Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 58 records (Critical: 4, High: 9, Medium: 43)

Showing 1-20 of 58 records
Threat Entry (updated 2026-01-05)

CVE-2025-13820 - Before 7 Plugin

The Comments WordPress plugin before 7.6.40 does not properly validate a user's identity when using the disqus.com provider, allowing an attacker who knows a user's email address to log in as that user, provided the user does not yet have an account on disqus.com.

Plugin: Before 7 | CVE-2025-13820 | MEDIUM | CVSS 5.3 | 2026-01-01

Threat Entry (updated 2025-09-22)

CVE-2025-9487 - Before 7 Plugin

The Admin and Site Enhancements (ASE) WordPress plugin before 7.9.8 does not sanitise SVG files uploaded via xmlrpc.php when such uploads are enabled, which could allow users to upload a malicious SVG containing XSS payloads.

Plugin: Before 7 | CVE-2025-9487 | MEDIUM | CVSS 4.7 | 2025-09-22

Threat Entry (updated 2025-11-13)

CVE-2025-9111 - Before 7 Plugin

The AI ChatBot for WordPress WordPress plugin before 7.1.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Plugin: Before 7 | CVE-2025-9111 | LOW | CVSS 3.5 | 2025-09-09

Threat Entry (updated 2025-06-04)

CVE-2024-7758 - Before 7 Plugin

The Stylish Price List WordPress plugin before 7.1.8 does not sanitise and escape some of its settings, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Plugin: Before 7 | CVE-2024-7758 | MEDIUM | CVSS 4.8 | 2025-05-15

Threat Entry (updated 2025-05-14)

CVE-2024-13688 - Before 7 Plugin

The Admin and Site Enhancements (ASE) WordPress plugin before 7.6.10 uses a hardcoded password in its Password Protection feature, allowing an attacker to bypass the protection via a crafted request.

Plugin: Before 7 | CVE-2024-13688 | MEDIUM | CVSS 5.3 | 2025-04-28

Threat Entry (updated 2025-05-15)

CVE-2024-10472 - Before 7 Plugin

The Stylish Price List WordPress plugin before 7.1.12 does not sanitise and escape some of its settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Plugin: Before 7 | CVE-2024-10472 | MEDIUM | CVSS 5.9 | 2025-03-25

Threat Entry (updated 2025-05-09)

CVE-2025-1232 - Before 7 Plugin

The Site Reviews WordPress plugin before 7.2.5 does not properly sanitise and escape some of its Review fields, which could allow unauthenticated users to perform Stored XSS attacks.

Plugin: Before 7 | CVE-2025-1232 | HIGH | CVSS 8.8 | 2025-03-19

Threat Entry (updated 2025-05-14)

CVE-2024-13685 - Before 7 Plugin

The Admin and Site Enhancements (ASE) WordPress plugin before 7.6.10 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate the value and bypass the plugin's login limit feature.

Plugin: Before 7 | CVE-2024-13685 | MEDIUM | CVSS 5.3 | 2025-03-04

Threat Entry (updated 2024-10-02)

CVE-2024-3635 - Before 7 Plugin

The Post Grid WordPress plugin before 7.5.0 does not sanitise and escape some of its Grid settings, which could allow high privilege users such as Editor and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Plugin: Before 7 | CVE-2024-3635 | MEDIUM | CVSS 4.8 | 2024-09-30

Threat Entry (updated 2025-06-13)

CVE-2024-6766 - Before 7 Plugin

The shortcodes-ultimate-pro WordPress plugin before 7.2.1 does not validate and escape some of its shortcode attributes before outputting them back in the page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Plugin: Before 7 | CVE-2024-6766 | MEDIUM | CVSS 5.4 | 2024-08-06

Threat Entry (updated 2025-06-10)

CVE-2024-4217 - Before 7 Plugin

The shortcodes-ultimate-pro WordPress plugin before 7.1.5 does not properly escape some of its shortcodes' settings, making it possible for attackers with a Contributor account to conduct Stored XSS attacks.

Plugin: Before 7 | CVE-2024-4217 | MEDIUM | CVSS 4.7 | 2024-07-13

Threat Entry (updated 2025-05-21)

CVE-2024-5488 - Before 7 Plugin

The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to unserialize malicious gadget chains, compromising the site if a suitable chain is present.

Plugin: Before 7 | CVE-2024-5488 | CRITICAL | CVSS 9.8 | 2024-07-09

Threat Entry (updated 2025-05-19)

CVE-2024-4900 - Before 7 Plugin

The SEOPress WordPress plugin before 7.8 does not validate and escape one of its Post settings, which could allow users with the contributor role and above to perform Open Redirect attacks against any user viewing a malicious post.

Plugin: Before 7 | CVE-2024-4900 | MEDIUM | CVSS 6.1 | 2024-06-24

Threat Entry (updated 2025-05-19)

CVE-2024-4899 - Before 7 Plugin

The SEOPress WordPress plugin before 7.8 does not sanitise and escape some of its Post settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks.

Plugin: Before 7 | CVE-2024-4899 | MEDIUM | CVSS 5.0 | 2024-06-24

Threat Entry (updated 2025-03-17)

CVE-2024-3032 - Before 7 Plugin

The Themify Builder WordPress plugin before 7.5.8 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue.

Plugin: Before 7 | CVE-2024-3032 | MEDIUM | CVSS 6.1 | 2024-06-13

Threat Entry (updated 2025-05-21)

CVE-2024-3050 - Before 7 Plugin

The Site Reviews WordPress plugin before 7.0.0 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate the value. This may be used to bypass IP-based blocking.

Plugin: Before 7 | CVE-2024-3050 | CRITICAL | CVSS 9.1 | 2024-05-29

Threat Entry (updated 2025-03-27)

CVE-2024-3548 - Before 7 Plugin

The WP Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 7.1.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue which could be used against high privilege users such as admins.

Plugin: Before 7 | CVE-2024-3548 | MEDIUM | CVSS 6.1 | 2024-05-15

Threat Entry (updated 2025-05-14)

CVE-2024-3188 - Before 7 Plugin

The WP Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 7.1.0 does not validate and escape some of its shortcode attributes before outputting them back in the page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Plugin: Before 7 | CVE-2024-3188 | MEDIUM | CVSS 6.3 | 2024-04-26

Threat Entry (updated 2025-05-14)

CVE-2024-2907 - Before 7 Plugin

The AGCA WordPress plugin before 7.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Plugin: Before 7 | CVE-2024-2907 | MEDIUM | CVSS 6.8 | 2024-04-25

Threat Entry (updated 2025-05-08)

CVE-2024-2836 - Before 7 Plugin

The Social Share, Social Login and Social Comments Plugin WordPress plugin before 7.13.64 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Plugin: Before 7 | CVE-2024-2836 | MEDIUM | CVSS 4.8 | 2024-04-15