Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 23 (Critical: 1, High: 2, Medium: 20). Showing 1-20 of 23 records.
Threat Entry Updated 2026-01-13

CVE-2025-14803 - Before 9 Plugin

The NEX-Forms WordPress plugin before 9.1.8 does not sanitise and escape some of its settings, and it can be configured in such a way that could allow subscribers to perform Stored Cross-Site Scripting.

PLUGIN Before 9

CVE-2025-14803

MEDIUM CVSS 6.8 2026-01-09
Threat Entry Updated 2025-11-13

CVE-2025-11307 - Before 9 Plugin

The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later retrieved from another AJAX call and output unescaped.

PLUGIN Before 9

CVE-2025-11307

HIGH CVSS 8.8 2025-11-11
Threat Entry Updated 2025-05-06

CVE-2024-10679 - Before 9 Plugin

The Quiz and Survey Master (QSM) WordPress plugin before 9.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 9

CVE-2024-10679

MEDIUM CVSS 6.1 2025-03-25
Threat Entry Updated 2025-05-14

CVE-2024-8968 - Before 9 Plugin

The WordPress Button Plugin MaxButtons WordPress plugin before 9.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 9

CVE-2024-8968

MEDIUM CVSS 4.7 2024-12-20
Threat Entry Updated 2025-05-14

CVE-2024-10555 - Before 9 Plugin

The WordPress Button Plugin MaxButtons WordPress plugin before 9.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 9

CVE-2024-10555

MEDIUM CVSS 4.8 2024-12-20
Threat Entry Updated 2024-10-07

CVE-2024-8758 - Before 9 Plugin

The Quiz and Survey Master (QSM) WordPress plugin before 9.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 9

CVE-2024-8758

MEDIUM CVSS 4.8 2024-09-23
Threat Entry Updated 2025-05-17

CVE-2024-6879 - Before 9 Plugin

The Quiz and Survey Master (QSM) WordPress plugin before 9.1.1 fails to validate and escape certain Quiz fields before displaying them on a page or post where the Quiz is embedded, which could allow contributor and above roles to perform Stored Cross-Site Scripting (XSS) attacks.

PLUGIN Before 9

CVE-2024-6879

MEDIUM CVSS 4.7 2024-08-26
Threat Entry Updated 2025-06-06

CVE-2024-6390 - Before 9 Plugin

The Quiz and Survey Master (QSM) WordPress plugin before 9.1.0 does not properly sanitise and escape some of its Quiz settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 9

CVE-2024-6390

MEDIUM CVSS 5.9 2024-08-03
Threat Entry Updated 2025-05-15

CVE-2024-3026 - Before 9 Plugin

The WordPress Button Plugin MaxButtons WordPress plugin before 9.7.8 does not sanitise and escape some parameters, which could allow users with a role as low as editor to perform Cross-Site Scripting attacks.

PLUGIN Before 9

CVE-2024-3026

MEDIUM CVSS 5.4 2024-07-13
Threat Entry Updated 2024-11-21

CVE-2024-6025 - Before 9 Plugin

The Quiz and Survey Master (QSM) WordPress plugin before 9.0.5 does not sanitise and escape some of its Quiz settings, which could allow contributors and higher to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 9

CVE-2024-6025

MEDIUM CVSS 5.4 2024-07-11
Threat Entry Updated 2024-11-21

CVE-2024-5606 - Before 9 Plugin

The Quiz and Survey Master (QSM) WordPress plugin before 9.0.2 does not validate and escape the question_id parameter in the qsm_bulk_delete_question_from_database AJAX action, leading to a SQL injection exploitable by users with the Contributor role and above.

PLUGIN Before 9

CVE-2024-5606

HIGH CVSS 8.8 2024-07-02
Threat Entry Updated 2025-05-01

CVE-2024-4934 - Before 9 Plugin

The Quiz and Survey Master (QSM) WordPress plugin before 9.0.2 does not validate and escape some of its Quiz fields before outputting them back in a page/post where the Quiz is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 9

CVE-2024-4934

MEDIUM CVSS 5.5 2024-07-01
Threat Entry Updated 2025-04-14

CVE-2024-2101 - Before 9 Plugin

The Salon booking system WordPress plugin before 9.6.3 does not properly sanitize and escape the 'Mobile Phone' field when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Customers' page and the malicious script is executed in the admin context.

PLUGIN Before 9

CVE-2024-2101

MEDIUM CVSS 5.7 2024-04-17
Threat Entry Updated 2025-04-14

CVE-2024-2102 - Before 9 Plugin

The Salon booking system WordPress plugin before 9.6.3 does not properly sanitize and escape the 'Mobile Phone' field and 'sms_prefix' parameter when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Bookings' page and the malicious script is executed in the admin context.

PLUGIN Before 9

CVE-2024-2102

MEDIUM CVSS 4.7 2024-04-17
Threat Entry Updated 2025-06-18

CVE-2023-6627 - Before 9 Plugin

The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.28 does not properly protect most of its REST API routes, which attackers can abuse to store malicious HTML/Javascript on the site.

PLUGIN Before 9

CVE-2023-6627

MEDIUM CVSS 6.1 2024-01-08
Threat Entry Updated 2025-05-02

CVE-2023-4620 - Before 9 Plugin

The Booking Calendar WordPress plugin before 9.7.3.1 does not sanitize and escape some of its booking form data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against administrators.

PLUGIN Before 9

CVE-2023-4620

MEDIUM CVSS 6.1 2023-10-16
Threat Entry Updated 2025-02-25

CVE-2023-0937 - Before 9 Plugin

The VK All in One Expansion Unit WordPress plugin before 9.87.1.0 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.

PLUGIN Before 9

CVE-2023-0937

MEDIUM CVSS 6.1 2023-03-20
Threat Entry Updated 2025-03-10

CVE-2023-0230 - Before 9 Plugin

The VK All in One Expansion Unit WordPress plugin before 9.86.0.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 9

CVE-2023-0230

MEDIUM CVSS 5.4 2023-02-27
Threat Entry Updated 2024-11-21

CVE-2022-0594 - Before 9 Plugin

The Professional Social Sharing Buttons, Icons & Related Posts WordPress plugin before 9.7.6 does not have a proper authorisation check in one of its AJAX actions, available to unauthenticated (in v < 9.7.5) and author+ (in v9.7.5) users, allowing them to call it and retrieve various information such as the list of active plugins and various version numbers (PHP, cURL, WP, etc.).

PLUGIN Before 9

CVE-2022-0594

MEDIUM CVSS 5.3 2022-07-25
Threat Entry Updated 2024-11-21

CVE-2022-1967 - Before 9 Plugin

The WP Championship WordPress plugin before 9.3 is lacking CSRF checks in various places, allowing attackers to make a logged in admin perform unwanted actions, such as creating and deleting arbitrary teams as well as updating the plugin's settings. Due to the lack of sanitisation and escaping, it could also lead to Stored Cross-Site Scripting issues.

PLUGIN Before 9

CVE-2022-1967

MEDIUM CVSS 6.5 2022-07-04