Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-03-27
CVE-2025-2635 - Digital License Manager Plugin
The Digital License Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg() function without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Digital License Manager
CVE-2025-2635
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-2510 - Frndzk Expandable Bottom Bar Plugin
The Frndzk Expandable Bottom Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'text' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Frndzk Expandable Bottom Bar
CVE-2025-2510
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2024-13731 - Alert Box Block Plugin
The Alert Box Block – Display notice/alerts in the front end. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Alert Box block in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Alert Box Block
CVE-2024-13731
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2024-13710 - Estatebud Properties Listings Plugin
The Estatebud – Properties & Listings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.5.0. This is due to missing or incorrect nonce validation on the 'estatebud_settings' page. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Estatebud Properties Listings
CVE-2024-13710
Risk Score
Threat Entry
Updated 2025-08-08
CVE-2025-2252 - Easy Digital Downloads Plugin
The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.6.1 via the edd_ajax_get_download_title() function. This makes it possible for unauthenticated attackers to extract private post titles of downloads. The impact here is minimal.
PLUGIN
Easy Digital Downloads
CVE-2025-2252
Risk Score
Threat Entry
Updated 2025-08-11
CVE-2025-1320 - Teachpress Plugin
The teachPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.0.9. This is due to missing or incorrect nonce validation on the import.php page. This makes it possible for unauthenticated attackers to delete imports via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Teachpress
CVE-2025-1320
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2024-12623 - Dicom Support Plugin
The DICOM Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dcm' shortcode in all versions up to, and including, 0.10.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Dicom Support
CVE-2024-12623
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-2224 - Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings
The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'parse_query' function in all versions up to, and including, 8.2. This makes it possible for unauthenticated attackers to update the post_status of any post to 'publish'.
PLUGIN
Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings
CVE-2025-2224
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-0845 - DesignThemes Core Features
The DesignThemes Core Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
THEME
DesignThemes Core Features
CVE-2025-0845
Risk Score
Threat Entry
Updated 2025-04-29
CVE-2024-9770 - Before 16 Plugin
The WP-Recall WordPress plugin before 16.26.12 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
PLUGIN
Before 16
CVE-2024-9770
Risk Score
Threat Entry
Updated 2025-05-06
CVE-2024-13118 - Ip Based Login Plugin
The IP Based Login WordPress plugin before 2.4.1 does not have CSRF checks in some places, which could allow attackers to make logged in users delete all logs via a CSRF attack
PLUGIN
Ip Based Login
CVE-2024-13118
Risk Score
Threat Entry
Updated 2025-05-06
CVE-2024-12682 - Smart Maintenance Mode Plugin
The Smart Maintenance Mode WordPress plugin before 1.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Smart Maintenance Mode
CVE-2024-12682
Risk Score
Threat Entry
Updated 2025-04-29
CVE-2024-11503 - Before 2 Plugin
The WP Tabs WordPress plugin before 2.2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 2
CVE-2024-11503
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-11273 - Smtp Plugin For Wordpress By Pirateforms
The Contact Form & SMTP Plugin for WordPress by PirateForms WordPress plugin before 2.6.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Smtp Plugin For Wordpress By Pirateforms
CVE-2024-11273
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-11272 - Smtp Plugin For Wordpress By Pirateforms
The Contact Form & SMTP Plugin for WordPress by PirateForms WordPress plugin before 2.6.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Smtp Plugin For Wordpress By Pirateforms
CVE-2024-11272
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-10703 - Registrations For The Events Calendar Plugin
The Registrations for the Events Calendar WordPress plugin before 2.13.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Registrations For The Events Calendar
CVE-2024-10703
Risk Score
Threat Entry
Updated 2025-05-06
CVE-2024-10679 - Before 9 Plugin
The Quiz and Survey Master (QSM) WordPress plugin before 9.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 9
CVE-2024-10679
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2024-10566 - Slider By 10web Plugin
The Slider by 10Web WordPress plugin before 1.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Slider By 10web
CVE-2024-10566
Risk Score
Threat Entry
Updated 2025-04-02
CVE-2024-10565 - Slider By 10web Plugin
The Slider by 10Web WordPress plugin before 1.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Slider By 10web
CVE-2024-10565
Risk Score
Threat Entry
Updated 2025-04-29
CVE-2024-12109 - Before 1 Plugin
The Product Labels For Woocommerce (Sale Badges) WordPress plugin before 1.5.9 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
PLUGIN
Before 1
CVE-2024-12109
Risk Score