
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 632 | Critical: 40 | High: 107 | Medium: 472
Showing 141-160 of 632 records
Threat Entry Updated 2025-04-10

CVE-2024-3703 - Before 2 Plugin

The Carousel Slider WordPress plugin before 2.2.10 does not validate and escape some of its Slide options before outputting them back in the page/post where the related Slide shortcode is embedded, which could allow users with the Editor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 2

CVE-2024-3703

MEDIUM CVSS 4.7 2024-05-03
Threat Entry Updated 2025-05-08

CVE-2024-3477 - Before 2 Plugin

The Popup Box WordPress plugin before 2.2.7 does not have CSRF checks in some bulk actions, which could allow attackers to make logged-in admins perform unwanted actions, such as deleting popups, via CSRF attacks.

PLUGIN Before 2

CVE-2024-3477

MEDIUM CVSS 4.3 2024-05-02
Threat Entry Updated 2025-04-08

CVE-2024-1905 - Before 2 Plugin

The Smart Forms WordPress plugin before 2.6.96 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Before 2

CVE-2024-1905

MEDIUM CVSS 5.9 2024-04-29
Threat Entry Updated 2025-05-08

CVE-2023-7253 - Before 2 Plugin

The Import WP WordPress plugin before 2.13.1 does not prevent users with the administrator role from pinging arbitrary destinations, i.e. conducting SSRF attacks, which may be a problem in multisite configurations.

PLUGIN Before 2

CVE-2023-7253

MEDIUM CVSS 6.1 2024-04-24
Threat Entry Updated 2025-05-08

CVE-2024-2729 - Before 2 Plugin

The Otter Blocks WordPress plugin before 2.6.6 does not properly escape its mainHeadings blocks' attribute before appending it to the final rendered block, allowing contributors to conduct Stored XSS attacks.

PLUGIN Before 2

CVE-2024-2729

MEDIUM CVSS 6.1 2024-04-18
Threat Entry Updated 2025-05-08

CVE-2024-2118 - Before 2 Plugin

The Social Media Share Buttons & Social Sharing Icons WordPress plugin before 2.8.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Before 2

CVE-2024-2118

MEDIUM CVSS 5.9 2024-04-17
Threat Entry Updated 2025-06-17

CVE-2024-0868 - Before 2 Plugin

The coreActivity: Activity Logging plugin for WordPress plugin before 2.1 retrieved the IP addresses of requests from headers such as X-FORWARDED in order to log them, allowing users to spoof the logged address by supplying an arbitrary header value.

PLUGIN Before 2

CVE-2024-0868

MEDIUM CVSS 5.3 2024-04-17
Threat Entry Updated 2025-04-08

CVE-2024-1307 - Before 2 Plugin

The Smart Forms WordPress plugin before 2.6.94 does not have proper authorization in some actions, which could allow users with a role as low as Subscriber to call them and perform unauthorized actions.

PLUGIN Before 2

CVE-2024-1307

MEDIUM CVSS 6.5 2024-04-15
Threat Entry Updated 2025-05-08

CVE-2023-7201 - Before 2 Plugin

The Everest Backup WordPress plugin before 2.2.5 does not properly validate backup files to be uploaded, allowing high privilege users such as admin to upload arbitrary files to the server even when they should not be allowed to (for example in a multisite setup).

PLUGIN Before 2

CVE-2023-7201

MEDIUM CVSS 6.5 2024-04-15
Threat Entry Updated 2025-05-08

CVE-2024-1746 - Before 2 Plugin

The Testimonial Slider WordPress plugin before 2.3.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Before 2

CVE-2024-1746

MEDIUM CVSS 5.4 2024-04-15
Threat Entry Updated 2025-04-08

CVE-2024-1306 - Before 2 Plugin

The Smart Forms WordPress plugin before 2.6.94 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks, such as editing entries, and we consider it a medium risk.

PLUGIN Before 2

CVE-2024-1306

MEDIUM CVSS 5.4 2024-04-15
Threat Entry Updated 2025-04-08

CVE-2024-1712 - Before 2 Plugin

The Carousel Slider WordPress plugin before 2.2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Before 2

CVE-2024-1712

MEDIUM CVSS 4.7 2024-04-15
Threat Entry Updated 2025-05-09

CVE-2024-0881 - Before 2 Plugin

The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel WordPress plugin before 2.2.76 does not have proper authorization checks, so password-protected posts are included in the results of some unauthenticated AJAX actions, allowing unauthenticated users to read such posts.

PLUGIN Before 2

CVE-2024-0881

MEDIUM CVSS 5.4 2024-04-11
Threat Entry Updated 2025-05-08

CVE-2024-2428 - Before 2 Plugin

The Ultimate Video Player For WordPress WordPress plugin before 2.2.3 does not have a proper capability check when updating its settings via a REST route, allowing Contributor and above users to update them. Furthermore, due to the lack of escaping in one of the settings, this also allows them to perform Stored XSS attacks.

PLUGIN Before 2

CVE-2024-2428

MEDIUM CVSS 4.7 2024-04-10
Threat Entry Updated 2025-05-13

CVE-2024-1664 - Before 2 Plugin

The Responsive Gallery Grid WordPress plugin before 2.3.11 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Before 2

CVE-2024-1664

MEDIUM CVSS 6.1 2024-04-09
Threat Entry Updated 2025-05-19

CVE-2024-1956 - Before 2 Plugin

The wpb-show-core WordPress plugin before 2.7 does not sanitise and escape some parameters before outputting them back in the response to an unauthenticated request, leading to Reflected Cross-Site Scripting.

PLUGIN Before 2

CVE-2024-1956

MEDIUM CVSS 6.1 2024-04-08
Threat Entry Updated 2025-05-19

CVE-2024-1958 - Before 2 Plugin

The WPB Show Core WordPress plugin before 2.7 does not sanitise and escape a parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting, which could be used against high privilege users such as admin, or against unauthenticated users.

PLUGIN Before 2

CVE-2024-1958

MEDIUM CVSS 4.8 2024-04-08
Threat Entry Updated 2025-05-19

CVE-2024-1292 - Before 2 Plugin

The WPB Show Core WordPress plugin before 2.7 does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting, which could be used against high privilege users such as admin.

PLUGIN Before 2

CVE-2024-1292

MEDIUM CVSS 4.7 2024-04-08
Threat Entry Updated 2025-05-07

CVE-2024-1745 - Before 2 Plugin

The Testimonial Slider WordPress plugin before 2.3.7 does not properly ensure that a user has the necessary capabilities to edit certain sensitive plugin settings, making it possible for users with at least the Author role to edit them.

PLUGIN Before 2

CVE-2024-1745

MEDIUM CVSS 4.3 2024-03-26
Threat Entry Updated 2025-04-01

CVE-2024-1962 - Before 2 Plugin

The CM Download Manager WordPress plugin before 2.9.1 does not have CSRF checks in some places, which could allow attackers to make logged-in admins edit downloads via a CSRF attack.

PLUGIN Before 2

CVE-2024-1962

HIGH CVSS 8.8 2024-03-25