Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-01-17
CVE-2024-10854 - Buy One Click Woocommerce Plugin
The Buy one click WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the buy_one_click_import_options AJAX action in all versions up to, and including, 2.2.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import plugin settings.
PLUGIN
Buy One Click Woocommerce
CVE-2024-10854
Risk Score
Threat Entry
Updated 2025-01-17
CVE-2024-10853 - Buy One Click Woocommerce Plugin
The Buy one click WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the removeorder AJAX action in all versions up to, and including, 2.2.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete Buy one click WooCommerce orders.
PLUGIN
Buy One Click Woocommerce
CVE-2024-10853
Risk Score
Threat Entry
Updated 2024-11-13
CVE-2024-10852 - Buy One Click Woocommerce Plugin
The Buy one click WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the buy_one_click_export_options AJAX action in all versions up to, and including, 2.2.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export plugin settings.
PLUGIN
Buy One Click Woocommerce
CVE-2024-10852
Risk Score
Threat Entry
Updated 2025-07-11
CVE-2024-10717 - Styler For Ninja Forms Plugin
The Styler for Ninja Forms plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the deactivate_license function in all versions up to, and including, 3.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users. Note: This issue can also be…
PLUGIN
Styler For Ninja Forms
CVE-2024-10717
Risk Score
Threat Entry
Updated 2025-01-17
CVE-2024-10850 - Razorpay Payment Button Plugin
The Razorpay Payment Button Elementor Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Razorpay Payment Button
CVE-2024-10850
Risk Score
Threat Entry
Updated 2025-07-09
CVE-2024-10778 - Buddybuilder Plugin
The BuddyPress Builder for Elementor – BuddyBuilder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.4 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts crated by Elementor that they should not have access to.
PLUGIN
Buddybuilder
CVE-2024-10778
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-10577 - Fat Rat Collect Plugin
The 胖鼠采集(Fat Rat Collect) 微信知乎简书腾讯新闻列表分页采集, 还有自动采集、自动发布、自动标签、等多项功能。开源插件 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to missing escaping on a URL in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Fat Rat Collect
CVE-2024-10577
Risk Score
Threat Entry
Updated 2024-11-13
CVE-2024-10038 - Wp Strava Plugin
The WP-Strava plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.12.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Wp Strava
CVE-2024-10038
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-10323 - Jetwidgets For Elementor Plugin
The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.0.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Jetwidgets For Elementor
CVE-2024-10323
Risk Score
Threat Entry
Updated 2024-11-12
CVE-2024-10179 - Slick Engagement Plugin
The Slickstream: Engagement and Conversions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's slick-grid shortcode in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Slick Engagement
CVE-2024-10179
Risk Score
Threat Entry
Updated 2024-11-12
CVE-2024-9357 - Xili Tidy Tags Plugin
The xili-tidy-tags plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'action' parameter in all versions up to, and including, 1.12.04 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Xili Tidy Tags
CVE-2024-9357
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-9836 - Rss Feed Widget Plugin
The RSS Feed Widget WordPress plugin before 3.0.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
Rss Feed Widget
CVE-2024-9836
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-9835 - Rss Feed Widget Plugin
The RSS Feed Widget WordPress plugin before 3.0.1 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers
PLUGIN
Rss Feed Widget
CVE-2024-9835
Risk Score
Threat Entry
Updated 2024-11-12
CVE-2024-10790 - Admin Site Enhancements Plugin
The Admin and Site Enhancements (ASE) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 7.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. This feature must be enabled, and for specific roles in order to be exploitable.
PLUGIN
Admin Site Enhancements
CVE-2024-10790
Risk Score
Threat Entry
Updated 2024-11-14
CVE-2024-10685 - Contact Form 7 Redirect Thank You Page Plugin
The Contact Form 7 Redirect & Thank You Page plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Contact Form 7 Redirect Thank You Page
CVE-2024-10685
Risk Score
Threat Entry
Updated 2024-11-14
CVE-2024-10695 - Futurio Extra Plugin
The Futurio Extra plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.0.13 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts that they should not have access to.
PLUGIN
Futurio Extra
CVE-2024-10695
Risk Score
Threat Entry
Updated 2024-11-14
CVE-2024-10538 - Happy Addons For Elementor Plugin
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the before_label parameter in the Image Comparison widget in all versions up to, and including, 3.12.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Happy Addons For Elementor
CVE-2024-10538
Risk Score
Threat Entry
Updated 2024-11-14
CVE-2024-10265 - Form Maker Plugin
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.15.30. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Form Maker
CVE-2024-10265
Risk Score
Threat Entry
Updated 2024-11-12
CVE-2024-10837 - Customize My Account For Woocommerce Plugin
The SysBasics Customize My Account for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘tab’ parameter in all versions up to, and including, 2.7.29 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Customize My Account For Woocommerce
CVE-2024-10837
Risk Score
Threat Entry
Updated 2025-01-29
CVE-2024-10352 - Magical Addons For Elementor Plugin
The Magical Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.4 via the get_content_type function in includes/widgets/content-reveal.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.
PLUGIN
Magical Addons For Elementor
CVE-2024-10352
Risk Score