Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-10-28
CVE-2024-9454 - Pripre Plugin
The PriPre plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 0.4.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Pripre
CVE-2024-9454
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2024-9613 - Formfacade Plugin
The FormFacade – WordPress plugin for Google Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'userId' and 'publishId' parameters in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Formfacade
CVE-2024-9613
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2024-9462 - Poll Maker Plugin
The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Stored Cross-Site Scripting via poll settings in all versions up to, and including, 5.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Poll Maker
CVE-2024-9462
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2024-9475 - Poll Maker Plugin
The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to generic SQL Injection via the order_by parameter in all versions up to, and including, 5.4.6 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level permissions and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Poll Maker
CVE-2024-9475
Risk Score
Threat Entry
Updated 2025-01-16
CVE-2024-10091 - Elements Kit Elementor Addons Plugin
The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Comparison Widget in all versions up to, and including, 3.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Elements Kit Elementor Addons
CVE-2024-10091
Risk Score
Threat Entry
Updated 2024-11-05
CVE-2024-9585 - Image Map Pro Plugin
The Image Map Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'save_project' function with an arbitrary shortcode in versions up to, and including, 6.0.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Image Map Pro
CVE-2024-9585
Risk Score
Threat Entry
Updated 2024-11-05
CVE-2024-9584 - Image Map Pro Plugin
The Image Map Pro plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the AJAX functions in versions up to, and including, 6.0.20. This makes it possible for authenticated attackers with contributor-level privileges or above, to add, update or delete map projects.
PLUGIN
Image Map Pro
CVE-2024-9584
Risk Score
Threat Entry
Updated 2024-10-31
CVE-2024-10374 - Wp Members Plugin
The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpmem_loginout shortcode in all versions up to, and including, 3.4.9.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Members
CVE-2024-10374
Risk Score
Threat Entry
Updated 2024-10-25
CVE-2024-8666 - Shoutcast Icecast Html5 Radio Player Plugin
The Shoutcast Icecast HTML5 Radio Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'html5radio' shortcode in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Shoutcast Icecast Html5 Radio Player
CVE-2024-8666
Risk Score
Threat Entry
Updated 2024-10-25
CVE-2024-10343 - Beek Widget Extention Plugin
The Beek Widget Extention plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 0.9.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Beek Widget Extention
CVE-2024-10343
Risk Score
Threat Entry
Updated 2024-10-25
CVE-2024-10112 - Simple News Plugin
The Simple News plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'news' shortcode in all versions up to, and including, 2.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Simple News
CVE-2024-10112
Risk Score
Threat Entry
Updated 2024-10-25
CVE-2024-10016 - File Upload Types Plugin
The File Upload Types by WPForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
File Upload Types
CVE-2024-10016
Risk Score
Threat Entry
Updated 2025-02-26
CVE-2024-9628 - Wps Telegram Chat Plugin
The WPS Telegram Chat plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Wps_Telegram_Chat_Admin::checkСonnection' function in versions up to, and including, 4.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the Telegram Bot API endpoint and communicate with it.
PLUGIN
Wps Telegram Chat
CVE-2024-9628
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2024-9630 - Wps Telegram Chat Plugin
The WPS Telegram Chat plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when accessing messages in versions up to, and including, 4.5.4. This makes it possible for unauthenticated attackers to view the messages that are sent through the Telegram Bot API.
PLUGIN
Wps Telegram Chat
CVE-2024-9630
Risk Score
Threat Entry
Updated 2024-11-05
CVE-2024-10341 - League Of Legends Shortcodes Plugin
The League of Legends Shortcodes plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 1.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
League Of Legends Shortcodes
CVE-2024-10341
Risk Score
Threat Entry
Updated 2024-11-05
CVE-2024-10342 - League Of Legends Shortcodes Plugin
The League of Legends Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
League Of Legends Shortcodes
CVE-2024-10342
Risk Score
Threat Entry
Updated 2024-11-05
CVE-2024-10150 - Button Generator Plugin
The Bamazoo – Button Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's dgs shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Button Generator
CVE-2024-10150
Risk Score
Threat Entry
Updated 2024-11-05
CVE-2024-9607 - 10web Social Post Feed Plugin
The 10Web Social Post Feed plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.9. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Please note this is only exploitable when the leave a review notice is present.
PLUGIN
10web Social Post Feed
CVE-2024-9607
Risk Score
Threat Entry
Updated 2024-11-06
CVE-2024-10148 - Awesome Buttons Plugin
The Awesome buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's btn2 shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Awesome Buttons
CVE-2024-10148
Risk Score
Threat Entry
Updated 2024-11-06
CVE-2024-9109 - Woocommerce Ups Shipping Plugin
The WooCommerce UPS Shipping – Live Rates and Access Points plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_oauth_data function in all versions up to, and including, 2.3.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's API key.
PLUGIN
Woocommerce Ups Shipping
CVE-2024-9109
Risk Score