Side Request Forgery

5.5

CVSS Rating
Medium (5.5)
CVE-ID
CVE-2025-24701
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Chained Quiz
Researcher

Marek Mikita

Comment Edit Core – Simple Comment Editing <= 3.0.33 – Authenticated (Admin+) Server-Side Request Forgery

5.5

CVSS Rating
Medium (5.5)
CVE-ID
CVE-2025-24703
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Comment Edit Core – Simple Comment Editing
Researcher

Marek Mikita

Survey Maker <= 5.1.3.3 – Authenticated (Admin+) Stored Cross-Site Scripting via Survey Question

5.5

CVSS Rating
Medium (5.5)
CVE-ID
CVE-2024-13505
Patch Status
Patched
Published
Jan 25, 2025

Affected Software
Survey Maker
Researcher

Joel Indra

Activity Plus Reloaded for BuddyPress <= 1.1.1 – Authenticated (Subscriber+) Blind Server-Side Request Forgery

5.4

CVSS Rating
Medium (5.4)
CVE-ID
CVE-2024-11913
Patch Status
Patched
Published
Jan 23, 2025

Affected Software
Activity Plus Reloaded for BuddyPress
Researcher

Francesco Carlucci

AI Power: Complete AI Pack <= 1.8.96 – Authenticated (Subscriber+) Server-Side Request Forgery

5.4

CVSS Rating
Medium (5.4)
CVE-ID
CVE-2024-13360
Patch Status
Patched
Published
Jan 21, 2025

Affected Software
AI Power: Complete AI Pack
Researcher

shaman0x01

LearnPress <= 4.2.7.1 – Authenticated (Subscriber+) Open Redirect

5.4

CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-24740
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
LearnPress – WordPress LMS Plugin
Researcher

ardias

Multiple Page Generator Plugin – MPG <= 4.0.5 – Authenticated (Editor+) Server-Side Request Forgery via fileUrl

5.4

CVSS Rating
Medium (5.4)
CVE-ID
CVE-2024-10705
Patch Status
Patched
Published
Jan 25, 2025

Affected Software
Multiple Page Generator Plugin – MPG
Researcher

Arkadiusz Hydzik

WP-Polls <= 2.77.2 – Unauthenticated SQL Injection to Stored Cross-Site Scripting

5.4

CVSS Rating
Medium (5.4)
CVE-ID
CVE-2024-13426
Patch Status
Patched
Published
Jan 21, 2025

Affected Software
WP-Polls
Researcher

Jack Taylor

1003 Mortgage Application <= 1.87 – Unauthenticated Full Path Disclosure

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13536
Patch Status
Unpatched
Published
Jan 20, 2025

Affected Software
1003 Mortgage Application
Researcher

stealthcopter

12 Step Meeting List <= 3.16.5 – Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-24582
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
12 Step Meeting List
Researcher

Kévin Mosbahi (Mika)

Avada <= 7.11.10 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-24748
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Avada | Website Builder For WordPress & WooCommerce
Researcher

Ananda Dhakal

Boom Fest <= 2.2.1 – Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13449
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Boom Fest
Researcher

SOPROBRO

Build Private Store For Woocommerce <= 1.0 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-24633
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Build Private Store For Woocommerce
Researcher

Kévin Mosbahi (Mika)

LearnDash LMS <= 4.20.0.1 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-24662
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
LearnDash LMS
Researcher

David Ojeda Guijarro

Membership Plugin – Restrict Content <= 3.2.13 – Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-11090
Patch Status
Patched
Published
Jan 25, 2025

Affected Software
Membership Plugin – Restrict Content
Researcher

Francesco Carlucci

Patreon WordPress <= 1.9.1 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-24588
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Patreon WordPress
Researcher

Kévin Mosbahi (Mika)

Paytium <= 4.4.11 – Unauthenticated Full Path Disclosure

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-24552
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Paytium: Mollie payment forms & donations
Researcher

Fariq Fadillah Gusti Insani (fariqfgi)

RSVPMaker <= 11.4.5 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-24600
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
RSVPMaker
Researcher

Kévin Mosbahi (Mika)

Social Share, Social Login and Social Comments Plugin – Super Socializer <= 7.14 – Unauthenticated Limited SQL Injection via ‘SuperSocializerKey’

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13230
Patch Status
Patched
Published
Jan 20, 2025

Affected Software
Social Share, Social Login and Social Comments Plugin – Super Socializer
Researcher

mikemyers

uDesign <= 4.11.2 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-24757
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
uDesign | Multipurpose WordPress Theme
Researcher

Ananda Dhakal

Visual Website Collaboration, Feedback & Project Management – Atarim <= 4.0.9 – Missing Authorization to Authenticated (Subscriber+) Project Page/File Deletion

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-12104
Patch Status
Patched
Published
Jan 20, 2025

Affected Software
Visual Website Collaboration, Feedback & Project Management – Atarim
Researchers

Tieu Pham Trong Nhan
BrokenAC ignore

WooCommerce Product Table Lite <= 3.8.7 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-24596
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
WooCommerce Product Table Lite
Researcher

Kévin Mosbahi (Mika)

WooCommerce Quick View <= 1.1.1 – Unauthenticated Information Disclosure

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-24705
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
WooCommerce Quick View
Researcher

Kévin Mosbahi (Mika)

Email Subscription Popup <= 1.2.23 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-24587
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Email Subscription Popup
Researcher

Webula

Premium Packages <= 5.9.6 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-24659
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Premium Packages – Sell Digital Products Securely
Researcher

Webula

RSVP and Event Management Plugin <= 2.7.14 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-24683
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
RSVP and Event Management
Researcher

AHMAD SOPYAN

Simple Download Monitor <= 3.9.25 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-24663
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Simple Download Monitor
Researcher

shinobu

WP Ultimate Exporter <= 2.9 – Authenticated (Admin+) Arbitrary File Read

4.9

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-24611
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Export All Posts, Products, Orders, Refunds & Users
Researcher

I8BL

AI Chatbot for WordPress – Hyve Lite <= 1.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-24666
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
AI Chatbot for WordPress – Hyve Lite
Researcher

Caesar Evan Santoso

Auction Nudge – Your eBay on Your Site <= 7.2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-24658
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Auction Nudge – Your eBay on Your Site
Researcher

b4orvn

Booking Calendar Contact Form <= 1.2.55 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-24723
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Booking Calendar Contact Form
Researcher

Nguyen Khanh Hao

Contact Form Email <= 1.3.52 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-24727
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Contact Form Email
Researcher

Roby Firnando Yusuf

Download IP2Location Country Blocker <= 2.38.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-24731
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
IP2Location Country Blocker
Researcher

Malvin Valerian Gultom

FAQ Builder AYS <= 1.7.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-24722
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
FAQ Builder AYS
Researcher

Logan Cote

Nested Pages <= 3.2.9 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-24579
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Nested Pages
Researcher

UKO

Orbisius Simple Notice <= 1.1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-24634
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Orbisius Simple Notice
Researcher

Pham Van Tam

PPOM for WooCommerce <= 33.0.8 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-24668
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
PPOM – Product Addons & Custom Fields for WooCommerce
Researcher

SavPhill (Savphill)

Product Carousel Slider & Grid Ultimate for WooCommerce <= 1.10.0 – Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-24681
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Product Carousel Slider & Grid Ultimate for WooCommerce
Researcher

Damanpreet Singh

Sensly Online Presence <= 0.6 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2024-13493
Patch Status
Unpatched
Published
Jan 24, 2025

Affected Software
Sensly Online Presence
Researcher

Vo Hoang Phuc

ShMapper by Teplitsa <= 1.5.0 – Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-24674
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
ShMapper by Teplitsa
Researcher

Khang Duong

Wishlist for WooCommerce <= 2.1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-24657
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Wishlist for WooCommerce
Researcher

b4orvn

WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels <= 4.7.1 – Authenticated (Shop Manager+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-24644
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels
Researcher

SavPhill (Savphill)

12 Step Meeting List <= 3.16.5 – Missing Authorization to Authenticated (Contributor+) Arbitrary Content Deletion

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-24580
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
12 Step Meeting List
Researcher

Kévin Mosbahi (Mika)

Admin and Site Enhancements (ASE) Pro <= 7.6.1.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-24653
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Admin and Site Enhancements (ASE) Pro
Researcher

Rafie Muhammad

Advanced Notifications <= 1.2.7 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-24693
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Advanced Notifications
Researcher

Kévin Mosbahi (Mika)

AnyRoad <= 1.3.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-23996
Patch Status
Unpatched
Published
Jan 20, 2025

Affected Software
AnyRoad
Researcher

Pham Van Tam

Attire Blocks <= 1.9.6 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-24696
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Gutenberg Blocks and Page Layouts – Attire Blocks
Researcher

Abdi Pranata

Automate Hub Free by Sperse.IO <= 1.7.0 – Cross-Site Request Forgery to Activation Status Update

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13683
Patch Status
Unpatched
Published
Jan 23, 2025

Affected Software
Automate Hub Free by Sperse.IO
Researcher

Dhabaleshwar Das

Bridge Core <= 3.3 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-24744
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Bridge Core
Researcher

Ananda Dhakal

Bubble Menu – circle floating menu <= 4.0.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-24714
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Bubble Menu – Sticky Navigation with Floating Button Menu Solution
Researcher

Khang Duong

Button Generator – easily Button Builder <= 3.1.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-24713
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Button Generator – easily Button Builder
Researcher

Khang Duong

Call Now Button <= 1.4.13 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-24738
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Call Now Button – The #1 Click to Call Button for WordPress
Researcher

Rafie Muhammad

CoBlocks <= 3.1.13 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-24751
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Page Builder Gutenberg Blocks – CoBlocks
Researcher

Rafie Muhammad

Counter Box <= 2.0.5 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-24715
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site
Researcher

Khang Duong

ElementInvader Addons for Elementor <= 1.3.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-24618
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
ElementInvader Addons for Elementor
Researcher

Nirmal Kavaiya

Essential Real Estate <= 5.1.8 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-24698
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
Essential Real Estate
Researcher

Dhabaleshwar Das

ExactMetrics <= 8.1.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-24750
Patch Status
Patched
Published
Jan 24, 2025

Affected Software
ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)
Researcher

Rafie Muhammad

FluentSMTP <= 2.2.80 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2025-24739 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider
Researcher: Rafie Muhammad

GDPR CCPA Compliance Support <= 2.7.1 – Missing Authorization
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2025-24591 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: GDPR CCPA Compliance & Cookie Consent Banner
Researcher: Aiden (Thái An)

GoHero Store Customizer for WooCommerce <= 3.5 – Missing Authorization to Unauthenticated Settings Update
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2024-12826 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: GoHero Store Customizer for WooCommerce
Researcher: incognito

Gutenberg Blocks by Kadence Blocks <= 3.3.1 – Missing Authorization
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2025-24753 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: Gutenberg Blocks with AI by Kadence WP – Page Builder Features
Researcher: Rafie Muhammad

Herd Effects <= 6.2.1 – Cross-Site Request Forgery to Settings Update
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2025-24716 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: Social Proof Popups & Real-Time Notifications – Herd Effects
Researcher: Khang Duong

Houzez <= 3.4.0 – Missing Authorization
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2025-24754 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: Houzez
Researcher: Ananda Dhakal

Internal Links Manager <= 2.5.2 – Missing Authorization
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2025-24679 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: Internal Links Manager
Researcher: Caesar Evan Santoso

JSM Show Post Metadata <= 4.6.0 – Missing Authorization
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2025-24589 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: JSM Show Post Metadata
Researcher: Aiden (Thái An)

Linear <= 2.8.1 – Cross-Site Request Forgery to Cache Reset
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2024-13709 | Patch Status: Unpatched | Published: Jan 24, 2025
Affected Software: Linear
Researcher: Dhabaleshwar Das

People Lists <= 1.3.10 – Missing Authorization
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2025-24691 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: People Lists
Researcher: Kévin Mosbahi (Mika)

Popup Box <= 3.2.4 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2025-24711 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: Popup Box: Create Popups Easily
Researcher: Khang Duong

Post Duplicator <= 2.35 – Missing Authorization
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2025-24736 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: Post Duplicator
Researcher: Kévin Mosbahi (Mika)

Print Barcode Labels for your WooCommerce products/orders <= 3.4.10 – Missing Authorization
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2025-24603 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce
Researcher: Trương Hữu Phúc (truonghuuphuc)

Product Size Charts Plugin for WooCommerce <= 2.4.5 – Missing Authorization
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2025-23991 | Patch Status: Unpatched | Published: Jan 24, 2025
Affected Software: Product Size Charts Plugin for WooCommerce
Researcher: Ananda Dhakal

Radius Blocks <= 2.1.2 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2025-24712 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: Radius Blocks – WordPress Gutenberg Blocks
Researcher: Tran Nguyen Bao Khanh

Really Simple SSL <= 9.1.4 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2025-24623 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: Really Simple Security – Simple and Performant Security (formerly Really Simple SSL)
Researcher: Ananda Dhakal

RomethemeKit For Elementor <= 1.5.2 – Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2024-10324 | Patch Status: Patched | Published: Jan 23, 2025
Affected Software: RomethemeKit For Elementor
Researcher: Ankit Patel

RomethemeKit For Elementor <= 1.5.2 – Missing Authorization
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2025-24743 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: RomethemeKit For Elementor
Researcher: João Pedro Soares de Alcântara

Sastra Essential Addons for Elementor – Free Elementor Addons, Widgets and Templates <= 1.0.14 – Missing Authorization to Spexo Theme Install
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2024-13335 | Patch Status: Patched | Published: Jan 23, 2025
Affected Software: Spexo Addons for Elementor – Free Elementor Addons, Widgets and Templates
Researcher: Tieu Pham Trong Nhan

Side Menu Lite <= 5.3.1 – Cross-Site Request Forgery to Settings Update
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2025-24724 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: Side Menu Lite – add sticky fixed buttons
Researcher: Khang Duong

Starter Templates <= 4.4.9 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2025-24568 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: Starter Templates — Elementor, WordPress & Beaver Builder Templates
Researcher: Rafie Muhammad

Sticky Buttons <= 4.1.1 – Cross-Site Request Forgery to Settings Update
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2025-24720 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: Sticky Buttons – floating buttons builder
Researcher: Khang Duong

Super Block Slider <= 2.7.9 – Missing Authorization
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2025-24682 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: Super block slider – Responsive image & content slider
Researcher: Nirmal Kavaiya

Taxonomy/Term and Role based Discounts for WooCommerce <= 5.1 – Cross-Site Request Forgery to Settings Update
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2025-24625 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: Taxonomy/Term and Role based Discounts for WooCommerce
Researcher: Kévin Mosbahi (Mika)

Thim Elementor Kit <= 1.2.8 – Missing Authorization
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2025-24725 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: Thim Elementor Kit
Researcher: Prissy

Ultimate Coming Soon & Maintenance <= 1.0.9 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2025-24546 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: Ultimate Coming Soon & Maintenance
Researcher: Marek Mikita

Variation Swatches for WooCommerce 1.0.8 – 1.3.2 – Cross-Site Request Forgery to Plugin Settings Reset
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2024-13511 | Patch Status: Patched | Published: Jan 22, 2025
Affected Software: Variation Swatches for WooCommerce
Researcher: lucky_buddy

VForm <= 3.0.5 – Missing Authorization
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2025-24604 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: Lifetime free Drag & Drop Contact Form Builder for WordPress VForm
Researcher: Kévin Mosbahi (Mika)

WooCommerce Cloak Affiliate Links <= 1.0.35 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2025-24647 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: WooCommerce Cloak Affiliate Links
Researcher: Kévin Mosbahi (Mika)

WP Duplicate – WordPress Migration Plugin <= 1.1.6 – Missing Authorization
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2025-24652 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: WP Duplicate – WordPress Migration Plugin
Researcher: Kévin Mosbahi (Mika)

WP Go Maps <= 9.0.40 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2025-24742 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: WP Go Maps (formerly WP Google Maps)
Researcher: Joshua Chan

WP Hotel Booking <= 2.1.6 – Missing Authorization to Authenticated (Subscriber+) User Email Retrieval
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2024-13447 | Patch Status: Patched | Published: Jan 21, 2025
Affected Software: WP Hotel Booking
Researcher: Krzysztof Zając

WPBot Pro WordPress Chatbot <= 13.5.5 – Missing Authorization to Authenticated (Subscriber+) Simple Text Response Creation
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2024-12879 | Patch Status: Patched | Published: Jan 21, 2025
Affected Software: WPBot Pro WordPress Chatbot
Researcher: BrokenAC ignore

Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress <= 1.3.1 – Missing Authorization to Authenticated (Subscriber+) Limited Options Update
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2024-13368 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Researcher: Stiofan

Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress By KaineLabs <= 1.3.2 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Review Deletion
CVSS Rating: Medium (4.3) | CVE-ID: CVE-2024-12113 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Researcher: Brian Mungai

Contact Form by Bit Form <= 2.17.4 – Authenticated (Administrator+) Server-Side Request Forgery
CVSS Rating: Low (3.8) | CVE-ID: CVE-2024-13450 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder
Researcher: Francesco Carlucci

Extensions For CF7 <= 3.2.0 – Authenticated (Admin+) Server-Side Request Forgery
CVSS Rating: Low (3.8) | CVE-ID: CVE-2025-24695 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection)
Researcher: Marek Mikita

Admin and Site Enhancements (ASE) <= 7.6.2 – Missing Authorization
CVSS Rating: Low (3.1) | CVE-ID: CVE-2025-24649 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: Admin and Site Enhancements (ASE)
Researcher: Rafie Muhammad

FV Thoughtful Comments <= 0.3.5 – Missing Authorization
CVSS Rating: Low (3.1) | CVE-ID: CVE-2025-24613 | Patch Status: Patched | Published: Jan 24, 2025
Affected Software: FV Thoughtful Comments
Researcher: Kévin Mosbahi (Mika)

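The entries above follow two title shapes: "plugin <= version – type" and, for Variation Swatches for WooCommerce, "plugin low – high – type". The script below is an added example (it is not Wordfence code and is not the Wordfence CLI Vulnerability Scanner or the vulnerability API mentioned at the top of this report) showing how to turn a handful of those titles into a local triage against a plugin inventory. The five entries are copied from the list above with their listed patch status; the installed-version inventory is constructed for the example. Two simplifications are assumptions: plugins are matched by the display name used in the title rather than the wordpress.org slug, and versions are compared as tuples of integers, which handles cases such as 3.4.9 versus 3.4.10 correctly but ignores pre-release suffixes.

```python
"""Triage Wordfence weekly-report entries against a plugin inventory.

Added example, not Wordfence code. Parses the report's two title shapes
("<plugin> <= <version> – <type>" and "<plugin> <low> – <high> – <type>")
and flags installed plugins whose version falls inside the affected range.
Assumptions: name-based plugin matching and dotted-integer version compare.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Entry titles copied from the report, with the patch status listed there.
REPORT_ENTRIES = [
    ("Really Simple SSL <= 9.1.4 – Cross-Site Request Forgery", "CVE-2025-24623", "Patched"),
    ("Linear <= 2.8.1 – Cross-Site Request Forgery to Cache Reset", "CVE-2024-13709", "Unpatched"),
    ("Variation Swatches for WooCommerce 1.0.8 – 1.3.2 – Cross-Site Request Forgery to Plugin Settings Reset",
     "CVE-2024-13511", "Patched"),
    ("Print Barcode Labels for your WooCommerce products/orders <= 3.4.10 – Missing Authorization",
     "CVE-2025-24603", "Patched"),
    ("WP Go Maps <= 9.0.40 – Cross-Site Request Forgery", "CVE-2025-24742", "Patched"),
]

# Constructed inventory for the example: plugin display name -> installed version.
INSTALLED = {
    "Really Simple SSL": "9.1.4",
    "Linear": "2.8.1",
    "Variation Swatches for WooCommerce": "1.0.7",
    "Print Barcode Labels for your WooCommerce products/orders": "3.4.9",
    "WP Go Maps": "9.0.41",
}

# Non-greedy plugin name, then the version constraint, then the vulnerability type.
UPPER_RE = re.compile(r"^(?P<plugin>.+?) <= (?P<hi>\d[\d.]*) – (?P<kind>.+)$")
RANGE_RE = re.compile(r"^(?P<plugin>.+?) (?P<lo>\d[\d.]*) – (?P<hi>\d[\d.]*) – (?P<kind>.+)$")


@dataclass(frozen=True)
class Entry:
    plugin: str
    lo: Optional[tuple]  # inclusive lower bound; None means every version up to hi
    hi: tuple            # inclusive upper bound
    kind: str
    cve: str
    patched: bool


def parse_version(s: str) -> tuple:
    """'3.4.10' -> (3, 4, 10). Tuples compare numerically; strings would not."""
    return tuple(int(p) for p in s.strip(".").split("."))


def parse_entry(title: str, cve: str, status: str) -> Entry:
    m = UPPER_RE.match(title)
    if m:
        return Entry(m["plugin"], None, parse_version(m["hi"]), m["kind"], cve, status == "Patched")
    m = RANGE_RE.match(title)
    if m:
        return Entry(m["plugin"], parse_version(m["lo"]), parse_version(m["hi"]),
                     m["kind"], cve, status == "Patched")
    raise ValueError(f"unrecognised title: {title}")


def is_affected(entry: Entry, installed_version: str) -> bool:
    v = parse_version(installed_version)
    if v > entry.hi:
        return False
    return entry.lo is None or v >= entry.lo


def triage(entries, installed) -> list:
    """One finding per installed plugin whose version is inside an entry's range."""
    findings = []
    for title, cve, status in entries:
        e = parse_entry(title, cve, status)
        ver = installed.get(e.plugin)
        if ver is None or not is_affected(e, ver):
            continue
        findings.append({
            "plugin": e.plugin, "installed": ver, "cve": e.cve, "kind": e.kind,
            # An unpatched entry has no version to update to; the only options are
            # to disable the plugin or restrict access until a fix ships.
            "action": "update past the affected range" if e.patched
                      else "no fix available: disable the plugin or restrict access",
        })
    return findings


if __name__ == "__main__":
    for f in triage(REPORT_ENTRIES, INSTALLED):
        print(f"{f['plugin']} {f['installed']}: {f['cve']} ({f['kind']}) -> {f['action']}")
```

Run as-is it reports Really Simple SSL 9.1.4 and Print Barcode Labels 3.4.9 as needing an update and Linear 2.8.1 as affected with no fix available; Variation Swatches 1.0.7 (below the range's lower bound) and WP Go Maps 9.0.41 (above the upper bound) are not flagged. For production use, key the inventory on plugin slugs and pull affected-version data from the vulnerability database feed rather than from report titles.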

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (January 20, 2025 to January 26, 2025) appeared first on Wordfence.
