Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-02-21
CVE-2024-13783 - Formcraft Plugin
The FormCraft plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in formcraft-main.php in all versions up to, and including, 3.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export all plugin data which may contain sensitive information from form submissions.
PLUGIN
Formcraft
CVE-2024-13783
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13369 - Tour Master Plugin
The Tour Master - Tour Booking, Travel, Hotel plugin for WordPress is vulnerable to time-based SQL Injection via the ‘review_id’ parameter in all versions up to, and including, 5.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Tour Master
CVE-2024-13369
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13395 - Threepress Plugin
The Threepress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'threepress' shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Threepress
CVE-2024-13395
Risk Score
Threat Entry
Updated 2025-08-01
CVE-2024-13316 - Scratch Win Plugin
The Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the apmswn_create_discount() function in all versions up to, and including, 2.8.0. This makes it possible for unauthenticated attackers to create coupons.
PLUGIN
Scratch Win
CVE-2024-13316
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13718 - Flexible Wishlist For Woocommerce Plugin
The Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.26. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to modify/update/create other user's wishlists via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Flexible Wishlist For Woocommerce
CVE-2024-13718
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2025-0864 - Active Products Tables For Woocommerce Plugin
The Active Products Tables for WooCommerce. Use constructor to create tables plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcodes_set' parameter in all versions up to, and including, 1.0.6.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Active Products Tables For Woocommerce
CVE-2025-0864
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13575 - Web Stories Enhancer Plugin
The Web Stories Enhancer – Level Up Your Web Stories plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'web_stories_enhancer' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Web Stories Enhancer
CVE-2024-13575
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13465 - Ablocks Plugin
The aBlocks – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the "Table Of Content" Block, specifically in the "markerView" attribute, in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ablocks
CVE-2024-13465
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-11895 - Online Payments Get Paid With Paypal Square Stripe Plugin
The Online Payments – Get Paid with PayPal, Square & Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.20.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Online Payments Get Paid With Paypal Square Stripe
CVE-2024-11895
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13795 - Ecwid Ecommerce Shopping Cart Plugin
The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.12.27. This is due to missing or incorrect nonce validation on the ecwid_deactivate_feedback() function. This makes it possible for unauthenticated attackers to send deactivation messages on behalf of a site owner via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Ecwid Ecommerce Shopping Cart
CVE-2024-13795
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-11376 - S2member Plugin
The s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 241114. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
S2member
CVE-2024-11376
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13523 - Memorialday Plugin
The MemorialDay plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Memorialday
CVE-2024-13523
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13438 - Speedsize Image Video Ai Optimizer Plugin
The SpeedSize Image & Video AI-Optimizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.1. This is due to missing or incorrect nonce validation on the 'speedsize_clear_css_cache_action' function. This makes it possible for unauthenticated attackers to clear the plugins cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Speedsize Image Video Ai Optimizer
CVE-2024-13438
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2025-0805 - Mortgage Loan Calculator Plugin
The Mortgage Calculator / Loan Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mlcalc' shortcode in all versions up to, and including, 1.5.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Mortgage Loan Calculator
CVE-2025-0805
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13848 - Reaction Buttons Plugin
The Reaction Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Reaction Buttons
CVE-2024-13848
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2025-0796 - Wprequal Plugin
The Mortgage Lead Capture System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.2.10. This is due to missing or incorrect nonce validation on the 'wprequal_reset_defaults' action. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Wprequal
CVE-2025-0796
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13687 - Team Builder Plugin
The Team Builder – Meet the Team plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_team_builder_options() function in all versions up to, and including, 1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings.
PLUGIN
Team Builder
CVE-2024-13687
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13609 - 1 Click Migration Plugin
The 1 Click WordPress Migration Plugin – 100% FREE for a limited time plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1 via the class-ocm-backup.php. This makes it possible for unauthenticated attackers to extract sensitive data including usernames and their respective password hashes during a short window of time in which the backup is in process.
PLUGIN
1 Click Migration
CVE-2024-13609
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13595 - Simple Signup Form Plugin
The Simple Signup Form plugin for WordPress is vulnerable to SQL Injection via the 'id' attribute of the 'ssf' shortcode in all versions up to, and including, 1.6.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Simple Signup Form
CVE-2024-13595
Risk Score
Threat Entry
Updated 2025-02-21
CVE-2024-13588 - Simplebooklet Plugin
The Simplebooklet PDF Viewer and Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'simplebooklet' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Simplebooklet
CVE-2024-13588
Risk Score