Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-05-08
CVE-2024-12567 - Before 5 Plugin
The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 5
CVE-2024-12567
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-12566 - Before 5 Plugin
The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 5
CVE-2024-12566
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-11636 - Before 5 Plugin
The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its Text Block options, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 5
CVE-2024-11636
Risk Score
Threat Entry
Updated 2025-05-14
CVE-2024-12311 - Before 5 Plugin
The Email Subscribers by Icegram Express WordPress plugin before 5.7.44 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
PLUGIN
Before 5
CVE-2024-12311
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2024-11356 - Before 5 Plugin
The tourmaster WordPress plugin before 5.3.4 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated users to perform Cross-Site Scripting attacks.
PLUGIN
Before 5
CVE-2024-11356
Risk Score
Threat Entry
Updated 2025-05-06
CVE-2024-9651 - Before 5 Plugin
The Fluent Forms WordPress plugin before 5.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 5
CVE-2024-9651
Risk Score
Threat Entry
Updated 2025-05-07
CVE-2024-10980 - Before 5 Plugin
The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) WordPress plugin before 5.10.3 does not validate and escape some of its Cookie Consent block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
Before 5
CVE-2024-10980
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-10493 - Before 5 Plugin
The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) WordPress plugin before 5.10.3 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
Before 5
CVE-2024-10493
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2024-10103 - Before 5 Plugin
In the process of testing the MailPoet WordPress plugin before 5.3.2, a vulnerability was found that allows you to implement Stored XSS on behalf of the editor by embedding malicious script, which entails account takeover backdoor
PLUGIN
Before 5
CVE-2024-10103
Risk Score
Threat Entry
Updated 2025-05-27
CVE-2024-6724 - Before 5 Plugin
The Generate Images WordPress plugin before 5.2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Before 5
CVE-2024-6724
Risk Score
Threat Entry
Updated 2025-08-25
CVE-2024-6420 - Before 5 Plugin
The Hide My WP Ghost WordPress plugin before 5.2.02 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the hidden login page.
PLUGIN
Before 5
CVE-2024-6420
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4704 - Before 5 Plugin
The Contact Form 7 WordPress plugin before 5.9.5 has an open redirect that allows an attacker to utilize a false URL and redirect to the URL of their choosing.
PLUGIN
Before 5
CVE-2024-4704
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-3478 - Before 5 Plugin
The Herd Effects WordPress plugin before 5.2.7 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting effects via CSRF attacks
PLUGIN
Before 5
CVE-2024-3478
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-3472 - Before 5 Plugin
The Modal Window WordPress plugin before 5.3.10 does not have CSRF check in place when bulk deleting modals, which could allow attackers to make a logged in admin delete them via a CSRF attack
PLUGIN
Before 5
CVE-2024-3472
Risk Score
Threat Entry
Updated 2025-05-30
CVE-2024-2309 - Before 5 Plugin
The WP STAGING WordPress Backup Plugin WordPress plugin before 3.4.0, wp-staging-pro WordPress plugin before 5.4.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Before 5
CVE-2024-2309
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-1204 - Before 5 Plugin
The Meta Box WordPress plugin before 5.9.4 does not prevent users with at least the contributor role from access arbitrary custom fields assigned to other user's posts.
PLUGIN
Before 5
CVE-2024-1204
Risk Score
Threat Entry
Updated 2025-05-05
CVE-2024-1331 - Before 5 Plugin
The Team Members WordPress plugin before 5.3.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the author role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
Before 5
CVE-2024-1331
Risk Score
Threat Entry
Updated 2025-05-05
CVE-2024-1333 - Before 5 Plugin
The Responsive Pricing Table WordPress plugin before 5.1.11 does not validate and escape some of its Pricing Table options before outputting them back in a page/post where the related shortcode is embed, which could allow users with the author role and above to perform Stored Cross-Site Scripting attacks
PLUGIN
Before 5
CVE-2024-1333
Risk Score
Threat Entry
Updated 2025-06-27
CVE-2024-1316 - Before 5 Plugin
The Event Tickets and Registration WordPress plugin before 5.8.1, Events Tickets Plus WordPress plugin before 5.9.1 does not prevent users with at least the contributor role from leaking the existence of certain events they shouldn't have access to. (e.g. draft, private, pending review, pw-protected, and trashed events).
PLUGIN
Before 5
CVE-2024-1316
Risk Score
Threat Entry
Updated 2025-04-24
CVE-2024-1319 - Before 5 Plugin
The Events Tickets Plus WordPress plugin before 5.9.1 does not prevent users with at least the contributor role from leaking the attendees list on any post type regardless of status. (e.g. draft, private, pending review, password-protected, and trashed posts).
PLUGIN
Before 5
CVE-2024-1319
Risk Score