
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 45 records: Critical 1, High 7, Medium 36. Showing 1-20 of 45 records.
CVE-2026-4338 - Before 8 Plugin (threat entry updated 2026-04-14)

The ActivityPub WordPress plugin before 8.0.2 does not properly filter the posts to be displayed, allowing unauthenticated users to access draft, scheduled and pending posts.

HIGH | CVSS 7.5 | 2026-04-08
CVE-2025-3582 - Before 8 Plugin (threat entry updated 2025-06-12)

The Newsletter WordPress plugin before 8.85 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

MEDIUM | CVSS 4.8 | 2025-06-09
CVE-2025-3581 - Before 8 Plugin (threat entry updated 2025-06-12)

The Newsletter WordPress plugin before 8.8.5 does not validate and escape some of its Widget options before outputting them back in a page/post where the block is embedded, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

MEDIUM | CVSS 4.8 | 2025-06-09
CVE-2025-3584 - Before 8 Plugin (threat entry updated 2025-06-05)

The Newsletter WordPress plugin before 8.8.2 does not sanitise and escape some of its Subscription settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

MEDIUM | CVSS 4.8 | 2025-06-03
CVE-2025-4133 - Before 8 Plugin (threat entry updated 2025-06-09)

The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 8.4.0 does not escape the title of posts when outputting them in a dashboard, which could allow users with the contributor role to perform Cross-Site Scripting attacks.

MEDIUM | CVSS 5.4 | 2025-05-22
CVE-2025-4094 - Before 8 Plugin (threat entry updated 2025-06-09)

The DIGITS: WordPress Mobile Number Signup and Login WordPress plugin before 8.4.6.1 does not rate limit OTP validation attempts, making it straightforward for attackers to brute-force them.

CRITICAL | CVSS 9.8 | 2025-05-21
CVE-2024-13619 - Before 8 Plugin (threat entry updated 2025-06-10)

The LifterLMS WordPress plugin before 8.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

MEDIUM | CVSS 6.1 | 2025-05-15
CVE-2023-5529 - Before 8 Plugin (threat entry updated 2025-06-04)

The Advanced Page Visit Counter WordPress plugin before 8.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

MEDIUM | CVSS 4.8 | 2025-05-15
CVE-2025-3583 - Before 8 Plugin (threat entry updated 2025-05-07)

The Newsletter WordPress plugin before 8.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

MEDIUM | CVSS 4.8 | 2025-05-05
CVE-2024-6133 - Before 8 Plugin (threat entry updated 2025-05-08)

The wp-cart-for-digital-products WordPress plugin before 8.5.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

MEDIUM | CVSS 6.5 | 2024-08-12
CVE-2024-6136 - Before 8 Plugin (threat entry updated 2025-05-08)

The wp-cart-for-digital-products WordPress plugin before 8.5.6 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks.

MEDIUM | CVSS 5.4 | 2024-08-12
CVE-2024-6134 - Before 8 Plugin (threat entry updated 2025-05-08)

The wp-cart-for-digital-products WordPress plugin before 8.5.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

MEDIUM | CVSS 5.4 | 2024-08-12
CVE-2024-6075 - Before 8 Plugin (threat entry updated 2024-11-21)

The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks.

HIGH | CVSS 8.8 | 2024-07-15
CVE-2024-6076 - Before 8 Plugin (threat entry updated 2024-11-21)

The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

MEDIUM | CVSS 6.1 | 2024-07-15
CVE-2024-6074 - Before 8 Plugin (threat entry updated 2024-11-21)

The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

MEDIUM | CVSS 6.1 | 2024-07-15
CVE-2024-6073 - Before 8 Plugin (threat entry updated 2024-11-21)

The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

MEDIUM | CVSS 6.1 | 2024-07-15
CVE-2024-6072 - Before 8 Plugin (threat entry updated 2024-11-21)

The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.

MEDIUM | CVSS 6.1 | 2024-07-15
CVE-2024-4094 - Before 8 Plugin (threat entry updated 2025-03-18)

The Simple Share Buttons Adder WordPress plugin before 8.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

MEDIUM | CVSS 5.4 | 2024-06-18
CVE-2024-3591 - Before 8 Plugin (threat entry updated 2025-05-08)

The Geo Controller WordPress plugin before 8.6.5 unserializes user input via some of its AJAX actions and REST API routes, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.

MEDIUM | CVSS 6.5 | 2024-05-01
CVE-2024-1310 - Before 8 Plugin (threat entry updated 2025-05-27)

The WooCommerce WordPress plugin before 8.6 does not prevent users with at least the contributor role from leaking products they shouldn't have access to (e.g. private, draft and trashed products).

MEDIUM | CVSS 4.9 | 2024-04-15