Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-12-20
CVE-2024-11806 - Pkt1 Centro De Envios Plugin
The PKT1 Centro de envios plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'success' and 'error' parameters in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Pkt1 Centro De Envios
CVE-2024-11806
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-11783 - Finance Calculator With Application Form Plugin
The Financial Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'finance_calculator' shortcode in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Finance Calculator With Application Form
CVE-2024-11783
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-11775 - Particle Background Plugin
The Particle Background plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'particleground' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Particle Background
CVE-2024-11775
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-11774 - Outdooractive Embed Plugin
The Outdooractive Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'list2go' shortcode in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Outdooractive Embed
CVE-2024-11774
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-11411 - Spotlightr Plugin
The Spotlightr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spotlightr-v' shortcode in all versions up to, and including, 0.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Spotlightr
CVE-2024-11411
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-11331 - Isee Products Extractor Plugin
The استخراج محصولات ووکامرس برای آیسی plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Isee Products Extractor
CVE-2024-11331
Risk Score
Threat Entry
Updated 2025-07-03
CVE-2024-11297 - Page Restriction Plugin
The Page Restriction WordPress (WP) – Protect WP Pages/Post plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.6 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.
PLUGIN
Page Restriction
CVE-2024-11297
Risk Score
Threat Entry
Updated 2025-05-14
CVE-2024-8968 - Wordpress Button Plugin Maxbuttons
The WordPress Button Plugin MaxButtons WordPress plugin before 9.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Wordpress Button Plugin Maxbuttons
CVE-2024-8968
Risk Score
Threat Entry
Updated 2025-05-14
CVE-2024-11108 - Serious Slider Plugin
The Serious Slider WordPress plugin before 1.2.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
Serious Slider
CVE-2024-11108
Risk Score
Threat Entry
Updated 2025-04-17
CVE-2024-10706 - Download Manager Plugin
The Download Manager WordPress plugin before 3.3.03 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Download Manager
CVE-2024-10706
Risk Score
Threat Entry
Updated 2025-05-14
CVE-2024-10555 - Wordpress Button Plugin Maxbuttons
The WordPress Button Plugin MaxButtons WordPress plugin before 9.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Wordpress Button Plugin Maxbuttons
CVE-2024-10555
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-11776 - Pcrecruiter Extensions Plugin
The PCRecruiter Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'PCRecruiter' shortcode in all versions up to, and including, 1.4.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Pcrecruiter Extensions
CVE-2024-11776
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-12331 - Filester Plugin
The File Manager Pro – Filester plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_install_plugin' function in all versions up to, and including, 1.8.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the Filebird plugin.
PLUGIN
Filester
CVE-2024-12331
Risk Score
Threat Entry
Updated 2025-02-28
CVE-2024-12560 - Button Block Plugin
The Button Block – Get fully customizable & multi-functional buttons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via the 'btn_block_duplicate_post' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract potentially sensitive data from draft, scheduled (future), private, and password protected posts.
PLUGIN
Button Block
CVE-2024-12560
Risk Score
Threat Entry
Updated 2025-03-21
CVE-2024-11768 - Download Manager Plugin
The Download Manager plugin for WordPress is vulnerable to unauthorized download of password-protected content due to improper password validation on the checkFilePassword function in all versions up to, and including, 3.3.03. This makes it possible for unauthenticated attackers to download password-protected files.
PLUGIN
Download Manager
CVE-2024-11768
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-10548 - Wp Project Manager Plugin
The WP Project Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.15 via the Project Task List ('/wp-json/pm/v2/projects/1/task-lists') REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including the hashed passwords of project owners (e.g. adminstrators).
PLUGIN
Wp Project Manager
CVE-2024-10548
Risk Score
Threat Entry
Updated 2024-12-19
CVE-2024-12121 - Finder Plugin
The Broken Link Checker | Finder plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.5.0 via the 'moblc_check_link' function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Finder
CVE-2024-12121
Risk Score
Threat Entry
Updated 2024-12-18
CVE-2024-11926 - Travel Booking Wordpress Theme
The Travel Booking WordPress Theme theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '__stPartnerCreateServiceRental', 'st_delete_order_item', '_st_partner_approve_booking', 'save_order_item', and '__userDenyEachInfo' functions in all versions up to, and including, 3.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify posts, delete posts and pages, approve arbitrary orders, insert orders with arbitrary prices, and deny user information.
THEME
Travel Booking Wordpress Theme
CVE-2024-11926
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-11291 - Membership Content Restriction Paid Member Subscriptions Plugin
The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.4 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as logged-in users.
PLUGIN
Membership Content Restriction Paid Member Subscriptions
CVE-2024-11291
Risk Score
Threat Entry
Updated 2024-12-18
CVE-2024-12454 - Slicewp Affiliates Plugin
The Affiliate Program Suite — SliceWP Affiliates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.23. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Slicewp Affiliates
CVE-2024-12454
Risk Score