Skip to main content
CVE-2024-12824 CRITICAL POC THREAT Emergency

The Nokri Job Board WordPress theme through version 1.6.2 contains a privilege escalation via account takeover. The password reset handler fails to check for empty token values, allowing unauthenticated attackers to reset any user's password including administrators by submitting an empty verification token.

WordPress Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
58.7%
Threat
5.2
CVE-2025-27554 CRITICAL Act Now

ToDesktop before 2024-10-03, as used by Cursor before 2024-10-03 and other applications, allows remote attackers to execute arbitrary commands on the build server (e.g., read secrets from the. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2025-1638 CRITICAL Act Now

The Alloggio Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Authentication Bypass PHP
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-1671 CRITICAL Act Now

The Academist Membership plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2025-1564 CRITICAL Act Now

The SetSail Membership plugin for WordPress is vulnerable to in all versions up to, and including, 1.0.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Information Disclosure PHP
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2025-23116 CRITICAL Act Now

An Authentication Bypass vulnerability on UniFi Protect Application with Auto-Adopt Bridge Devices enabled could allow a malicious actor with access to UniFi Protect Cameras adjacent network to take. Rated critical severity (CVSS 9.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Ubiquiti
NVD
CVSS 3.0
9.6
EPSS
0.1%
CVE-2025-1800 MEDIUM POC This Month

A vulnerability has been found in D-Link DAR-7000 3.2 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

D-Link Command Injection PHP Dar 7000 Firmware
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.5%
CVE-2025-23115 CRITICAL Act Now

A Use After Free vulnerability on UniFi Protect Cameras could allow a Remote Code Execution (RCE) by a malicious actor with access to UniFi Protect Cameras management network. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Use After Free Memory Corruption Ubiquiti RCE Denial Of Service
NVD
CVSS 3.0
9.0
EPSS
0.6%
CVE-2024-12544 HIGH This Week

The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to arbitrary file deletion due to a missing capability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Authentication Bypass CSRF RCE WordPress
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2025-1786 MEDIUM POC This Month

A vulnerability was found in rizinorg rizin up to 0.7.4. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Rizin Suse
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2025-1788 MEDIUM POC This Month

A vulnerability, which was classified as critical, was found in rizinorg rizin up to 0.8.0. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Rizin Suse
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2024-13373 HIGH This Week

The Exertio Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.1. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress Privilege Escalation
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2024-13910 HIGH This Week

The Database Backup and check Tables Automated With Scheduler 2024 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress PHP RCE Path Traversal
NVD
CVSS 3.1
7.2
EPSS
4.0%
CVE-2024-13611 HIGH This Week

The Better Messages - Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Information Disclosure Better Messages
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2024-13568 HIGH This Week

The Fluent Support - Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-23119 HIGH This Week

An Improper Neutralization of Escape Sequences vulnerability could allow an Authentication Bypass with a Remote Code Execution (RCE) by a malicious actor with access to UniFi Protect Cameras adjacent. Rated high severity (CVSS 7.5), this vulnerability is no authentication required. No vendor patch available.

Authentication Bypass Command Injection RCE Ubiquiti
NVD
CVSS 3.0
7.5
EPSS
0.2%
CVE-2024-13833 HIGH This Week

The Album Gallery - WordPress Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.3 via deserialization of untrusted input from gallery meta. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure WordPress PHP Deserialization
NVD
CVSS 3.1
7.2
EPSS
1.0%
CVE-2024-13911 HIGH This Week

The Database Backup and check Tables Automated With Scheduler 2024 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.35 via the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Information Disclosure PHP
NVD
CVSS 3.1
7.2
EPSS
0.7%
CVE-2025-1804 HIGH This Week

A vulnerability was found in Blizzard Battle.Net up to 2.39.0.15212 on Windows and classified as critical. Rated high severity (CVSS 7.3). No vendor patch available.

Microsoft Information Disclosure Windows
NVD VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2025-23117 MEDIUM This Month

An Insufficient Firmware Update Validation vulnerability could allow an authenticated malicious actor with access to UniFi Protect Cameras adjacent network to make unsupported changes to the camera. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Ubiquiti
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2024-13806 MEDIUM This Month

The The Authors List plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE WordPress Code Injection
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2024-13746 MEDIUM This Month

The Booking Calendar and Notification plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on the wpcb_all_bookings(),. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2025-1730 MEDIUM This Month

The Simple Download Counter plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.0 via the 'simple_download_counter_download_handler'. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure WordPress PHP
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2024-13750 MEDIUM This Month

The Multilevel Referral Affiliate Plugin for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.27 due to insufficient. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-1491 MEDIUM This Month

The WP Posts Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘auto_play_timeout’ parameter in all versions up to, and including, 1.3.7 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-1291 MEDIUM This Month

The Gutenberg Blocks with AI by Kadence WP - Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘icon’ parameter in all versions up to, and including,. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-0820 MEDIUM This Month

The Clicface Trombi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘nom’ parameter in all versions up to, and including, 2.08 due to insufficient input sanitization and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2024-13559 MEDIUM This Month

The TemplatesNext ToolKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tx_woo_wishlist_table' shortcode in all versions up to, and including, 3.2.9 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-1459 MEDIUM PATCH This Month

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Embedded Video(PB) widget in all versions up to, and including, 2.31.4 due to insufficient. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Page Builder PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-23118 MEDIUM This Month

An Improper Certificate Validation vulnerability could allow an authenticated malicious actor with access to UniFi Protect Cameras adjacent network to make unsupported changes to the camera system. Rated medium severity (CVSS 6.4). No vendor patch available.

Information Disclosure Ubiquiti
NVD
CVSS 3.0
6.4
EPSS
0.0%
CVE-2024-9217 MEDIUM This Month

The Currency Switcher for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2024-9212 MEDIUM This Month

The SKU Generator for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to,. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2025-27416 MEDIUM This Month

Scratch-Coding-Hut.github.io is the website for Coding Hut. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD GitHub
CVSS 4.0
5.9
EPSS
0.1%
CVE-2025-1404 MEDIUM This Month

The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_sccp_reports_user_search(). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Authentication Bypass PHP
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2025-1502 MEDIUM This Month

The IP2Location Redirection plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'download_ip2location_redirection_backup' AJAX action in all. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Authentication Bypass PHP
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2025-1791 MEDIUM This Month

A vulnerability has been found in Zorlan SkyCaiji 2.9 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Authentication Bypass File Upload Skycaiji
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-1799 MEDIUM This Month

A vulnerability, which was classified as critical, was found in Zorlan SkyCaiji 2.9. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF PHP Skycaiji
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-1797 MEDIUM This Month

A vulnerability, which was classified as critical, has been found in Hunan Zhonghe Baiyi Information Technology Baiyiyun Asset Management and Operations System up to 20250217. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2024-41778 MEDIUM This Month

IBM Controller 11.0.0 through 11.0.1 and 11.1.0 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

Brute Force IBM Information Disclosure Controller
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2024-13697 MEDIUM This Month

The Better Messages - Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including,. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress SSRF Better Messages
NVD
CVSS 3.1
4.8
EPSS
0.3%
CVE-2024-13901 MEDIUM PATCH This Month

The Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘content’ parameter in all. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Counter Box
NVD
CVSS 3.1
4.4
EPSS
0.2%
CVE-2024-13546 MEDIUM This Month

The GenerateBlocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.9.1 via the 'get_image_description' function. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2025-1780 MEDIUM PATCH This Month

The BuddyPress WooCommerce My Account Integration. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

WordPress Authentication Bypass Buddypress Woocommerce My Account Integration PHP
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2024-13358 MEDIUM PATCH This Month

The BuddyPress WooCommerce My Account Integration. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

WordPress Authentication Bypass Buddypress Woocommerce My Account Integration
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2024-13518 MEDIUM This Month

The Simple:Press Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.10.11. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-1803 Awaiting Data

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.

Information Disclosure
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy