Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-05-24
CVE-2024-12723 - Infility Global Plugin
The Infility Global WordPress plugin through 2.9.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Infility Global
CVE-2024-12723
Risk Score
Threat Entry
Updated 2025-05-11
CVE-2024-12807 - Social Share Buttons Plugin
The Social Share Buttons for WordPress plugin through 2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Social Share Buttons
CVE-2024-12807
Risk Score
Threat Entry
Updated 2025-05-13
CVE-2024-13117 - Share Buttons Plugin
The Social Share Buttons for WordPress plugin through 2.7 allows an unauthenticated user to upload arbitrary images and change the path where they are uploaded
PLUGIN
Share Buttons
CVE-2024-13117
Risk Score
Threat Entry
Updated 2025-05-05
CVE-2024-13095 - Wp Triggers Lite Plugin
The WP Triggers Lite WordPress plugin through 2.5.3 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
PLUGIN
Wp Triggers Lite
CVE-2024-13095
Risk Score
Threat Entry
Updated 2026-01-09
CVE-2024-12774 - Altra Side Menu Plugin
The Altra Side Menu WordPress plugin through 2.0 does not have CSRF checks in some places, which could allow attackers to make logged in admins delete arbitrary menu via a CSRF attack
PLUGIN
Altra Side Menu
CVE-2024-12774
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-12436 - Wp Customer Area Plugin
The WP Customer Area WordPress plugin through 8.2.4 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
PLUGIN
Wp Customer Area
CVE-2024-12436
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-12280 - Wp Customer Area Plugin
The WP Customer Area WordPress plugin through 8.2.4 does not have CSRF check in place when deleting its logs, which could allow attackers to make a logged in to delete them via a CSRF attack
PLUGIN
Wp Customer Area
CVE-2024-12280
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-12334 - Wc Affiliate Plugin
The WC Affiliate – A Complete WooCommerce Affiliate Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via any parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Wc Affiliate
CVE-2024-12334
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-13505 - Survey Maker Plugin
The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ays_sections[5][questions][8][title]’ parameter in all versions up to, and including, 5.1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Survey Maker
CVE-2024-13505
Risk Score
Threat Entry
Updated 2026-01-30
CVE-2024-11090 - Restrict Content Plugin
The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.13 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.
PLUGIN
Restrict Content
CVE-2024-11090
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-10705 - Multiple Page Generator Plugin
The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.5 via the 'mpg_download_file_by_link' function. This makes it possible for authenticated attackers, with editor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Multiple Page Generator
CVE-2024-10705
Risk Score
Threat Entry
Updated 2025-01-26
CVE-2024-10636 - WordPress Core
The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CORE
WordPress Core
CVE-2024-10636
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2025-0350 - Carousel Maker For Divi Plugin
The Divi Carousel Maker – Image, Logo, Testimonial, Post Carousel & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Carousel and Logo Carousel in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Carousel Maker For Divi
CVE-2025-0350
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-13449 - Boom Fest Plugin
The Boom Fest plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'bf_admin_action' function in all versions up to, and including, 2.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin settings that change the appearance of the website.
PLUGIN
Boom Fest
CVE-2024-13449
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-13599 - Learnpress Plugin
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.7.5 due to insufficient input sanitization and output escaping of a lesson name. This makes it possible for authenticated attackers, with LP Instructor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Learnpress
CVE-2024-13599
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-13586 - Masy Gallery Plugin
The Masy Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'justified-gallery' shortcode in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Masy Gallery
CVE-2024-13586
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-13551 - Abc Notation Plugin
The ABC Notation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'abcjs' shortcode in all versions up to, and including, 6.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Abc Notation
CVE-2024-13551
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-13550 - Abc Notation Plugin
The ABC Notation plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.1.3 via the 'file' attribute of the 'abcjs' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Abc Notation
CVE-2024-13550
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-13548 - Power Ups For Elementor Plugin
The Power Ups for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'magic-button' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Power Ups For Elementor
CVE-2024-13548
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-13458 - Notice Faq Plugin
The WordPress SEO Friendly Accordion FAQ with AI assisted content generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'noticefaq' shortcode in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Notice Faq
CVE-2024-13458
Risk Score