Threat Database

CVE-2024-12878 - HIGH, CVSS 7.1, 2025-02-26 (threat entry updated 2025-05-15)

The Custom Block Builder WordPress plugin before 3.8.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVE-2024-10545 - LOW, CVSS 3.5, 2025-02-25 (threat entry updated 2025-05-15)

The Photo Gallery, Sliders, Proofing and WordPress plugin before 3.59.9 does not sanitise and escape some of its Image settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2024-12173 - LOW, CVSS 3.5, 2025-02-19 (threat entry updated 2025-05-15)

The Master Slider WordPress plugin before 3.10.5 does not sanitise and escape some of its settings, which could allow high privilege users such as Editor and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2024-13125 - LOW, CVSS 3.5, 2025-02-13 (threat entry updated 2025-05-21)

The Everest Forms WordPress plugin before 3.0.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2024-10102 - LOW, CVSS 2.7, 2025-01-07 (threat entry updated 2025-05-14)

The Photo Gallery, Images, Slider in Rbs Image Gallery WordPress plugin before 3.2.22 does not sanitise and escape some of its Gallery settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks.

CVE-2024-12302 - MEDIUM, CVSS 6.1, 2025-01-06 (threat entry updated 2025-05-14)

The Icegram Engage WordPress plugin before 3.1.32 does not sanitise and escape some of its Campaign settings, which could allow authors and above to perform Stored Cross-Site Scripting attacks.

CVE-2024-11849 - MEDIUM, CVSS 6.1, 2025-01-06 (threat entry updated 2025-05-14)

The Pods WordPress plugin before 3.2.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2024-11921 - MEDIUM, CVSS 4.8, 2024-12-27 (threat entry updated 2025-05-14)

The GiveWP WordPress plugin before 3.19.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVE-2024-10706 - MEDIUM, CVSS 4.8, 2024-12-20 (threat entry updated 2025-04-17)

The Download Manager WordPress plugin before 3.3.03 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2024-10892 - MEDIUM, CVSS 5.4, 2024-12-18 (threat entry updated 2025-05-14)

The Cost Calculator Builder WordPress plugin before 3.2.43 does not have CSRF checks in some AJAX actions, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks.

CVE-2024-10678 - MEDIUM, CVSS 5.4, 2024-12-13 (threat entry updated 2025-05-08)

The Ultimate Blocks WordPress plugin before 3.2.4 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2024-10637 - MEDIUM, CVSS 5.4, 2024-12-12 (threat entry updated 2025-05-07)

The Gutenberg Blocks with AI by Kadence WP WordPress plugin before 3.2.54 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2024-10471 - MEDIUM, CVSS 4.8, 2024-11-26 (threat entry updated 2025-05-15)

The Everest Forms WordPress plugin before 3.0.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2024-6393 - MEDIUM, CVSS 4.8, 2024-11-25 (threat entry updated 2025-05-15)

The Photo Gallery, Sliders, Proofing and WordPress plugin before 3.59.5 does not sanitise and escape some of its Images settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2024-9422 - MEDIUM, CVSS 6.6, 2024-11-22 (threat entry updated 2025-06-09)

The GEO my WP WordPress plugin before 4.5 and the gmw-premium-settings WordPress plugin before 3.1 do not sufficiently validate files to be uploaded, which could allow attackers to upload arbitrary files such as PHP on the server.

CVE-2024-9828 - MEDIUM, CVSS 4.1, 2024-11-21 (threat entry updated 2026-01-09)

The Taskbuilder WordPress plugin before 3.0.5 does not sanitize user input into the 'load_orders' parameter and uses it in a SQL statement, allowing high privilege users such as admin to perform SQL Injection attacks.

CVE-2024-9600 - MEDIUM, CVSS 4.8, 2024-11-21 (threat entry updated 2025-05-15)

The Ditty WordPress plugin before 3.1.47 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks.

CVE-2024-9186 - HIGH, CVSS 8.6, 2024-11-14 (threat entry updated 2025-05-15)

The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit WordPress plugin before 3.3.0 does not sanitize and escape the bwfan-track-id parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks.

CVE-2024-9836 - MEDIUM, CVSS 5.9, 2024-11-12 (threat entry updated 2025-05-15)

The RSS Feed Widget WordPress plugin before 3.0.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2024-9835 - MEDIUM, CVSS 4.8, 2024-11-12 (threat entry updated 2025-05-15)

The RSS Feed Widget WordPress plugin before 3.0.1 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.