Threat Database
Threat Entry Updated 2025-02-19

CVE-2024-13589 - Jma Youtube Playlists With Schema Plugin

The YouTube Playlists with Schema plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'yt_grid' shortcode in all versions up to, and including, 2.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Jma Youtube Playlists With Schema

CVE-2024-13589

MEDIUM CVSS 6.4 2025-02-19
Threat Entry Updated 2025-02-19

CVE-2024-13462 - Wp Wiki Tooltip Plugin

The WP Wiki Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wiki' shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Wiki Tooltip

CVE-2024-13462

MEDIUM CVSS 6.4 2025-02-19
Threat Entry Updated 2025-02-19

CVE-2024-13405 - Apptivo Business Site Plugin

The Apptivo Business Site CRM plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.3. This is due to missing or incorrect nonce validation on the 'awp_ip_deny' page. This makes it possible for unauthenticated attackers to block IP addresses via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Apptivo Business Site

CVE-2024-13405

MEDIUM CVSS 4.3 2025-02-19
Threat Entry Updated 2025-02-19

CVE-2024-13390 - Admin Form Plugin

The ADFO – Custom data in admin dashboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'adfo_list' shortcode in all versions up to, and including, 1.9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Admin Form

CVE-2024-13390

MEDIUM CVSS 6.4 2025-02-19
Threat Entry Updated 2025-02-19

CVE-2024-12522 - Yay! Forms Plugin

The Yay! Forms | Embed Custom Forms, Surveys, and Quizzes Easily plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'yayforms' shortcode in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Yay! Forms

CVE-2024-12522

MEDIUM CVSS 6.4 2025-02-19
Threat Entry Updated 2025-02-19

CVE-2024-11778 - CanadaHelps Embedded Donation Form Plugin

The CanadaHelps Embedded Donation Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'embedcdn' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN CanadaHelps Embedded Donation Form

CVE-2024-11778

MEDIUM CVSS 6.4 2025-02-19
Threat Entry Updated 2025-02-19

CVE-2024-12339 - Wedesin Html Sitemap Plugin

The Digihood HTML Sitemap plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'channel' parameter in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Wedesin Html Sitemap

CVE-2024-12339

MEDIUM CVSS 6.1 2025-02-19
Threat Entry Updated 2025-02-19

CVE-2024-12069 - Lexicata Plugin

The Lexicata plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute if they can successfully trick a user into performing an action, such as clicking on a specially crafted link.

PLUGIN Lexicata

CVE-2024-12069

MEDIUM CVSS 6.1 2025-02-19
Threat Entry Updated 2025-02-19

CVE-2024-11753 - Umich Oidc Login Plugin

The UMich OIDC Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'umich_oidc_button' shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Umich Oidc Login

CVE-2024-11753

MEDIUM CVSS 6.4 2025-02-19
Threat Entry Updated 2025-02-19

CVE-2024-11335 - Ultraembed Advanced Iframe Plugin

The UltraEmbed – Advanced Iframe Plugin For WordPress with Gutenberg Block Included plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframe' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ultraembed Advanced Iframe

CVE-2024-11335

MEDIUM CVSS 6.4 2025-02-19
Threat Entry Updated 2025-02-19

CVE-2025-1065 - Visualizer: Tables and Charts Manager for WordPress Plugin

The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Import Data From File feature in all versions up to, and including, 3.11.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Visualizer: Tables and Charts Manager for WordPress

CVE-2025-1065

MEDIUM CVSS 6.4 2025-02-19
Threat Entry Updated 2025-02-19

CVE-2024-13799 - User Private Files Plugin

The User Private Files – File Upload & Download Manager with Secure File Sharing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'new-fldr-name' parameter in all versions up to, and including, 2.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN User Private Files

CVE-2024-13799

MEDIUM CVSS 6.4 2025-02-19
Threat Entry Updated 2025-02-28

CVE-2025-1441 - Royal Elementor Addons Plugin

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1007. This is due to missing or incorrect nonce validation on the 'wpr_filter_woo_products' function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Royal Elementor Addons

CVE-2025-1441

MEDIUM CVSS 6.1 2025-02-19
Threat Entry Updated 2025-02-19

CVE-2024-13443 - Easypromos Plugin

The Easypromos Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Easypromos shortcode in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Easypromos

CVE-2024-13443

MEDIUM CVSS 6.4 2025-02-19
Threat Entry Updated 2025-02-19

CVE-2024-13508 - Booking Package Plugin

The Booking Package plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the locale parameter in all versions up to, and including, 1.6.72 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Booking Package

CVE-2024-13508

MEDIUM CVSS 6.1 2025-02-19
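The three reflected-XSS entries above (Digihood HTML Sitemap, Lexicata, Booking Package) describe two different sinks: a request parameter echoed into the page, and the return value of add_query_arg() written into a link. The following is an added example, not code from any of those plugins; only the parameter name 'channel' is taken from the CVE-2024-12339 text, the function names and markup are hypothetical. It is meant to run inside WordPress (for instance as a mu-plugin).

```php
<?php
/**
 * Added example: the two reflected-XSS sinks named in the advisories, each
 * beside its escaped form. Hypothetical function names and markup.
 */

// VULNERABLE: both values reach the page without output escaping.
function demo_render_filter_form_vulnerable() {
    $channel = isset( $_GET['channel'] ) ? wp_unslash( $_GET['channel'] ) : '';

    // Sink 1: a request parameter echoed straight into an attribute. A quote in
    // the value closes the attribute and anything after it becomes markup.
    echo '<input type="text" name="channel" value="' . $channel . '">';

    // Sink 2: add_query_arg() with no URL argument builds on
    // $_SERVER['REQUEST_URI'], which the requester controls, and returns it
    // unescaped; WordPress documents that the result must be late-escaped.
    echo '<a href="' . add_query_arg( 'paged', 2 ) . '">Next</a>';
}

// HARDENED: sanitize on input, and escape on output for the exact context.
function demo_render_filter_form_hardened() {
    $channel = isset( $_GET['channel'] )
        ? sanitize_text_field( wp_unslash( $_GET['channel'] ) )
        : '';

    // sanitize_text_field() strips tags and control characters but keeps quotes,
    // so it is not a substitute for esc_attr() in an attribute context.
    echo '<input type="text" name="channel" value="' . esc_attr( $channel ) . '">';

    // esc_url() encodes quotes and angle brackets and drops disallowed schemes.
    echo '<a href="' . esc_url( add_query_arg( 'paged', 2 ) ) . '">Next</a>';
}
```

The split between sanitizing (what may be stored or processed) and escaping (how it is written into a given context) is the point of the "insufficient input sanitization and output escaping" wording used throughout these entries: either half alone leaves a path to script execution.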
Threat Entry Updated 2025-02-18

CVE-2024-13743 - Wonderplugin Video Embed Plugin

The Wonder Video Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wonderplugin_video shortcode in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wonderplugin Video Embed

CVE-2024-13743

MEDIUM CVSS 6.4 2025-02-18
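Most of the stored-XSS entries on this page (YouTube Playlists with Schema, WP Wiki Tooltip, ADFO, Yay! Forms, CanadaHelps, UMich OIDC Login, UltraEmbed, Easypromos, Wonder Video Embed) share one shape: a shortcode handler writes its attributes into HTML without escaping. Contributors cannot post raw HTML, because WordPress runs kses over their content, but shortcode text survives that filter and is expanded at render time, so attribute values become an unfiltered path into the page. The following is an added example, not code from any listed plugin; the shortcode tag 'demo_embed' and its attributes are hypothetical. The same escaping rules apply to the entries where the stored value arrives as a saved parameter rather than a shortcode attribute.

```php
<?php
/**
 * Added example: a shortcode that echoes its attributes unescaped, beside a
 * hardened version. Hypothetical tag and attribute names; runs inside WordPress.
 */

// VULNERABLE: attributes are interpolated into HTML as-is. shortcode_atts()
// only fills in defaults; it does not sanitize or escape anything.
function demo_embed_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '', 'title' => '', 'width' => '100%' ),
        $atts,
        'demo_embed'
    );
    return '<div class="demo-embed" style="width:' . $atts['width'] . '">'
         . '<a href="' . $atts['url'] . '">' . $atts['title'] . '</a>'
         . '</div>';
}

// HARDENED: every value is escaped for the context it lands in, and values
// with a known-good shape are validated rather than escaped.
function demo_embed_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '', 'title' => '', 'width' => '100%' ),
        $atts,
        'demo_embed'
    );

    // CSS value: accept only a simple length, otherwise fall back to the default.
    $width = preg_match( '/^\d{1,4}(px|%)$/', $atts['width'] ) ? $atts['width'] : '100%';

    // esc_attr() for attribute context, esc_url() for href (also rejects
    // javascript: and other non-allowlisted schemes), esc_html() for text.
    return '<div class="demo-embed" style="width:' . esc_attr( $width ) . '">'
         . '<a href="' . esc_url( $atts['url'] ) . '">' . esc_html( $atts['title'] ) . '</a>'
         . '</div>';
}

add_shortcode( 'demo_embed', 'demo_embed_hardened' );
```

When auditing a plugin for this class, grep its add_shortcode() callbacks and check each attribute from the point it leaves shortcode_atts() to the point it is concatenated into output; any path without an esc_* call matching the output context is a finding of exactly the kind listed above.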
Threat Entry Updated 2025-02-18

CVE-2025-27013 - MediCenter - Health Medical Clinic WordPress Theme

Missing Authorization vulnerability in EPC MediCenter - Health Medical Clinic WordPress Theme allows an attacker to exploit incorrectly configured access control levels. The affected version range is not specified in the advisory (listed as n/a through n/a).

THEME MediCenter - Health Medical Clinic WordPress Theme

CVE-2025-27013

MEDIUM CVSS 5.3 2025-02-18
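The Apptivo and Royal Elementor Addons entries are CSRF via missing nonce validation; the MediCenter entry is missing authorization. They are distinct controls that a state-changing admin action needs both of: a capability check answers "may this user do this", a nonce answers "did this request come from a form we rendered for this user". The following is an added example, not code from any of those products; the action name 'demo_deny_ip', the option name and the form are hypothetical. It runs inside WordPress via the admin-post.php handler.

```php
<?php
/**
 * Added example: an IP-deny admin action of the kind the CSRF and
 * missing-authorization entries describe, vulnerable and hardened.
 * Hypothetical action and option names.
 */

// VULNERABLE: any POST to admin-post.php?action=demo_deny_ip is honoured.
// No nonce, so a page the administrator is lured onto can auto-submit the form
// cross-site; no capability check, so any logged-in user can call it directly.
function demo_deny_ip_vulnerable() {
    $deny   = (array) get_option( 'demo_ip_deny', array() );
    $deny[] = $_POST['ip'];
    update_option( 'demo_ip_deny', array_unique( $deny ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}

// HARDENED: authorization, request-origin check, then input validation.
function demo_deny_ip_hardened() {
    // 1. Authorization (the missing-authorization class).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. Anti-CSRF: check_admin_referer() dies with a 403 when the nonce is
    //    absent, expired or was issued for another user or action.
    check_admin_referer( 'demo_deny_ip_action', 'demo_deny_ip_nonce' );

    // 3. Validate the value; a deny list of arbitrary strings is still abuse surface.
    $ip = isset( $_POST['ip'] ) ? trim( wp_unslash( $_POST['ip'] ) ) : '';
    if ( ! filter_var( $ip, FILTER_VALIDATE_IP ) ) {
        wp_die( 'Invalid IP address', 400 );
    }

    $deny   = (array) get_option( 'demo_ip_deny', array() );
    $deny[] = $ip;
    update_option( 'demo_ip_deny', array_values( array_unique( $deny ) ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}
add_action( 'admin_post_demo_deny_ip', 'demo_deny_ip_hardened' );

// The form must carry the nonce the handler verifies; wp_nonce_field() emits
// the hidden field named in check_admin_referer() plus the referer field.
function demo_deny_ip_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="demo_deny_ip">';
    wp_nonce_field( 'demo_deny_ip_action', 'demo_deny_ip_nonce' );
    echo '<input type="text" name="ip"> <button type="submit">Block IP</button>';
    echo '</form>';
}
```

Note the ordering: the capability check comes first so that an unauthorized caller never learns whether a nonce was valid, and the nonce check precedes any use of the submitted data.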
Threat Entry Updated 2025-02-18

CVE-2024-13689 - Uncode Core Plugin

The Uncode Core plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.9.1.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.

PLUGIN Uncode Core

CVE-2024-13689

MEDIUM CVSS 6.3 2025-02-18
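"Arbitrary shortcode execution" means a request value is passed to do_shortcode() without being checked first, which lets a low-privileged user run any shortcode registered by any active plugin, including ones written on the assumption that only editors can place them in content. The following is an added example, not Uncode Core's code; the AJAX action name, parameters and the allowlist are hypothetical. It runs inside WordPress.

```php
<?php
/**
 * Added example: an AJAX endpoint that executes a request value as shortcode
 * text, beside an allowlisted version. Hypothetical action and parameter names.
 */

// VULNERABLE: whatever a logged-in user sends is rendered as shortcode text.
function demo_ajax_render_vulnerable() {
    echo do_shortcode( wp_unslash( $_POST['content'] ) );
    wp_die();
}

// HARDENED: never execute caller-supplied shortcode strings. Accept an
// identifier, map it to a fixed tag, and assemble the attributes yourself.
function demo_ajax_render_hardened() {
    check_ajax_referer( 'demo_render', 'nonce' );

    // Which shortcodes this endpoint may render, and which attributes each accepts.
    $allowed = array(
        'gallery'  => array( 'tag' => 'gallery',  'atts' => array( 'ids' ) ),
        'playlist' => array( 'tag' => 'playlist', 'atts' => array( 'ids', 'type' ) ),
    );

    $kind = isset( $_POST['kind'] ) ? sanitize_key( $_POST['kind'] ) : '';
    if ( ! isset( $allowed[ $kind ] ) || ! shortcode_exists( $allowed[ $kind ]['tag'] ) ) {
        wp_send_json_error( 'unknown block', 400 );
    }

    $atts = array();
    foreach ( $allowed[ $kind ]['atts'] as $name ) {
        if ( isset( $_POST[ $name ] ) ) {
            // Attribute values are injection surface too: keep them to a
            // conservative charset so nothing can close the tag or add attributes.
            $atts[ $name ] = preg_replace( '/[^A-Za-z0-9,_-]/', '', wp_unslash( $_POST[ $name ] ) );
        }
    }

    $shortcode = '[' . $allowed[ $kind ]['tag'];
    foreach ( $atts as $name => $value ) {
        $shortcode .= ' ' . $name . '="' . $value . '"';
    }
    $shortcode .= ']';

    wp_send_json_success( do_shortcode( $shortcode ) );
}
add_action( 'wp_ajax_demo_render', 'demo_ajax_render_hardened' );
```

The allowlist is the control; the nonce check alone would not help here, since the advisory's threat is a legitimately logged-in subscriber, not a cross-site request.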
Threat Entry Updated 2025-02-21

CVE-2024-13691 - Uncode Theme

The Uncode theme for WordPress is vulnerable to arbitrary file read due to insufficient input validation in the 'uncode_recordMedia' function in all versions up to, and including, 2.9.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary files on the server.

THEME Uncode

CVE-2024-13691

MEDIUM CVSS 6.5 2025-02-18
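The page does not say which input 'uncode_recordMedia' fails to validate, so the following added example (not Uncode's code) shows only the generic control for the assumed shape of such a bug: a handler that reads a file named by the request and must confine that name to a base directory. The function names and the temp-directory setup are hypothetical, and the block runs stand-alone with the PHP CLI because it relies on realpath() rather than WordPress functions.

```php
<?php
/**
 * Added example: confining a request-supplied file name to a base directory.
 * Hypothetical function names; assumed bug shape, not Uncode's actual code.
 */

// VULNERABLE shape: the request names the file; "../" segments walk out of
// the intended directory and any readable file on the server can be fetched.
function demo_read_media_vulnerable( $uploads_dir, $requested ) {
    return file_get_contents( $uploads_dir . '/' . $requested );
}

/**
 * Resolve $requested inside $base_dir, or return null. realpath() collapses
 * "..", symlinks and duplicate separators before the prefix comparison, and the
 * trailing separator stops "/srv/uploads-private" matching "/srv/uploads".
 */
function demo_resolve_inside( $base_dir, $requested ) {
    $base = realpath( $base_dir );
    if ( $base === false ) {
        return null;
    }
    // Reject NUL bytes up front; PHP filesystem functions refuse them anyway,
    // and failing closed here keeps the error path uniform.
    if ( strpos( $requested, "\0" ) !== false ) {
        return null;
    }
    $target = realpath( $base . DIRECTORY_SEPARATOR . $requested );
    if ( $target === false || ! is_file( $target ) ) {
        return null;
    }
    $prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    return strncmp( $target, $prefix, strlen( $prefix ) ) === 0 ? $target : null;
}

function demo_read_media_hardened( $uploads_dir, $requested ) {
    $path = demo_resolve_inside( $uploads_dir, $requested );
    if ( $path === null ) {
        return null; // the caller turns this into a 403/404 response
    }
    return file_get_contents( $path );
}

// Constructed demonstration: one file inside the base, one just outside it.
$base   = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_uploads_' . getmypid();
$secret = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_secret_' . getmypid();
mkdir( $base );
file_put_contents( $base . DIRECTORY_SEPARATOR . 'ok.txt', 'inside' );
file_put_contents( $secret, 'outside' );

var_dump( demo_read_media_hardened( $base, 'ok.txt' ) );
var_dump( demo_read_media_hardened( $base, '..' . DIRECTORY_SEPARATOR . basename( $secret ) ) );
var_dump( demo_read_media_vulnerable( $base, '..' . DIRECTORY_SEPARATOR . basename( $secret ) ) );

unlink( $base . DIRECTORY_SEPARATOR . 'ok.txt' );
unlink( $secret );
rmdir( $base );
```

In a WordPress handler the resolved path check belongs alongside a capability check and a nonce; the advisory's Subscriber-level threshold indicates the endpoint was reachable by any logged-in user, so confining the path is necessary but not the only missing control.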
Threat Entry Updated 2025-02-21

CVE-2024-13667 - Uncode Theme

The Uncode theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mle-description' parameter in all versions up to, and including, 2.9.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Uncode

CVE-2024-13667

MEDIUM CVSS 5.4 2025-02-18