
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 5541-5560 of 10866 records
Threat Entry Updated 2024-10-15

CVE-2024-9616 - Block Pattern Builder Plugin

The BlockMeister – Block Pattern Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.1.10. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Block Pattern Builder

CVE-2024-9616

MEDIUM CVSS 6.1 2024-10-11
Threat Entry Updated 2024-10-15

CVE-2024-9611 - Increase Upload File Size Maximum Execution Time Limit Plugin

The Increase upload file size & Maximum Execution Time limit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Increase Upload File Size Maximum Execution Time Limit

CVE-2024-9611

MEDIUM CVSS 6.1 2024-10-11
Threat Entry Updated 2024-10-15

CVE-2024-9610 - Language Switcher Plugin

The Language Switcher plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.7.13. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Language Switcher

CVE-2024-9610

MEDIUM CVSS 6.1 2024-10-11
Threat Entry Updated 2025-01-29

CVE-2024-9587 - Linkz Ai Plugin

The Linkz.ai plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_linkz' function in versions up to, and including, 1.1.8. This makes it possible for authenticated attackers with contributor-level privileges or above, to update plugin settings.

PLUGIN Linkz Ai

CVE-2024-9587

MEDIUM CVSS 5.4 2024-10-11
Threat Entry Updated 2025-01-29

CVE-2024-9586 - Linkz Ai Plugin

The Linkz.ai plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'check_auth' and 'check_logout' functions in versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to update plugin settings.

PLUGIN Linkz Ai

CVE-2024-9586

MEDIUM CVSS 6.5 2024-10-11
Threat Entry Updated 2024-10-15

CVE-2024-9543 - Powerpress Podcasting Plugin By Blubrry

The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'skipto' shortcode in all versions up to, and including, 11.9.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Powerpress Podcasting Plugin By Blubrry

CVE-2024-9543

MEDIUM CVSS 6.4 2024-10-11
Threat Entry Updated 2024-10-15

CVE-2024-9507 - Bit Form Plugin

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.15.2 due to improper input validation within the iconUpload function. This makes it possible for authenticated attackers, with Administrator-level access and above, to leverage a PHP filter chain attack and read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Bit Form

CVE-2024-9507

MEDIUM CVSS 4.9 2024-10-11
Threat Entry Updated 2025-11-25

CVE-2024-9538 - Shoplentor Plugin

The ShopLentor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.8 via the 'render' function in includes/addons/wl_faq.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft Elementor template data.

PLUGIN Shoplentor

CVE-2024-9538

MEDIUM CVSS 4.3 2024-10-11
Threat Entry Updated 2024-10-15

CVE-2024-9436 - Approve And Schedule Content Changes Plugin

The PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.5.14. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Approve And Schedule Content Changes

CVE-2024-9436

MEDIUM CVSS 6.1 2024-10-11
Threat Entry Updated 2024-10-15

CVE-2024-9346 - Video Embed Privacy Plugin

The Embed videos and respect privacy plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'v' parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Video Embed Privacy

CVE-2024-9346

MEDIUM CVSS 6.1 2024-10-11
Threat Entry Updated 2024-10-15

CVE-2024-9232 - Download Plugins And Themes In Zip From Dashboard

The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.9.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Download Plugins And Themes In Zip From Dashboard

CVE-2024-9232

MEDIUM CVSS 6.1 2024-10-11
Threat Entry Updated 2025-03-07

CVE-2024-9221 - Tainacan Plugin

The Tainacan plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 0.21.10. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Tainacan

CVE-2024-9221

MEDIUM CVSS 6.1 2024-10-11
Threat Entry Updated 2024-10-15

CVE-2024-9051 - Wp Ultimate Post Grid Plugin

The WP Ultimate Post Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpupg-grid-with-filters shortcode in all versions up to, and including, 3.9.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Ultimate Post Grid

CVE-2024-9051

MEDIUM CVSS 6.4 2024-10-11
Threat Entry Updated 2024-10-15

CVE-2024-9211 - Full Customer Plugin

The FULL – Cliente plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.1.22. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Full Customer

CVE-2024-9211

MEDIUM CVSS 6.1 2024-10-11
Threat Entry Updated 2025-02-05

CVE-2024-8913 - Plus Addons For Elementor Plugin

The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.6.11 via the render function in modules/widgets/tp_accordion.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.

PLUGIN Plus Addons For Elementor

CVE-2024-8913

MEDIUM CVSS 4.3 2024-10-11
Threat Entry Updated 2024-10-15

CVE-2024-7514 - Comments Import Export Woocommerce Plugin

The WordPress Comments Import & Export plugin for WordPress is vulnerable to arbitrary file read due to insufficient file path validation during the comments import process, in versions up to, and including, 2.3.7. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. The issue was partially fixed in version 2.3.8 and fully fixed in 2.3.9.

PLUGIN Comments Import Export Woocommerce

CVE-2024-7514

MEDIUM CVSS 6.5 2024-10-11
Threat Entry Updated 2024-10-15

CVE-2024-9520 - Userplus Plugin

The UserPlus plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.0. This makes it possible for authenticated attackers with subscriber-level permissions or above, to add, modify, or delete user meta and plugin options.

PLUGIN Userplus

CVE-2024-9520

MEDIUM CVSS 6.3 2024-10-10
Threat Entry Updated 2024-10-15

CVE-2024-9074 - Advanced Blocks Pro Plugin

The Advanced Blocks Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Advanced Blocks Pro

CVE-2024-9074

MEDIUM CVSS 6.4 2024-10-10
Threat Entry Updated 2024-10-15

CVE-2024-9067 - Youzify Plugin

The Youzify – BuddyPress Community, User Profile, Social Network & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'delete_attachment' function in all versions up to, and including, 1.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary attachments.

PLUGIN Youzify

CVE-2024-9067

MEDIUM CVSS 4.3 2024-10-10
Threat Entry Updated 2024-10-15

CVE-2024-8477 - Newsletter Smtp Email Marketing And Subscribe Plugin

The Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.87. This is due to missing or incorrect nonce validation on the Init() function. This makes it possible for unauthenticated attackers to log out of a Brevo connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Newsletter Smtp Email Marketing And Subscribe

CVE-2024-8477

MEDIUM CVSS 4.3 2024-10-10