Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

CVE-2024-3236 - Popup Builder plugin, versions before 1.1.33

The Popup Builder WordPress plugin before 1.1.33 does not sanitise and escape some of its Notification fields, which could allow users such as contributor and above to perform Stored Cross-Site Scripting attacks.

Severity: Medium (CVSS 5.4). Date: 2024-06-17. Entry updated: 2025-05-13.

CVE-2024-3552 - Web Directory Free plugin, versions before 1.7.0

The Web Directory Free WordPress plugin before 1.7.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection with different techniques like UNION, Time-Based and Error-Based.

Severity: Critical (CVSS 9.8). Date: 2024-06-13. Entry updated: 2025-03-25.

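The pattern behind the CVE-2024-3552 entry, an AJAX action reachable without authentication that builds SQL from a request parameter, shown here as an added illustration. This is not the Web Directory Free plugin's code: the `hyp_listing_search` action, the `hyp_listings` table and the `cat` parameter are hypothetical, and the vulnerable handler is kept deliberately broken beside the hardened one. It runs as a file under `wp-content/mu-plugins/` on a WordPress install.

```php
<?php
// Added example (hypothetical names, not Web Directory Free code).

// VULNERABLE: reachable by anonymous visitors, parameter concatenated into SQL.
// The attacker controls $_GET['cat'] end to end, so UNION-, error- and
// time-based payloads all work against this statement.
function hyp_listing_search_vulnerable() {
    global $wpdb;
    $cat  = $_GET['cat'];
    $rows = $wpdb->get_results(
        "SELECT id, title FROM {$wpdb->prefix}hyp_listings WHERE category = '" . $cat . "'"
    );
    wp_send_json_success( $rows );
}

// HARDENED: same feature, three independent controls:
//  1. a nonce ties the request to a page this site served,
//  2. the input is normalised and bounded before use,
//  3. the value reaches MySQL only through a $wpdb->prepare() placeholder,
//     which is the control that actually removes the injection.
function hyp_listing_search_hardened() {
    global $wpdb;

    check_ajax_referer( 'hyp_listing_search', 'nonce' ); // dies with -1 on failure

    $cat = isset( $_GET['cat'] ) ? sanitize_text_field( wp_unslash( $_GET['cat'] ) ) : '';
    if ( '' === $cat || strlen( $cat ) > 64 ) {
        wp_send_json_error( array( 'message' => 'invalid category' ), 400 );
    }

    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, title FROM {$wpdb->prefix}hyp_listings WHERE category = %s LIMIT %d",
            $cat,
            50
        )
    );
    wp_send_json_success( $rows );
}

// Search is a public feature, so both the logged-in and the nopriv hook point at
// the hardened handler. The vulnerable function is never registered.
add_action( 'wp_ajax_hyp_listing_search',        'hyp_listing_search_hardened' );
add_action( 'wp_ajax_nopriv_hyp_listing_search', 'hyp_listing_search_hardened' );

// The page that issues the request needs the nonce; WordPress nonces are valid
// for logged-out users too (they are keyed to user ID 0 and the session token).
function hyp_listing_search_enqueue() {
    wp_register_script( 'hyp-listing-search', plugins_url( 'search.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'hyp-listing-search', 'hypSearch', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'hyp_listing_search' ),
    ) );
    wp_enqueue_script( 'hyp-listing-search' );
}
add_action( 'wp_enqueue_scripts', 'hyp_listing_search_enqueue' );
```

One caveat worth knowing when reviewing public endpoints: on sites with full-page caching the nonce baked into the cached HTML goes stale after the nonce lifetime, so plugin authors sometimes drop the nonce on `nopriv` actions. That is tolerable for a read-only search only because the `prepare()` placeholder, not the nonce, is what makes the query safe.
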
CVE-2024-2749 - VikBooking Hotel Booking Engine & PMS plugin, versions before 1.6.8

The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.6.8 does not properly restrict access to its settings, permitting any user who can access a menu to manipulate requests and perform unauthorized actions such as editing, renaming or deleting items (categories, for example) despite settings that prohibit such access. This amounts to broken access control, enabling unauthorized users to modify critical plugin configuration.

Severity: Medium (CVSS 5.9). Date: 2024-05-14. Entry updated: 2025-05-05.

CVE-2024-2441 - VikBooking Hotel Booking Engine & PMS plugin, versions before 1.6.8

The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.6.8 allows direct access to its menus, allowing an authenticated user with subscriber privileges or above to bypass authorization and access plugin settings they should not be allowed to reach.

Severity: High (CVSS 8.1). Date: 2024-05-14. Entry updated: 2025-05-05.

CVE-2024-3692 - Gutenverse plugin, versions before 1.9.1

The Gutenverse WordPress plugin before 1.9.1 does not validate the htmlTag option in various of its blocks before outputting it back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Severity: Medium (CVSS 6.1). Date: 2024-05-03. Entry updated: 2025-05-08.

CVE-2024-3481 - Counter Box plugin, versions before 1.2.4

The Counter Box WordPress plugin before 1.2.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged-in admins perform unwanted actions, such as deleting counters, via CSRF attacks.

Severity: Medium (CVSS 5.2). Date: 2024-05-02. Entry updated: 2025-05-08.

CVE-2024-2908 - Call Now Button plugin, versions before 1.4.7

The Call Now Button WordPress plugin before 1.4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Severity: Medium (CVSS 4.3). Date: 2024-04-26. Entry updated: 2025-05-08.

CVE-2024-2404 - Better Comments plugin, versions before 1.5.6

The Better Comments WordPress plugin before 1.5.6 does not sanitise and escape some of its settings, which could allow low privilege users such as Subscribers to perform Stored Cross-Site Scripting attacks.

Severity: Medium (CVSS 5.4). Date: 2024-04-24. Entry updated: 2024-11-21.

CVE-2024-2402 - Better Comments plugin, versions before 1.5.6

The Better Comments WordPress plugin before 1.5.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Severity: Medium (CVSS 5.4). Date: 2024-04-24. Entry updated: 2025-05-08.

CVE-2024-2322 - WooCommerce Cart Abandonment Recovery plugin, versions before 1.2.27

The WooCommerce Cart Abandonment Recovery WordPress plugin before 1.2.27 does not have a CSRF check in its bulk actions, which could allow attackers to make logged-in admins delete arbitrary email templates as well as delete and unsubscribe users from abandoned orders via CSRF attacks.

Severity: Medium (CVSS 6.8). Date: 2024-04-03. Entry updated: 2025-04-07.

CVE-2024-2278 - Themify plugin, versions before 1.4.4

The Themify WordPress plugin before 1.4.4 does not sanitise and escape some of its Filters settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Severity: Medium (CVSS 6.1). Date: 2024-04-01. Entry updated: 2025-05-07.

CVE-2024-1526 - Hubbub Lite plugin, versions before 1.33.1

The Hubbub Lite WordPress plugin before 1.33.1 does not ensure that users have access to a password-protected post before displaying its content in a meta tag.

Severity: Medium (CVSS 5.3). Date: 2024-04-01. Entry updated: 2025-06-10.

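The failure mode in the CVE-2024-1526 entry is specific to code that runs in `<head>`, outside the loop, where the usual password gate on `the_content()` never fires. The following added illustration, not Hubbub Lite's code, shows a hypothetical `hyp_output_share_meta` hook that checks `post_password_required()` before any description is derived from the post; it assumes a WordPress install and runs as an mu-plugin.

```php
<?php
// Added example (hypothetical function names, not Hubbub Lite code).
//
// The leak happens when a description is built straight from $post->post_content
// for a social-share meta tag, e.g.
//     $desc = wp_trim_words( $post->post_content, 30 );
// Core's get_the_excerpt() already refuses protected posts, but reading
// post_content directly bypasses that, so the check has to be explicit.
function hyp_output_share_meta() {
    if ( ! is_singular() ) {
        return;
    }
    $post = get_queried_object();
    if ( ! $post instanceof WP_Post ) {
        return;
    }

    // The title is public on archive pages anyway; expose it.
    printf(
        '<meta property="og:title" content="%s" />' . "\n",
        esc_attr( get_the_title( $post ) )
    );

    // Password gate: post_password_required() is true when the post has a
    // password and this visitor's cookie does not unlock it.
    if ( post_password_required( $post ) ) {
        printf(
            '<meta property="og:description" content="%s" />' . "\n",
            esc_attr( get_bloginfo( 'description' ) ) // site tagline, not post content
        );
        return;
    }

    $desc = wp_strip_all_tags( get_the_excerpt( $post ) );
    $desc = wp_html_excerpt( $desc, 200, '...' );
    printf(
        '<meta property="og:description" content="%s" />' . "\n",
        esc_attr( $desc )
    );
}
add_action( 'wp_head', 'hyp_output_share_meta', 5 );
```

Crawlers and link-preview bots never carry the password cookie, so for them the protected branch is the only one that ever runs; that is exactly why meta tags are where this class of leak shows up.
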
CVE-2024-2263 - Themify plugin, versions before 1.4.4

The Themify WordPress plugin before 1.4.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Severity: Medium (CVSS 4.8). Date: 2024-04-01. Entry updated: 2025-05-13.

CVE-2024-2262 - Themify plugin, versions before 1.4.4

The Themify WordPress plugin before 1.4.4 does not have a CSRF check in its bulk action, which could allow attackers to make logged-in users delete arbitrary filters via a CSRF attack, provided they know the related filter slugs.

Severity: Medium (CVSS 4.7). Date: 2024-04-01. Entry updated: 2025-05-13.

CVE-2024-0856 - Appointment Booking Calendar plugin, versions before 1.3.83

The Appointment Booking Calendar WordPress plugin before 1.3.83 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks, such as adding a booking to the calendar without paying.

Severity: High (CVSS 8.8). Date: 2024-03-20. Entry updated: 2025-05-05.

CVE-2024-1401 - Profile Box Shortcode And Widget plugin, versions before 1.2.1

The Profile Box Shortcode And Widget WordPress plugin before 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Severity: Medium (CVSS 4.8). Date: 2024-03-19. Entry updated: 2025-05-05.

CVE-2023-6821 - Error Log Viewer by BestWebSoft plugin, versions before 1.1.3

The Error Log Viewer by BestWebSoft WordPress plugin before 1.1.3 is affected by a Directory Listing issue, allowing users to read and download PHP logs without authorization.

Severity: Medium (CVSS 6.5). Date: 2024-03-18. Entry updated: 2025-03-27.

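A log file dropped under the web root is only as private as the directory around it, which is the exposure the CVE-2023-6821 entry describes. The added illustration below is not the Error Log Viewer by BestWebSoft plugin's code; it shows the layered pattern a plugin can use when it must keep logs under `wp-content/uploads`: a blank `index.php` against autoindex, an `.htaccess` deny for Apache, an unguessable file name, and an admin-only download route instead of a direct URL. Function names (`hyp_*`) are hypothetical; it assumes a WordPress install.

```php
<?php
// Added example (hypothetical names, not Error Log Viewer code).

// Create the log directory once and seal it.
function hyp_log_dir() {
    $upload = wp_upload_dir();
    $dir    = trailingslashit( $upload['basedir'] ) . 'hyp-logs';

    if ( ! is_dir( $dir ) ) {
        wp_mkdir_p( $dir );
    }
    // 1. Defeats directory listing even if the server has autoindex on.
    if ( ! file_exists( $dir . '/index.php' ) ) {
        file_put_contents( $dir . '/index.php', "<?php\n// Silence is golden.\n" );
    }
    // 2. Apache only: deny direct reads of anything in the directory. Uses the
    //    2.2/2.4 guard so a wrong syntax does not produce a 500. nginx ignores
    //    .htaccess entirely and needs an equivalent location block in its config.
    if ( ! file_exists( $dir . '/.htaccess' ) ) {
        file_put_contents(
            $dir . '/.htaccess',
            "<IfModule mod_authz_core.c>\nRequire all denied\n</IfModule>\n" .
            "<IfModule !mod_authz_core.c>\nOrder deny,allow\nDeny from all\n</IfModule>\n"
        );
    }
    return $dir;
}

// 3. Unguessable file name, salted with this site's keys via wp_hash().
function hyp_log_path() {
    return hyp_log_dir() . '/error-' . substr( wp_hash( 'hyp-log' ), 0, 16 ) . '.log';
}

// 4. The only read path: admin capability + nonce, then stream the file.
function hyp_download_log() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'hyp_download_log' ); // dies on a bad or missing nonce

    $path = hyp_log_path();
    if ( ! is_readable( $path ) ) {
        wp_die( 'No log file', '', array( 'response' => 404 ) );
    }
    nocache_headers();
    header( 'Content-Type: text/plain; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="error.log"' );
    readfile( $path );
    exit;
}
// admin_post_* hooks require a logged-in user; no admin_post_nopriv_ variant is registered.
add_action( 'admin_post_hyp_download_log', 'hyp_download_log' );

// Link for the admin screen; the nonce is bound to the download action.
function hyp_download_log_url() {
    return wp_nonce_url( admin_url( 'admin-post.php?action=hyp_download_log' ), 'hyp_download_log' );
}
```

The strongest version of this fix is to keep the log outside the web root altogether (pointing PHP's `error_log` at a non-served path) so that no web-server configuration has to be right; the directory sealing above is the fallback for plugins that cannot control where the host lets them write.
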
CVE-2024-1658 - Grid Shortcodes plugin, versions before 1.1.1

The Grid Shortcodes WordPress plugin before 1.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Severity: Medium (CVSS 5.4). Date: 2024-03-18. Entry updated: 2025-05-05.

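The CVE-2024-3692 (Gutenverse htmlTag) and CVE-2024-1658 (Grid Shortcodes attributes) entries share a root cause: a contributor-controlled attribute decides what HTML is emitted, and KSES never sees it because a shortcode or block attribute is not HTML at save time. The added illustration below, a hypothetical `hyp_box` shortcode and not either plugin's code, shows why a tag-name attribute needs an allowlist rather than an escaper, with the other attributes escaped for their context. It assumes a WordPress install.

```php
<?php
// Added example (hypothetical shortcode, not Gutenverse or Grid Shortcodes code).

// VULNERABLE: the attribute values are spliced into markup verbatim. A contributor
// who can write [hyp_box tag="..."] controls the element name and everything after it.
function hyp_box_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'tag' => 'div', 'title' => '', 'class' => '' ), $atts, 'hyp_box' );
    return '<' . $atts['tag'] . ' class="' . $atts['class'] . '">' . $atts['title'] . '</' . $atts['tag'] . '>';
}

// HARDENED: each attribute is handled according to the role it plays in the output.
function hyp_box_shortcode( $atts ) {
    $atts = shortcode_atts(
        array(
            'tag'   => 'div',
            'title' => '',
            'class' => '',
            'url'   => '',
        ),
        $atts,
        'hyp_box'
    );

    // 1. Structural value (an element name): escaping cannot make an arbitrary
    //    tag safe, so anything outside the allowlist falls back to the default.
    $allowed_tags = array( 'div', 'section', 'article', 'aside', 'span', 'p' );
    $tag = strtolower( $atts['tag'] );
    if ( ! in_array( $tag, $allowed_tags, true ) ) {
        $tag = 'div';
    }

    // 2. Attribute context: class names through sanitize_html_class(), then esc_attr().
    $classes = array_filter( array_map( 'sanitize_html_class', preg_split( '/\s+/', $atts['class'] ) ) );
    $class   = esc_attr( implode( ' ', $classes ) );

    // 3. URL context: esc_url() returns '' for disallowed schemes such as javascript:.
    $url = esc_url( $atts['url'] );

    // 4. Text context: esc_html() for content between tags.
    $title = esc_html( $atts['title'] );

    $html = sprintf( '<%1$s class="hyp-box %2$s">', $tag, $class );
    if ( '' !== $title ) {
        $html .= ( '' !== $url )
            ? sprintf( '<a href="%s">%s</a>', $url, $title )
            : $title;
    }
    $html .= sprintf( '</%s>', $tag );
    return $html;
}
add_shortcode( 'hyp_box', 'hyp_box_shortcode' );
```

The same split applies to block attributes saved through the block editor: a block's `htmlTag`-style option is validated against a fixed list in the server-side render callback, and free-text attributes are escaped at output, regardless of what the editor-side JavaScript already checked.
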
CVE-2024-0559 - Enhanced Text Widget plugin, versions before 1.6.6

The Enhanced Text Widget WordPress plugin before 1.6.6 does not validate and escape some of its Widget options before outputting them back in attributes, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Severity: Medium (CVSS 6.5). Date: 2024-03-11. Entry updated: 2025-04-01.

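Several entries on this page (CVE-2024-3236, CVE-2024-2908, CVE-2024-2404, CVE-2024-2402, CVE-2024-2278, CVE-2024-1401 and CVE-2024-0559) describe settings that are stored and echoed without sanitisation or escaping, and most note that this works even when `unfiltered_html` is disallowed. The reason is that `unfiltered_html` only governs KSES filtering of post and comment content; option values are stored exactly as submitted unless the plugin sanitises them. The added illustration below, a hypothetical `hyp_cta` option and not any listed plugin's code, shows the two controls that make a setting safe independent of who saved it: a `sanitize_callback` on `register_setting()` and context-appropriate escaping at every output point. The same output rule covers the reflected case in CVE-2024-2263, where a request parameter is echoed back. It assumes a WordPress install.

```php
<?php
// Added example (hypothetical option and function names, not code from the plugins above).

// VULNERABLE shape, for contrast (never registered here):
//   update_option( 'hyp_cta', $_POST['hyp_cta'] );          // stored verbatim
//   echo '<a href="' . $opt['url'] . '">' . $opt['label'] . '</a>'; // echoed verbatim

// Sanitise on save. register_setting()'s sanitize_callback runs on every write
// path that goes through the Settings API (options.php, the REST settings
// endpoint), so markup never reaches the database in the first place.
function hyp_cta_sanitize( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array();
    $clean['label']   = isset( $input['label'] ) ? sanitize_text_field( $input['label'] ) : '';
    $clean['url']     = isset( $input['url'] ) ? esc_url_raw( $input['url'] ) : ''; // drops javascript: etc.
    $clean['new_tab'] = ! empty( $input['new_tab'] ) ? 1 : 0;                      // boolean, not free text
    return $clean;
}

function hyp_cta_register_settings() {
    register_setting(
        'hyp_cta_group',
        'hyp_cta',
        array(
            'type'              => 'array',
            'sanitize_callback' => 'hyp_cta_sanitize',
            'default'           => array( 'label' => '', 'url' => '', 'new_tab' => 0 ),
        )
    );
}
add_action( 'admin_init', 'hyp_cta_register_settings' );

// Escape on output. Doing this at render time means a value that was already
// stored dirty (older version, direct DB edit, import) is still inert.
function hyp_cta_render() {
    $opt   = get_option( 'hyp_cta', array() );
    $label = isset( $opt['label'] ) ? $opt['label'] : '';
    $url   = isset( $opt['url'] ) ? $opt['url'] : '';
    if ( '' === $label || '' === $url ) {
        return '';
    }
    return sprintf(
        '<a class="hyp-cta" href="%s"%s>%s</a>',
        esc_url( $url ),                                                   // URL context
        ! empty( $opt['new_tab'] ) ? ' target="_blank" rel="noopener"' : '', // fixed string
        esc_html( $label )                                                 // text context
    );
}
add_shortcode( 'hyp_cta', 'hyp_cta_render' );

// The settings form itself is an output point too: value="" is attribute context.
function hyp_cta_label_field() {
    $opt = get_option( 'hyp_cta', array() );
    printf(
        '<input type="text" name="hyp_cta[label]" value="%s" />',
        esc_attr( isset( $opt['label'] ) ? $opt['label'] : '' )
    );
}

// Reflected variant: a request parameter echoed into the admin page gets the
// same treatment, escaped for the context it lands in, never echoed raw.
function hyp_cta_current_tab() {
    $tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';
    return '<h2 class="nav-tab-wrapper"><a class="nav-tab" href="' .
        esc_url( add_query_arg( 'tab', $tab ) ) . '">' . esc_html( $tab ) . '</a></h2>';
}
```

Picking the escaper by destination is the part that is easy to get wrong: `esc_html()` for text nodes, `esc_attr()` for attribute values, `esc_url()` for `href`/`src`, `wp_kses_post()` only where a bounded subset of HTML is genuinely intended.
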
CVE-2023-7202 - Fatal Error Notify plugin, versions before 1.5.3

The Fatal Error Notify WordPress plugin before 1.5.3 does not have authorisation and CSRF checks in its test_error AJAX action, allowing any authenticated user, such as a subscriber, to call it and spam the admin email address with error messages. The issue is also exploitable via CSRF.

Severity: Medium (CVSS 6.1). Date: 2024-02-27. Entry updated: 2025-05-01.

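The CSRF and authorisation entries on this page (CVE-2023-7202, CVE-2024-3481, CVE-2024-2322, CVE-2024-2262 and CVE-2024-0856, plus the VikBooking access-control pair CVE-2024-2749 and CVE-2024-2441) all come down to a state-changing entry point that lacks one or both of two independent checks: a capability check answering "may this user do this at all", and a nonce answering "did this user intend this request". The added illustration below, with hypothetical `hyp_*` names and not the code of any plugin listed, shows the three entry-point types involved: an AJAX action, a list-table bulk action, and an admin menu page. It assumes a WordPress install and runs as an mu-plugin.

```php
<?php
// Added example (hypothetical names, not code from the plugins above).
// Capability alone still lets an attacker ride the admin's session (CSRF);
// nonce alone still lets any logged-in user act; both are needed.

// (a) AJAX action that sends a test email. No wp_ajax_nopriv_ hook is registered,
//     so anonymous callers never reach it at all.
function hyp_send_test_error() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    check_ajax_referer( 'hyp_send_test_error', 'nonce' ); // dies with -1 on a bad nonce

    // Even authorised callers are rate-limited so the admin inbox cannot be flooded.
    if ( get_transient( 'hyp_test_error_sent' ) ) {
        wp_send_json_error( array( 'message' => 'try again later' ), 429 );
    }
    set_transient( 'hyp_test_error_sent', 1, MINUTE_IN_SECONDS );

    wp_mail( get_option( 'admin_email' ), 'Test error notification', 'This is a test message.' );
    wp_send_json_success();
}
add_action( 'wp_ajax_hyp_send_test_error', 'hyp_send_test_error' );

// (b) Bulk delete from a list table on the hypothetical "hyp-counters" screen.
//     WP_List_Table::display() emits the nonce under 'bulk-' . $plural, which is
//     what check_admin_referer() verifies here.
function hyp_delete_counter( $id ) {
    delete_option( 'hyp_counter_' . absint( $id ) ); // hypothetical storage
}

function hyp_handle_bulk_delete() {
    if ( empty( $_GET['page'] ) || 'hyp-counters' !== $_GET['page'] || empty( $_POST['counter'] ) ) {
        return;
    }
    $action = isset( $_POST['action'] ) ? $_POST['action'] : '';
    if ( '-1' === $action && isset( $_POST['action2'] ) ) {
        $action = $_POST['action2']; // bottom bulk-action dropdown
    }
    if ( 'delete' !== $action ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'bulk-hyp_counters' ); // dies on failure

    $ids = array_filter( array_map( 'absint', (array) $_POST['counter'] ) );
    foreach ( $ids as $id ) {
        hyp_delete_counter( $id );
    }
    wp_safe_redirect( add_query_arg( 'deleted', count( $ids ), admin_url( 'admin.php?page=hyp-counters' ) ) );
    exit;
}
add_action( 'admin_init', 'hyp_handle_bulk_delete' );

// (c) Menu pages: the capability argument to add_menu_page() is the gate. Passing
//     'read' (which every subscriber holds) is what turns "can see a menu" into
//     "can change settings". The callback re-checks, since the gate only hides the link.
function hyp_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    echo '<div class="wrap"><h1>Hyp Settings</h1></div>';
}

function hyp_register_menu() {
    add_menu_page( 'Hyp Settings', 'Hyp', 'manage_options', 'hyp-counters', 'hyp_settings_page' );
}
add_action( 'admin_menu', 'hyp_register_menu' );
```

When reviewing a plugin for this class, grep for every `wp_ajax_`, `admin_post_`, `admin_init` and `admin_menu` hook and confirm each handler reaches both `current_user_can()` and one of `check_ajax_referer()` / `check_admin_referer()` / `wp_verify_nonce()` before anything is written; a nonce check that is present but whose result is ignored (`wp_verify_nonce()` without acting on `false`) counts as missing.
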