Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-01-24
CVE-2024-13447 - Wp Hotel Booking Plugin
The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the hotel_booking_load_order_user AJAX action in all versions up to, and including, 2.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a list of registered user emails.
PLUGIN
Wp Hotel Booking
CVE-2024-13447
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2024-13361 - Aipower Plugin
The AI Power: Complete AI Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpaicg_save_image_media function in all versions up to, and including, 1.8.96. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload image files and embed shortcode attributes in the image_alt value that will execute when sending a POST request to the attachment page.
PLUGIN
Aipower
CVE-2024-13361
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2024-13319 - Themify Builder Plugin
The Themify Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 7.6.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Themify Builder
CVE-2024-13319
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2024-13360 - Aipower Plugin
The AI Power: Complete AI Pack plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.8.96 via the wpaicg_troubleshoot_add_vector(). This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Aipower
CVE-2024-13360
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2024-13406 - Xml For Google Merchant Center Plugin
The XML for Google Merchant Center plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'feed_id' parameter in all versions up to, and including, 3.0.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Xml For Google Merchant Center
CVE-2024-13406
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2024-12117 - Stackable Plugin
The Stackable – Page Builder Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter of the Button block in all versions up to, and including, 3.13.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Stackable
CVE-2024-12117
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2024-12879 - Wpot Plugin
The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'qc_wp_latest_update_check_pro' function in all versions up to, and including, 13.5.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create Simple Text Responses to chat queries.
PLUGIN
Wpot
CVE-2024-12879
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2024-13590 - Ketchup Shortcodes Plugin
The Ketchup Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spacer' shortcode in all versions up to, and including, 0.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ketchup Shortcodes
CVE-2024-13590
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2024-13584 - Picture Gallery Plugin
The Picture Gallery – Frontend Image Uploads, AJAX Photo List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_pictures' shortcode in all versions up to, and including, 1.5.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Picture Gallery
CVE-2024-13584
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2024-13426 - Wp Polls Plugin
The WP-Polls plugin for WordPress is vulnerable to SQL Injection via COOKIE in all versions up to, and including, 2.77.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries. Those queries are stored and results are not displayed to the attacker, which means they cannot be exploited to obtain any additional information about the database. However, a properly configured payload allows for the injection…
PLUGIN
Wp Polls
CVE-2024-13426
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2025-0450 - Betheme
The Betheme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom JS functionality in all versions up to, and including, 27.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
THEME
Betheme
CVE-2025-0450
Risk Score
Threat Entry
Updated 2025-01-21
CVE-2024-13444 - Wp Greet Plugin
The wp-greet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Wp Greet
CVE-2024-13444
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2024-13230 - Super Socializer Plugin
The Social Share, Social Login and Social Comments Plugin – Super Socializer plugin for WordPress is vulnerable to Limited SQL Injection via the ‘SuperSocializerKey’ parameter in all versions up to, and including, 7.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional values into the already existing query that can be used to extract user metadata from the database.
PLUGIN
Super Socializer
CVE-2024-13230
Risk Score
Threat Entry
Updated 2025-01-21
CVE-2024-11226 - Facebook Like Send Button Plugin
The FireCask Like & Share Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Facebook Like Send Button
CVE-2024-11226
Risk Score
Threat Entry
Updated 2025-01-31
CVE-2024-13404 - Link Library Plugin
The Link Library plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'searchll' parameter in all versions up to, and including, 7.7.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Link Library
CVE-2024-13404
Risk Score
Threat Entry
Updated 2025-01-31
CVE-2024-12005 - Wp Bibtex Plugin
The WP-BibTeX plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on the wp_bibtex_option_page() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Wp Bibtex
CVE-2024-12005
Risk Score
Threat Entry
Updated 2026-02-17
CVE-2024-12104 - Atarim Plugin
The Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the wpf_delete_file and wpf_delete_file functions in all versions up to, and including, 4.0.9. This makes it possible for unauthenticated attackers to delete project pages and files.
PLUGIN
Atarim
CVE-2024-12104
Risk Score
Threat Entry
Updated 2025-01-31
CVE-2025-0371 - Jetelements Plugin
The JetElements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 2.7.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Jetelements
CVE-2025-0371
Risk Score
Threat Entry
Updated 2025-01-21
CVE-2024-13536 - 1003 Mortgage Application Plugin
The 1003 Mortgage Application plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.87. This is due the /inc/class/fnm/export.php file being publicly accessible with error logging enabled. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
PLUGIN
1003 Mortgage Application
CVE-2024-13536
Risk Score
Threat Entry
Updated 2025-01-19
CVE-2024-8722 - Import Any Xml Or Csv File To Wordpress Pro Plugin
The Import any XML or CSV File to WordPress PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Import Any Xml Or Csv File To Wordpress Pro
CVE-2024-8722
Risk Score