Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-02-09
CVE-2025-8085 - Before 3 Plugin
The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.
PLUGIN
Before 3
CVE-2025-8085
Risk Score
Threat Entry
Updated 2025-07-01
CVE-2025-3745 - Before 3 Plugin
The WP Lightbox 2 WordPress plugin before 3.0.6.8 does not correctly sanitize the value of the title attribute of links before using them, which may allow malicious users to conduct XSS attacks.
PLUGIN
Before 3
CVE-2025-3745
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2025-3662 - Before 3 Plugin
The FancyBox for WordPress plugin before 3.3.6 does not escape captions and titles attributes before using them to populate galleries' caption fields. The issue was received as a Contributor+ Stored XSS, however one of our researcher (Marc Montpas) escalated it to an Unauthenticated Stored XSS
PLUGIN
Before 3
CVE-2025-3662
Risk Score
Threat Entry
Updated 2025-08-01
CVE-2025-4567 - Before 3 Plugin
The Post Slider and Post Carousel with Post Vertical Scrolling Widget WordPress plugin before 3.2.10 does not validate and escape some of its Widget options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
Before 3
CVE-2025-4567
Risk Score
Threat Entry
Updated 2026-01-09
CVE-2025-2561 - Before 3 Plugin
The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 3
CVE-2025-2561
Risk Score
Threat Entry
Updated 2026-01-09
CVE-2025-2560 - Before 3 Plugin
The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 3
CVE-2025-2560
Risk Score
Threat Entry
Updated 2026-01-09
CVE-2025-2524 - Before 3 Plugin
The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 3
CVE-2025-2524
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2025-2203 - Before 3 Plugin
The FunnelKit WordPress plugin before 3.10.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
PLUGIN
Before 3
CVE-2025-2203
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2024-9831 - Before 3 Plugin
The Taskbuilder WordPress plugin before 3.0.9 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
PLUGIN
Before 3
CVE-2024-9831
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2024-9233 - Before 3 Plugin
The Logo Slider WordPress plugin before 3.7.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Before 3
CVE-2024-9233
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2024-8759 - Before 3 Plugin
The Nested Pages WordPress plugin before 3.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 3
CVE-2024-8759
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2024-8542 - Before 3 Plugin
The Everest Forms WordPress plugin before 3.0.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 3
CVE-2024-8542
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2024-8284 - Before 3 Plugin
The Download Manager WordPress plugin before 3.2.99 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
PLUGIN
Before 3
CVE-2024-8284
Risk Score
Threat Entry
Updated 2025-05-27
CVE-2024-8187 - Before 3 Plugin
The Smart Post Show WordPress plugin before 3.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 3
CVE-2024-8187
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2024-6708 - Before 3 Plugin
The User Profile Builder WordPress plugin before 3.12.2 does not sanitise and escape some parameters before outputting its content on the admin area, which allows Admin+ users to perform Cross-Site Scripting attacks.
PLUGIN
Before 3
CVE-2024-6708
Risk Score
Threat Entry
Updated 2025-06-11
CVE-2024-6478 - Before 3 Plugin
The CTT Expresso para WooCommerce WordPress plugin before 3.2.13 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Before 3
CVE-2024-6478
Risk Score
Threat Entry
Updated 2025-11-13
CVE-2024-4665 - Before 3 Plugin
The EventPrime WordPress plugin before 3.5.0 does not properly validate permissions when updating bookings, allowing users to change/cancel bookings for other users. Additionally, the feature is lacking a nonce.
PLUGIN
Before 3
CVE-2024-4665
Risk Score
Threat Entry
Updated 2025-06-10
CVE-2024-3062 - Before 3 Plugin
The Save as Image Plugin by Pdfcrowd WordPress plugin before 3.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Before 3
CVE-2024-3062
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2024-2869 - Before 3 Plugin
The Easy Property Listings WordPress plugin before 3.5.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Before 3
CVE-2024-2869
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2024-13486 - Before 3 Plugin
The Icegram Engage WordPress plugin before 3.1.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 3
CVE-2024-13486
Risk Score