Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-06-09
CVE-2024-11189 - Before 1 Plugin
The Social Share And Social Locker WordPress plugin before 1.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 1
CVE-2024-11189
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2024-10818 - Before 1 Plugin
The JSFiddle Shortcode WordPress plugin before 1.1.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
Before 1
CVE-2024-10818
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2024-10504 - Before 1 Plugin
The Contact Form, Survey, Quiz & Popup Form Builder WordPress plugin before 1.7.1 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated users to perform Cross-Site Scripting attacks.
PLUGIN
Before 1
CVE-2024-10504
Risk Score
Threat Entry
Updated 2025-06-09
CVE-2024-10475 - Before 1 Plugin
The Responsive Contact Form Builder & Lead Generation Plugin WordPress plugin before 1.9.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 1
CVE-2024-10475
Risk Score
Threat Entry
Updated 2025-11-13
CVE-2024-0852 - Before 1 Plugin
The coreActivity: Activity Logging for WordPress plugin before 1.8.1 does not escape some request data when outputting it back in the admin dashboard, allowing unauthenticated users to perform Stored XSS attack against high privilege users such as admin
PLUGIN
Before 1
CVE-2024-0852
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2024-10145 - Before 1 Plugin
The Hubbub Lite WordPress plugin before 1.34.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 1
CVE-2024-10145
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2024-10107 - Before 1 Plugin
The Giveaways and Contests by RafflePress WordPress plugin before 1.12.17 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 1
CVE-2024-10107
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2024-10054 - Before 1 Plugin
The Happyforms WordPress plugin before 1.26.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 1
CVE-2024-10054
Risk Score
Threat Entry
Updated 2025-06-09
CVE-2023-7239 - Before 1 Plugin
The WP Dashboard Notes WordPress plugin before 1.0.11 does not validate that the user has access to the post_id parameter in its wpdn_update_note AJAX action. This allows users with a role of contributor and above to update notes created by other users.
PLUGIN
Before 1
CVE-2023-7239
Risk Score
Threat Entry
Updated 2025-06-11
CVE-2023-6541 - Before 1 Plugin
The Allow SVG WordPress plugin before 1.2.0 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.
PLUGIN
Before 1
CVE-2023-6541
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2023-5934 - Before 1 Plugin
The Travelpayouts: All Travel Brands in One Place WordPress plugin before 1.1.13 does not have CSRF check in place when importing settings from the v1, which could allow attackers to make a logged in admin update some settings via a CSRF attack
PLUGIN
Before 1
CVE-2023-5934
Risk Score
Threat Entry
Updated 2025-06-11
CVE-2023-6030 - Before 1 Plugin
The LogDash Activity Log WordPress plugin before 1.1.4 hooks the wp_login_failed function (from src/Hooks/Users.php) in order to log failed login attempts to the database but it doesn't escape the username when it perform some SQL request leading to a SQL injection vulnerability which can be exploited using time-based technique by unauthenticated attacker
PLUGIN
Before 1
CVE-2023-6030
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2023-5932 - Before 1 Plugin
The Travelpayouts: All Travel Brands in One Place WordPress plugin before 1.1.14 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
Before 1
CVE-2023-5932
Risk Score
Threat Entry
Updated 2025-06-11
CVE-2023-2334 - Before 1 Plugin
The edd-google-sheet-connector-pro WordPress plugin before 1.4, Easy Digital Downloads Google Sheet Connector WordPress plugin before 1.6.6 does not have CSRF check when updating its Access Code, which could allow attackers to make logged in admin change the access code to an arbitrary one via a CSRF attack
PLUGIN
Before 1
CVE-2023-2334
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2025-3514 - Before 1 Plugin
The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 1
CVE-2025-3514
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2025-3513 - Before 1 Plugin
The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 1
CVE-2025-3513
Risk Score
Threat Entry
Updated 2025-05-09
CVE-2025-3471 - Before 1 Plugin
The SureForms WordPress plugin before 1.4.4 does not have proper authorisation check when updating its settings via the REST API, which could allow Contributor and above roles to perform such action
PLUGIN
Before 1
CVE-2025-3471
Risk Score
Threat Entry
Updated 2025-04-23
CVE-2024-10680 - Before 1 Plugin
The Form Maker by 10Web WordPress plugin before 1.15.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 1
CVE-2024-10680
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2025-2048 - Before 1 Plugin
The Lana Downloads Manager WordPress plugin before 1.10.0 does not validate user input used in a path, which could allow users with an admin role to perform path traversal attacks and download arbitrary files on the server
PLUGIN
Before 1
CVE-2025-2048
Risk Score
Threat Entry
Updated 2025-05-13
CVE-2025-0613 - Before 1 Plugin
The Photo Gallery by 10Web WordPress plugin before 1.8.34 does not sanitised and escaped comment added on images by unauthenticated users, leading to an Unauthenticated Stored-XSS attack when comments are displayed
PLUGIN
Before 1
CVE-2025-0613
Risk Score