
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 808 | Critical: 39 | High: 132 | Medium: 616
Showing 101-120 of 808 records
Threat Entry Updated 2025-05-08

CVE-2024-10562 - Before 1 Plugin

The Form Maker by 10Web WordPress plugin before 1.15.31 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).


CVE-2024-10562

LOW CVSS 2.7 2025-01-07
Threat Entry Updated 2025-05-17

CVE-2024-11972 - Before 1 Plugin

The Hunk Companion WordPress plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repo, including vulnerable plugins that have been closed.


CVE-2024-11972

CRITICAL CVSS 9.8 2024-12-31
Threat Entry Updated 2025-05-17

CVE-2024-11842 - Before 1 Plugin

The DN Shipping by Weight for WooCommerce WordPress plugin before 1.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.


CVE-2024-11842

MEDIUM CVSS 4.3 2024-12-27
Threat Entry Updated 2025-05-08

CVE-2024-11223 - Before 1 Plugin

The WPForms WordPress plugin before 1.9.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).


CVE-2024-11223

MEDIUM CVSS 4.7 2024-12-26
Threat Entry Updated 2025-05-14

CVE-2024-11108 - Before 1 Plugin

The Serious Slider WordPress plugin before 1.2.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.


CVE-2024-11108

MEDIUM CVSS 5.4 2024-12-20
Threat Entry Updated 2025-05-07

CVE-2024-10704 - Before 1 Plugin

The Photo Gallery by 10Web WordPress plugin before 1.8.31 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).


CVE-2024-10704

MEDIUM CVSS 4.8 2024-11-29
Threat Entry Updated 2025-11-13

CVE-2024-7056 - Before 1 Plugin

The WPForms WordPress plugin before 1.9.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).


CVE-2024-7056

LOW CVSS 3.5 2024-11-25
Threat Entry Updated 2025-05-15

CVE-2024-5029 - Before 1 Plugin

The CM Table Of Contents WordPress plugin before 1.2.4 does not have a CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make a logged in admin add Stored XSS payloads via a CSRF attack.


CVE-2024-5029

MEDIUM CVSS 4.8 2024-11-21
Threat Entry Updated 2025-05-15

CVE-2024-10482 - Before 1 Plugin

The Media File Rename, Find Unused File, Add Alt text, Caption, Desc For Image SEO WordPress plugin before 1.5.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.


CVE-2024-10482

MEDIUM CVSS 5.4 2024-11-21
Threat Entry Updated 2025-05-15

CVE-2024-5030 - Before 1 Plugin

The CM Table Of Contents WordPress plugin before 1.2.3 does not have a CSRF check in place when resetting its settings, which could allow attackers to make a logged in admin perform such an action via a CSRF attack.


CVE-2024-5030

LOW CVSS 3.8 2024-11-18
Threat Entry Updated 2024-11-06

CVE-2024-7877 - Before 1 Plugin

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Notification settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.


CVE-2024-7877

MEDIUM CVSS 4.8 2024-11-05
Threat Entry Updated 2024-11-06

CVE-2024-7876 - Before 1 Plugin

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Appointment Type settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.


CVE-2024-7876

MEDIUM CVSS 4.8 2024-11-05
Threat Entry Updated 2025-05-06

CVE-2024-5968 - Before 1 Plugin

The Photo Gallery by 10Web WordPress plugin before 1.8.28 does not properly sanitise and escape some of its Gallery settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).


CVE-2024-5968

MEDIUM CVSS 4.8 2024-10-09
Threat Entry Updated 2024-10-07

CVE-2024-8283 - Before 1 Plugin

The Slider by 10Web WordPress plugin before 1.2.59 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).


CVE-2024-8283

MEDIUM CVSS 4.8 2024-09-30
Threat Entry Updated 2025-09-15

CVE-2024-7129 - Before 1 Plugin

The Appointment Booking Calendar WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig Template Injection which, if further exploited, can result in remote code execution by high privilege users such as admins.


CVE-2024-7129

HIGH CVSS 7.2 2024-09-13
Threat Entry Updated 2024-09-27

CVE-2024-6617 - Before 1 Plugin

The NinjaTeam Header Footer Custom Code WordPress plugin before 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).


CVE-2024-6617

MEDIUM CVSS 4.8 2024-09-13
Threat Entry Updated 2024-09-27

CVE-2024-6493 - Before 1 Plugin

The NinjaTeam Header Footer Custom Code WordPress plugin before 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).


CVE-2024-6493

MEDIUM CVSS 4.8 2024-09-13
Threat Entry Updated 2024-09-26

CVE-2024-6887 - Before 1 Plugin

The Giveaways and Contests by RafflePress WordPress plugin before 1.12.16 does not sanitise and escape some of its Giveaways settings, which could allow high privilege users such as editor and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).


CVE-2024-6887

MEDIUM CVSS 4.8 2024-09-12
Threat Entry Updated 2024-09-26

CVE-2024-5799 - Before 1 Plugin

The CM Pop-Up Banners for WordPress plugin before 1.7.3 does not sanitise and escape some of its popup fields, which could allow high privilege users such as Contributors to perform Cross-Site Scripting attacks.


CVE-2024-5799

MEDIUM CVSS 4.8 2024-09-12
Threat Entry Updated 2024-09-25

CVE-2024-3899 - Before 1 Plugin

The Gallery Plugin for WordPress WordPress plugin before 1.8.15 does not sanitise and escape some of its image settings, which could allow users with post-writing privilege such as Author to perform Cross-Site Scripting attacks.


CVE-2024-3899

MEDIUM CVSS 4.8 2024-09-11