
"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 471 | Critical 68 | High 135 | Medium 268
Showing 321-340 of 471 records
Threat Entry Updated 2024-11-21

CVE-2024-5964 - Zenon Lite Theme

The Zenon Lite theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Button shortcode in all versions up to, and including, 1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Zenon Lite

CVE-2024-5964

MEDIUM CVSS 6.4 2024-07-18
Threat Entry Updated 2024-11-21

CVE-2024-2234 - Before 2 Theme

The Himer WordPress theme before 2.1.1 does not sanitise and escape some of its Post settings, which could allow high privilege users such as Contributor to perform Stored Cross-Site Scripting attacks.

THEME Before 2

CVE-2024-2234

MEDIUM CVSS 5.4 2024-07-03
Threat Entry Updated 2024-11-21

CVE-2024-2235 - Before 2 Theme

The Himer WordPress theme before 2.1.1 does not have CSRF checks in some places, which could allow attackers to make users vote on any polls, including those they don't have access to, via a CSRF attack.

THEME Before 2

CVE-2024-2235

MEDIUM CVSS 4.3 2024-07-03
Threat Entry Updated 2024-11-21

CVE-2024-2233 - Before 2 Theme

The Himer WordPress theme before 2.1.1 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks. These include declining and accepting group invitations or leaving a group.

THEME Before 2

CVE-2024-2233

MEDIUM CVSS 4.3 2024-07-03
Threat Entry Updated 2024-11-21

CVE-2024-2040 - Before 2 Theme

The Himer WordPress theme before 2.1.1 does not have CSRF checks in some places, which could allow attackers to make users join private groups via a CSRF attack.

THEME Before 2

CVE-2024-2040

MEDIUM CVSS 4.3 2024-07-03
Threat Entry Updated 2024-12-26

CVE-2024-5938 - Boot Store Theme

The Boot Store theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter within the theme's Button shortcode in all versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Boot Store

CVE-2024-5938

MEDIUM CVSS 6.4 2024-07-02
Threat Entry Updated 2024-11-21

CVE-2024-39310 - Basil Recipe Theme

The Basil recipe theme for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the `post_title` parameter in versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. Because of the default WordPress validation, it is not possible to insert the payload directly, but if the Cooked plugin is installed, it is possible to create a recipe post…

THEME Basil Recipe

CVE-2024-39310

MEDIUM CVSS 5.4 2024-07-01
Threat Entry Updated 2024-11-21

CVE-2023-4017 - Goya Theme

The Goya theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘attra-color’, ‘attra-size’, and ‘product-cata’ parameters in versions up to, and including, 1.0.8.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

THEME Goya

CVE-2023-4017

MEDIUM CVSS 6.1 2024-06-29
Threat Entry Updated 2024-11-21

CVE-2024-5925 - Theron Lite Theme

The Theron Lite theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Button shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Theron Lite

CVE-2024-5925

MEDIUM CVSS 6.4 2024-06-28
Threat Entry Updated 2024-11-21

CVE-2024-5922 - Scylla Lite Theme

The Scylla lite theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Button shortcode in all versions up to, and including, 1.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Scylla Lite

CVE-2024-5922

MEDIUM CVSS 6.4 2024-06-28
Threat Entry Updated 2024-11-21

CVE-2024-5796 - Infinite Theme

The Infinite theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘project_url’ parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Infinite

CVE-2024-5796

MEDIUM CVSS 6.4 2024-06-28
Threat Entry Updated 2024-11-21

CVE-2024-5788 - Silesia Theme

The Silesia theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ attribute within the theme's Button shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Silesia

CVE-2024-5788

MEDIUM CVSS 6.4 2024-06-28
Threat Entry Updated 2024-11-21

CVE-2024-6283 - Dethemekit For Elementor

The DethemeKit For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL parameter of the De Gallery widget in all versions up to and including 2.1.5 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks on the injected link.

THEME Dethemekit For Elementor

CVE-2024-6283

MEDIUM CVSS 5.4 2024-06-27
Threat Entry Updated 2024-11-21

CVE-2024-5451 - Website And Ecommerce Builder For Wordpress Theme

The The7 — Website and eCommerce Builder for WordPress theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' attribute within the plugin's Icon and Heading widgets in all versions up to, and including, 11.13.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Website And Ecommerce Builder For Wordpress

CVE-2024-5451

MEDIUM CVSS 6.4 2024-06-25
Threat Entry Updated 2024-11-21

CVE-2024-5966 - Grey Opaque Theme

The Grey Opaque theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Download-Button shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Grey Opaque

CVE-2024-5966

MEDIUM CVSS 6.4 2024-06-22
Threat Entry Updated 2024-11-21

CVE-2024-5965 - Mosaic Theme

The Mosaic theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter within the theme's Button shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Mosaic

CVE-2024-5965

MEDIUM CVSS 6.4 2024-06-22
Threat Entry Updated 2024-11-21

CVE-2024-5346 - Flatsome Theme

The Flatsome theme for WordPress is vulnerable to Stored Cross-Site Scripting via the UX Countdown, Video Button, UX Video, UX Slider, UX Sidebar, and UX Payment Icons shortcodes in all versions up to, and including, 3.18.7 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Flatsome

CVE-2024-5346

MEDIUM CVSS 6.4 2024-06-22
Threat Entry Updated 2024-11-21

CVE-2024-3610 - Wp Child Theme Generator

The WP Child Theme Generator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wctg_easy_child_theme() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to create a blank child theme and activate it, causing the site to whitescreen.

THEME Wp Child Theme Generator

CVE-2024-3610

MEDIUM CVSS 5.3 2024-06-21
Threat Entry Updated 2024-11-21

CVE-2024-5156 - Flatsome Theme

The Flatsome theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.18.7 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Flatsome

CVE-2024-5156

MEDIUM CVSS 6.4 2024-06-20
Threat Entry Updated 2024-11-21

CVE-2023-3204 - Materialis Theme

The Materialis theme for WordPress is vulnerable to limited arbitrary options updates in versions up to, and including, 1.1.24. This is due to missing authorization checks on the companion_disable_popup() function called via an AJAX action. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to modify any option on the site to a numerical value.

THEME Materialis

CVE-2023-3204

MEDIUM CVSS 6.5 2024-06-20