Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total637
Critical40
High108
Medium475
Showing 81-100 of 637 records
Threat Entry Updated 2025-04-02

CVE-2024-10105 - Before 2 Plugin

The Job Postings WordPress plugin before 2.7.11 does not sanitise and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 2

CVE-2024-10105

MEDIUM CVSS 5.9 2025-03-25
Threat Entry Updated 2025-05-15

CVE-2024-13571 - Before 2 Plugin

The Post Timeline WordPress plugin before 2.3.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Before 2

CVE-2024-13571

HIGH CVSS 7.1 2025-02-26
Threat Entry Updated 2025-05-07

CVE-2024-13314 - Before 2 Plugin

The Carousel, Slider, Gallery by WP Carousel WordPress plugin before 2.7.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 2

CVE-2024-13314

LOW CVSS 3.5 2025-02-21
Threat Entry Updated 2025-06-09

CVE-2024-12163 - Before 2 Plugin

The goodlayers-core WordPress plugin before 2.1.3 allows users with a subscriber role and above to upload SVGs containing malicious payloads.

PLUGIN Before 2

CVE-2024-12163

MEDIUM CVSS 6.5 2025-01-30
Threat Entry Updated 2025-05-11

CVE-2024-10309 - Before 2 Plugin

The Tracking Code Manager WordPress plugin before 2.4.0 does not sanitise and escape some of its metabox settings when outputting them in the page, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

PLUGIN Before 2

CVE-2024-10309

MEDIUM CVSS 5.9 2025-01-30
Threat Entry Updated 2025-05-14

CVE-2024-12585 - Before 2 Plugin

The Property Hive WordPress plugin before 2.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Before 2

CVE-2024-12585

MEDIUM CVSS 6.1 2025-01-08
Threat Entry Updated 2025-05-14

CVE-2024-10151 - Before 2 Plugin

The Auto iFrame WordPress plugin before 2.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 2

CVE-2024-10151

MEDIUM CVSS 5.4 2025-01-08
Threat Entry Updated 2025-06-05

CVE-2024-11357 - Before 2 Plugin

The goodlayers-core WordPress plugin before 2.0.10 does not sanitise and escape some of its settings, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 2

CVE-2024-11357

MEDIUM CVSS 5.9 2025-01-02
Threat Entry Updated 2025-05-14

CVE-2024-10903 - Before 2 Plugin

The Broken Link Checker WordPress plugin before 2.4.2 does not validate the link URLs before making a request to them, which could allow admin users to perform SSRF attacks, for example on a multisite installation.

PLUGIN Before 2

CVE-2024-10903

MEDIUM CVSS 4.7 2024-12-26
Threat Entry Updated 2025-05-07

CVE-2024-9641 - Before 2 Plugin

The LuckyWP Table of Contents WordPress plugin before 2.1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 2

CVE-2024-9641

MEDIUM CVSS 4.8 2024-12-12
Threat Entry Updated 2025-05-17

CVE-2024-10499 - Before 2 Plugin

The AI Engine WordPress plugin before 2.6.5 does not sanitize and escape a parameter from one of its REST API endpoints before using it in a SQL statement, allowing admins to perform SQL injection attacks.

PLUGIN Before 2

CVE-2024-10499

HIGH CVSS 7.2 2024-12-12
Threat Entry Updated 2025-05-17

CVE-2024-11107 - Before 2 Plugin

The System Dashboard WordPress plugin before 2.8.15 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated users to perform Cross-Site Scripting attacks.

PLUGIN Before 2

CVE-2024-11107

MEDIUM CVSS 6.1 2024-12-10
Threat Entry Updated 2025-05-17

CVE-2024-10708 - Before 2 Plugin

The System Dashboard WordPress plugin before 2.8.15 does not validate user input used in a path, which could allow high privilege users such as admin to perform path traversal attacks and read arbitrary files on the server.

PLUGIN Before 2

CVE-2024-10708

MEDIUM CVSS 4.9 2024-12-10
Threat Entry Updated 2025-05-06

CVE-2024-11183 - Before 2 Plugin

The Simple Side Tab WordPress plugin before 2.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 2

CVE-2024-11183

MEDIUM CVSS 4.8 2024-12-07
Threat Entry Updated 2025-05-17

CVE-2024-10480 - Before 2 Plugin

The 3DPrint Lite WordPress plugin before 2.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

PLUGIN Before 2

CVE-2024-10480

MEDIUM CVSS 4.3 2024-12-06
Threat Entry Updated 2025-04-11

CVE-2024-10104 - Before 2 Plugin

The Jobs for WordPress plugin before 2.7.8 does not sanitise and escape some of its Job settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 2

CVE-2024-10104

MEDIUM CVSS 5.9 2024-11-15
Threat Entry Updated 2025-05-15

CVE-2024-7982 - Before 2 Plugin

The Registrations for the Events Calendar WordPress plugin before 2.12.4 does not sanitise and escape some parameters when accepting event registrations, which could allow unauthenticated users to perform Cross-Site Scripting attacks.

PLUGIN Before 2

CVE-2024-7982

CRITICAL CVSS 9.6 2024-11-08
Threat Entry Updated 2025-05-17

CVE-2024-8378 - Before 2 Plugin

The Safe SVG WordPress plugin before 2.2.6 runs its sanitisation code only for paths that call wp_handle_upload, but not, for example, for code that uses wp_handle_sideload, which is often used to upload attachments via raw POST data.

PLUGIN Before 2

CVE-2024-8378

MEDIUM CVSS 4.8 2024-11-07
Threat Entry Updated 2024-10-24

CVE-2024-8625 - Before 2 Plugin

The TS Poll WordPress plugin before 2.4.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.

PLUGIN Before 2

CVE-2024-8625

HIGH CVSS 7.2 2024-10-21
Threat Entry Updated 2025-09-30

CVE-2024-8983 - Before 2 Plugin

The Custom Twitter Feeds WordPress plugin before 2.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 2

CVE-2024-8983

MEDIUM CVSS 4.8 2024-10-08