Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 125 records (Critical: 10, High: 22, Medium: 93). Showing 1-20 of 125 records.
Threat Entry Updated 2026-04-15

CVE-2026-0929 - Before 6 Plugin

The RegistrationMagic WordPress plugin before 6.0.7.2 does not have proper capability checks, allowing subscribers and above to create forms on the site.

MEDIUM CVSS 4.3 2026-02-16
Threat Entry Updated 2026-02-13

CVE-2025-15520 - Before 6 Plugin

The RegistrationMagic WordPress plugin before 6.0.7.2 checks nonces but not capabilities, allowing for the disclosure of some sensitive data to subscribers and above.

MEDIUM CVSS 4.3 2026-02-13
Threat Entry Updated 2026-01-13

CVE-2025-14579 - Before 6 Plugin

The Quiz Maker WordPress plugin before 6.7.0.89 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

MEDIUM CVSS 4.8 2026-01-12
Threat Entry Updated 2025-10-14

CVE-2025-9698 - Before 6 Plugin

The Plus Addons for Elementor WordPress plugin before 6.3.16 does not sanitize SVG file contents, which could allow users with minimum role access as Author to perform Stored Cross-Site Scripting attacks.

MEDIUM CVSS 6.8 2025-10-13
Threat Entry Updated 2025-07-02

CVE-2025-5034 - Before 6 Plugin

The wp-file-download WordPress plugin before 6.2.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.

HIGH CVSS 7.1 2025-06-21
Threat Entry Updated 2025-06-12

CVE-2024-9838 - Before 6 Plugin

The Auto Affiliate Links WordPress plugin before 6.4.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.

MEDIUM CVSS 5.4 2025-05-15
Threat Entry Updated 2025-06-12

CVE-2025-0329 - Before 6 Plugin

The AI ChatBot for WordPress WordPress plugin before 6.2.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

MEDIUM CVSS 4.8 2025-05-15
Threat Entry Updated 2025-06-04

CVE-2024-9390 - Before 6 Plugin

The RegistrationMagic WordPress plugin before 6.0.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

MEDIUM CVSS 4.8 2025-05-15
Threat Entry Updated 2025-06-04

CVE-2024-8617 - Before 6 Plugin

The Quiz Maker WordPress plugin before 6.5.9.9 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

MEDIUM CVSS 4.8 2025-05-15
Threat Entry Updated 2025-06-04

CVE-2024-8493 - Before 6 Plugin

The Events Calendar WordPress plugin before 6.6.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

MEDIUM CVSS 4.8 2025-05-15
Threat Entry Updated 2025-04-29

CVE-2024-13610 - Before 6 Plugin

The Simple Social Media Share Buttons WordPress plugin before 6.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

MEDIUM CVSS 4.8 2025-04-15
Threat Entry Updated 2025-04-29

CVE-2024-13207 - Before 6 Plugin

The Widget for Social Page Feeds WordPress plugin before 6.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

MEDIUM CVSS 4.8 2025-04-15
Threat Entry Updated 2025-05-21

CVE-2024-11638 - Before 6 Plugin

The Gtbabel WordPress plugin before 6.6.9 does not ensure that the URL on which it performs code analysis belongs to the blog, which could allow unauthenticated attackers to retrieve a logged-in user's (such as admin's) cookies by making them open a crafted URL, as the request made to analyse the URL contains those cookies.

HIGH CVSS 8.8 2025-03-10
Threat Entry Updated 2025-05-15

CVE-2024-10483 - Before 6 Plugin

The Simple:Press Forum WordPress plugin before 6.10.11 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.

HIGH CVSS 7.1 2025-02-26
Threat Entry Updated 2025-05-14

CVE-2024-5333 - Before 6 Plugin

The Events Calendar WordPress plugin before 6.8.2.1 is missing access checks in the REST API, allowing unauthenticated users to access information about password protected events.

MEDIUM CVSS 5.3 2024-12-16
Threat Entry Updated 2024-11-26

CVE-2024-9768 - Before 6 Plugin

The Formidable Forms WordPress plugin before 6.14.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

MEDIUM CVSS 4.8 2024-11-21
Threat Entry Updated 2025-06-11

CVE-2024-9529 - Before 6 Plugin

The Secure Custom Fields WordPress plugin before 6.3.9, the Secure Custom Fields WordPress plugin before 6.3.6.3, and the Advanced Custom Fields Pro WordPress plugin before 6.3.9 do not prevent users from running arbitrary functions through their settings import functionality, which could allow high privilege users such as admin to run arbitrary PHP functions.

MEDIUM CVSS 6.6 2024-11-15
Threat Entry Updated 2025-05-15

CVE-2024-10146 - Before 6 Plugin

The Simple File List WordPress plugin before 6.1.13 does not sanitise and escape a generated URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against admins.

MEDIUM CVSS 5.4 2024-11-14
Threat Entry Updated 2025-07-07

CVE-2024-5285 - Before 6 Plugin

The wp-affiliate-platform WordPress plugin before 6.5.2 does not have a CSRF check in place when deleting affiliates, which could allow attackers to make a logged-in user delete them via a CSRF attack.

MEDIUM CVSS 5.5 2024-07-29
Threat Entry Updated 2024-11-21

CVE-2024-6205 - Before 6 Plugin

The PayPlus Payment Gateway WordPress plugin before 6.6.9 does not properly sanitise and escape a parameter before using it in a SQL statement via a WooCommerce API route available to unauthenticated users, leading to an SQL injection vulnerability.

CRITICAL CVSS 9.8 2024-07-19