Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-01-18
CVE-2024-13392 - Star Ratings Plugin
The Rate Star Review Vote – AJAX Reviews, Votes, Star Ratings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_reviews' shortcode in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Star Ratings
CVE-2024-13392
Risk Score
Threat Entry
Updated 2025-01-18
CVE-2025-0369 - Jetengine Plugin
The JetEngine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘list_tag’ parameter in all versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Jetengine
CVE-2025-0369
Risk Score
Threat Entry
Updated 2025-01-18
CVE-2024-13433 - Utilities For Mtg Plugin
The Utilities for MTG plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mtglink' shortcode in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Utilities For Mtg
CVE-2024-13433
Risk Score
Threat Entry
Updated 2025-01-18
CVE-2024-13519 - Ultimate Woocommerce Multivendor Marketplace Solution Plugin
The MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's settings in all versions up to, and including, 1.9.80 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Ultimate Woocommerce Multivendor Marketplace Solution
CVE-2024-13519
Risk Score
Threat Entry
Updated 2025-02-07
CVE-2024-13517 - Easy Digital Downloads Plugin
The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Easy Digital Downloads
CVE-2024-13517
Risk Score
Threat Entry
Updated 2025-01-18
CVE-2025-0515 - Buzz Club – Night Club, DJ and Music Festival Event WordPress Theme
The Buzz Club – Night Club, DJ and Music Festival Event WordPress Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'cmsmasters_hide_admin_notice' function in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 'hide' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service…
THEME
Buzz Club – Night Club, DJ and Music Festival Event WordPress Theme
CVE-2025-0515
Risk Score
Threat Entry
Updated 2025-01-18
CVE-2024-13393 - Turnkey Video Site Builder Script Plugin
The Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_videos' shortcode in all versions up to, and including, 2.6.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Turnkey Video Site Builder Script
CVE-2024-13393
Risk Score
Threat Entry
Updated 2025-01-18
CVE-2024-13391 - Tokens Wallet Plugin
The MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Tokens Wallet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_content_upload_guest' shortcode in all versions up to, and including, 2.9.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Tokens Wallet
CVE-2024-13391
Risk Score
Threat Entry
Updated 2025-01-18
CVE-2024-13385 - Jsm Screenshot Machine Shortcode Plugin
The JSM Screenshot Machine Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ssm' shortcode in all versions up to, and including, 2.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Jsm Screenshot Machine Shortcode
CVE-2024-13385
Risk Score
Threat Entry
Updated 2025-01-18
CVE-2024-12696 - Picture Gallery Plugin
The Picture Gallery – Frontend Image Uploads, AJAX Photo List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's videowhisper_picture_upload_guest shortcode in all versions up to, and including, 1.5.22 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Picture Gallery
CVE-2024-12696
Risk Score
Threat Entry
Updated 2025-01-18
CVE-2024-13432 - Webcamconsult Plugin
The Webcamconsult plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Webcamconsult
CVE-2024-13432
Risk Score
Threat Entry
Updated 2025-01-18
CVE-2024-13317 - Shipworks Connector For Woocommerce Plugin
The ShipWorks Connector for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. This is due to missing or incorrect nonce validation on the 'shipworks-wordpress' page. This makes it possible for unauthenticated attackers to update the services username and password via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Shipworks Connector For Woocommerce
CVE-2024-13317
Risk Score
Threat Entry
Updated 2025-02-25
CVE-2024-12385 - Wp Abstracts Plugin
The WP Abstracts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.2. This is due to missing nonce validation on the wpabstracts_load_status() and wpabstracts_delete_abstracts() functions. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Wp Abstracts
CVE-2024-12385
Risk Score
Threat Entry
Updated 2025-02-25
CVE-2025-0318 - Ultimate Member Plugin
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.9.1 through different error messages in the responses. This makes it possible for unauthenticated attackers to exfiltrate data from wp_usermeta table.
PLUGIN
Ultimate Member
CVE-2025-0318
Risk Score
Threat Entry
Updated 2025-03-19
CVE-2025-0554 - Podlove Podcast Publisher Plugin
The Podlove Podcast Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Feed Name value in version
PLUGIN
Podlove Podcast Publisher
CVE-2025-0554
Risk Score
Threat Entry
Updated 2025-01-18
CVE-2024-13516 - Kubio Ai Page Builder Plugin
The Kubio AI Page Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'message' parameter in all versions up to, and including, 2.3.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Kubio Ai Page Builder
CVE-2024-13516
Risk Score
Threat Entry
Updated 2025-05-13
CVE-2024-9020 - List Category Posts Plugin
The List category posts WordPress plugin before 0.90.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
List Category Posts
CVE-2024-9020
Risk Score
Threat Entry
Updated 2025-01-18
CVE-2024-13515 - Show Image Credits And Captions Plugin
The Image Source Control Lite – Show Image Credits and Captions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'path' parameter in all versions up to, and including, 2.28.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Show Image Credits And Captions
CVE-2024-13515
Risk Score
Threat Entry
Updated 2025-02-25
CVE-2024-12071 - Evergreen Content Poster Plugin
The Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_network_post() function in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated attackers to delete arbitrary posts and pages.
PLUGIN
Evergreen Content Poster
CVE-2024-12071
Risk Score
Threat Entry
Updated 2025-01-17
CVE-2024-13378 - Gravity Forms Plugin
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style_settings’ parameter in versions 2.9.0.1 up to, and including, 2.9.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The attack is only successful in the Chrome web browser, and requires directly browsing the media file via the attachment post.
PLUGIN
Gravity Forms
CVE-2024-13378
Risk Score