"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 272
Critical: 26
High: 83
Medium: 161
Showing 241-260 of 272 records
Threat Entry Updated 2024-11-21

CVE-2024-3201 - WordPress Core

The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pp_link' shortcode in all versions up to, and including, 3.1.32 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CORE WordPress Core

CVE-2024-3201

MEDIUM CVSS 6.4 2024-05-23
Threat Entry Updated 2024-11-21

CVE-2024-32692 - WordPress Core

Missing Authorization vulnerability in QuanticaLabs Chauffeur Taxi Booking System for WordPress allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Chauffeur Taxi Booking System for WordPress: from n/a through 6.9.

CORE WordPress Core

CVE-2024-32692

HIGH CVSS 8.2 2024-05-17
Threat Entry Updated 2024-11-21

CVE-2024-31290 - WordPress Core

Improper Privilege Management vulnerability in CodeRevolution Demo My WordPress allows Privilege Escalation. This issue affects Demo My WordPress: from n/a through 1.0.9.1.

CORE WordPress Core

CVE-2024-31290

CRITICAL CVSS 9.8 2024-05-17
Threat Entry Updated 2024-11-21

CVE-2024-22139 - WordPress Core

Authentication Bypass by Spoofing vulnerability in Filipe Seabra WordPress Manutenção allows Functionality Bypass. This issue affects WordPress Manutenção: from n/a through 1.0.6.

CORE WordPress Core

CVE-2024-22139

LOW CVSS 3.7 2024-05-17
Threat Entry Updated 2024-11-21

CVE-2024-34420 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in talspotim Comments Evolved for WordPress allows Stored XSS. This issue affects Comments Evolved for WordPress: from n/a through 1.6.3.

CORE WordPress Core

CVE-2024-34420

MEDIUM CVSS 5.9 2024-05-14
Threat Entry Updated 2024-11-21

CVE-2024-34418 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tech9logy Creators WPCS ( WordPress Custom Search ) allows Stored XSS. This issue affects WPCS ( WordPress Custom Search ): from n/a through 1.1.

CORE WordPress Core

CVE-2024-34418

MEDIUM CVSS 5.9 2024-05-14
Threat Entry Updated 2024-11-21

CVE-2024-32700 - WordPress Core

Unrestricted Upload of File with Dangerous Type vulnerability in Kognetiks Kognetiks Chatbot for WordPress. This issue affects Kognetiks Chatbot for WordPress: from n/a through 2.0.0.

CORE WordPress Core

CVE-2024-32700

CRITICAL CVSS 10.0 2024-05-14
Threat Entry Updated 2024-11-21

CVE-2024-34573 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pootlepress Pootle Pagebuilder – WordPress Page builder allows Stored XSS. This issue affects Pootle Pagebuilder – WordPress Page builder: from n/a through 5.7.1.

CORE WordPress Core

CVE-2024-34573

MEDIUM CVSS 6.5 2024-05-08
Threat Entry Updated 2024-11-21

CVE-2024-33931 - WordPress Core

Missing Authorization vulnerability in ilGhera JW Player for WordPress. This issue affects JW Player for WordPress: from n/a through 2.3.3.

CORE WordPress Core

CVE-2024-33931

MEDIUM CVSS 6.5 2024-05-03
Threat Entry Updated 2024-11-21

CVE-2024-33937 - WordPress Core

Missing Authorization vulnerability in Nico Martin Progressive WordPress (PWA). This issue affects Progressive WordPress (PWA): from n/a through 2.1.13.

CORE WordPress Core

CVE-2024-33937

MEDIUM CVSS 4.3 2024-05-03
Threat Entry Updated 2024-11-21

CVE-2024-33941 - WordPress Core

Missing Authorization vulnerability in Avirtum iPanorama 360 WordPress Virtual Tour Builder. This issue affects iPanorama 360 WordPress Virtual Tour Builder: from n/a through 1.8.1.

CORE WordPress Core

CVE-2024-33941

MEDIUM CVSS 5.3 2024-05-03
Threat Entry Updated 2026-01-05

CVE-2024-4439 - WordPress Core

WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar.

CORE WordPress Core

CVE-2024-4439

HIGH CVSS 7.2 2024-05-03
Threat Entry Updated 2024-11-21

CVE-2023-5692 - WordPress Core

WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.4.3 via the redirect_guess_404_permalink function. This can allow unauthenticated attackers to expose the slug of a custom post whose 'publicly_queryable' post status has been set to 'false'.

CORE WordPress Core

CVE-2023-5692

MEDIUM CVSS 5.3 2024-04-05
Threat Entry Updated 2026-01-07

CVE-2024-31210 - WordPress Core

WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plugins -> Add New -> Upload Plugin screen in WordPress. If FTP credentials are requested for installation (in order to move the file into place outside of the `uploads` directory) then the uploaded file remains temporarily available in the Media Library despite it not being allowed. If the `DISALLOW_FILE_EDIT` constant is set to `true` on…

CORE WordPress Core

CVE-2024-31210

HIGH CVSS 7.6 2024-04-04
Threat Entry Updated 2026-01-02

CVE-2024-31211 - WordPress Core

WordPress is an open publishing platform for the Web. Unserialization of instances of the `WP_HTML_Token` class allows for code execution via its `__destruct()` magic method. This issue was fixed in WordPress 6.4.2 on December 6th, 2023. Versions prior to 6.4.0 are not affected.

CORE WordPress Core

CVE-2024-31211

MEDIUM CVSS 5.5 2024-04-04
Threat Entry Updated 2025-12-05

CVE-2024-28850 - WordPress Core

WP Crontrol controls the cron events on WordPress websites. WP Crontrol includes a feature that allows administrative users to create events in the WP-Cron system that store and execute PHP code subject to the restrictive security permissions documented here. While there is no known vulnerability in this feature on its own, there exists potential for this feature to be vulnerable to RCE if it were specifically targeted via vulnerability chaining that exploited a separate SQLi (or similar) vulnerability. This is exploitable on a site if one of the below preconditions…

CORE WordPress Core

CVE-2024-28850

HIGH CVSS 8.1 2024-03-25
Threat Entry Updated 2025-04-23

CVE-2023-5561 - WordPress Core

WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an oracle-style attack.

CORE WordPress Core

CVE-2023-5561

MEDIUM CVSS 5.3 2023-10-16
Threat Entry Updated 2024-11-21

CVE-2023-39999 - WordPress Core

Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13, from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from 4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26, from 4.5 through 4.5.29, from 4.4 through 4.4.30, from…

CORE WordPress Core

CVE-2023-39999

MEDIUM CVSS 4.3 2023-10-13
Threat Entry Updated 2024-11-21

CVE-2023-38000 - WordPress Core

Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin

CORE WordPress Core

CVE-2023-38000

MEDIUM CVSS 6.5 2023-10-13
Threat Entry Updated 2025-04-24

CVE-2023-2745 - WordPress Core

WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could also be used to perform a Cross-Site Scripting attack.

CORE WordPress Core

CVE-2023-2745

MEDIUM CVSS 5.4 2023-05-17