Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 276
Critical: 15
High: 50
Medium: 205
Showing 41-60 of 276 records
Threat Entry Updated 2025-05-14

CVE-2024-9638 - Before 4 Plugin

The Category Posts Widget WordPress plugin before 4.9.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 4

CVE-2024-9638

MEDIUM CVSS 4.8 2025-01-07
Threat Entry Updated 2025-05-14

CVE-2024-10939 - Before 4 Plugin

The Image Widget WordPress plugin before 4.4.11 does not sanitise and escape some of its Image Widget settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 4

CVE-2024-10939

MEDIUM CVSS 4.8 2024-12-13
Threat Entry Updated 2025-05-07

CVE-2024-9881 - Before 4 Plugin

The LearnPress WordPress plugin before 4.2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 4

CVE-2024-9881

MEDIUM CVSS 4.8 2024-12-12
Threat Entry Updated 2025-05-07

CVE-2024-9428 - Before 4 Plugin

The Popup Builder WordPress plugin before 4.3.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 4

CVE-2024-9428

MEDIUM CVSS 4.8 2024-12-12
Threat Entry Updated 2025-05-17

CVE-2024-10518 - Before 4 Plugin

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.15 does not sanitise and escape some of its Membership Plan settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 4

CVE-2024-10518

MEDIUM CVSS 4.8 2024-12-12
Threat Entry Updated 2025-05-17

CVE-2024-10517 - Before 4 Plugin

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.15 does not sanitise and escape some of its Drag & Drop Builder fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 4

CVE-2024-10517

MEDIUM CVSS 4.8 2024-12-12
Threat Entry Updated 2025-05-17

CVE-2024-10568 - Before 4 Plugin

The Ajax Search Lite WordPress plugin before 4.12.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 4

CVE-2024-10568

MEDIUM CVSS 4.7 2024-12-12
Threat Entry Updated 2025-05-07

CVE-2024-10010 - Before 4 Plugin

The LearnPress WordPress plugin before 4.2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 4

CVE-2024-10010

MEDIUM CVSS 4.8 2024-12-12
Threat Entry Updated 2025-05-15

CVE-2024-10896 - Before 4 Plugin

The Logo Slider WordPress plugin before 4.5.0 does not sanitise and escape some of its Logo and Slider settings, which could allow high privilege users such as Contributor to perform Stored Cross-Site Scripting

PLUGIN Before 4

CVE-2024-10896

MEDIUM CVSS 5.4 2024-11-28
Threat Entry Updated 2025-05-15

CVE-2024-10473 - Before 4 Plugin

The Logo Slider WordPress plugin before 4.5.0 does not sanitise and escape some of its Logo Settings when outputting them in pages where the Logo Slider shortcode is embedded, which could allow users with a role as low as Author to perform Cross-Site Scripting attacks.

PLUGIN Before 4

CVE-2024-10473

MEDIUM CVSS 5.4 2024-11-28
Threat Entry Updated 2025-06-09

CVE-2024-9422 - Before 4 Plugin

The GEO my WP WordPress plugin before 4.5 and the gmw-premium-settings WordPress plugin before 3.1 do not sufficiently validate files to be uploaded, which could allow attackers to upload arbitrary files such as PHP on the server.

PLUGIN Before 4

CVE-2024-9422

MEDIUM CVSS 6.6 2024-11-22
Threat Entry Updated 2025-04-11

CVE-2024-7879 - Before 4 Plugin

The WP ULike WordPress plugin before 4.7.5 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN Before 4

CVE-2024-7879

MEDIUM CVSS 4.8 2024-11-06
Threat Entry Updated 2025-05-17

CVE-2024-5429 - Before 4 Plugin

The Logo Slider WordPress plugin before 4.1.0 does not validate and escape some of its Slider Settings before outputting them back in attributes, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 4

CVE-2024-5429

HIGH CVSS 7.6 2024-10-17
Threat Entry Updated 2025-06-09

CVE-2024-9021 - Before 4 Plugin

Testing of the Relevanssi WordPress plugin before 4.23.1 found a vulnerability that allows users with the Contributor role or above to perform Stored XSS by embedding a malicious script, which entails an account takeover backdoor.

PLUGIN Before 4

CVE-2024-9021

MEDIUM CVSS 5.4 2024-10-08
Threat Entry Updated 2024-10-02

CVE-2024-7878 - Before 4 Plugin

The WP ULike WordPress plugin before 4.7.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 4

CVE-2024-7878

MEDIUM CVSS 4.8 2024-09-25
Threat Entry Updated 2024-10-07

CVE-2024-7786 - Before 4 Plugin

The Sensei LMS WordPress plugin before 4.24.2 does not properly protect some of its REST API routes, allowing unauthenticated attackers to leak email templates.

PLUGIN Before 4

CVE-2024-7786

MEDIUM CVSS 5.3 2024-09-04
Threat Entry Updated 2024-10-07

CVE-2024-6889 - Before 4 Plugin

The Secure Copy Content Protection and Content Locking WordPress plugin before 4.1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 4

CVE-2024-6889

MEDIUM CVSS 4.8 2024-09-04
Threat Entry Updated 2024-10-07

CVE-2024-6888 - Before 4 Plugin

The Secure Copy Content Protection and Content Locking WordPress plugin before 4.1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 4

CVE-2024-6888

MEDIUM CVSS 4.8 2024-09-04
Threat Entry Updated 2025-05-27

CVE-2024-6330 - Before 4 Plugin

The GEO my WP WordPress plugin before 4.5.0.2 does not prevent unauthenticated attackers from including arbitrary files in PHP's execution context, which leads to Remote Code Execution.

PLUGIN Before 4

CVE-2024-6330

CRITICAL CVSS 9.8 2024-08-19