
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 4441-4460 of 10866 records
Threat Entry Updated 2025-01-16

CVE-2024-10789 - Wp User Profile Avatar Plugin

The WP User Profile Avatar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.5. This is due to missing or incorrect nonce validation on the wpupa_user_admin() function. This makes it possible for unauthenticated attackers to update the plugin's setting which controls access to the functionality via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Wp User Profile Avatar

CVE-2024-10789

MEDIUM CVSS 4.3 2025-01-16
Threat Entry Updated 2025-01-16

CVE-2025-0170 - DWT - Directory & Listing WordPress Theme

The DWT - Directory & Listing WordPress Theme is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping on the 'sort_by' and 'token' parameters. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

THEME DWT - Directory & Listing WordPress Theme

CVE-2025-0170

MEDIUM CVSS 6.1 2025-01-16
Threat Entry Updated 2025-08-08

CVE-2024-10970 - Motors Car Dealer Classifieds Listing Plugin

The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.43. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.

PLUGIN Motors Car Dealer Classifieds Listing

CVE-2024-10970

MEDIUM CVSS 5.4 2025-01-16
Threat Entry Updated 2025-01-15

CVE-2025-0215 - UpdraftPlus: WP Backup & Migration Plugin

The UpdraftPlus: WP Backup & Migration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the showdata and initiate_restore parameters in all versions up to, and including, 1.24.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an admin user into performing an action such as clicking on a link.

PLUGIN UpdraftPlus: WP Backup & Migration Plugin

CVE-2025-0215

MEDIUM CVSS 6.1 2025-01-15
Threat Entry Updated 2025-01-15

CVE-2025-22762 - WordPress HelpDesk & Support Ticket System Plugin – Octrace Support

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Octrace Studio WordPress HelpDesk & Support Ticket System Plugin – Octrace Support allows Stored XSS. This issue affects WordPress HelpDesk & Support Ticket System Plugin – Octrace Support: from n/a through 1.2.7.

PLUGIN WordPress HelpDesk & Support Ticket System Plugin – Octrace Support

CVE-2025-22762

MEDIUM CVSS 5.9 2025-01-15
Threat Entry Updated 2025-01-23

CVE-2024-13215 - Elementor Addon Elements Plugin

The Elementor Addon Elements plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.13.10 via the 'render' function in modules/modal-popup/widgets/modal-popup.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, and draft template data.

PLUGIN Elementor Addon Elements

CVE-2024-13215

MEDIUM CVSS 4.3 2025-01-15
Threat Entry Updated 2025-01-15

CVE-2024-12593 - Pdf For Wpforms Plugin

The PDF for WPForms + Drag and Drop Template Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's yeepdf_dotab shortcode in all versions up to, and including, 4.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Pdf For Wpforms

CVE-2024-12593

MEDIUM CVSS 6.4 2025-01-15
Threat Entry Updated 2025-01-15

CVE-2024-11851 - Nitropack Plugin

The NitroPack plugin for WordPress is vulnerable to unauthorized arbitrary transient update due to a missing capability check on the nitropack_rml_notification function in all versions up to, and including, 1.17.0. This makes it possible for authenticated attackers, with subscriber access or higher, to update arbitrary transients. Note that these transients can only be updated to integers and not arbitrary values.

PLUGIN Nitropack

CVE-2024-11851

MEDIUM CVSS 4.3 2025-01-15
Threat Entry Updated 2025-01-15

CVE-2024-12818 - Wp Smart Tv Plugin

The WP Smart TV plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tv-video-player' shortcode in all versions up to, and including, 2.1.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Smart Tv

CVE-2024-12818

MEDIUM CVSS 6.4 2025-01-15
Threat Entry Updated 2025-01-15

CVE-2024-12423 - Cf7 Redirect Thank You Page Plugin

The Contact Form 7 Redirect & Thank You Page plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post' parameter in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Cf7 Redirect Thank You Page

CVE-2024-12423

MEDIUM CVSS 6.1 2025-01-15
Threat Entry Updated 2025-01-15

CVE-2024-12403 - Awesome Responsive Photo Gallery Plugin

The Image Gallery – Responsive Photo Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'awsmgallery' parameter in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Awesome Responsive Photo Gallery

CVE-2024-12403

MEDIUM CVSS 6.1 2025-01-15
Threat Entry Updated 2025-01-15

CVE-2024-10775 - Piotnet Addons For Elementor Plugin

The Piotnet Addons For Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.4.32 via the 'pafe-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.

PLUGIN Piotnet Addons For Elementor

CVE-2024-10775

MEDIUM CVSS 4.3 2025-01-15
Threat Entry Updated 2025-01-15

CVE-2024-11870 - Event Registration Calendar By Vcita Plugin

The Event Registration Calendar By vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Event Registration Calendar By Vcita

CVE-2024-11870

MEDIUM CVSS 6.4 2025-01-15
Threat Entry Updated 2025-01-15

CVE-2024-13394 - Viewmedica 9 Plugin

The ViewMedica 9 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'viewmedica' shortcode in all versions up to, and including, 1.4.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Viewmedica 9

CVE-2024-13394

MEDIUM CVSS 6.4 2025-01-15
Threat Entry Updated 2025-01-15

CVE-2024-13334 - Car Demon Plugin

The Car Demon plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search_condition' parameter in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Car Demon

CVE-2024-13334

MEDIUM CVSS 6.1 2025-01-15
Threat Entry Updated 2025-08-12

CVE-2024-12240 - Page Builder Plugin

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the row label parameter in all versions up to, and including, 2.31.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Page Builder

CVE-2024-12240

MEDIUM CVSS 6.4 2025-01-14
Threat Entry Updated 2025-03-03

CVE-2025-0393 - Royal Elementor Addons Plugin

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1006. This is due to missing or incorrect nonce validation on the wpr_filter_grid_posts() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Royal Elementor Addons

CVE-2025-0393

MEDIUM CVSS 6.1 2025-01-14
Threat Entry Updated 2025-01-14

CVE-2024-13156 - Html5 Video Player Plugin

The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the 'heading' parameter in all versions up to, and including, 2.5.35 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Html5 Video Player

CVE-2024-13156

MEDIUM CVSS 6.4 2025-01-14
Threat Entry Updated 2025-01-16

CVE-2024-12008 - W3 Total Cache Plugin

The W3 Total Cache plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.8.1 through the publicly exposed debug log file. This makes it possible for unauthenticated attackers to view potentially sensitive information in the exposed log file. For example, the log file may contain nonce values that can be used in further CSRF attacks. Note: the debug feature must be enabled for this to be a concern, and it is disabled by default.

PLUGIN W3 Total Cache

CVE-2024-12008

MEDIUM CVSS 5.3 2025-01-14
Threat Entry Updated 2025-01-16

CVE-2024-12006 - W3 Total Cache Plugin

The W3 Total Cache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 2.8.1. This makes it possible for unauthenticated attackers to deactivate the plugin as well as activate and deactivate plugin extensions.

PLUGIN W3 Total Cache

CVE-2024-12006

MEDIUM CVSS 5.3 2025-01-14