"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 443 records (Critical 34, High 82, Medium 311)

Showing 121-140 of 443 records
Threat Entry Updated 2025-05-08

CVE-2024-3475 - Sticky Buttons plugin (before 3.2.4)

The Sticky Buttons WordPress plugin before 3.2.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged-in admins perform unwanted actions, such as deleting buttons, via CSRF attacks.

HIGH, CVSS 7.5, 2024-05-02
Threat Entry Updated 2025-05-08

CVE-2024-3471 - Button Generator plugin (before 3.0)

The Button Generator WordPress plugin before 3.0 does not have a CSRF check in place when bulk deleting, which could allow attackers to make a logged-in admin delete buttons via a CSRF attack.

LOW, CVSS 3.4, 2024-05-02
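The two entries above describe the same defect: a state-changing bulk action that fires for any request carrying the admin's session cookie, so a page the admin is lured onto can submit it for them. The following is an added example, not code from Sticky Buttons or Button Generator: a hypothetical bulk-delete handler (the mybtn_ prefix, the button_ids field and the option-based storage helper are all assumed for illustration), first in the unprotected form and then with the nonce and capability checks WordPress provides.

```php
<?php
// Added example (not code from Sticky Buttons or Button Generator): a
// hypothetical admin-page bulk-delete handler for a "buttons" list, first as
// the CSRF-exposed pattern the two advisories describe, then hardened.

// Vulnerable pattern: any request carrying action=delete and a list of ids is
// honoured. A logged-in admin who visits an attacker page that auto-submits this
// form (or that loads the equivalent GET URL in an <img>) deletes the rows.
function mybtn_handle_bulk_vulnerable() {
    if ( ! isset( $_REQUEST['action'] ) || 'delete' !== $_REQUEST['action'] ) {
        return;
    }
    foreach ( (array) ( $_REQUEST['button_ids'] ?? array() ) as $id ) {
        mybtn_delete_button( (int) $id );
    }
}

// Hardened pattern:
//  1. the form that triggers the action embeds a nonce tied to this action;
//  2. the handler verifies the nonce (check_admin_referer() dies on failure);
//  3. the handler also checks capability, because a nonce only proves the
//     request came from the plugin's own page, not that the user may delete.
function mybtn_render_bulk_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="mybtn_bulk_delete">';
    wp_nonce_field( 'mybtn_bulk_delete', 'mybtn_nonce' ); // nonce bound to this action only
    echo '<input type="checkbox" name="button_ids[]" value="1"> Button 1 ';
    submit_button( 'Delete selected' );
    echo '</form>';
}

function mybtn_handle_bulk_hardened() {
    // Dies with "The link you followed has expired" if the nonce is missing,
    // invalid, or older than the nonce lifetime (24h by default).
    check_admin_referer( 'mybtn_bulk_delete', 'mybtn_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to delete buttons.', 'mybtn' ), 403 );
    }

    // Only accept POST data and coerce ids to positive integers.
    $ids = array_filter( array_map( 'absint', (array) ( $_POST['button_ids'] ?? array() ) ) );
    foreach ( $ids as $id ) {
        mybtn_delete_button( $id );
    }

    wp_safe_redirect( add_query_arg( 'deleted', count( $ids ), wp_get_referer() ?: admin_url() ) );
    exit;
}

// admin_post_{action} runs only for logged-in users; state changes belong on POST.
add_action( 'admin_post_mybtn_bulk_delete', 'mybtn_handle_bulk_hardened' );

// Hypothetical storage helper; the real plugins persist buttons their own way.
function mybtn_delete_button( $id ) {
    delete_option( 'mybtn_button_' . $id );
}
```

The nonce and the capability check are independent controls: dropping the first re-opens the CSRF, dropping the second lets any logged-in user who can reach the form (or forge its nonce for their own session) delete rows.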
Threat Entry Updated 2025-04-14

CVE-2024-2837 - WP Chat App plugin (before 3.6.4)

The WP Chat App WordPress plugin before 3.6.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

MEDIUM, CVSS 5.4, 2024-04-26
Threat Entry Updated 2025-05-08

CVE-2024-2159 - Social Sharing Plugin (before 3.3.61)

The Social Sharing Plugin WordPress plugin before 3.3.61 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM, CVSS 4.7, 2024-04-26
Threat Entry Updated 2025-05-08

CVE-2024-3261 - Strong Testimonials plugin (before 3.1.12)

The Strong Testimonials WordPress plugin before 3.1.12 does not validate and escape some of its Testimonial fields before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The attack requires a specific view to be rendered.

MEDIUM, CVSS 4.8, 2024-04-24
Threat Entry Updated 2025-05-08

CVE-2024-2972 - Floating Chat Widget plugin (before 3.1.9)

The Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button WordPress plugin before 3.1.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

LOW, CVSS 3.8, 2024-04-24
Threat Entry Updated 2025-05-30

CVE-2024-2761 - Genesis Blocks plugin (before 3.1.3)

The Genesis Blocks WordPress plugin before 3.1.3 does not properly escape data input provided to some of its blocks, allowing users with at least contributor privileges to conduct Stored XSS attacks.

MEDIUM, CVSS 6.8, 2024-04-19
Threat Entry Updated 2025-05-30

CVE-2024-2309 - WP STAGING WordPress Backup Plugin (before 3.4.0) and wp-staging-pro (before 5.4.0)

The WP STAGING WordPress Backup Plugin before 3.4.0 and the wp-staging-pro WordPress plugin before 5.4.0 do not sanitise and escape some of their settings, which could allow high privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM, CVSS 4.8, 2024-04-17
Threat Entry Updated 2025-05-08

CVE-2024-1849 - WP Customer Reviews plugin (before 3.7.1)

The WP Customer Reviews WordPress plugin before 3.7.1 does not validate a redirect parameter, allowing users with the contributor role and above to redirect a page to a malicious URL (an open redirect).

MEDIUM, CVSS 5.4, 2024-04-15
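The entry above is an open redirect: a destination taken from the request and used as-is. What follows is an added example, not WP Customer Reviews' code. It assumes a hypothetical "after review submission" handler (the myrv_ prefix, the redirect_to parameter and the partner host are invented for illustration) and shows the unvalidated form next to the WordPress-native fix, wp_safe_redirect() with wp_validate_redirect().

```php
<?php
// Added example (not WP Customer Reviews' code): a hypothetical handler that
// sends the user back to a page named in ?redirect_to= after a review is saved.

// Vulnerable: whatever is in ?redirect_to= is used verbatim.
// ?redirect_to=https://evil.example/login lands the user on an attacker page
// styled as the site's login form, and because the redirect originates from
// the real site, the "check the URL before you click" advice does not help.
function myrv_after_submit_vulnerable() {
    $to = isset( $_GET['redirect_to'] ) ? $_GET['redirect_to'] : home_url( '/' );
    wp_redirect( $to ); // wp_redirect() does NOT restrict the target host
    exit;
}

// Hardened: wp_safe_redirect() runs the URL through wp_validate_redirect(),
// which accepts only http/https URLs on this site's host (plus any host added
// through the allowed_redirect_hosts filter), rejects credentials in the URL,
// and otherwise returns the fallback.
function myrv_after_submit_hardened() {
    $requested = isset( $_GET['redirect_to'] ) ? wp_unslash( $_GET['redirect_to'] ) : '';
    $fallback  = home_url( '/' );

    // Calling wp_validate_redirect() explicitly is only needed when the handler
    // wants to know a target was rejected (to log it); wp_safe_redirect() alone
    // applies the same validation.
    $target = wp_validate_redirect( $requested, $fallback );
    if ( '' !== $requested && $target === $fallback && $requested !== $fallback ) {
        error_log( 'myrv: rejected redirect target ' . substr( $requested, 0, 200 ) );
    }

    wp_safe_redirect( $target, 302 );
    exit;
}

// If the plugin legitimately needs one external destination (a payment
// provider, say), allow that host explicitly rather than relaxing validation.
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    $hosts[] = 'reviews.example.com'; // hypothetical partner host
    return $hosts;
} );

// Stricter variant when the destination should only ever be a page on this
// site: accept a post ID and build the URL server-side, so there is no
// attacker-supplied URL to validate at all.
function myrv_redirect_to_post( $post_id ) {
    $url = get_permalink( absint( $post_id ) );
    wp_safe_redirect( $url ? $url : home_url( '/' ) );
    exit;
}
```

The last variant is the one to prefer where it fits: an identifier the server resolves cannot express a foreign host, while a URL parameter always needs a validator that keeps pace with scheme and host tricks (protocol-relative "//evil.example", userinfo "@", unusual schemes), which is exactly what wp_validate_redirect() is maintained to handle.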
Threat Entry Updated 2025-05-08

CVE-2024-1660 - Top Bar plugin (before 3.0.5)

The Top Bar WordPress plugin before 3.0.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM, CVSS 4.8, 2024-04-15
Threat Entry Updated 2025-05-09

CVE-2023-6257 - Inline Related Posts plugin (before 3.6.0)

The Inline Related Posts WordPress plugin before 3.6.0 is missing an authorization check in an AJAX action that returns the content of the displayed posts, allowing any authenticated user, such as a subscriber, to retrieve the content of password-protected posts.

MEDIUM, CVSS 4.3, 2024-04-11
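The entry above is a missing-authorization bug, not a missing-nonce bug: the AJAX action was reachable by a logged-in user and returned post content without asking whether that user may read that post. The following is an added example, not Inline Related Posts' code. It assumes a hypothetical wp_ajax action that fetches a post for an inline widget (the myrp_ prefix, the post_id field and the nonce name are invented) and contrasts the handler that only checks the nonce with one that applies the same access decision WordPress makes for a normal page view, including the password gate.

```php
<?php
// Added example (not Inline Related Posts' code): a hypothetical AJAX action
// that returns a post's content for an inline widget, with and without the
// authorization check the advisory says was missing.

// Vulnerable: wp_ajax_ hooks already require a logged-in user, and the nonce
// proves the request came from the plugin's own page, but neither says
// anything about whether THIS user may read THIS post.
function myrp_get_post_vulnerable() {
    check_ajax_referer( 'myrp_nonce', 'nonce' );
    $post = get_post( absint( $_POST['post_id'] ?? 0 ) );
    if ( ! $post ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( array( 'content' => apply_filters( 'the_content', $post->post_content ) ) );
}

// Hardened: decide access the way WordPress itself decides it for a page view.
function myrp_user_can_view_post( WP_Post $post ) {
    // Non-public status (draft, pending, private, future) requires read_post,
    // which map_meta_cap grants to the author and to users who may edit/read
    // private posts of that type.
    $status = get_post_status_object( $post->post_status );
    if ( ! $status || ! $status->public ) {
        if ( ! current_user_can( 'read_post', $post->ID ) ) {
            return false;
        }
    }
    // Password protection is separate from status: the post is public, but
    // the content is gated until the visitor's cookie carries the password.
    // post_password_required() checks that cookie against the stored hash.
    if ( post_password_required( $post ) ) {
        return false;
    }
    return true;
}

function myrp_get_post_hardened() {
    check_ajax_referer( 'myrp_nonce', 'nonce' );

    $post = get_post( absint( $_POST['post_id'] ?? 0 ) );
    if ( ! $post || ! myrp_user_can_view_post( $post ) ) {
        // Same response for "missing" and "forbidden", so the endpoint does not
        // confirm that a hidden post ID exists.
        wp_send_json_error( 'not found', 404 );
    }

    wp_send_json_success( array(
        'title'   => get_the_title( $post ),
        'content' => apply_filters( 'the_content', $post->post_content ),
    ) );
}

// Registering the nopriv variant as well is safe only because the check
// handles anonymous callers: current_user_can() is false for them and
// post_password_required() reads the same cookie a visitor would have.
add_action( 'wp_ajax_myrp_get_post', 'myrp_get_post_hardened' );
add_action( 'wp_ajax_nopriv_myrp_get_post', 'myrp_get_post_hardened' );
```

The general rule this illustrates: every endpoint that returns or changes data about a specific object needs an object-level check (read_post, edit_post, delete_post, or the plugin's own equivalent), in addition to the request-origin check (nonce) and the login check (wp_ajax_ vs nopriv).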
Threat Entry Updated 2025-05-08

CVE-2024-2444 - Inline Related Posts plugin (before 3.5.0)

The Inline Related Posts WordPress plugin before 3.5.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

MEDIUM, CVSS 4.8, 2024-04-06
Threat Entry Updated 2025-05-13

CVE-2024-2509 - Gutenberg Blocks by Kadence Blocks plugin (before 3.2.26)

The Gutenberg Blocks by Kadence Blocks WordPress plugin before 3.2.26 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM, CVSS 6.5, 2024-04-05
Threat Entry Updated 2025-05-07

CVE-2024-1274 - My Calendar plugin (before 3.4.24)

The My Calendar WordPress plugin before 3.4.24 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks (depending on the permissions set by the admin).

MEDIUM, CVSS 5.4, 2024-04-02
Threat Entry Updated 2025-05-13

CVE-2024-2369 - Page Builder Gutenberg Blocks plugin (before 3.1.7)

The Page Builder Gutenberg Blocks WordPress plugin before 3.1.7 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM, CVSS 5.4, 2024-04-02
Threat Entry Updated 2025-05-01

CVE-2024-1273 - Starbox plugin (before 3.5.0)

The Starbox WordPress plugin before 3.5.0 does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

MEDIUM, CVSS 6.1, 2024-03-11
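Several entries on this page (Social Sharing Plugin, Strong Testimonials, Genesis Blocks, Kadence Blocks, Page Builder Gutenberg Blocks, My Calendar, Starbox) share one mechanism: a contributor cannot publish and cannot write raw HTML, because their post content goes through kses, but a shortcode attribute or block option is a plain string that the plugin reads back and writes into markup itself, so any escaping kses would have done is bypassed. The payload then runs when an editor or administrator previews or publishes the draft, which is the "specific view" wording in one of the advisories. The following is an added example, not code from any of those plugins. It assumes a hypothetical [share_button] shortcode and a matching block render callback (the mysh_ prefix and the label/url/color attributes are invented) and shows the unescaped output beside the per-context escaping.

```php
<?php
// Added example (not code from the plugins listed on this page): a hypothetical
// [share_button label="..." url="..." color="..."] shortcode whose attributes are
// attacker-controlled post content, rendered unsafely and then safely.

// Vulnerable: attributes are interpolated straight into markup.
function mysh_share_button_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'label' => 'Share', 'url' => '', 'color' => '' ), $atts, 'share_button' );
    // [share_button label='x" onmouseover="alert(1)'] closes the title attribute early.
    // [share_button url='javascript:alert(1)']         becomes a live link in href.
    // [share_button color='red" onclick="alert(1)']    escapes the style attribute.
    return '<a class="mysh" href="' . $atts['url'] . '" title="' . $atts['label']
         . '" style="color:' . $atts['color'] . '">' . $atts['label'] . '</a>';
}

// Hardened: every attribute is validated or escaped for the exact context it is
// written into. shortcode_atts() only fills in defaults; it does no escaping.
function mysh_share_button_hardened( $atts ) {
    $atts = shortcode_atts( array( 'label' => 'Share', 'url' => '', 'color' => '' ), $atts, 'share_button' );

    // URL context: esc_url() returns '' for schemes outside the allowed list
    // (javascript:, data: are rejected) and encodes quotes and angle brackets.
    $url = esc_url( $atts['url'] );
    if ( '' === $url ) {
        return ''; // nothing safe to link to
    }

    // Validate rather than escape where the value space is small: a CSS colour
    // is a hex code or a plain word; anything else falls back to a default.
    $color = preg_match( '/^(#[0-9a-fA-F]{3,8}|[a-zA-Z]{1,20})$/', $atts['color'] ) ? $atts['color'] : 'inherit';

    return sprintf(
        '<a class="mysh" href="%s" title="%s" style="color:%s">%s</a>',
        $url,                       // already escaped for href
        esc_attr( $atts['label'] ), // attribute context: quotes become entities
        esc_attr( $color ),
        esc_html( $atts['label'] )  // text-node context: <, >, & become entities
    );
}
add_shortcode( 'share_button', 'mysh_share_button_hardened' );

// The same contract holds for a block's render callback: block attributes are
// parsed out of post content the contributor controls and must be treated the
// same way as shortcode attributes.
function mysh_render_share_block( $attributes ) {
    $label = isset( $attributes['label'] ) ? (string) $attributes['label'] : 'Share';
    $url   = isset( $attributes['url'] ) ? esc_url( $attributes['url'] ) : '';
    return $url ? '<a class="mysh" href="' . $url . '">' . esc_html( $label ) . '</a>' : '';
}
```

Which escaper to use is decided by where the string lands, not by where it came from: esc_html() for text between tags, esc_attr() inside a quoted attribute, esc_url() for href/src, esc_js() or wp_json_encode() for inline script data, and validation against a whitelist for values such as colours or class names that have a small legal alphabet.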
Threat Entry Updated 2025-05-01

CVE-2023-6444 - Seriously Simple Podcasting plugin (before 3.0.0)

The Seriously Simple Podcasting WordPress plugin before 3.0.0 discloses the podcast owner's email address (which by default is the admin email address) via an unauthenticated crafted request.

MEDIUM, CVSS 5.3, 2024-03-11
Threat Entry Updated 2025-05-06

CVE-2023-6036 - Web3 plugin (before 3.0.0)

The Web3 WordPress plugin before 3.0.0 is vulnerable to an authentication bypass due to incorrect authentication checking in the login flow in the functions 'handle_auth_request' and 'hadle_login_request'. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the username.

CRITICAL, CVSS 9.8, 2024-02-12
Threat Entry Updated 2025-05-29

CVE-2023-6165 - Restrict Usernames Emails Characters plugin (before 3.1.4)

The Restrict Usernames Emails Characters WordPress plugin before 3.1.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

MEDIUM, CVSS 4.8, 2024-01-29
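The "does not sanitise and escape some of its settings ... even when unfiltered_html is disallowed" wording recurs through this page (WP Chat App, Floating Chat Widget, WP STAGING, Top Bar, Inline Related Posts, Restrict Usernames Emails Characters). The point of the qualifier is that an administrator is normally trusted with raw HTML through the unfiltered_html capability, but on multisite that capability belongs only to super admins, and DISALLOW_UNFILTERED_HTML removes it everywhere; a plugin setting that stores and echoes raw markup then becomes a way for a site admin to run script against other users that site policy said they may not. The following is an added example, not code from any of those plugins. It assumes a hypothetical plugin with one free-text option, "welcome_text", rendered on the front end (the mywt_ prefix and the option name are invented) and shows the unprotected registration and output beside the two-sided fix: a sanitize_callback on the way in and context-appropriate escaping on the way out.

```php
<?php
// Added example (not code from any plugin on this page): a hypothetical
// settings page with one free-text option that is rendered on the front end.

// Vulnerable: the option is stored as submitted and echoed raw.
function mywt_register_vulnerable() {
    register_setting( 'mywt_group', 'mywt_welcome_text' ); // no sanitize_callback
}
function mywt_render_vulnerable() {
    // A value of <script>...</script> or <img src=x onerror=...> runs for every visitor,
    // regardless of whether the saving admin held unfiltered_html.
    echo '<div class="mywt">' . get_option( 'mywt_welcome_text' ) . '</div>';
}

// Hardened, step 1: sanitise on the way in. The callback decides what the
// setting may contain. Here the policy is "the same HTML a post author may
// use", which is exactly the filter unfiltered_html would otherwise bypass,
// so the setting honours the site's capability configuration.
function mywt_sanitize_welcome_text( $value ) {
    $value = (string) $value;
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;             // policy says this user may store raw HTML
    }
    return wp_kses_post( $value ); // strips script and event handlers, keeps post-safe tags
}
function mywt_register_hardened() {
    register_setting( 'mywt_group', 'mywt_welcome_text', array(
        'type'              => 'string',
        'sanitize_callback' => 'mywt_sanitize_welcome_text',
        'default'           => '',
    ) );
}

// Hardened, step 2: escape on the way out, for the context the value lands in.
// Output escaping also covers values that reached the database by another path
// (direct DB write, an import, or an older vulnerable version of the plugin).
function mywt_render_hardened() {
    $text = get_option( 'mywt_welcome_text', '' );
    // HTML body context: allow the kses-approved tags, nothing more.
    echo '<div class="mywt">' . wp_kses_post( $text ) . '</div>';
}

// The same value inside an attribute needs attribute escaping instead, because
// a quote character, not a tag, is what breaks out of an attribute.
function mywt_render_title_attr() {
    $text = get_option( 'mywt_welcome_text', '' );
    echo '<a href="#" title="' . esc_attr( wp_strip_all_tags( $text ) ) . '">Chat</a>';
}

add_action( 'admin_init', 'mywt_register_hardened' );
add_action( 'wp_footer', 'mywt_render_hardened' );
```

A quick check for a plugin under review: grep its settings for register_setting() calls without a sanitize_callback (or update_option() calls fed directly from $_POST) and for echo/print of get_option() values with no esc_* or wp_kses* wrapper; each such pair is an instance of the pattern these entries describe.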