
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2026-02-20

CVE-2024-9872 - Online Booking Scheduling Calendar Plugin

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_save_user_data_callback() function in all versions up to, and including, 4.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject malicious web scripts and update settings.

PLUGIN Online Booking Scheduling Calendar

CVE-2024-9872

MEDIUM CVSS 5.4 2024-12-06
Threat Entry Updated 2024-12-06

CVE-2024-12060 - Wp Media Optimizer Webp Plugin

The WP Media Optimizer (.webp) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpmowebp-css-resources' and 'wpmowebp-js-resources' parameters in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Wp Media Optimizer Webp

CVE-2024-12060

MEDIUM CVSS 6.1 2024-12-06
Threat Entry Updated 2024-12-06

CVE-2024-9866 - Event Tickets With Ticket Scanner Plugin

The Event Tickets with Ticket Scanner plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data' parameters in all versions up to, and including, 2.4.4 due to insufficient input sanitization and output escaping and missing authorization on the functionality to manage tickets. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This missing authorization aspect of this was patched in 2.4.1, while the Cross-Site Scripting was fully patched…

PLUGIN Event Tickets With Ticket Scanner

CVE-2024-9866

MEDIUM CVSS 5.4 2024-12-06
Threat Entry Updated 2025-06-05

CVE-2024-9706 - Ultimate Coming Soon Plugin

The Ultimate Coming Soon & Maintenance plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ucsm_activate_lite_template_lite function in all versions up to, and including, 1.0.9. This makes it possible for unauthenticated attackers to change the template used for the coming soon / maintenance page.

PLUGIN Ultimate Coming Soon

CVE-2024-9706

MEDIUM CVSS 5.3 2024-12-06
Threat Entry Updated 2024-12-06

CVE-2024-12110 - Gold Addons For Elementor Plugin

The Gold Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate() and deactivate() functions in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate and deactivate licenses.

PLUGIN Gold Addons For Elementor

CVE-2024-12110

MEDIUM CVSS 4.3 2024-12-06
Threat Entry Updated 2025-06-05

CVE-2024-9705 - Ultimate Coming Soon Plugin

The Ultimate Coming Soon & Maintenance plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ucsm_update_template_name_lite' function in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the name of the plugin's templates.

PLUGIN Ultimate Coming Soon

CVE-2024-9705

MEDIUM CVSS 4.3 2024-12-06
Threat Entry Updated 2024-12-06

CVE-2024-11450 - Onlyoffice Docs Plugin

The ONLYOFFICE Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'onlyoffice' shortcode in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Onlyoffice Docs

CVE-2024-11450

MEDIUM CVSS 6.4 2024-12-06
Threat Entry Updated 2024-12-06

CVE-2024-12003 - Wp System Plugin

The WP System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the generate_wp_system_page_content() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Wp System

CVE-2024-12003

MEDIUM CVSS 6.1 2024-12-06
Threat Entry Updated 2024-12-06

CVE-2024-11823 - Folder Gallery Plugin

The Folder Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'foldergallery' shortcode in all versions up to, and including, 1.7.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Folder Gallery

CVE-2024-11823

MEDIUM CVSS 6.1 2024-12-06
Threat Entry Updated 2024-12-06

CVE-2024-11687 - Next Cart Store To Woocommerce Migration Plugin

The Next-Cart Store to WooCommerce Migration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 3.9.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Next Cart Store To Woocommerce Migration

CVE-2024-11687

MEDIUM CVSS 6.1 2024-12-06
Threat Entry Updated 2024-12-06

CVE-2024-12028 - Friends Plugin

The Friends plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several REST API endpoints in all versions up to, and including, 3.2.1. This makes it possible for unauthenticated attackers to send arbitrary friend requests on behalf of another website, accept the friend request for the targeted website, and then communicate with the site as an accepted friend.

PLUGIN Friends

CVE-2024-12028

MEDIUM CVSS 5.3 2024-12-06
Threat Entry Updated 2024-12-06

CVE-2024-12027 - Cf7 Message Filter Plugin

The Message Filter for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the updateFilter() and deleteFilter() functions in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to update and delete filters.

PLUGIN Cf7 Message Filter

CVE-2024-12027

MEDIUM CVSS 4.3 2024-12-06
Threat Entry Updated 2024-12-06

CVE-2024-11352 - Twentytwenty Plugin

The TwentyTwenty plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'twentytwenty' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Twentytwenty

CVE-2024-11352

MEDIUM CVSS 6.4 2024-12-06
Threat Entry Updated 2024-12-06

CVE-2024-11339 - Smart Popup Blaster Plugin

The Smart PopUp Blaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spb-button' shortcode in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Smart Popup Blaster

CVE-2024-11339

MEDIUM CVSS 6.4 2024-12-06
Threat Entry Updated 2024-12-06

CVE-2024-11368 - Splash Connector Plugin

The Splash Sync plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Splash Connector

CVE-2024-11368

MEDIUM CVSS 6.1 2024-12-06
Threat Entry Updated 2024-12-06

CVE-2024-11336 - Clickbank Storefront Plugin

The Clickbank WordPress Plugin (Storefront) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing or incorrect nonce validation via the cs_menu page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Clickbank Storefront

CVE-2024-11336

MEDIUM CVSS 6.1 2024-12-06
Threat Entry Updated 2024-12-06

CVE-2024-11444 - Cluevo Lms Plugin

The CLUEVO LMS, E-Learning Platform plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.13.2. This is due to missing or incorrect nonce validation on the cluevo_render_module_ui() function. This makes it possible for unauthenticated attackers to delete modules via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Cluevo Lms

CVE-2024-11444

MEDIUM CVSS 4.3 2024-12-06
Threat Entry Updated 2024-12-06

CVE-2024-10849 - Newsmash Theme

The NewsMash theme for WordPress is vulnerable to Stored Cross-Site Scripting via a malicious display name in all versions up to, and including, 1.0.71 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Newsmash

CVE-2024-10849

MEDIUM CVSS 6.4 2024-12-06
Threat Entry Updated 2024-12-06

CVE-2024-11276 - Packing Slips And More Plugin

The PDF Builder for WooCommerce. Create invoices, packing slips and more plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.2.136 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Packing Slips And More

CVE-2024-11276

MEDIUM CVSS 6.1 2024-12-06
Threat Entry Updated 2025-02-05

CVE-2024-11204 - Forumwp Plugin

The ForumWP – Forum & Discussion Board plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' parameter in all versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Forumwp

CVE-2024-11204

MEDIUM CVSS 6.1 2024-12-06