Vulnerabilities
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2025-01-22 | CVE-2025-0428 | Deserialization of Untrusted Data vulnerability in Aipower. The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the $form['post_content'] variable through the wpaicg_export_prompts function. | 7.2 |
2025-01-22 | CVE-2025-0429 | Deserialization of Untrusted Data vulnerability in Aipower. The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the $form['post_content'] variable through the wpaicg_export_ai_forms() function. | 7.2 |
2025-01-22 | CVE-2024-12117 | Cross-site Scripting vulnerability in Gambit Stackable. The Stackable – Page Builder Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter of the Button block in all versions up to, and including, 3.13.11 due to insufficient input sanitization and output escaping. | 5.4 |
2025-01-22 | CVE-2024-12857 | Missing Authentication for Critical Function vulnerability in Scriptsbundle Adforest. The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.8. | 9.8 |
2025-01-22 | CVE-2024-13406 | Cross-site Scripting vulnerability in Icopydoc XML for Google Merchant Center. The XML for Google Merchant Center plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'feed_id' parameter in all versions up to, and including, 3.0.11 due to insufficient input sanitization and output escaping. | 6.1 |
2025-01-22 | CVE-2024-12879 | Missing Authorization vulnerability in Quantumcloud Wpot. The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'qc_wp_latest_update_check_pro' function in all versions up to, and including, 13.5.5. | 4.3 |
2025-01-22 | CVE-2024-13584 | Cross-site Scripting vulnerability in Videowhisper Picture Gallery. The Picture Gallery – Frontend Image Uploads, AJAX Photo List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_pictures' shortcode in all versions up to, and including, 1.5.19 due to insufficient input sanitization and output escaping on user supplied attributes. | 5.4 |
2025-01-22 | CVE-2024-13590 | Cross-site Scripting vulnerability in Ayecode Ketchup Shortcodes. The Ketchup Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spacer' shortcode in all versions up to, and including, 0.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. | 5.4 |
2025-01-22 | CVE-2024-13426 | SQL Injection vulnerability in Wp-Polls Project Wp-Polls. The WP-Polls plugin for WordPress is vulnerable to SQL Injection via COOKIE in all versions up to, and including, 2.77.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. | 5.3 |
2025-01-22 | CVE-2024-13091 | Unrestricted Upload of File with Dangerous Type vulnerability in Wpbot Wpot. The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'qcld_wpcfb_file_upload' function in all versions up to, and including, 13.5.4. | 9.8 |