Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-02-11
CVE-2024-8735 - Mailmunch Plugin
The MailMunch – Grow your Email List plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.1.8. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Mailmunch
CVE-2024-8735
Risk Score
Threat Entry
Updated 2024-11-22
CVE-2024-11381 - Control Horas Plugin
The Control horas plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ch_registro' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Control Horas
CVE-2024-11381
Risk Score
Threat Entry
Updated 2024-11-22
CVE-2024-11225 - Wpdm Premium Packages Plugin
The Premium Packages – Sell Digital Products Securely plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 5.9.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Wpdm Premium Packages
CVE-2024-11225
Risk Score
Threat Entry
Updated 2024-11-22
CVE-2024-11355 - Ultimate Youtube Video Player Plugin
The Ultimate YouTube Video & Shorts Player With Vimeo plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_setting() function in all versions up to, and including, 3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view settings for playlists.
PLUGIN
Ultimate Youtube Video Player
CVE-2024-11355
Risk Score
Threat Entry
Updated 2024-11-22
CVE-2024-10666 - Easy Twitter Feeds Plugin
The Easy Twitter Feed – Twitter feeds plugin for WP plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.6 via the [etf] shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.
PLUGIN
Easy Twitter Feeds
CVE-2024-10666
Risk Score
Threat Entry
Updated 2024-11-22
CVE-2024-10034 - Video Gallery And Lightbox For Native Gallery Plugin
The Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the gallery link text parameter in all versions up to, and including, 3.2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Video Gallery And Lightbox For Native Gallery
CVE-2024-10034
Risk Score
Threat Entry
Updated 2025-07-07
CVE-2024-11089 - Anonymous Restricted Content Plugin
The Anonymous Restricted Content plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.5 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to logged-in users.
PLUGIN
Anonymous Restricted Content
CVE-2024-11089
Risk Score
Threat Entry
Updated 2025-04-05
CVE-2024-11088 - Simple Membership Plugin
The Simple Membership plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.5.5 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.
PLUGIN
Simple Membership
CVE-2024-11088
Risk Score
Threat Entry
Updated 2024-11-22
CVE-2024-9851 - Lsx Tour Operator Plugin
The LSX Tour Operator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.4.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Lsx Tour Operator
CVE-2024-9851
Risk Score
Threat Entry
Updated 2026-01-09
CVE-2024-9828 - Before 3 Plugin
The Taskbuilder WordPress plugin before 3.0.5 does not sanitize user input into the 'load_orders' parameter and uses it in a SQL statement, allowing high privilege users such as admin to perform SQL Injection attacks
PLUGIN
Before 3
CVE-2024-9828
Risk Score
Threat Entry
Updated 2024-11-22
CVE-2024-9442 - F4 Improvements Plugin
The F4 Improvements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
F4 Improvements
CVE-2024-9442
Risk Score
Threat Entry
Updated 2024-11-26
CVE-2024-9768 - Formidable Forms Plugin
The Formidable Forms WordPress plugin before 6.14.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Formidable Forms
CVE-2024-9768
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-9600 - Before 3 Plugin
The Ditty WordPress plugin before 3.1.47 does not sanitise and escape some of its settings, which could allow high privilege users such as author to perform Stored Cross-Site Scripting attacks.
PLUGIN
Before 3
CVE-2024-9600
Risk Score
Threat Entry
Updated 2024-11-22
CVE-2024-9542 - Sky Addons For Elementor Plugin
The Sky Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.1 via the render function in modules/content-switcher/widgets/content-switcher.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft Elementor template data.
PLUGIN
Sky Addons For Elementor
CVE-2024-9542
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-9111 - Product Designer Plugin
The Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.35 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Product Designer
CVE-2024-9111
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-9371 - Branda White Labeling Plugin
The Branda – White Label & Branding, Custom Login Page Customizer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.4.19. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Branda White Labeling
CVE-2024-9371
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-8157 - Alphabetical List Plugin
The Alphabetical List WordPress plugin through 1.0.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Alphabetical List
CVE-2024-8157
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-5029 - Cm Table Of Contents Plugin
The CM Table Of Contents WordPress plugin before 1.2.4 does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
PLUGIN
Cm Table Of Contents
CVE-2024-5029
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-11455 - Include Mastodon Feed Plugin
The Include Mastodon Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'include-mastodon-feed' shortcode in all versions up to, and including, 1.9.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Include Mastodon Feed
CVE-2024-11455
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-11456 - And Giveaways With Contestswp Plugin
The Run Contests, Raffles, and Giveaways with ContestsWP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
And Giveaways With Contestswp
CVE-2024-11456
Risk Score