Skip to main content
CVE-2025-1323 HIGH POC PATCH THREAT Act Now

The WP-Recall - Registration, Profile, Commerce & More plugin for WordPress is vulnerable to SQL Injection via the 'databeat' parameter in all versions up to, and including, 16.26.10 due to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 53.2%.

WordPress SQLi Wp Recall PHP
NVD
CVSS 3.1
7.5
EPSS
53.2%
Threat
4.6
CVE-2025-27840 MEDIUM POC This Month

Espressif ESP32 chips allow 29 hidden HCI commands, such as 0xFC02 (Write memory). Rated medium severity (CVSS 6.8). Public exploit code available and no vendor patch available.

Information Disclosure Esp32 Firmware
NVD GitHub
CVSS 3.1
6.8
EPSS
0.3%
CVE-2024-13825 MEDIUM POC This Month

The Email Keep WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Email Keep
NVD WPScan
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-0177 CRITICAL Act Now

The Javo Core plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.0.0.080. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Privilege Escalation Javo Core PHP
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-13826 MEDIUM POC This Month

The Email Keep WordPress plugin through 1.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Email Keep
NVD WPScan
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-2112 MEDIUM POC This Month

A vulnerability was found in user-xiangpeng yaoqishan up to a47fec4a31cbd13698c592dfdc938c8824dd25e4. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Yaoqishan
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2024-13882 HIGH This Week

The Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE File Upload Aiomatic
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2024-11640 HIGH PATCH This Week

The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress RCE CSRF Vikrentcar
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2024-13359 HIGH PATCH This Week

The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the add_product_input_fields_to_order_item_meta(). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

WordPress PHP RCE File Upload Product Input Fields For Woocommerce
NVD
CVSS 3.1
8.1
EPSS
2.7%
CVE-2024-11087 HIGH This Week

The miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) Pro Addon plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 200.3.9. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Google WordPress Authentication Bypass Social Login
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2024-13908 HIGH PATCH This Week

The SMTP by BestWebSoft plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_options' function in all versions up to, and including, 1.1.9. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

WordPress RCE File Upload Smtp
NVD
CVSS 3.1
7.2
EPSS
0.8%
CVE-2024-13890 HIGH This Week

The Allow PHP Execute plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.0. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE WordPress PHP Code Injection Allow Php Execute
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2024-13835 HIGH This Week

The Post Meta Data Manager plugin for WordPress is vulnerable to multisite privilege escalation in all versions up to, and including, 1.4.3. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Privilege Escalation
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-1481 MEDIUM This Month

The Shortcode Cleaner Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_backup() function in all versions up to, and including,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Shortcode Cleaner Lite PHP
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-1287 MEDIUM PATCH This Month

The The Plus Addons for Elementor - Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown, Syntax. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS The Plus Addons For Elementor PHP Elementor
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2024-12460 MEDIUM This Month

The Years Since - Timeless Texts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'years-since' shortcode in all versions up to, and including, 1.4.1 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2024-13649 MEDIUM PATCH This Month

The 140+ Widgets | Xpro Addons For Elementor - FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 1.4.6.7 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Xpro Addons For Elementor Elementor
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-1783 MEDIUM PATCH This Month

The Gallery Styles plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gallery Block in all versions up to, and including, 1.3.4 due to insufficient input sanitization and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Gallery Styles PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2024-12119 MEDIUM This Month

The FooGallery - Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the default_gallery_title_size parameter. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Foogallery
NVD GitHub
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-1664 MEDIUM PATCH This Month

The Essential Blocks - Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Parallax slider in all versions up to, and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Essential Blocks PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-1261 MEDIUM PATCH This Month

The HT Mega - Absolute Addons For Elementor plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 2.8.2. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Ht Mega PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2024-13675 MEDIUM PATCH This Month

The SlingBlocks - Gutenberg Blocks by FunnelKit (Formerly WooFunnels) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the "Icon List" Block in all versions up to, and including,. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Slingblocks
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-1324 MEDIUM PATCH This Month

The WP-Recall - Registration, Profile, Commerce & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'public-form' shortcode in all versions up to, and including,. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Wp Recall PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-1325 MEDIUM PATCH This Month

The WP-Recall - Registration, Profile, Commerce & More plugin for WordPress is vulnerable to arbitrary shortcode execution due to a missing capability check on the 'rcl_preview_post' AJAX endpoint in. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

WordPress Authentication Bypass Wp Recall PHP
NVD
CVSS 3.1
6.3
EPSS
0.1%
CVE-2024-13774 MEDIUM This Month

The Wishlist for WooCommerce: Multi Wishlists Per Customer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.7. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2024-13640 MEDIUM This Month

The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.4.1 via the 'wcdn/invoice' directory. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress Information Disclosure
NVD
CVSS 3.1
5.9
EPSS
0.2%
CVE-2024-13816 MEDIUM This Month

The Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Aiomatic
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2024-13924 MEDIUM This Month

The Starter Templates by FancyWP plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.0.0 via the 'http_request_host_is_external' filter. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress SSRF Starter Templates
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2023-52970 MEDIUM PATCH This Month

MariaDB Server 10.4 through 10.5.*, 10.6 through 10.6.*, 10.7 through 10.11.*, 11.0 through 11.0.*, and 11.1 through 11.4.* crashes in Item_direct_view_ref::derived_field_transformer_for_where. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Red Hat Suse
NVD
CVSS 3.1
4.9
EPSS
0.2%
CVE-2023-52969 MEDIUM PATCH This Month

MariaDB Server 10.4 through 10.5.*, 10.6 through 10.6.*, 10.7 through 10.11.*, and 11.0 through 11.0.* can sometimes crash with an empty backtrace log. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Red Hat Suse
NVD
CVSS 3.1
4.9
EPSS
0.2%
CVE-2024-13844 MEDIUM PATCH This Month

The Post SMTP plugin for WordPress is vulnerable to generic SQL Injection via the ‘columns’ parameter in all versions up to, and including, 3.1.2 due to insufficient escaping on the user supplied. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity.

WordPress SQLi Post Smtp
NVD GitHub
CVSS 3.1
4.9
EPSS
0.2%
CVE-2023-52968 MEDIUM PATCH This Month

MariaDB Server 10.4 before 10.4.33, 10.5 before 10.5.24, 10.6 before 10.6.17, 10.7 through 10.11 before 10.11.7, 11.0 before 11.0.5, and 11.1 before 11.1.4 calls fix_fields_if_needed under. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Red Hat Suse
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2023-52971 MEDIUM PATCH This Month

MariaDB Server 10.10 through 10.11.* and 11.0 through 11.4.* crashes in JOIN::fix_all_splittings_in_plan. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Red Hat Suse
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2024-13895 MEDIUM This Month

The The Code Snippets CPT plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.1.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE WordPress Code Injection Code Snippets Cpt
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2024-10321 MEDIUM This Month

The All-in-One Addons for Elementor - WidgetKit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.4 in. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Information Disclosure PHP Elementor
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2024-12114 MEDIUM PATCH This Month

The FooGallery - Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

WordPress Authentication Bypass Foogallery
NVD GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-1504 MEDIUM This Month

The Post Lockdown plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.0.2 via the 'pl_autocomplete' AJAX action due to insufficient restrictions on. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Information Disclosure Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-1322 MEDIUM PATCH This Month

The WP-Recall - Registration, Profile, Commerce & More plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 16.26.10 via the 'feed' shortcode due to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

WordPress Information Disclosure Wp Recall PHP
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2024-10326 MEDIUM PATCH This Month

The RomethemeKit For Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_options and reset_widgets functions in all. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

WordPress Authentication Bypass Romethemekit For Elementor Elementor
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-27839 LOW Monitor

operations/attestation/AttestationTask.kt in the Tangem SDK before 5.18.3 for Android has a logic flow in offline wallet attestation (genuineness check) that causes verification results to be. Rated low severity (CVSS 3.2), this vulnerability is no authentication required. No vendor patch available.

Google Information Disclosure Android
NVD GitHub
CVSS 3.1
3.2
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy