Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 1-20 of 43 records
Threat Entry Updated 2026-04-15

CVE-2026-1369 - Conditional CAPTCHA Plugin

The Conditional CAPTCHA WordPress plugin through 4.0.0 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue.

MEDIUM CVSS 4.3 2026-02-22
Threat Entry Updated 2026-01-09

CVE-2025-13070 - CSV to SortTable Plugin

The CSV to SortTable WordPress plugin through 4.2 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated user, such as a contributor, to perform LFI attacks.

MEDIUM CVSS 6.6 2025-12-09
Threat Entry Updated 2025-09-15

CVE-2025-3650 - jQuery Colorbox Plugin

The jQuery Colorbox WordPress plugin through 4.6.3 uses the colorbox library, which does not sanitize title attributes on links before using them, allowing users with at least the contributor role to conduct XSS attacks against administrators.

LOW CVSS 3.5 2025-09-12
Threat Entry Updated 2025-06-12

CVE-2024-8702 - Backup Database Plugin

The Backup Database WordPress plugin through 4.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

MEDIUM CVSS 4.8 2025-05-15
Threat Entry Updated 2025-06-11

CVE-2024-13865 - S3Player Plugin

The S3Player WordPress plugin through 4.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.

MEDIUM CVSS 6.1 2025-05-15
Threat Entry Updated 2025-06-12

CVE-2024-11190 - jwp-a11y Plugin

The jwp-a11y WordPress plugin through 4.1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

MEDIUM CVSS 4.8 2025-05-15
Threat Entry Updated 2025-05-21

CVE-2024-13853 - SEO Tools Plugin

The SEO Tools WordPress plugin through 4.0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

MEDIUM CVSS 6.1 2025-03-11
Threat Entry Updated 2025-05-12

CVE-2024-13221 - Fantastic ElasticSearch Plugin

The Fantastic ElasticSearch WordPress plugin through 4.1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

MEDIUM CVSS 6.1 2025-01-31
Threat Entry Updated 2025-05-11

CVE-2024-13112 - WP MediaTagger Plugin

The WP MediaTagger WordPress plugin through 4.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

MEDIUM CVSS 6.1 2025-01-31
Threat Entry Updated 2025-05-11

CVE-2024-13101 - WP MediaTagger Plugin

The WP MediaTagger WordPress plugin through 4.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2025-01-31
Threat Entry Updated 2025-05-28

CVE-2024-4096 - Responsive Tabs Plugin

The Responsive Tabs WordPress plugin through 4.0.8 does not sanitise and escape some of its Tab settings, which could allow high privilege users such as Contributors and above to perform Stored Cross-Site Scripting attacks.

MEDIUM CVSS 5.9 2024-07-30
Threat Entry Updated 2026-03-03

CVE-2024-0756 - Insert or Embed Articulate Content into WordPress Plugin

The Insert or Embed Articulate Content into WordPress plugin through 4.3000000023 lacks validation of URLs when adding iframes, allowing attackers to inject an iFrame in the page and thus load arbitrary content from any page.

MEDIUM CVSS 5.4 2024-06-04
Threat Entry Updated 2025-05-21

CVE-2024-0757 - Insert or Embed Articulate Content into WordPress Plugin

The Insert or Embed Articulate Content into WordPress plugin through 4.3000000023 is not properly filtering which file extensions are allowed to be imported on the server, allowing the uploading of malicious code within zip files.

MEDIUM CVSS 5.4 2024-06-04
Threat Entry Updated 2025-05-15

CVE-2024-2220 - Button contact VR Plugin

The Button contact VR WordPress plugin through 4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

LOW CVSS 3.5 2024-05-23
Threat Entry Updated 2025-05-15

CVE-2024-3749 - SP Project & Document Manager Plugin

The SP Project & Document Manager WordPress plugin through 4.71 lacks proper access controls and allows a logged-in user to view and download files belonging to another user.

MEDIUM CVSS 6.5 2024-05-15
Threat Entry Updated 2025-05-15

CVE-2024-3748 - SP Project & Document Manager Plugin

The SP Project & Document Manager WordPress plugin through 4.71 is missing validation in its upload function, allowing a user to manipulate the `user_id` to make it appear that a file was uploaded by another user.

MEDIUM CVSS 6.5 2024-05-15
Threat Entry Updated 2025-06-02

CVE-2024-0237 - EventON Plugin

The EventON WordPress plugin through 4.5.8 and the EventON WordPress plugin before 2.2.7 do not have authorisation in some AJAX actions, allowing unauthenticated users to update virtual events settings, such as meeting URL, moderator, access details, etc.

MEDIUM CVSS 5.3 2024-01-16
Threat Entry Updated 2024-11-21

CVE-2023-1982 - Front Editor Plugin

The Front Editor WordPress plugin through 4.0.4 does not sanitize and escape some of its form settings, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

MEDIUM CVSS 4.8 2023-08-30
Threat Entry Updated 2024-11-21

CVE-2023-0551 - REST API TO MiniProgram Plugin

The REST API TO MiniProgram WordPress plugin through 4.6.1 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and delete arbitrary attachments.

MEDIUM CVSS 5.4 2023-08-16
Threat Entry Updated 2025-02-06

CVE-2023-0277 - WC Fields Factory Plugin

The WC Fields Factory WordPress plugin through 4.1.5 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

HIGH CVSS 7.2 2023-04-17