
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 1941-1960 of 3045 records
Threat Entry Updated 2025-03-21

CVE-2024-5091 - Skt Addons For Elementor Plugin

The SKT Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Age Gate and Creative Slider widgets in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Skt Addons For Elementor

CVE-2024-5091

HIGH CVSS 7.4 2024-06-08
Threat Entry Updated 2025-04-08

CVE-2024-3668 - Powerpack Addons For Elementor Plugin

The PowerPack Pro for Elementor plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.10.17. This is due to the plugin not restricting low privileged users from setting a default role for a registration form. This makes it possible for authenticated attackers, with contributor-level access and above, to create a registration form with administrator set as the default role and then register as an administrator.

PLUGIN Powerpack Addons For Elementor

CVE-2024-3668

HIGH CVSS 8.8 2024-06-08
Threat Entry Updated 2024-11-21

CVE-2024-5599 - Fileorganizer Plugin

The FileOrganizer – Manage WordPress and Website Files plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.7 via the 'fileorganizer_ajax_handler' function. This makes it possible for unauthenticated attackers to extract sensitive data including backups or other sensitive information if the files have been moved to the built-in Trash folder.

PLUGIN Fileorganizer

CVE-2024-5599

HIGH CVSS 7.5 2024-06-07
Threat Entry Updated 2024-11-21

CVE-2024-5542 - Master Addons Plugin

The Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Navigation Menu widget of the plugin's Mega Menu extension in all versions up to, and including, 2.0.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Master Addons

CVE-2024-5542

HIGH CVSS 7.2 2024-06-07
Threat Entry Updated 2024-11-21

CVE-2024-5637 - Market Exporter Plugin

The Market Exporter plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'remove_files' function in all versions up to, and including, 2.0.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to use path traversal to delete arbitrary files on the server.

PLUGIN Market Exporter

CVE-2024-5637

HIGH CVSS 7.5 2024-06-07
Threat Entry Updated 2024-11-21

CVE-2024-4902 - Tutor Lms Plugin

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the ‘course_id’ parameter in all versions up to, and including, 2.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with admin access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Tutor Lms

CVE-2024-4902

HIGH CVSS 7.2 2024-06-07
Threat Entry Updated 2024-11-21

CVE-2024-4887 - Qi Addons For Elementor Plugin

The Qi Addons For Elementor plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 1.7.2 via the 'behavior' attributes found in the qi_addons_for_elementor_blog_list shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include remote files on the server, resulting in code execution. Please note that this requires an attacker to create a non-existent directory or target an instance where file_exists won't return false with a non-existent directory in the path, in order to successfully exploit.

PLUGIN Qi Addons For Elementor

CVE-2024-4887

HIGH CVSS 7.5 2024-06-07
Threat Entry Updated 2024-11-21

CVE-2024-5329 - Unlimited Elements For Elementor Plugin

The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to blind SQL Injection via the ‘data[addonID]’ parameter in all versions up to, and including, 1.5.109 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Unlimited Elements For Elementor

CVE-2024-5329

HIGH CVSS 8.8 2024-06-06
Threat Entry Updated 2024-11-21

CVE-2024-5324 - Otp Login Woocommerce Gravity Forms Plugin

The Login/Signup Popup ( Inline Form + Woocommerce ) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'import_settings' function in versions 2.7.1 to 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.

PLUGIN Otp Login Woocommerce Gravity Forms

CVE-2024-5324

HIGH CVSS 8.8 2024-06-06
Threat Entry Updated 2024-11-21

CVE-2024-5179 - Cowidgets Elementor Addons Plugin

The Cowidgets – Elementor Addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.1 via the 'item_style' and 'style' parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

PLUGIN Cowidgets Elementor Addons

CVE-2024-5179

HIGH CVSS 8.8 2024-06-06
Threat Entry Updated 2024-11-21

CVE-2023-6968 - The Moneytizer Plugin

The The Moneytizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.5.20. This is due to missing or incorrect nonce validation on multiple AJAX functions. This makes it possible for unauthenticated attackers to update and retrieve billing and bank details, update and reset the plugin's settings, and update languages as well as other lower-severity actions via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN The Moneytizer

CVE-2023-6968

HIGH CVSS 8.1 2024-06-06
Threat Entry Updated 2024-11-21

CVE-2023-6966 - The Moneytizer Plugin

The The Moneytizer plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on multiple AJAX functions in the /core/core_ajax.php file in all versions up to, and including, 9.5.20. This makes it possible for authenticated attackers, with subscriber access and above, to update and retrieve billing and bank details, update and reset the plugin's settings, and update languages as well as other lower-severity actions.

PLUGIN The Moneytizer

CVE-2023-6966

HIGH CVSS 8.1 2024-06-06
Threat Entry Updated 2025-01-16

CVE-2024-3667 - Brizy Plugin

The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Link To' field of multiple widgets in all versions up to, and including, 2.4.43 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Brizy

CVE-2024-3667

HIGH CVSS 7.4 2024-06-05
Threat Entry Updated 2025-01-16

CVE-2024-2087 - Brizy Plugin

The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form name values in all versions up to, and including, 2.4.43 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Brizy

CVE-2024-2087

HIGH CVSS 7.2 2024-06-05
Threat Entry Updated 2025-01-16

CVE-2024-1940 - Brizy Plugin

The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post content in all versions up to, and including, 2.4.41 due to insufficient input sanitization performed only on the client side and insufficient output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Brizy

CVE-2024-1940

HIGH CVSS 7.1 2024-06-05
Threat Entry Updated 2025-05-06

CVE-2024-4856 - Fs Product Inquiry Plugin

The FS Product Inquiry WordPress plugin through 1.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or unauthenticated users.

PLUGIN Fs Product Inquiry

CVE-2024-4856

HIGH CVSS 8.2 2024-06-04
Threat Entry Updated 2025-06-17

CVE-2024-4749 - Before 10 Plugin

The wp-eMember WordPress plugin before 10.3.9 does not sanitize and escape the "fieldId" parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.

PLUGIN Before 10

CVE-2024-4749

HIGH CVSS 8.3 2024-06-04
Threat Entry Updated 2024-11-21

CVE-2024-3555 - Social Link Pages Plugin

The Social Link Pages: link-in-bio landing pages for your social media profiles plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the import_link_pages() function in all versions up to, and including, 1.6.9. This makes it possible for unauthenticated attackers to inject arbitrary pages and malicious web scripts.

PLUGIN Social Link Pages

CVE-2024-3555

HIGH CVSS 7.2 2024-06-04
Threat Entry Updated 2024-11-21

CVE-2024-2019 - Wp Db Table Editor Plugin

The WP-DB-Table-Editor plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to lack of a default capability requirement on the 'dbte_render' function in all versions up to, and including, 1.8.4. This makes it possible for authenticated attackers, with contributor access and above, to modify database tables that the theme has been configured to use the plugin to edit.

PLUGIN Wp Db Table Editor

CVE-2024-2019

HIGH CVSS 7.5 2024-06-04
Threat Entry Updated 2024-11-21

CVE-2024-4870 - Frontend Registration Contact Form 7 Plugin

The Frontend Registration – Contact Form 7 plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1 due to insufficient restriction on the '_cf7frr_' post meta. This makes it possible for authenticated attackers, with editor-level access and above, to modify the default user role in the registration form settings.

PLUGIN Frontend Registration Contact Form 7

CVE-2024-4870

HIGH CVSS 7.2 2024-06-04