Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-12-21
CVE-2024-11808 - Pingmeter Uptime Monitoring Plugin
The Pingmeter Uptime Monitoring plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the '_wpnonce' parameter in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Pingmeter Uptime Monitoring
CVE-2024-11808
Risk Score
Threat Entry
Updated 2024-12-21
CVE-2024-10797 - Full Screen Menu For Elementor Plugin
The Full Screen Menu for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.7 via the Full Screen Menu Elementor Widget due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with contributor-level access and above, to extract data from private or draft posts created with Elementor that they should not have access to.
PLUGIN
Full Screen Menu For Elementor
CVE-2024-10797
Risk Score
Threat Entry
Updated 2025-02-28
CVE-2024-12635 - Wp Docs Plugin
The WP Docs plugin for WordPress is vulnerable to time-based SQL Injection via the 'dir_id' parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The vulnerability was partially patched in version 2.2.0.
PLUGIN
Wp Docs
CVE-2024-12635
Risk Score
Threat Entry
Updated 2024-12-21
CVE-2024-12697 - Real Kit Plugin
The real.Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Real Kit
CVE-2024-12697
Risk Score
Threat Entry
Updated 2025-02-28
CVE-2024-12262 - Ebook Store Plugin
The Ebook Store plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'step' parameter in all versions up to, and including, 5.8001 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Ebook Store
CVE-2024-12262
Risk Score
Threat Entry
Updated 2024-12-21
CVE-2024-11938 - Woo One Click Upsell Funnel Plugin
The One Click Upsell Funnel for WooCommerce – Funnel Builder for WordPress, Create WooCommerce Upsell, Post-Purchase Upsell & Cross Sell Offers that Boost Sales & Increase Profits with Sales Funnel Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wps_wocuf_pro_yes shortcode in all versions up to, and including, 3.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user…
PLUGIN
Woo One Click Upsell Funnel
CVE-2024-11938
Risk Score
Threat Entry
Updated 2024-12-21
CVE-2024-11975 - Reactflow Session Replay Heatmap Plugin
The Reactflow Visitor Recording and Heatmaps plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.10. This is due to missing or incorrect nonce validation affecting the _wpnonce parameter. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Reactflow Session Replay Heatmap
CVE-2024-11975
Risk Score
Threat Entry
Updated 2024-12-21
CVE-2024-11682 - Gwebpro Store Locator Plugin
The G Web Pro Store Locator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'q' parameter in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Gwebpro Store Locator
CVE-2024-11682
Risk Score
Threat Entry
Updated 2025-02-28
CVE-2024-11287 - Ebook Store Plugin
The Ebook Store plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 5.8001. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Ebook Store
CVE-2024-11287
Risk Score
Threat Entry
Updated 2024-12-21
CVE-2024-11196 - Multi Column Tag Map Plugin
The Multi-column Tag Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mctagmap shortcode in all versions up to, and including, 17.0.33 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Multi Column Tag Map
CVE-2024-11196
Risk Score
Threat Entry
Updated 2025-05-14
CVE-2024-11607 - Gtpayment Donations Plugin
The GTPayment Donations WordPress plugin through 1.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
PLUGIN
Gtpayment Donations
CVE-2024-11607
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-11811 - Web Push Notifications Plugin
The Feedify – Web Push Notifications plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'platform', 'phone', 'email', and 'store_url' parameters. in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Web Push Notifications
CVE-2024-11811
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-12509 - Embed Twine Plugin
The Embed Twine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'embed_twine' shortcode in all versions up to, and including, 0.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Embed Twine
CVE-2024-12509
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-9619 - Wp Shapes Plugin
The WP SHAPES plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Wp Shapes
CVE-2024-9619
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-9503 - Maintenance Coming Soon Redirect Animation Plugin
The Maintenance & Coming Soon Redirect Animation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wploti_add_whitelisted_roles_option', 'wploti_remove_whitelisted_roles_option', 'wploti_add_whitelisted_users_option', 'wploti_remove_whitelisted_users_option', and 'wploti_uploaded_animation_save_option' functions in all versions up to, and including, 2.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify certain plugin settings.
PLUGIN
Maintenance Coming Soon Redirect Animation
CVE-2024-9503
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-12506 - Nacc Plugin
The NACC WordPress Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'nacc' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Nacc
CVE-2024-12506
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-11893 - Chat Buttons And Woocommerce Notifications Plugin
The Spoki – Chat Buttons and WooCommerce Notifications plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spoki_button' shortcode in all versions up to, and including, 2.15.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Chat Buttons And Woocommerce Notifications
CVE-2024-11893
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-11878 - Category Post Slider Plugin
The Category Post Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'category-post-slider' shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Category Post Slider
CVE-2024-11878
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-11784 - Ticketsource Events Plugin
The Sell Tickets Online – TicketSource Ticket Shop for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ticketshop' shortcode in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ticketsource Events
CVE-2024-11784
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-11812 - Wtyczka Seopilot Dla Wp Plugin
The Wtyczka SeoPilot dla WP plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.091. This is due to missing or incorrect nonce validation on the SeoPilot_Admin_Options() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Wtyczka Seopilot Dla Wp
CVE-2024-11812
Risk Score