Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,866
Critical: 0
High: 0
Medium: 10,866
Showing 5141-5160 of 10866 records
Threat Entry Updated 2024-11-21

CVE-2024-11440 - Grey Owl Lightbox Plugin

The Grey Owl Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gol_button' shortcode in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Grey Owl Lightbox

CVE-2024-11440

MEDIUM CVSS 6.4 2024-11-21
Threat Entry Updated 2025-04-14

CVE-2024-11447 - Peepso Core Plugin

The Community by PeepSo – Download from PeepSo.com plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘filter’ parameter in all versions up to, and including, 7.0.3.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Peepso Core

CVE-2024-11447

MEDIUM CVSS 6.1 2024-11-21
Threat Entry Updated 2024-11-21

CVE-2024-11438 - Streamweasels Online Status Bar Plugin

The StreamWeasels Online Status Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sw-status-bar' shortcode in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Streamweasels Online Status Bar

CVE-2024-11438

MEDIUM CVSS 6.4 2024-11-21
Threat Entry Updated 2024-11-21

CVE-2024-11432 - Suevafree Essential Kit Plugin

The SuevaFree Essential Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'counter' shortcode in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Suevafree Essential Kit

CVE-2024-11432

MEDIUM CVSS 6.4 2024-11-21
Threat Entry Updated 2024-11-21

CVE-2024-11435 - Salavat Counter Plugin

The salavat counter Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 0.9.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Salavat Counter

CVE-2024-11435

MEDIUM CVSS 6.1 2024-11-21
Threat Entry Updated 2024-11-21

CVE-2024-11428 - Lazy Load Videos And Sticky Control Plugin

The Lazy load videos and sticky control plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lazy-load-videos-and-sticky-control' shortcode in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Lazy Load Videos And Sticky Control

CVE-2024-11428

MEDIUM CVSS 6.4 2024-11-21
Threat Entry Updated 2024-11-21

CVE-2024-11424 - Slick Sitemap Plugin

The Slick Sitemap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'slick-sitemap' shortcode in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Slick Sitemap

CVE-2024-11424

MEDIUM CVSS 6.4 2024-11-21
Threat Entry Updated 2024-11-21

CVE-2024-11416 - Wip Incoming Lite Plugin

The WIP Incoming Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the save_option() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Wip Incoming Lite

CVE-2024-11416

MEDIUM CVSS 6.1 2024-11-21
Threat Entry Updated 2024-11-21

CVE-2024-11414 - Recipepress Reloaded Plugin

The RecipePress Reloaded plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Recipe Ingredients in all versions up to, and including, 2.12.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Recipepress Reloaded

CVE-2024-11414

MEDIUM CVSS 6.4 2024-11-21
Threat Entry Updated 2024-11-21

CVE-2024-11412 - Shine Pdf Plugin

The Shine PDF Embeder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shinepdf' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Shine Pdf

CVE-2024-11412

MEDIUM CVSS 6.4 2024-11-21
Threat Entry Updated 2024-11-26

CVE-2024-11388 - Dino Game Plugin

The Dino Game – Embed Google Chrome Dinosaur Game in WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dino-game' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Dino Game

CVE-2024-11388

MEDIUM CVSS 6.4 2024-11-21
Threat Entry Updated 2024-11-26

CVE-2024-11385 - Pure Css Circle Progress Bar Plugin

The Pure CSS Circle Progress bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'circle_progress' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Pure Css Circle Progress Bar

CVE-2024-11385

MEDIUM CVSS 6.4 2024-11-21
Threat Entry Updated 2024-12-16

CVE-2024-11371 - Theater For Wordpress Plugin

The Theater for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 0.18.6.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Theater For Wordpress

CVE-2024-11371

MEDIUM CVSS 6.1 2024-11-21
Threat Entry Updated 2024-11-26

CVE-2024-11370 - Subaccounts For Woocommerce Plugin

The Subaccounts for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.6.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Subaccounts For Woocommerce

CVE-2024-11370

MEDIUM CVSS 6.1 2024-11-21
Threat Entry Updated 2024-11-26

CVE-2024-11365 - Crypto And Defi Widgets Plugin

The Crypto and DeFi Widgets – Web3 Cryptocurrency Shortcodes plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.6. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Crypto And Defi Widgets

CVE-2024-11365

MEDIUM CVSS 6.1 2024-11-21
Threat Entry Updated 2024-11-26

CVE-2024-11360 - Page Parts Plugin

The Page Parts plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.4.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Page Parts

CVE-2024-11360

MEDIUM CVSS 6.1 2024-11-21
Threat Entry Updated 2024-11-26

CVE-2024-11354 - Ultimate Youtube Video Shorts Player With Vimeo Plugin

The Ultimate YouTube Video & Shorts Player With Vimeo plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the del_ytsingvid() function in all versions up to, and including, 3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete single playlists.

PLUGIN Ultimate Youtube Video Shorts Player With Vimeo

CVE-2024-11354

MEDIUM CVSS 4.3 2024-11-21
Threat Entry Updated 2024-11-26

CVE-2024-11334 - My Contador Lesr Plugin

The My Contador lesr plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the exportar_registros() function in all versions up to, and including, 2.0. This makes it possible for unauthenticated attackers to export user data.

PLUGIN My Contador Lesr

CVE-2024-11334

MEDIUM CVSS 4.3 2024-11-21
Threat Entry Updated 2024-11-21

CVE-2024-11197 - Lock User Account Plugin

The Lock User Account plugin for WordPress is vulnerable to user lock bypass in all versions up to, and including, 1.0.5. This is due to permitting application password logins when user accounts are locked. This makes it possible for authenticated attackers, with existing application passwords, to interact with the vulnerable site via an API such as XML-RPC or REST despite their account being locked.

PLUGIN Lock User Account

CVE-2024-11197

MEDIUM CVSS 4.2 2024-11-21
Threat Entry Updated 2024-11-21

CVE-2024-10890 - Classifieds Plugin

The WPAdverts – Classifieds Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.7. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Classifieds

CVE-2024-10890

MEDIUM CVSS 6.1 2024-11-21