| CVE | Title | Vendor | Product | Severity | CVSS | Published | Report |
|---|---|---|---|---|---|---|---|
| CVE-2024-12860 | CarSpot – Dealership Wordpress Classified Theme <= 2.4.3 - Unauthenticated Arbitrary Password Reset/Account Takeover | scriptsbundle | CarSpot – Dealership Wordpress Classified Theme | Critical | 9.8 | 2025-02-18 08:21:43 | Deep Dive |
| CVE-2024-13465 | aBlocks – WordPress Gutenberg Blocks <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | kodezen | aBlocks – Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & Animation Builder | Medium | 6.4 | 2025-02-18 07:28:14 | Deep Dive |
| CVE-2024-13556 | Affiliate Links: WordPress Plugin for Link Cloaking and Link Management <= 3.0.1 - Missing Authorization to Unauthenticated Import/Export and PHP Object Injection | wecantrack | Affiliate Links – Link Cloaking and Management | High | 8.1 | 2025-02-18 05:22:27 | Deep Dive |
| CVE-2024-13609 | 1 Click WordPress Migration Plugin – 100% FREE for a limited time <= 2.2 - Unauthenticated Sensitive Information Exposure via Database Backup in class-ocm-backup.php | 1clickmigration | 1 Click Migration & Backup: Free WordPress Migration Plugin with Zero Downtime & Easy Clone | Medium | 5.9 | 2025-02-18 04:21:21 | Deep Dive |
| CVE-2024-13677 | GetBookingsWp - Appointments & Bookings Plugin Basic Version <= 1.1.27 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover | istmoplugins | GetBookingsWP – Appointments Booking Calendar Plugin For WordPress | High | 8.8 | 2025-02-18 04:21:20 | Deep Dive |
| CVE-2024-13555 | 1 Click WordPress Migration Plugin – 100% FREE for a limited time <= 2.2 - Cross-Site Request Forgery to Backup Process Cancellation | 1clickmigration | 1 Click Migration & Backup: Free WordPress Migration Plugin with Zero Downtime & Easy Clone | Medium | 5.3 | 2025-02-18 04:21:19 | Deep Dive |
| CVE-2025-22676 | WordPress Upcasted S3 Offload plugin <= 3.0.3 - Cross Site Scripting (XSS) vulnerability | upcasted | AWS S3 for WordPress Plugin – Upcasted | Medium | 6.5 | 2025-02-16 22:17:17 | Deep Dive |
| CVE-2024-13306 | WP Google Map < 1.9.4 - Admin+ Stored XSS | Unknown | Maps Plugin using Google Maps for WordPress | Medium | - | 2025-02-15 06:00:11 | Deep Dive |
| CVE-2024-13208 | WP Google Map < 1.9.4 - Admin+ Stored XSS | Unknown | Maps Plugin using Google Maps for WordPress | Medium | - | 2025-02-15 06:00:09 | Deep Dive |
| CVE-2025-23657 | WordPress WordPress-to-candidate for Salesforce CRM plugin <= 1.0.1 - Reflected Cross Site Scripting (XSS) vulnerability | RusAlex | WordPress-to-candidate for Salesforce CRM | High | 7.1 | 2025-02-14 12:44:31 | Deep Dive |
| CVE-2025-23492 | WordPress 淘宝客插件 plugin <= 1.1.2 - Reflected Cross Site Scripting (XSS) vulnerability | CantonBolo | WordPress 淘宝客插件 | High | 7.1 | 2025-02-14 12:44:29 | Deep Dive |
| CVE-2025-23428 | WordPress QMean plugin <= 2.0 - Reflected Cross Site Scripting (XSS) vulnerability | Arash Safari | QMean – WordPress Did You Mean | High | 7.1 | 2025-02-14 12:44:28 | Deep Dive |
| CVE-2024-13735 | HurryTimer <= 2.11.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Campaign Name | nlemsieh | HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce | Medium | 6.4 | 2025-02-14 09:21:32 | Deep Dive |
| CVE-2024-13867 | Listivo - Classified Ads WordPress Theme <= 2.3.67 - Reflected Cross-Site Scripting | TangibleWP | Listivo - Classified Ads WordPress Theme | Medium | 6.1 | 2025-02-13 09:21:47 | Deep Dive |
| CVE-2024-13346 | Avada Theme <= 7.11.13 - Unauthenticated Arbitrary Shortcode Execution | ThemeFusion | Avada \| Website Builder For WordPress & WooCommerce | High | 7.3 | 2025-02-13 06:58:05 | Deep Dive |
| CVE-2024-13770 | Puzzles \| WP Magazine / Review with Store WordPress Theme + RTL <= 4.2.4 - Unauthenticated PHP Object Injection | ThemeREX | Puzzles \| WP Magazine / Review with Store WordPress Theme + RTL | High | 8.1 | 2025-02-13 04:21:47 | Deep Dive |
| CVE-2025-0837 | Puzzles <= 4.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | ThemeREX | Puzzles \| WP Magazine / Review with Store WordPress Theme + RTL | Medium | 6.4 | 2025-02-13 04:21:46 | Deep Dive |
| CVE-2024-13814 | Global Gallery - WordPress Responsive Gallery <= 9.1.5 - Authenticated (Subscriber+) Arbitrary Shortcode Execution | LCweb | Global Gallery - WordPress Responsive Gallery | Medium | 5.4 | 2025-02-12 08:25:43 | Deep Dive |
| CVE-2024-13656 | Click Mag - Viral WordPress News Magazine/Blog Theme <= 3.6.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Deletion | MVPThemes | Click Mag - Viral WordPress News Magazine/Blog Theme | High | 8.1 | 2025-02-12 04:22:17 | Deep Dive |
| CVE-2024-13654 | ZoxPress - The All-In-One WordPress News Theme <= 2.12.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Deletion | MVPThemes | ZoxPress - The All-In-One WordPress News Theme | High | 8.1 | 2025-02-12 04:22:17 | Deep Dive |