Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 808
Critical: 39
High: 132
Medium: 616
Showing 41-60 of 808 records
Threat Entry Updated 2025-05-28

CVE-2024-8703 - Before 1 Plugin

The Z-Downloads WordPress plugin before 1.11.6 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks when accessing share URLs.

PLUGIN Before 1

CVE-2024-8703

MEDIUM CVSS 6.1 2025-05-15
Threat Entry Updated 2025-06-04

CVE-2024-8851 - Before 1 Plugin

The Polls CP WordPress plugin before 1.0.77 does not sanitise and escape some of its poll settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 1

CVE-2024-8851

MEDIUM CVSS 5.4 2025-05-15
Threat Entry Updated 2025-06-04

CVE-2024-8670 - Before 1 Plugin

The Photo Gallery by 10Web WordPress plugin before 1.8.29 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 1

CVE-2024-8670

MEDIUM CVSS 4.8 2025-05-15
Threat Entry Updated 2025-05-27

CVE-2024-8618 - Before 1 Plugin

The Page Builder: Pagelayer WordPress plugin before 1.9.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 1

CVE-2024-8618

MEDIUM CVSS 4.8 2025-05-15
Threat Entry Updated 2025-05-27

CVE-2024-8426 - Before 1 Plugin

The Page Builder: Pagelayer WordPress plugin before 1.8.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN Before 1

CVE-2024-8426

MEDIUM CVSS 4.8 2025-05-15
Threat Entry Updated 2025-06-12

CVE-2024-8245 - Before 1 Plugin

The GamiPress WordPress plugin before 1.0.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

PLUGIN Before 1

CVE-2024-8245

MEDIUM CVSS 4.3 2025-05-15
Threat Entry Updated 2025-06-12

CVE-2024-8031 - Before 1 Plugin

The Secure Downloads WordPress plugin before 1.2.3 does not properly restrict which files can be downloaded. This makes it possible for authenticated attackers, with admin-level access and above, to download arbitrary files that may contain sensitive information, such as wp-config.php.

PLUGIN Before 1

CVE-2024-8031

MEDIUM CVSS 6.5 2025-05-15
Threat Entry Updated 2025-06-05

CVE-2024-6809 - Before 1 Plugin

The Simple Video Directory WordPress plugin before 1.4.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

PLUGIN Before 1

CVE-2024-6809

CRITICAL CVSS 9.8 2025-05-15
Threat Entry Updated 2026-01-05

CVE-2024-6719 - Before 1 Plugin

The Offload Videos WordPress plugin before 1.0.1 does not have a CSRF check in place when updating its settings, which could allow low privilege users to update them via a CSRF attack.

PLUGIN Before 1

CVE-2024-6719

HIGH CVSS 8.1 2025-05-15
Threat Entry Updated 2025-06-11

CVE-2024-7759 - Before 1 Plugin

The PWA for WP WordPress plugin before 1.7.72 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 1

CVE-2024-7759

MEDIUM CVSS 4.8 2025-05-15
Threat Entry Updated 2025-06-11

CVE-2024-6486 - Before 1 Plugin

The ImageMagick Engine WordPress plugin before 1.7.11 is vulnerable to OS Command Injection via the "cli_path" parameter. This allows authenticated attackers with administrator-level permission to execute arbitrary OS commands on the server, leading to remote code execution.

PLUGIN Before 1

CVE-2024-6486

HIGH CVSS 7.2 2025-05-15
Threat Entry Updated 2025-06-11

CVE-2024-6159 - Before 1 Plugin

The Push Notification for Post and BuddyPress WordPress plugin before 1.9.4 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

PLUGIN Before 1

CVE-2024-6159

CRITICAL CVSS 9.8 2025-05-15
Threat Entry Updated 2025-06-11

CVE-2024-5440 - Before 1 Plugin

The If-So Dynamic Content Personalization WordPress plugin before 1.8.0.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 1

CVE-2024-5440

MEDIUM CVSS 5.4 2025-05-15
Threat Entry Updated 2025-06-11

CVE-2024-1663 - Before 1 Plugin

The Ultimate Noindex Nofollow Tool II WordPress plugin before 1.3.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 1

CVE-2024-1663

MEDIUM CVSS 4.8 2025-05-15
Threat Entry Updated 2025-06-10

CVE-2024-13616 - Before 1 Plugin

The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 1

CVE-2024-13616

MEDIUM CVSS 4.8 2025-05-15
Threat Entry Updated 2025-06-09

CVE-2024-13053 - Before 1 Plugin

The Form Maker by 10Web WordPress plugin before 1.15.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 1

CVE-2024-13053

MEDIUM CVSS 4.8 2025-05-15
Threat Entry Updated 2025-08-22

CVE-2024-12812 - Before 1 Plugin

The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting WordPress plugin before 1.13.4 is affected by an IDOR issue where employees can manipulate parameters to access the data of terminated employees.

PLUGIN Before 1

CVE-2024-12812

HIGH CVSS 7.5 2025-05-15
Threat Entry Updated 2025-06-10

CVE-2024-12808 - Before 1 Plugin

The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting WordPress plugin before 1.13.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 1

CVE-2024-12808

MEDIUM CVSS 4.8 2025-05-15
Threat Entry Updated 2025-05-28

CVE-2024-12680 - Before 1 Plugin

The Prisna GWT WordPress plugin before 1.4.14 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 1

CVE-2024-12680

MEDIUM CVSS 4.8 2025-05-15
Threat Entry Updated 2025-05-28

CVE-2024-12679 - Before 1 Plugin

The Prisna GWT WordPress plugin before 1.4.14 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 1

CVE-2024-12679

MEDIUM CVSS 4.8 2025-05-15