Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,866
Critical: 0
High: 0
Medium: 10,866
Showing 5361-5380 of 10866 records
Threat Entry Updated 2024-11-01

CVE-2024-10223 - Ht Team Member Plugin

The WP Team – WordPress Team Member Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's htteamember shortcode in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ht Team Member

CVE-2024-10223

MEDIUM CVSS 6.4 2024-10-30
Threat Entry Updated 2024-11-01

CVE-2024-8871 - Easy Pricing Tables Plugin

The Pricing Tables WordPress Plugin – Easy Pricing Tables plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.2.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Easy Pricing Tables

CVE-2024-8871

MEDIUM CVSS 6.1 2024-10-30
Threat Entry Updated 2024-11-01

CVE-2024-10399 - Download Monitor Plugin

The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_search_users function in all versions up to, and including, 5.0.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain usernames and emails of site users.

PLUGIN Download Monitor

CVE-2024-10399

MEDIUM CVSS 4.3 2024-10-30
Threat Entry Updated 2024-11-01

CVE-2024-9886 - Wp Baidu Map Plugin

The WP Baidu Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'baidu_map' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Baidu Map

CVE-2024-9886

MEDIUM CVSS 6.4 2024-10-30
Threat Entry Updated 2024-11-01

CVE-2024-9885 - Widget Or Sidebar Per Shortcode Plugin

The Widget or Sidebar Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sidebar' shortcode in all versions up to, and including, 0.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Widget Or Sidebar Per Shortcode

CVE-2024-9885

MEDIUM CVSS 6.4 2024-10-30
Threat Entry Updated 2024-11-01

CVE-2024-9884 - T Countdown Plugin

The T(-) Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tminus' shortcode in all versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN T Countdown

CVE-2024-9884

MEDIUM CVSS 6.4 2024-10-30
Threat Entry Updated 2024-11-06

CVE-2024-8627 - Ultimate Tinymce Plugin

The Ultimate TinyMCE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'field' shortcode in all versions up to, and including, 5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ultimate Tinymce

CVE-2024-8627

MEDIUM CVSS 6.4 2024-10-30
Threat Entry Updated 2024-11-06

CVE-2024-8792 - Subscribe To Comments Plugin

The Subscribe to Comments plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Subscribe To Comments

CVE-2024-8792

MEDIUM CVSS 6.1 2024-10-30
Threat Entry Updated 2024-11-06

CVE-2023-5816 - Code Explorer Plugin

The Code Explorer plugin for WordPress is vulnerable to arbitrary external file reading in all versions up to, and including, 1.4.5. This is due to the fact that the plugin does not restrict accessing files to those outside of the WordPress instance, though the intention of the plugin is to only access WordPress related files. This makes it possible for authenticated attackers, with administrator-level access, to read files outside of the WordPress instance.

PLUGIN Code Explorer

CVE-2023-5816

MEDIUM CVSS 4.9 2024-10-30
Threat Entry Updated 2024-11-06

CVE-2024-50459 - Aidwp Plugin

Missing Authorization vulnerability in HM Plugin WordPress Stripe Donation and Payment Plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress Stripe Donation and Payment Plugin: from n/a through 3.2.3.

PLUGIN Aidwp

CVE-2024-50459

MEDIUM CVSS 5.3 2024-10-29
Threat Entry Updated 2024-11-06

CVE-2024-50466 - Advanced Dark Mode Plugin

Cross-Site Request Forgery (CSRF) vulnerability in DarkMySite DarkMySite – Advanced Dark Mode Plugin for WordPress darkmysite allows Cross Site Request Forgery. This issue affects DarkMySite – Advanced Dark Mode Plugin for WordPress: from n/a through 1.2.8.

PLUGIN Advanced Dark Mode

CVE-2024-50466

MEDIUM CVSS 4.3 2024-10-29
Threat Entry Updated 2024-10-31

CVE-2024-9505 - Beaver Builder Plugin

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button widget in all versions up to, and including, 2.8.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Beaver Builder

CVE-2024-9505

MEDIUM CVSS 6.4 2024-10-29
Threat Entry Updated 2024-10-31

CVE-2024-10226 - Arconix Shortcodes Plugin

The Arconix Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'box' shortcode in all versions up to, and including, 2.1.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Arconix Shortcodes

CVE-2024-10226

MEDIUM CVSS 6.4 2024-10-29
Threat Entry Updated 2025-07-10

CVE-2024-10181 - Newsletters Plugin

The Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's newsletters_video shortcode in all versions up to, and including, 4.9.9.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Newsletters

CVE-2024-10181

MEDIUM CVSS 6.4 2024-10-29
Threat Entry Updated 2025-03-07

CVE-2024-10266 - Premium Addons For Elementor Plugin

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Video Box widget in all versions up to, and including, 4.10.60 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Premium Addons For Elementor

CVE-2024-10266

MEDIUM CVSS 6.4 2024-10-29
Threat Entry Updated 2025-05-28

CVE-2024-10233 - Sms Alert Order Notifications Plugin

The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sa_subscribe shortcode in all versions up to, and including, 3.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Sms Alert Order Notifications

CVE-2024-10233

MEDIUM CVSS 6.4 2024-10-29
Threat Entry Updated 2024-10-29

CVE-2024-10185 - Streamweasels Youtube Integration Plugin

The StreamWeasels YouTube Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sw-youtube-embed shortcode in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Streamweasels Youtube Integration

CVE-2024-10185

MEDIUM CVSS 6.4 2024-10-29
Threat Entry Updated 2025-01-27

CVE-2024-10360 - Move Addons For Elementor Plugin

The Move Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.5 via the render function in includes/widgets/accordion/widget.php, includes/widgets/remote-template/widget.php, and other widget.php files. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.

PLUGIN Move Addons For Elementor

CVE-2024-10360

MEDIUM CVSS 4.3 2024-10-29
Threat Entry Updated 2024-10-29

CVE-2024-10184 - Streamweasels Kick Integration Plugin

The StreamWeasels Kick Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sw-kick-embed shortcode in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Streamweasels Kick Integration

CVE-2024-10184

MEDIUM CVSS 6.4 2024-10-29