Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 276 records (Critical 15, High 50, Medium 205)
Showing 61-80 of 276 records

CVE-2024-6158 - Before 4 Plugin
Threat Entry Updated 2025-05-27 | PLUGIN Before 4 | MEDIUM, CVSS 4.8, 2024-08-12

The Category Posts Widget WordPress plugin before 4.9.17 and the term-and-category-based-posts-widget WordPress plugin before 4.9.13 do not validate and escape some of their "Category Posts" widget settings before outputting them back in a page/post where the widget is embedded, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2024-6494 - Before 4 Plugin
Threat Entry Updated 2025-04-11 | PLUGIN Before 4 | MEDIUM, CVSS 6.1, 2024-08-07

The WordPress File Upload WordPress plugin before 4.24.8 does not properly sanitize and escape certain parameters, which could allow unauthenticated users to execute stored cross-site scripting (XSS) attacks.

CVE-2024-7084 - Before 4 Plugin
Threat Entry Updated 2025-05-28 | PLUGIN Before 4 | MEDIUM, CVSS 4.8, 2024-08-06

The Ajax Search Lite WordPress plugin before 4.12.1 does not sanitise and escape some parameters, which could allow users with a role as low as Admin+ to perform Cross-Site Scripting attacks.

CVE-2024-6651 - Before 4 Plugin
Threat Entry Updated 2025-04-11 | PLUGIN Before 4 | MEDIUM, CVSS 6.1, 2024-08-06

The WordPress File Upload WordPress plugin before 4.24.8 does not sanitise and escape a parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

CVE-2024-5595 - Before 4 Plugin
Threat Entry Updated 2025-04-11 | PLUGIN Before 4 | MEDIUM, CVSS 5.4, 2024-08-02

The Essential Blocks WordPress plugin before 4.7.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2024-6094 - Before 4 Plugin
Threat Entry Updated 2024-11-21 | PLUGIN Before 4 | MEDIUM, CVSS 4.8, 2024-07-24

The WP ULike WordPress plugin before 4.7.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2024-5630 - Before 4 Plugin
Threat Entry Updated 2024-11-21 | PLUGIN Before 4 | HIGH, CVSS 8.8, 2024-07-15

The Insert or Embed Articulate Content into WordPress plugin before 4.3000000024 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites.

CVE-2024-5644 - Before 4 Plugin
Threat Entry Updated 2025-05-13 | PLUGIN Before 4 | MEDIUM, CVSS 5.4, 2024-07-13

The Tournamatch WordPress plugin before 4.6.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2024-5627 - Before 4 Plugin
Threat Entry Updated 2025-05-13 | PLUGIN Before 4 | MEDIUM, CVSS 5.4, 2024-07-13

The Tournamatch WordPress plugin before 4.6.1 does not sanitise and escape some parameters, which could allow users with a role as low as subscriber to perform Cross-Site Scripting attacks.

CVE-2024-5151 - Before 4 Plugin
Threat Entry Updated 2025-05-13 | PLUGIN Before 4 | HIGH, CVSS 7.1, 2024-07-13

The SULly WordPress plugin before 4.3.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2024-5034 - Before 4 Plugin
Threat Entry Updated 2025-05-02 | PLUGIN Before 4 | HIGH, CVSS 8.8, 2024-07-13

The SULly WordPress plugin before 4.3.1 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks.

CVE-2024-5033 - Before 4 Plugin
Threat Entry Updated 2025-05-02 | PLUGIN Before 4 | MEDIUM, CVSS 5.9, 2024-07-13

The SULly WordPress plugin before 4.3.1 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

CVE-2024-5032 - Before 4 Plugin
Threat Entry Updated 2025-05-02 | PLUGIN Before 4 | MEDIUM, CVSS 4.7, 2024-07-13

The SULly WordPress plugin before 4.3.1 does not sanitise and escape a parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

CVE-2024-0974 - Before 4 Plugin
Threat Entry Updated 2025-06-10 | PLUGIN Before 4 | MEDIUM, CVSS 4.8, 2024-07-12

The Social Media Widget WordPress plugin before 4.0.9 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2024-6138 - Before 4 Plugin
Threat Entry Updated 2024-11-21 | PLUGIN Before 4 | MEDIUM, CVSS 4.8, 2024-07-11

The Secure Copy Content Protection and Content Locking WordPress plugin before 4.0.9 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2024-4305 - Before 4 Plugin
Threat Entry Updated 2025-05-13 | PLUGIN Before 4 | MEDIUM, CVSS 6.8, 2024-06-17

The Post Grid Gutenberg Blocks and WordPress Blog Plugin WordPress plugin before 4.1.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2024-3288 - Before 4 Plugin
Threat Entry Updated 2024-11-21 | PLUGIN Before 4 | MEDIUM, CVSS 5.4, 2024-06-07

The Logo Slider WordPress plugin before 4.0.0 does not validate and escape some of its Slider Settings before outputting them back in attributes, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2024-4061 - Before 4 Plugin
Threat Entry Updated 2025-04-18 | PLUGIN Before 4 | MEDIUM, CVSS 4.8, 2024-05-21

The Survey Maker WordPress plugin before 4.2.9 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2024-2189 - Before 4 Plugin
Threat Entry Updated 2025-05-21 | PLUGIN Before 4 | MEDIUM, CVSS 6.1, 2024-05-21

The Social Icons Widget & Block by WPZOOM WordPress plugin before 4.2.18 does not sanitise and escape some of its Widget settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2024-3368 - Before 4 Plugin
Threat Entry Updated 2025-05-21 | PLUGIN Before 4 | MEDIUM, CVSS 6.1, 2024-05-20

The All in One SEO WordPress plugin before 4.6.1.1 does not validate and escape some of its Post fields before outputting them back, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.