Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-11-13
CVE-2024-12767 - Before 2 Plugin
The buddyboss-platform WordPress plugin before 2.7.60 lacks proper access controls and allows a logged-in user to view comments on private posts
PLUGIN
Before 2
CVE-2024-12767
Risk Score
Threat Entry
Updated 2025-06-09
CVE-2024-10362 - Before 2 Plugin
The Social Media Share Buttons & Social Sharing Icons WordPress plugin before 2.9.1 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Before 2
CVE-2024-10362
Risk Score
Threat Entry
Updated 2025-06-09
CVE-2024-10149 - Before 2 Plugin
The Social Slider Feed WordPress plugin before 2.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 2
CVE-2024-10149
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2024-10143 - Before 2 Plugin
The MB Custom Post Types & Custom Taxonomies WordPress plugin before 2.7.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 2
CVE-2024-10143
Risk Score
Threat Entry
Updated 2025-06-11
CVE-2024-10009 - Before 2 Plugin
The Melapress File Monitor WordPress plugin before 2.1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
PLUGIN
Before 2
CVE-2024-10009
Risk Score
Threat Entry
Updated 2025-06-09
CVE-2024-10098 - Before 2 Plugin
The ApplyOnline WordPress plugin before 2.6.3 does not protect uploaded files during the application process, allowing unauthenticated users to access them and any private information they contain
PLUGIN
Before 2
CVE-2024-10098
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2025-3742 - Before 2 Plugin
The Responsive Lightbox & Gallery WordPress plugin before 2.5.1 does not validate and escape some of its attributes before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
Before 2
CVE-2025-3742
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2025-3649 - Before 2 Plugin
The LightPress Lightbox WordPress plugin before 2.3.4 does not check download links point to valid, non-Javascript URLs, allowing users with at least the contributor role to conduct Stored XSS attacks.
PLUGIN
Before 2
CVE-2025-3649
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2025-3597 - Before 2 Plugin
The Firelight Lightbox WordPress plugin before 2.3.15 does not prevent users with post writing capabilities from executing arbitrary Javascript when the jQuery Metadata library is enabled. While this feature is meant to only be available to Pro version users, it can be activated in the free version too, making it theoretically exploitable there as well.
PLUGIN
Before 2
CVE-2025-3597
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2025-2162 - Before 2 Plugin
The MapPress Maps for WordPress plugin before 2.94.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 2
CVE-2025-2162
Risk Score
Threat Entry
Updated 2025-04-29
CVE-2024-13925 - Before 2 Plugin
The Klarna Checkout for WooCommerce WordPress plugin before 2.13.5 exposes an unauthenticated WooCommerce Ajax endpoint that allows an attacker to flood the log files with data at the maximum size allowed for a POST parameter per request. This can result in rapid consumption of disk space, potentially filling the entire disk.
PLUGIN
Before 2
CVE-2024-13925
Risk Score
Threat Entry
Updated 2025-04-30
CVE-2024-13874 - Before 2 Plugin
The Feedify WordPress plugin before 2.4.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
Before 2
CVE-2024-13874
Risk Score
Threat Entry
Updated 2025-04-29
CVE-2025-2055 - Before 2 Plugin
The MapPress Maps for WordPress plugin before 2.94.9 does not sanitise and escape some parameters when outputing them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.
PLUGIN
Before 2
CVE-2025-2055
Risk Score
Threat Entry
Updated 2025-04-17
CVE-2025-1762 - Before 2 Plugin
The Event Tickets with Ticket Scanner WordPress plugin before 2.5.4 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Before 2
CVE-2025-1762
Risk Score
Threat Entry
Updated 2025-05-06
CVE-2025-1452 - Before 2 Plugin
The Favorites WordPress plugin before 2.3.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 2
CVE-2025-1452
Risk Score
Threat Entry
Updated 2025-05-06
CVE-2024-13118 - Before 2 Plugin
The IP Based Login WordPress plugin before 2.4.1 does not have CSRF checks in some places, which could allow attackers to make logged in users delete all logs via a CSRF attack
PLUGIN
Before 2
CVE-2024-13118
Risk Score
Threat Entry
Updated 2025-04-29
CVE-2024-11503 - Before 2 Plugin
The WP Tabs WordPress plugin before 2.2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 2
CVE-2024-11503
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-11273 - Before 2 Plugin
The Contact Form & SMTP Plugin for WordPress by PirateForms WordPress plugin before 2.6.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 2
CVE-2024-11273
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-11272 - Before 2 Plugin
The Contact Form & SMTP Plugin for WordPress by PirateForms WordPress plugin before 2.6.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 2
CVE-2024-11272
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-10703 - Before 2 Plugin
The Registrations for the Events Calendar WordPress plugin before 2.13.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 2
CVE-2024-10703
Risk Score