
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 10,866 | Critical 0 | High 0 | Medium 10,866
Showing 4241-4260 of 10866 records
Threat Entry Updated 2025-02-18

CVE-2024-12415 - Infographic And List Builder Ilist Plugin

The AI Infographic Maker plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.9.0. This is due to the plugin exposing an action that passes a value to do_shortcode() without validating it first. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN Infographic And List Builder Ilist

CVE-2024-12415

MEDIUM CVSS 6.5 2025-01-31
Threat Entry Updated 2025-02-18

CVE-2024-13662 - Ehive Objects Image Grid Plugin

The eHive Objects Image Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ehive_objects_image_grid' shortcode in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ehive Objects Image Grid

CVE-2024-13662

MEDIUM CVSS 6.4 2025-01-31
Threat Entry Updated 2025-08-11

CVE-2024-12267 - Drag And Drop Multiple File Upload Contact Form 7 Plugin

The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited arbitrary file deletion due to insufficient file path validation in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.8.5. This makes it possible for unauthenticated attackers to delete limited arbitrary files on the server. It is not possible to delete files like wp-config.php that would make RCE possible.

PLUGIN Drag And Drop Multiple File Upload Contact Form 7

CVE-2024-12267

MEDIUM CVSS 5.3 2025-01-31
Threat Entry Updated 2025-01-31

CVE-2024-12037 - Changeset Plugin

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bf_new_submission_link' shortcode in all versions up to, and including, 2.8.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Changeset

CVE-2024-12037

MEDIUM CVSS 6.4 2025-01-31
Threat Entry Updated 2025-01-31

CVE-2024-13566 - Wp Datatable Plugin

The WP DataTable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 0.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
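Added example, not code from any plugin on this page, serving CVE-2024-12415 (arbitrary shortcode execution) and the shortcode-attribute XSS entries CVE-2024-13662, CVE-2024-12037 and CVE-2024-13566. It is a toy shortcode processor modelled on WordPress's do_shortcode() with two defences: an allow-list of tags that untrusted input may trigger, and esc_attr()-style escaping of attribute values before they are written into HTML. The tag names `image_grid` and `dump_config`, their handlers and the payload are invented for the demo; real WordPress do_shortcode() has no allow-list parameter, so there the equivalent is to validate the tag against an allow-list before calling it, or not to pass user input to it at all.

```python
import html
import re
from typing import Callable, Dict, Optional, Set

# Added example, not code from any plugin listed here. A toy shortcode processor
# modelled on WordPress's do_shortcode() that shows the two defences these entries
# call for:
#   1. an allow-list of shortcodes that untrusted input may trigger (the missing
#      validation behind CVE-2024-12415), and
#   2. attribute escaping before values reach HTML (the missing output escaping
#      behind CVE-2024-13662, CVE-2024-12037 and CVE-2024-13566).
# The tag names 'image_grid' and 'dump_config' and their handlers are invented.

SHORTCODE_RE = re.compile(r"\[(\w+)((?:\s+\w+=(?:\"[^\"]*\"|'[^']*'))*)\s*\]")
ATTR_RE = re.compile(r"(\w+)=(?:\"([^\"]*)\"|'([^']*)')")

Handler = Callable[[Dict[str, str]], str]


def parse_atts(raw: str) -> Dict[str, str]:
    """Parse name="value" / name='value' pairs, like shortcode_parse_atts()."""
    atts = {}
    for m in ATTR_RE.finditer(raw):
        atts[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return atts


def image_grid_unsafe(atts: Dict[str, str]) -> str:
    # Vulnerable pattern: the attribute is interpolated into markup verbatim.
    return f'<div class="grid" data-width="{atts.get("width", "100")}"></div>'


def image_grid_safe(atts: Dict[str, str]) -> str:
    # Hardened: the esc_attr() equivalent turns quotes and angle brackets into entities.
    width = html.escape(atts.get("width", "100"), quote=True)
    return f'<div class="grid" data-width="{width}"></div>'


def dump_config(atts: Dict[str, str]) -> str:
    # Stands in for a shortcode that only an administrator should be able to run.
    return "<pre>db_password=hunter2</pre>"


UNSAFE_REGISTRY: Dict[str, Handler] = {"image_grid": image_grid_unsafe, "dump_config": dump_config}
SAFE_REGISTRY: Dict[str, Handler] = {"image_grid": image_grid_safe, "dump_config": dump_config}


def do_shortcode(text: str, registry: Dict[str, Handler], allowed: Optional[Set[str]] = None) -> str:
    """Expand registered shortcodes in text; with an allow-list, anything else stays literal."""
    def expand(m: "re.Match[str]") -> str:
        tag, raw_atts = m.group(1), m.group(2)
        if tag not in registry:
            return m.group(0)
        if allowed is not None and tag not in allowed:
            return html.escape(m.group(0), quote=True)  # rendered as text, never executed
        return registry[tag](parse_atts(raw_atts))
    return SHORTCODE_RE.sub(expand, text)


# Constructed contributor-supplied content: the single-quoted value smuggles a
# double quote that closes data-width and starts an event handler.
PAYLOAD = "[image_grid width='\" onmouseover=\"alert(1)']"


def render_unsafe() -> str:
    return do_shortcode(PAYLOAD, UNSAFE_REGISTRY)


def render_safe() -> str:
    return do_shortcode(PAYLOAD, SAFE_REGISTRY)


def render_for_anonymous(text: str) -> str:
    """What an unauthenticated request may expand: only the allow-listed tag."""
    return do_shortcode(text, SAFE_REGISTRY, allowed={"image_grid"})


if __name__ == "__main__":
    print(render_unsafe())
    print(render_safe())
    print(render_for_anonymous("[dump_config]"))
```

The unsafe handler emits `data-width="" onmouseover="alert(1)"`, which is exactly the stored XSS a Contributor gets from an unescaped attribute; the safe handler leaves `&quot;` in its place and the browser never sees an event attribute. The same escaping rule applies to the reflected XSS entries further down this page, where a request parameter is echoed back without esc_html()/esc_attr(). Note that escaping alone does not help CVE-2024-12415: there the problem is which shortcode runs, not how its output is encoded, hence the allow-list.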

PLUGIN Wp Datatable

CVE-2024-13566

MEDIUM CVSS 6.4 2025-01-31
Threat Entry Updated 2025-01-31

CVE-2024-13157 - Mp3 Music Player By Sonaar Plugin

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Podcast RSS Feed in all versions up to, and including, 5.9.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Mp3 Music Player By Sonaar

CVE-2024-13157

MEDIUM CVSS 6.4 2025-01-31
Threat Entry Updated 2025-01-31

CVE-2024-13530 - Login Page Styler Plugin

The Custom Login Page Styler – Limit Login Attempts – Restrict Content With Login – Redirect After Login – Change Login URL – Sign in , Sign out plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the lps_handle_delete_all_logs(), lps_handle_delete_login_log(), and lps_handle_end_session() functions in all versions up to, and including, 7.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete login logs and end user sessions.

PLUGIN Login Page Styler

CVE-2024-13530

MEDIUM CVSS 4.3 2025-01-31
Threat Entry Updated 2025-01-31

CVE-2024-13623 - Order Export And More For Woocommerce Plugin

The Order Export for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.24 via the 'uploads' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads directory which can contain exported order information. The plugin is only vulnerable when 'Order data storage' is set to 'WordPress posts storage (legacy)', and cannot be exploited when the default option of 'High-performance order storage' is enabled.
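Added example, not code from the Order Export for WooCommerce plugin: an offline check for the exposure described above, listing export-type files under wp-content/uploads that no .htaccess denies. It assumes Apache with AllowOverride honouring .htaccess (nginx ignores those files, so there the equivalent check is against the server config), and that exports use one of the listed extensions; the sample tree is constructed for the demo.

```python
import os
import re
import tempfile
from typing import List

# Added example, not code from the Order Export for WooCommerce plugin. An offline
# check for the exposure this entry describes: export files written under
# wp-content/uploads, which the web server serves to anyone who knows (or guesses)
# the URL. It lists export-type files under uploads that no .htaccess denies.
# Assumptions: Apache with AllowOverride honouring .htaccess (nginx ignores these
# files, so there the check must be made against the server config instead), and
# that exports use one of the extensions below.

EXPORT_EXTENSIONS = {".csv", ".xml", ".xlsx", ".json"}
DENY_RE = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$", re.IGNORECASE | re.MULTILINE)


def denied_by_htaccess(uploads_dir: str, file_dir: str) -> bool:
    """True if a .htaccess in file_dir or any parent up to uploads_dir denies all requests."""
    current = file_dir
    while current.startswith(uploads_dir):
        htaccess = os.path.join(current, ".htaccess")
        if os.path.isfile(htaccess):
            with open(htaccess) as fh:
                if DENY_RE.search(fh.read()):
                    return True
        if current == uploads_dir:
            break
        current = os.path.dirname(current)
    return False


def find_exposed_exports(uploads_dir: str) -> List[str]:
    """Export files under uploads_dir that the web server would hand out, relative to uploads_dir."""
    uploads_dir = os.path.realpath(uploads_dir)
    exposed = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXPORT_EXTENSIONS:
                continue
            if not denied_by_htaccess(uploads_dir, root):
                exposed.append(os.path.relpath(os.path.join(root, name), uploads_dir))
    return sorted(exposed)


def demo() -> List[str]:
    """Constructed uploads tree: one export left readable, one behind a deny rule, one ordinary image."""
    uploads = os.path.join(tempfile.mkdtemp(), "wp-content", "uploads")
    tree = {
        "order-export/orders-2025-01.csv": "order_id,email\n1001,alice@example.com\n",
        "order-export-protected/orders-2025-01.csv": "order_id,email\n1002,bob@example.com\n",
        "order-export-protected/.htaccess": "Require all denied\n",
        "2025/01/photo.jpg": "not really a jpeg\n",
    }
    for rel, content in tree.items():
        path = os.path.join(uploads, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return find_exposed_exports(uploads)


if __name__ == "__main__":
    print(demo())  # expect ['order-export/orders-2025-01.csv']
```

Anything the check reports is readable by an unauthenticated request. A deny rule is a stopgap; the durable fix is to write exports outside the web root (or stream them to the requesting administrator and delete them), since random file names are not a substitute for access control once directory listing or a leaked link is in play.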

PLUGIN Order Export And More For Woocommerce

CVE-2024-13623

MEDIUM CVSS 5.9 2025-01-31
Threat Entry Updated 2025-05-13

CVE-2024-13226 - A5 Custom Login Page Plugin

The A5 Custom Login Page WordPress plugin through 2.8.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN A5 Custom Login Page

CVE-2024-13226

MEDIUM CVSS 6.1 2025-01-31
Threat Entry Updated 2025-05-13

CVE-2024-13225 - Ect Home Page Products Plugin

The ECT Home Page Products WordPress plugin through 1.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Ect Home Page Products

CVE-2024-13225

MEDIUM CVSS 6.1 2025-01-31
Threat Entry Updated 2025-05-12

CVE-2024-13224 - Slidedeck 1 Lite Content Slider Plugin

The SlideDeck 1 Lite Content Slider WordPress plugin through 1.4.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Slidedeck 1 Lite Content Slider

CVE-2024-13224

MEDIUM CVSS 6.1 2025-01-31
Threat Entry Updated 2025-01-31

CVE-2024-13717 - Lead Capturing Call To Actions By Vcita Plugin

The Contact Form and Calls To Action by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_ajax_toggle_ae and vcita_ajax_toggle_contact functions in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to enable and disable widgets.

PLUGIN Lead Capturing Call To Actions By Vcita

CVE-2024-13717

MEDIUM CVSS 4.3 2025-01-31
Threat Entry Updated 2025-01-31

CVE-2024-13424 - Ni Woo Sales Commission Plugin

The Ni Sales Commission For WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'niwoosc_ajax' AJAX endpoint in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings and modify commission amounts.

PLUGIN Ni Woo Sales Commission

CVE-2024-13424

MEDIUM CVSS 4.3 2025-01-31
Threat Entry Updated 2025-01-31

CVE-2024-13415 - Tlp Food Menu Plugin

The Food Menu – Restaurant Menu & Online Ordering for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the response() function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's settings.
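Added example, not code from any plugin on this page, serving the four missing-capability-check entries CVE-2024-13530, CVE-2024-13717, CVE-2024-13424 and CVE-2024-13415. They share one pattern: a handler hooked on wp_ajax_* that never calls current_user_can(). wp_ajax_* hooks fire for every logged-in user, so without that call a Subscriber can reach whatever the handler does. The script below is a crude static triage check for that pattern; the PHP it scans is constructed for the demo and its function names and bodies are invented.

```python
import re
from typing import Dict, List, Optional

# Added example, not code from any of the plugins listed here. A crude static check
# for the pattern shared by CVE-2024-13530, CVE-2024-13717, CVE-2024-13424 and
# CVE-2024-13415: an admin-ajax handler hooked on wp_ajax_* that never calls
# current_user_can(). wp_ajax_* hooks fire for every logged-in user, so without a
# capability check a Subscriber can reach whatever the handler does.
# The PHP below is constructed for this demo; names and bodies are invented.

SAMPLE_PHP = r"""<?php
add_action('wp_ajax_myplugin_delete_logs', 'myplugin_delete_logs');
add_action('wp_ajax_myplugin_end_session', 'myplugin_end_session');
add_action('wp_ajax_nopriv_myplugin_ping', 'myplugin_ping');

function myplugin_delete_logs() {
    // No authorisation at all: any logged-in user can call this via admin-ajax.php.
    delete_option('myplugin_login_logs');
    wp_send_json_success();
}

function myplugin_end_session() {
    check_ajax_referer('myplugin_nonce', 'nonce');     // CSRF token only, not authorisation
    if ( ! current_user_can('manage_options') ) {      // the missing check in the advisories
        wp_send_json_error('forbidden', 403);
    }
    wp_destroy_other_sessions();
    wp_send_json_success();
}

function myplugin_ping() { wp_send_json_success('pong'); }
"""

HOOK_RE = re.compile(r"add_action\(\s*['\"](wp_ajax(?:_nopriv)?_\w+)['\"]\s*,\s*['\"](\w+)['\"]")


def function_body(src: str, name: str) -> Optional[str]:
    """Return the brace-delimited body of `function name(...)`, or None if not found.

    Counts braces naively (string literals and comments containing braces will
    confuse it), which is acceptable for a first-pass triage tool.
    """
    m = re.search(r"\bfunction\s+" + re.escape(name) + r"\s*\(", src)
    if m is None:
        return None
    start = src.find("{", m.end())
    if start < 0:
        return None
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start:i + 1]
    return None


def audit_ajax_handlers(src: str) -> List[Dict[str, object]]:
    """One record per wp_ajax_* registration with what protection the handler body contains."""
    records = []
    for hook, handler in HOOK_RE.findall(src):
        body = function_body(src, handler) or ""
        records.append({
            "hook": hook,
            "handler": handler,
            "public": hook.startswith("wp_ajax_nopriv_"),
            "capability_check": "current_user_can(" in body,
            "nonce_check": bool(re.search(r"check_ajax_referer\(|wp_verify_nonce\(", body)),
        })
    return records


def missing_capability_checks(src: str) -> List[str]:
    """Handlers reachable by any logged-in user that never call current_user_can()."""
    return sorted(
        str(r["handler"]) for r in audit_ajax_handlers(src)
        if not r["public"] and not r["capability_check"]
    )


if __name__ == "__main__":
    for rec in audit_ajax_handlers(SAMPLE_PHP):
        print(rec)
    print("needs a capability check:", missing_capability_checks(SAMPLE_PHP))
```

Two caveats when using this on real plugin code: handlers registered as closures, `array($this, 'method')` callbacks or through a wrapper will not be matched, so a clean report is not proof of safety; and a nonce check on its own is not authorisation (it only ties the request to a form the user was shown), which is why `myplugin_end_session` needs both lines and the advisories above describe the capability check specifically as the missing piece.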

PLUGIN Tlp Food Menu

CVE-2024-13415

MEDIUM CVSS 4.3 2025-01-31
Threat Entry Updated 2025-05-12

CVE-2024-13223 - Tabulate Plugin

The Tabulate WordPress plugin through 2.10.3 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Tabulate

CVE-2024-13223

MEDIUM CVSS 6.1 2025-01-31
Threat Entry Updated 2025-05-13

CVE-2024-13222 - User Messages Plugin

The User Messages WordPress plugin through 1.2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN User Messages

CVE-2024-13222

MEDIUM CVSS 6.1 2025-01-31
Threat Entry Updated 2025-05-12

CVE-2024-13221 - Fantastic Elasticsearch Plugin

The Fantastic ElasticSearch WordPress plugin through 4.1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Fantastic Elasticsearch

CVE-2024-13221

MEDIUM CVSS 6.1 2025-01-31
Threat Entry Updated 2025-05-12

CVE-2024-13220 - Google Map Professional Plugin

The WordPress Google Map Professional (Map In Your Language) WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Google Map Professional

CVE-2024-13220

MEDIUM CVSS 6.1 2025-01-31
Threat Entry Updated 2026-01-09

CVE-2024-13219 - Privacy Policy Genius Plugin

The Privacy Policy Genius WordPress plugin through 2.0.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Privacy Policy Genius

CVE-2024-13219

MEDIUM CVSS 6.1 2025-01-31
Threat Entry Updated 2025-05-12

CVE-2024-13218 - Fast Tube Plugin

The Fast Tube WordPress plugin through 2.3.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Fast Tube

CVE-2024-13218

MEDIUM CVSS 6.1 2025-01-31