Threat Database
Threat Entry Updated 2025-02-07

CVE-2024-10785 - Gutenberg Blocks With Ai Plugin

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Countdown' widget in all versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Gutenberg Blocks With Ai

CVE-2024-10785

MEDIUM CVSS 6.4 2024-11-21
Threat Entry Updated 2024-11-21

CVE-2024-10792 - Woocommerce By Wpfunnels Plugin

The Easiest Funnel Builder For WordPress & WooCommerce by WPFunnels plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post_id' parameter in all versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This was partially patched in 3.5.4 and fully patched in 3.5.5.

PLUGIN Woocommerce By Wpfunnels

CVE-2024-10792

MEDIUM CVSS 6.1 2024-11-21
Threat Entry Updated 2024-11-21

CVE-2024-10796 - If So Dynamic Content Personalization Plugin

The If-So Dynamic Content Personalization plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.2.1 via the 'ifso-show-post' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created via Elementor that they should not have access to.

PLUGIN If So Dynamic Content Personalization

CVE-2024-10796

MEDIUM CVSS 4.3 2024-11-21
Threat Entry Updated 2024-11-21

CVE-2024-10726 - Friendly Functions For Welcart Plugin

The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Friendly Functions For Welcart

CVE-2024-10726

MEDIUM CVSS 6.1 2024-11-21
Threat Entry Updated 2024-11-21

CVE-2024-10782 - Theme Builder For Elementor Plugin

The Theme Builder For Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.2 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.

PLUGIN Theme Builder For Elementor

CVE-2024-10782

MEDIUM CVSS 4.3 2024-11-21
Threat Entry Updated 2025-02-05

CVE-2024-10696 - Ultraaddons Elementor Lite Plugin

The UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS, Woo Widget, Menu Builder, Anywhere Elementor Shortcode) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.8 via the show_template due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to expose the contents of draft, private, and pending posts.

PLUGIN Ultraaddons Elementor Lite

CVE-2024-10696

MEDIUM CVSS 4.3 2024-11-21
Threat Entry Updated 2024-11-21

CVE-2024-10682 - Bulletin Announcements Plugin

The Announcement & Notification Banner – Bulletin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg and remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.11.7. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Bulletin Announcements

CVE-2024-10682

MEDIUM CVSS 6.1 2024-11-21
Threat Entry Updated 2024-11-21

CVE-2024-10675 - Affiliate Toolkit Plugin

The affiliate-toolkit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via a URL in all versions up to, and including, 3.6.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Affiliate Toolkit

CVE-2024-10675

MEDIUM CVSS 6.1 2024-11-21
Threat Entry Updated 2025-02-27

CVE-2024-10671 - Button Block Plugin

The Button Block – Get fully customizable & multi-functional buttons plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.4 via the [btn_block] shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.

PLUGIN Button Block

CVE-2024-10671

MEDIUM CVSS 4.3 2024-11-21
Threat Entry Updated 2024-11-21

CVE-2024-10623 - Forumengine Theme

The ForumEngine theme for WordPress is vulnerable to Reflected Cross-Site Scripting via a URL in all versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

THEME Forumengine

CVE-2024-10623

MEDIUM CVSS 6.1 2024-11-21
Threat Entry Updated 2024-11-21

CVE-2024-10532 - Bard Extra Plugin

The Bard Extra plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bardxtra_import_xml() function in all versions up to, and including, 1.2.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to import demo data.

PLUGIN Bard Extra

CVE-2024-10532

MEDIUM CVSS 4.3 2024-11-21
Threat Entry Updated 2025-02-27

CVE-2024-10528 - Ultimate Member Plugin

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to unauthorized profile picture updates due to a missing capability check on the wp_ajax_um_resize_image() and ajax_resize_image() functions in all versions up to, and including, 2.8.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the profile pictures of other users.

PLUGIN Ultimate Member

CVE-2024-10528

MEDIUM CVSS 4.3 2024-11-21
Threat Entry Updated 2024-11-21

CVE-2024-10522 - Co Marquage Service Public Plugin

The Co-marquage service-public.fr plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 0.5.76. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Co Marquage Service Public

CVE-2024-10522

MEDIUM CVSS 6.1 2024-11-21
Threat Entry Updated 2025-05-15

CVE-2024-10482 - Desc For Image Seo Plugin

The Media File Rename, Find Unused File, Add Alt text, Caption, Desc For Image SEO WordPress plugin before 1.5.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

PLUGIN Desc For Image Seo

CVE-2024-10482

MEDIUM CVSS 5.4 2024-11-21
Threat Entry Updated 2025-01-23

CVE-2024-10393 - Tutor Lms Plugin

The Tutor LMS plugin for WordPress is vulnerable to user registration bypass in versions up to, and including, 2.7.6. This is due to a missing check for the 'users_can_register' option in the 'register_instructor' function. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled.

PLUGIN Tutor Lms

CVE-2024-10393

MEDIUM CVSS 5.3 2024-11-21
Threat Entry Updated 2024-11-21

CVE-2024-10177 - Beds24 Online Booking Plugin

The Beds24 Online Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's beds24-link shortcode in all versions up to, and including, 2.0.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Beds24 Online Booking

CVE-2024-10177

MEDIUM CVSS 6.4 2024-11-21
Threat Entry Updated 2025-07-10

CVE-2024-10172 - Wpbakery Visual Composer Whmcs Elements Plugin

The WPBakery Visual Composer WHMCS Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's void_wbwhmcse_laouts_search shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wpbakery Visual Composer Whmcs Elements

CVE-2024-10172

MEDIUM CVSS 6.4 2024-11-21
Threat Entry Updated 2024-11-21

CVE-2024-10164 - Wpdm Premium Packages Plugin

The Premium Packages – Sell Digital Products Securely plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpdmpp_pay_link shortcode in all versions up to, and including, 5.9.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wpdm Premium Packages

CVE-2024-10164

MEDIUM CVSS 6.4 2024-11-21
Threat Entry Updated 2024-11-21

CVE-2024-10316 - Elementor Widgets Plugin

The Stratum – Elementor Widgets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.4 in includes/templates/content-switcher.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.

PLUGIN Elementor Widgets

CVE-2024-10316

MEDIUM CVSS 4.3 2024-11-21
Threat Entry Updated 2024-11-21

CVE-2024-11154 - Approve And Schedule Content Changes Plugin

The PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.15 via the 'actAjaxRevisionDiffs' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including revisions of posts and pages.

PLUGIN Approve And Schedule Content Changes

CVE-2024-11154

MEDIUM CVSS 4.3 2024-11-20