Vulnerabilities

DATE CVE VULNERABILITY TITLE RISK
2025-04-24 CVE-2021-47664 Due to improper authentication mechanism an unauthenticated remote attacker can enumerate valid usernames.
network
low complexity
CWE-203
5.3
5.3
2025-04-24 CVE-2024-13307 The Reales WP - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'reales_delete_file', 'reales_delete_file_plans', 'reales_add_to_favourites', and 'reales_remove_from_favourites' functions in all versions up to, and including, 2.1.2.
network
low complexity
CWE-862
5.3
5.3
2025-04-24 CVE-2025-1284 The Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1 via the xc_woo_printer_preview AJAX action due to missing validation on a user controlled key.
network
low complexity
CWE-639
4.3
4.3
2025-04-24 CVE-2025-2543 The Advanced Accordion Gutenberg Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping.
network
low complexity
CWE-79
6.4
6.4
2025-04-24 CVE-2025-2579 The Lottie Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping.
network
low complexity
CWE-79
6.4
6.4
2025-04-24 CVE-2025-3058 The Xelion Webchat plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the xwc_save_settings() function in all versions up to, and including, 9.1.0.
network
low complexity
CWE-862
8.8
8.8
2025-04-24 CVE-2025-3065 The Database Toolset plugin is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to, and including, 1.8.4.
network
low complexity
CWE-22
critical
 9.1
9.1
2025-04-24 CVE-2025-3101 The Configurator Theme Core plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.4.7.
network
low complexity
CWE-269
8.8
8.8
2025-04-24 CVE-2025-3280 The ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes plugin for WordPress is vulnerable to SQL Injection via the 'attribute_value_filter' parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.
network
low complexity
CWE-89
6.5
6.5
2025-04-24 CVE-2025-3300 The WPMasterToolKit (WPMTK) – All in one plugin plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.5.2.
network
low complexity
CWE-22
7.2
7.2