Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-10-30
CVE-2024-9231 - Wp Members Plugin
The WP-Members Membership Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.4.9.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Wp Members
CVE-2024-9231
Risk Score
Threat Entry
Updated 2024-10-29
CVE-2024-10189 - Anchor Episodes Index Plugin
The Anchor Episodes Index (Spotify for Podcasters) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's anchor_episodes shortcode in all versions up to, and including, 2.1.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Anchor Episodes Index
CVE-2024-10189
Risk Score
Threat Entry
Updated 2024-10-29
CVE-2024-9591 - Category And Taxonomy Image Plugin
The Category and Taxonomy Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_category_image' parameter in versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with editor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Category And Taxonomy Image
CVE-2024-9591
Risk Score
Threat Entry
Updated 2024-10-29
CVE-2024-9590 - Category And Taxonomy Meta Fields Plugin
The Category and Taxonomy Meta Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image meta field value in the 'wpaft_add_meta_textinput' function in versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with editor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Category And Taxonomy Meta Fields
CVE-2024-9590
Risk Score
Threat Entry
Updated 2024-10-29
CVE-2024-9589 - Category And Taxonomy Meta Fields Plugin
The Category and Taxonomy Meta Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'new_meta_name' parameter in the 'wpaft_option_page' function in versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with administrator-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Category And Taxonomy Meta Fields
CVE-2024-9589
Risk Score
Threat Entry
Updated 2024-10-25
CVE-2024-9588 - Category And Taxonomy Meta Fields Plugin
The Category and Taxonomy Meta Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the 'wpaft_option_page' function. This makes it possible for unauthenticated attackers to add and delete taxonomy meta, granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Category And Taxonomy Meta Fields
CVE-2024-9588
Risk Score
Threat Entry
Updated 2024-10-25
CVE-2024-9541 - News Kit Elementor Addons Plugin
The News Kit Elementor Addons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.1 via the render function in includes/widgets/canvas-menu/canvas-menu.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft Elementor template data.
PLUGIN
News Kit Elementor Addons
CVE-2024-9541
Risk Score
Threat Entry
Updated 2024-10-25
CVE-2024-8852 - All In One Wp Migration Plugin
The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.86 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information such as full paths contained in the exposed log files.
PLUGIN
All In One Wp Migration
CVE-2024-8852
Risk Score
Threat Entry
Updated 2024-10-25
CVE-2024-10003 - Rover Idx Plugin
The Rover IDX plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 3.0.0.2903. This makes it possible for authenticated attackers, with subscriber-level access and above, to add, modify, or delete plugin options.
PLUGIN
Rover Idx
CVE-2024-10003
Risk Score
Threat Entry
Updated 2024-10-22
CVE-2024-49627 - Wordpress Image Seo Plugin
Cross-Site Request Forgery (CSRF) vulnerability in Noor Alam WordPress Image SEO allows Cross Site Request Forgery.This issue affects WordPress Image SEO: from n/a through 1.1.4.
PLUGIN
Wordpress Image Seo
CVE-2024-49627
Risk Score
Threat Entry
Updated 2024-11-01
CVE-2024-9897 - Twitch Integration Plugin
The StreamWeasels Twitch Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sw-twitch-embed shortcode in all versions up to, and including, 1.8.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Twitch Integration
CVE-2024-9897
Risk Score
Threat Entry
Updated 2024-11-01
CVE-2024-9889 - Elementinvader Addons For Elementor Plugin
The ElementInvader Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.9 via the Page Loader widget. This makes it possible for authenticated attackers, with contributor-level access and above, to view private/draft/password protected posts, pages, and Elementor templates that they should not have access to.
PLUGIN
Elementinvader Addons For Elementor
CVE-2024-9889
Risk Score
Threat Entry
Updated 2024-11-01
CVE-2023-6243 - Eventon Pro Wordpress Virtual Event Calendar Plugin
The EventON PRO - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.8. This is due to missing or incorrect nonce validation on the admin_test_email function. This makes it possible for unauthenticated attackers to send test emails to arbitrary email addresses via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Eventon Pro Wordpress Virtual Event Calendar
CVE-2023-6243
Risk Score
Threat Entry
Updated 2024-11-01
CVE-2024-9219 - Social Share Buttons Plugin
The WordPress Social Share Buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.19. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Social Share Buttons
CVE-2024-9219
Risk Score
Threat Entry
Updated 2024-10-22
CVE-2024-9674 - Debrandify Plugin
The Debrandify · Remove or Replace WordPress Branding plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Debrandify
CVE-2024-9674
Risk Score
Threat Entry
Updated 2024-10-22
CVE-2024-9425 - Advanced Category And Custom Taxonomy Image Plugin
The Advanced Category and Custom Taxonomy Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ad_tax_image shortcode in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Advanced Category And Custom Taxonomy Image
CVE-2024-9425
Risk Score
Threat Entry
Updated 2024-10-21
CVE-2024-49231 - Wordpress Video Plugin
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Peter CyClop WordPress Video allows Stored XSS.This issue affects WordPress Video: from n/a through 1.0.
PLUGIN
Wordpress Video
CVE-2024-49231
Risk Score
Threat Entry
Updated 2024-10-21
CVE-2024-10057 - Rss Feed Widget Plugin
The RSS Feed Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's rfw-youtube-videos shortcode in all versions up to, and including, 2.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Rss Feed Widget
CVE-2024-10057
Risk Score
Threat Entry
Updated 2024-10-22
CVE-2024-10080 - Wp Easy Post Types Plugin
The WP Easy Post Types plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post meta in versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Easy Post Types
CVE-2024-10080
Risk Score
Threat Entry
Updated 2024-10-22
CVE-2024-10055 - Click To Chat Plugin
The Click to Chat – WP Support All-in-One Floating Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpsaio_snapchat shortcode in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Click To Chat
CVE-2024-10055
Risk Score