Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 443 (Critical 34, High 82, Medium 311)

Showing 81-100 of 443 records
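Every entry below states its affected range as "before X", i.e. every release older than the first fixed version. Checking an inventory against such ranges is a version comparison, not a string comparison (3.3.9.10 is newer than 3.3.9.2). The following is an added example for this page, not code from the threat database or from any listed plugin; the plugin directory slugs and the installed inventory are constructed for illustration, and the thresholds are the ones printed in the entries below.

```php
<?php
// Added example: evaluate "before X" affected ranges against installed plugin versions.
// Data is constructed; slugs are assumed wordpress.org directory slugs, not taken from the page.

// First fixed version per advisory, as stated in the entries on this page.
$advisories = [
    ['cve' => 'CVE-2024-9796', 'plugin' => 'wp-advanced-search',      'fixed_in' => '3.3.9.2'],
    ['cve' => 'CVE-2024-8379', 'plugin' => 'cost-calculator-builder', 'fixed_in' => '3.2.29'],
    ['cve' => 'CVE-2024-6366', 'plugin' => 'profile-builder',         'fixed_in' => '3.11.8'],
    ['cve' => 'CVE-2024-6362', 'plugin' => 'ultimate-blocks',         'fixed_in' => '3.2.0'],
    ['cve' => 'CVE-2024-8536', 'plugin' => 'ultimate-blocks',         'fixed_in' => '3.2.2'],
];

// Constructed inventory, e.g. what `wp plugin list --format=json` (WP-CLI) would give you.
$installed = [
    'wp-advanced-search'      => '3.3.9.1',
    'cost-calculator-builder' => '3.2.29',   // exactly the fixed version: not affected
    'profile-builder'         => '3.11.7',
    'ultimate-blocks'         => '3.2.1',    // past CVE-2024-6362's fix, still inside CVE-2024-8536's range
];

/**
 * Return one line per advisory whose "before fixed_in" range covers the installed version.
 * version_compare() understands dotted multi-part versions; a plain string compare
 * would rank "3.3.9.10" below "3.3.9.2".
 */
function find_affected(array $installed, array $advisories): array {
    $hits = [];
    foreach ($advisories as $adv) {
        $slug = $adv['plugin'];
        if (!isset($installed[$slug])) {
            continue; // plugin not installed, nothing to check
        }
        if (version_compare($installed[$slug], $adv['fixed_in'], '<')) {
            $hits[] = sprintf('%s %s %s < %s', $adv['cve'], $slug, $installed[$slug], $adv['fixed_in']);
        }
    }
    return $hits;
}

foreach (find_affected($installed, $advisories) as $line) {
    echo $line, PHP_EOL;
}
```

Run with `php check.php`; with the constructed inventory it reports CVE-2024-9796, CVE-2024-6366 and CVE-2024-8536 and nothing for the two plugins that sit at or past their fixed version. Note that a plugin can appear in several entries with different thresholds (Ultimate Blocks here), so the check must be per advisory, not per plugin.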
Threat Entry Updated 2024-11-06

CVE-2024-9883 - Pods Plugin

The Pods WordPress plugin before 3.2.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM CVSS 4.8 2024-11-05
Threat Entry Updated 2025-04-10

CVE-2024-8444 - Download Manager Plugin

The Download Manager WordPress plugin before 3.3.00 does not sanitise some of its shortcode parameters, leading to Cross-Site Scripting.

MEDIUM CVSS 5.4 2024-10-30
Threat Entry Updated 2024-10-15

CVE-2024-9796 - WP-Advanced-Search Plugin

The WP-Advanced-Search WordPress plugin before 3.3.9.2 does not sanitise and escape the t parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks.

CRITICAL CVSS 9.8 2024-10-10
Threat Entry Updated 2024-10-07

CVE-2024-8379 - Cost Calculator Builder Plugin

The Cost Calculator Builder WordPress plugin before 3.2.29 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin.

HIGH CVSS 7.2 2024-09-30
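The two SQL injection entries above (CVE-2024-9796, unauthenticated; CVE-2024-8379, admin-only) share one root cause: a request parameter concatenated into a query string. The following is an added example for this page, not code from WP-Advanced-Search or Cost Calculator Builder. It assumes it runs inside WordPress (the global `$wpdb`), and the table, column and function names are invented.

```php
<?php
// Added example: request parameter interpolated into SQL, beside the prepared-statement fix.
// Assumes a WordPress plugin context; the table and column names are invented.

// VULNERABLE: $_GET['t'] becomes part of the SQL text. A value such as
//   t=x' UNION SELECT user_login, user_pass, 1 FROM wp_users -- -
// rewrites the query. esc_sql() alone is not a fix either: it does not protect
// numeric contexts or LIKE wildcards, and it is easy to forget on one code path.
function myplugin_search_terms_vulnerable(): array {
    global $wpdb;
    $t   = isset($_GET['t']) ? wp_unslash($_GET['t']) : '';
    $sql = "SELECT id, term FROM {$wpdb->prefix}myplugin_terms WHERE term = '$t' ORDER BY id";
    return (array) $wpdb->get_results($sql);
}

// HARDENED: the value is bound through $wpdb->prepare() and never touches the SQL text.
// Wildcards are escaped with $wpdb->esc_like() before binding, and the input is
// length-limited so a huge parameter cannot be used to stress the database.
function myplugin_search_terms_hardened(): array {
    global $wpdb;
    $t = isset($_GET['t']) ? sanitize_text_field(wp_unslash($_GET['t'])) : '';
    if ($t === '' || strlen($t) > 100) {
        return [];
    }
    $sql = $wpdb->prepare(
        "SELECT id, term FROM {$wpdb->prefix}myplugin_terms WHERE term LIKE %s ORDER BY id LIMIT %d",
        $wpdb->esc_like($t) . '%',
        50
    );
    return (array) $wpdb->get_results($sql);
}
```

The admin-only variant (CVE-2024-8379, CVSS 7.2) still needs the same fix: an administrator account is a common post-phishing foothold, and on multisite a site admin is not a super admin, so "only admins can reach it" is not a mitigation for an injection that reads the whole database.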
Threat Entry Updated 2024-10-03

CVE-2024-8536 - Ultimate Blocks Plugin

The Ultimate Blocks WordPress plugin before 3.2.2 does not validate and escape some of its block attributes before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2024-09-30
Threat Entry Updated 2024-10-07

CVE-2024-8239 - Starbox Plugin

The Starbox WordPress plugin before 3.5.3 does not properly escape social media profile URLs when rendering them in certain contexts, such as the malicious user's profile or pages where the starbox shortcode is used, which may be abused by users with at least the contributor role to conduct Stored XSS attacks.

MEDIUM CVSS 5.4 2024-09-30
Threat Entry Updated 2024-09-26

CVE-2024-3163 - Easy Property Listings Plugin

The Easy Property Listings WordPress plugin before 3.5.4 does not have a CSRF check when deleting contacts in bulk, which could allow attackers to make a logged-in admin delete contacts via a CSRF attack.

MEDIUM CVSS 4.3 2024-09-12
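A missing CSRF check on a state-changing admin action means any page the administrator visits can submit the request for them. The following is an added example for this page, not code from Easy Property Listings. It assumes a WordPress plugin context using the admin-post.php hook; the action names, table and capability are invented.

```php
<?php
// Added example: bulk-delete handler without a nonce, beside the fixed handler and the form
// that targets it. Assumes a WordPress plugin context; names are invented.

// VULNERABLE: a cross-site <form method="post" action=".../admin-post.php"> auto-submitted
// from an attacker's page deletes whatever contact_ids it lists, with the admin's cookies.
add_action('admin_post_myplugin_bulk_delete_contacts', function () {
    global $wpdb;
    $ids = array_map('intval', (array) ($_POST['contact_ids'] ?? []));
    foreach ($ids as $id) {
        $wpdb->delete($wpdb->prefix . 'myplugin_contacts', ['id' => $id], ['%d']);
    }
    wp_safe_redirect(admin_url('admin.php?page=myplugin-contacts'));
    exit;
});

// HARDENED: capability check first, then a nonce bound to this specific action.
// check_admin_referer() stops the request with a "link has expired" page when the
// nonce is absent or invalid, so the attacker's forged form cannot reach the delete.
add_action('admin_post_myplugin_bulk_delete_contacts_safe', function () {
    global $wpdb;
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('Insufficient permissions.', 'myplugin'), 403);
    }
    check_admin_referer('myplugin_bulk_delete_contacts');
    $ids = array_filter(array_map('intval', (array) ($_POST['contact_ids'] ?? [])));
    foreach ($ids as $id) {
        $wpdb->delete($wpdb->prefix . 'myplugin_contacts', ['id' => $id], ['%d']);
    }
    wp_safe_redirect(admin_url('admin.php?page=myplugin-contacts'));
    exit;
});

// The legitimate form carries the matching nonce field; the attacker's page cannot
// obtain it because nonces are tied to the user session and the action string.
function myplugin_render_bulk_delete_form(array $contact_ids): void {
    echo '<form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
    echo '<input type="hidden" name="action" value="myplugin_bulk_delete_contacts_safe">';
    wp_nonce_field('myplugin_bulk_delete_contacts');
    foreach ($contact_ids as $id) {
        $id = (int) $id;
        echo '<label><input type="checkbox" name="contact_ids[]" value="' . esc_attr((string) $id) . '"> #' . $id . '</label>';
    }
    submit_button(__('Delete selected', 'myplugin'));
    echo '</form>';
}
```

Both checks matter: the nonce proves the request originated from a form the plugin rendered for this user, and the capability check proves the user may perform the action at all. A nonce alone would let any logged-in subscriber who can load the form delete contacts; a capability check alone leaves the CSRF open.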
Threat Entry Updated 2024-09-25

CVE-2024-7716 - Logo Slider Plugin

The Logo Slider WordPress plugin before 3.6.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM CVSS 4.8 2024-09-11
Threat Entry Updated 2025-05-16

CVE-2024-7955 - Starbox Plugin

The Starbox WordPress plugin before 3.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM CVSS 4.8 2024-09-10
Threat Entry Updated 2024-10-04

CVE-2024-7354 - Ninja Forms Plugin

The Ninja Forms WordPress plugin before 3.8.11 does not escape a URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

MEDIUM CVSS 6.1 2024-09-02
Threat Entry Updated 2024-10-07

CVE-2024-7132 - Page Builder Gutenberg Blocks Plugin

The Page Builder Gutenberg Blocks WordPress plugin before 3.1.13 does not escape the content of a post embed via one of its blocks, which could allow users with the capability to publish posts (editor and admin by default) to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM CVSS 4.8 2024-08-29
Threat Entry Updated 2024-10-07

CVE-2024-5417 - Gutentor Plugin

The Gutentor WordPress plugin before 3.3.6 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2024-08-29
Threat Entry Updated 2025-05-17

CVE-2024-6715 - Ditty Plugin

The Ditty WordPress plugin before 3.1.46 re-introduced, in v3.1.39, a previously fixed security issue (https://wpscan.com/vulnerability/80a9eb3a-2cb1-4844-9004-ba2554b2d46c/).

MEDIUM CVSS 6.1 2024-08-23
Threat Entry Updated 2025-05-27

CVE-2024-6884 - Gutenberg Blocks with AI by Kadence WP Plugin

The Gutenberg Blocks with AI by Kadence WP WordPress plugin before 3.2.39 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2024-08-08
Threat Entry Updated 2024-09-05

CVE-2024-6710 - Ditty Plugin

The Ditty WordPress plugin before 3.1.45 does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2024-08-05
Threat Entry Updated 2025-06-10

CVE-2024-6536 - Zephyr Project Manager Plugin

The Zephyr Project Manager WordPress plugin before 3.3.99 does not sanitise and escape some of its settings, which could allow high privilege users such as editors and admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM CVSS 5.4 2024-07-30
Threat Entry Updated 2025-05-30

CVE-2024-6366 - User Profile Builder Plugin

The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation checks, allowing unauthenticated users to upload media files via the async upload functionality of WP.

CRITICAL CVSS 9.1 2024-07-29
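An upload endpoint reachable without authentication is scored critical because it hands an anonymous visitor a way to write attacker-chosen files into the media library. The following is an added example for this page, not code from User Profile Builder, and it illustrates the bug class with a plugin-defined AJAX upload handler rather than the plugin's actual code path. It assumes a WordPress plugin context; the action names, nonce action and file field are invented.

```php
<?php
// Added example: AJAX upload handler exposed to logged-out users with no authorisation
// check, beside a hardened handler. Assumes a WordPress plugin context; names are invented.

// VULNERABLE: wp_ajax_nopriv_ registers the callback for anonymous requests, and the
// callback never asks who is calling or whether they hold upload_files.
function myplugin_async_upload_vulnerable(): void {
    require_once ABSPATH . 'wp-admin/includes/image.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    $attachment_id = media_handle_upload('myplugin_file', 0);
    if (is_wp_error($attachment_id)) {
        wp_send_json_error($attachment_id->get_error_message());
    }
    wp_send_json_success(['id' => $attachment_id, 'url' => wp_get_attachment_url($attachment_id)]);
}
add_action('wp_ajax_myplugin_upload', 'myplugin_async_upload_vulnerable');
add_action('wp_ajax_nopriv_myplugin_upload', 'myplugin_async_upload_vulnerable'); // the bug

// HARDENED: nonce, login and capability checks, plus a content-type allowlist that is
// enforced by this handler regardless of what the site's upload_mimes filter permits.
function myplugin_async_upload_hardened(): void {
    check_ajax_referer('myplugin_upload', 'nonce');           // dies on a missing/invalid nonce
    if (!is_user_logged_in() || !current_user_can('upload_files')) {
        wp_send_json_error('forbidden', 403);
    }
    if (empty($_FILES['myplugin_file']['tmp_name'])) {
        wp_send_json_error('no file', 400);
    }
    // Checks the real content against the claimed extension, not just the filename.
    $check = wp_check_filetype_and_ext(
        $_FILES['myplugin_file']['tmp_name'],
        sanitize_file_name($_FILES['myplugin_file']['name'])
    );
    if (!in_array($check['type'], ['image/jpeg', 'image/png', 'image/gif', 'image/webp'], true)) {
        wp_send_json_error('unsupported type', 415);
    }
    require_once ABSPATH . 'wp-admin/includes/image.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    $attachment_id = media_handle_upload('myplugin_file', 0);
    if (is_wp_error($attachment_id)) {
        wp_send_json_error($attachment_id->get_error_message(), 400);
    }
    wp_send_json_success(['id' => $attachment_id, 'url' => wp_get_attachment_url($attachment_id)]);
}
add_action('wp_ajax_myplugin_upload_safe', 'myplugin_async_upload_hardened');
// Deliberately no wp_ajax_nopriv_ registration: anonymous callers get admin-ajax.php's default "0".
```

The client obtains the nonce from `wp_create_nonce('myplugin_upload')` (for example via `wp_localize_script`) and posts it as the `nonce` field. `upload_files` is the capability that separates authors and above from contributors and subscribers, which is the line a profile-picture feature usually wants to draw; if the feature must accept uploads from lower roles, gate it with a custom capability rather than dropping the check.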
Threat Entry Updated 2025-05-30

CVE-2024-6487 - Inline Related Posts Plugin

The Inline Related Posts WordPress plugin before 3.8.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM CVSS 5.9 2024-07-29
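Five entries on this page (CVE-2024-9883 Pods, CVE-2024-7716 Logo Slider, CVE-2024-7955 Starbox, CVE-2024-6536 Zephyr Project Manager, CVE-2024-6487 Inline Related Posts) describe the same pattern: a plugin setting is stored and printed raw, so an administrator can store script even where WordPress has withheld `unfiltered_html` (every site admin on a multisite network, or any site with `DISALLOW_UNFILTERED_HTML` set). The following is an added example for this page, not code from any of those plugins. It assumes a WordPress plugin context using the Settings API; the option and function names are invented.

```php
<?php
// Added example: settings stored and echoed without sanitisation or escaping, beside a
// version that honours unfiltered_html on save and escapes by context on output.
// Assumes a WordPress plugin context; option and function names are invented.

// VULNERABLE: no sanitize_callback, so whatever is posted is stored verbatim,
// and get_option() output is echoed raw into HTML and into an href.
function myplugin_register_settings_vulnerable(): void {
    register_setting('myplugin', 'myplugin_footer_text');
    register_setting('myplugin', 'myplugin_cta_link');
}
function myplugin_render_footer_vulnerable(): void {
    echo '<div class="myplugin-footer">' . get_option('myplugin_footer_text') . '</div>';
    echo '<a href="' . get_option('myplugin_cta_link') . '">more</a>';
}

// HARDENED, step 1: sanitise on save according to the saving user's rights.
// The sanitize_callback runs during the options.php request, so current_user_can()
// refers to the person submitting the settings form.
function myplugin_sanitize_rich_text(string $value): string {
    if (current_user_can('unfiltered_html')) {
        return $value;            // same privilege core grants for post content
    }
    return wp_kses_post($value);  // strips <script>, on* handlers, javascript: URLs, etc.
}
function myplugin_register_settings_hardened(): void {
    register_setting('myplugin', 'myplugin_footer_text', [
        'type'              => 'string',
        'sanitize_callback' => 'myplugin_sanitize_rich_text',
        'default'           => '',
    ]);
    register_setting('myplugin', 'myplugin_cta_link', [
        'type'              => 'string',
        'sanitize_callback' => 'esc_url_raw', // keeps http(s)/mailto etc., drops javascript:
        'default'           => '',
    ]);
}

// HARDENED, step 2: escape on output as well. The stored value may predate the
// sanitize_callback or have been written by another path (WP-CLI, a migration,
// an importer), so output escaping must not rely on what happened at save time.
function myplugin_render_footer_hardened(): void {
    echo '<div class="myplugin-footer">' . wp_kses_post(get_option('myplugin_footer_text', '')) . '</div>';
    echo '<a href="' . esc_url(get_option('myplugin_cta_link', '')) . '">more</a>';
}
```

The CVSS 4.8 these entries carry reflects that an administrator is required; the reason they are reported at all is that multisite deliberately treats site admins as untrusted for raw HTML, and a plugin that ignores `unfiltered_html` gives them a way around that network-wide policy.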
Threat Entry Updated 2025-05-29

CVE-2024-6362 - Ultimate Blocks Plugin

The Ultimate Blocks WordPress plugin before 3.2.0 does not validate and escape some of its post-grid block attributes before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM CVSS 4.6 2024-07-29
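The contributor-level XSS entries on this page (CVE-2024-8444 Download Manager, CVE-2024-8536 and CVE-2024-6362 Ultimate Blocks, CVE-2024-8239 Starbox, CVE-2024-7132 Page Builder Gutenberg Blocks, CVE-2024-5417 Gutentor, CVE-2024-6884 Kadence, CVE-2024-6710 Ditty) and the reflected case (CVE-2024-7354 Ninja Forms) all come down to a value the author or the request controls being echoed into HTML without escaping for the context it lands in. Block attributes are the important case: they are stored in the post's block comment JSON, which `wp_kses` does not filter, so a contributor who can never use `unfiltered_html` still gets their payload rendered for every editor who previews the post. The following is an added example for this page, not code from any of those plugins. It assumes a WordPress plugin context; the block, shortcode and function names are invented.

```php
<?php
// Added example: block/shortcode attributes echoed raw, beside context-aware escaping.
// Assumes a WordPress plugin context; block, shortcode and function names are invented.

// VULNERABLE: attributes land unescaped in an HTML attribute, a URL and element text.
// A contributor saving  "title":"x\" onmouseover=\"alert(1)"  or  "link":"javascript:alert(1)"
// gets script executed for whoever views or previews the post.
function myplugin_render_card_vulnerable(array $attrs): string {
    return '<div class="card" title="' . $attrs['title'] . '">'
         . '<a href="' . $attrs['link'] . '">' . $attrs['label'] . '</a></div>';
}

// HARDENED: coerce to the expected type, then escape for the exact context:
// esc_attr() inside a quoted attribute, esc_url() for an href (rejects javascript:),
// esc_html() for text nodes. Each function is wrong in the other contexts.
function myplugin_render_card_hardened(array $attrs): string {
    $title = isset($attrs['title']) ? (string) $attrs['title'] : '';
    $link  = isset($attrs['link'])  ? (string) $attrs['link']  : '';
    $label = isset($attrs['label']) ? (string) $attrs['label'] : '';
    return '<div class="card" title="' . esc_attr($title) . '">'
         . '<a href="' . esc_url($link) . '">' . esc_html($label) . '</a></div>';
}

add_action('init', function () {
    // Declaring attribute types makes the editor reject non-strings, but that is a
    // client-side convenience only; the render callback must still escape.
    register_block_type('myplugin/card', [
        'attributes' => [
            'title' => ['type' => 'string', 'default' => ''],
            'link'  => ['type' => 'string', 'default' => ''],
            'label' => ['type' => 'string', 'default' => ''],
        ],
        'render_callback' => 'myplugin_render_card_hardened',
    ]);
});

// Shortcode parameters (CVE-2024-8444) are the same problem with older syntax.
add_shortcode('myplugin_card', function ($atts) {
    $atts = shortcode_atts(['title' => '', 'link' => '', 'label' => ''], $atts, 'myplugin_card');
    return myplugin_render_card_hardened($atts);
});

// Reflected variant (CVE-2024-7354): a request value echoed into an attribute.
// Rebuilding the URL with add_query_arg() and wrapping it in esc_url() is enough;
// echoing $_SERVER['REQUEST_URI'] or a raw $_GET value into action="" is not.
function myplugin_form_action_hardened(string $base_url): string {
    $ref = isset($_GET['ref']) ? sanitize_text_field(wp_unslash($_GET['ref'])) : '';
    return '<form method="get" action="' . esc_url(add_query_arg('ref', $ref, $base_url)) . '">';
}
```

A quick review heuristic for block plugins: grep the render callbacks for `$attributes[` or `$attrs[` and confirm every occurrence is wrapped in an `esc_*` or `wp_kses*` call appropriate to where it is printed; a bare interpolation is a finding regardless of what the block's `attributes` schema says.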
Threat Entry Updated 2025-05-16

CVE-2024-4260 - Page Builder Gutenberg Blocks Plugin

The Page Builder Gutenberg Blocks WordPress plugin before 3.1.12 does not prevent users from pinging arbitrary hosts via some of its shortcodes, which could allow users with the contributor role or above to perform SSRF attacks.

MEDIUM CVSS 6.5 2024-07-23
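A shortcode that fetches whatever URL its attribute names turns the web server into a proxy for the author: internal admin panels, cloud metadata endpoints and other hosts reachable only from the server become reachable from a contributor's draft. The following is an added example for this page, not code from Page Builder Gutenberg Blocks. It assumes a WordPress plugin context; the shortcode names, the allowlist and the helper are invented.

```php
<?php
// Added example: shortcode that fetches an author-controlled URL, beside a version that
// allowlists destinations and refuses private addresses. Assumes a WordPress plugin
// context; shortcode names, the allowlist and the helper function are invented.

// VULNERABLE: any scheme and host, e.g. url="http://169.254.169.254/latest/meta-data/"
// or url="http://127.0.0.1:8080/admin", is fetched with the server's network position.
add_shortcode('myplugin_ping', function ($atts) {
    $atts = shortcode_atts(['url' => ''], $atts, 'myplugin_ping');
    $res  = wp_remote_get($atts['url'], ['timeout' => 5]);
    return is_wp_error($res) ? 'down' : 'up (' . wp_remote_retrieve_response_code($res) . ')';
});

/**
 * True only for http(s) URLs whose host is on the allowlist and resolves to a public
 * address. wp_http_validate_url() already rejects 127/8, 10/8, 172.16/12 and 192.168/16
 * after resolving the name, but not 169.254/16 (cloud metadata) and not IPv6, hence the
 * extra filter_var() check. The allowlist is the real control: an author cannot point
 * the feature at a host the site operator did not choose.
 */
function myplugin_url_allowed(string $url, array $allowed_hosts): bool {
    $url = wp_http_validate_url($url);
    if ($url === false) {
        return false;
    }
    $host = wp_parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || !in_array(strtolower($host), $allowed_hosts, true)) {
        return false;
    }
    $ip = gethostbyname($host);          // returns the name unchanged when resolution fails
    if ($ip === $host) {
        return false;
    }
    return (bool) filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
}

// HARDENED. Note what is NOT here: a current_user_can() check. A shortcode renders as
// the viewer, not the author, so a capability gate would be evaluated against the admin
// reading the contributor's post and would not constrain who can trigger the request.
add_shortcode('myplugin_ping_safe', function ($atts) {
    $atts = shortcode_atts(['url' => ''], $atts, 'myplugin_ping_safe');
    if (!myplugin_url_allowed($atts['url'], ['status.example.com', 'api.example.com'])) {
        return '';
    }
    // HEAD is enough for a reachability check, and redirection => 0 stops an allowed
    // host from bouncing the request to an internal one.
    $res = wp_remote_head($atts['url'], ['timeout' => 5, 'redirection' => 0]);
    return is_wp_error($res) ? 'down' : 'up (' . (int) wp_remote_retrieve_response_code($res) . ')';
});
```

WordPress's HTTP API also accepts `'reject_unsafe_urls' => true` in the request arguments, which applies `wp_http_validate_url()` for you; it is a useful default for any plugin request whose URL is not a compile-time constant, but it does not replace the allowlist because it still permits link-local targets and resolves the hostname a second time at request time.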