Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-06-09
CVE-2024-10098 - Before 2 Plugin
The ApplyOnline WordPress plugin before 2.6.3 does not protect uploaded files during the application process, allowing unauthenticated users to access them and any private information they contain
PLUGIN
Before 2
CVE-2024-10098
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2025-3742 - Before 2 Plugin
The Responsive Lightbox & Gallery WordPress plugin before 2.5.1 does not validate and escape some of its attributes before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
Before 2
CVE-2025-3742
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2025-3649 - Before 2 Plugin
The LightPress Lightbox WordPress plugin before 2.3.4 does not check download links point to valid, non-Javascript URLs, allowing users with at least the contributor role to conduct Stored XSS attacks.
PLUGIN
Before 2
CVE-2025-3649
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2025-3597 - Before 2 Plugin
The Firelight Lightbox WordPress plugin before 2.3.15 does not prevent users with post writing capabilities from executing arbitrary Javascript when the jQuery Metadata library is enabled. While this feature is meant to only be available to Pro version users, it can be activated in the free version too, making it theoretically exploitable there as well.
PLUGIN
Before 2
CVE-2025-3597
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2025-2162 - Before 2 Plugin
The MapPress Maps for WordPress plugin before 2.94.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 2
CVE-2025-2162
Risk Score
Threat Entry
Updated 2025-04-29
CVE-2024-13925 - Before 2 Plugin
The Klarna Checkout for WooCommerce WordPress plugin before 2.13.5 exposes an unauthenticated WooCommerce Ajax endpoint that allows an attacker to flood the log files with data at the maximum size allowed for a POST parameter per request. This can result in rapid consumption of disk space, potentially filling the entire disk.
PLUGIN
Before 2
CVE-2024-13925
Risk Score
Threat Entry
Updated 2025-04-30
CVE-2024-13874 - Before 2 Plugin
The Feedify WordPress plugin before 2.4.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
Before 2
CVE-2024-13874
Risk Score
Threat Entry
Updated 2025-04-29
CVE-2025-2055 - Before 2 Plugin
The MapPress Maps for WordPress plugin before 2.94.9 does not sanitise and escape some parameters when outputing them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.
PLUGIN
Before 2
CVE-2025-2055
Risk Score
Threat Entry
Updated 2025-04-17
CVE-2025-1762 - Before 2 Plugin
The Event Tickets with Ticket Scanner WordPress plugin before 2.5.4 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Before 2
CVE-2025-1762
Risk Score
Threat Entry
Updated 2025-05-06
CVE-2025-1452 - Before 2 Plugin
The Favorites WordPress plugin before 2.3.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 2
CVE-2025-1452
Risk Score
Threat Entry
Updated 2025-05-06
CVE-2024-13118 - Before 2 Plugin
The IP Based Login WordPress plugin before 2.4.1 does not have CSRF checks in some places, which could allow attackers to make logged in users delete all logs via a CSRF attack
PLUGIN
Before 2
CVE-2024-13118
Risk Score
Threat Entry
Updated 2025-04-29
CVE-2024-11503 - Before 2 Plugin
The WP Tabs WordPress plugin before 2.2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 2
CVE-2024-11503
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-11273 - Before 2 Plugin
The Contact Form & SMTP Plugin for WordPress by PirateForms WordPress plugin before 2.6.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 2
CVE-2024-11273
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-11272 - Before 2 Plugin
The Contact Form & SMTP Plugin for WordPress by PirateForms WordPress plugin before 2.6.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 2
CVE-2024-11272
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-10703 - Before 2 Plugin
The Registrations for the Events Calendar WordPress plugin before 2.13.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 2
CVE-2024-10703
Risk Score
Threat Entry
Updated 2025-04-02
CVE-2024-10105 - Before 2 Plugin
The Job Postings WordPress plugin before 2.7.11 does not sanitise and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 2
CVE-2024-10105
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-13571 - Before 2 Plugin
The Post Timeline WordPress plugin before 2.3.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Before 2
CVE-2024-13571
Risk Score
Threat Entry
Updated 2025-05-07
CVE-2024-13314 - Before 2 Plugin
The Carousel, Slider, Gallery by WP Carousel WordPress plugin before 2.7.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 2
CVE-2024-13314
Risk Score
Threat Entry
Updated 2025-06-09
CVE-2024-12163 - Before 2 Plugin
The goodlayers-core WordPress plugin before 2.1.3 allows users with a subscriber role and above to upload SVGs containing malicious payloads.
PLUGIN
Before 2
CVE-2024-12163
Risk Score
Threat Entry
Updated 2025-05-11
CVE-2024-10309 - Before 2 Plugin
The Tracking Code Manager WordPress plugin before 2.4.0 does not sanitise and escape some of its metabox settings when outputing them in the page, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.
PLUGIN
Before 2
CVE-2024-10309
Risk Score