
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 10,866 (Critical 0, High 0, Medium 10,866). Showing 5581-5600 of 10,866 records.
Threat Entry Updated 2024-10-10

CVE-2024-8433 - Themehunk Megamenu Plus Plugin

The Easy Mega Menu Plugin for WordPress – ThemeHunk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'themehunk_megamenu_bg_image' parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Please note that this was partially fixed in 1.1.0 due to the missing authorization protection that was added.

PLUGIN Themehunk Megamenu Plus

CVE-2024-8433

MEDIUM CVSS 6.4 2024-10-08
Threat Entry Updated 2024-10-10

CVE-2024-8629 - Multicurrency With Wpml Plugin

The WooCommerce Multilingual & Multicurrency with WPML plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 5.3.7. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Multicurrency With Wpml

CVE-2024-8629

MEDIUM CVSS 6.1 2024-10-08
Threat Entry Updated 2025-12-05

CVE-2024-8964 - Sirv Plugin

The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 7.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Sirv

CVE-2024-8964

MEDIUM CVSS 6.4 2024-10-08
Threat Entry Updated 2024-10-10

CVE-2024-9292 - Bridge Core Plugin

The Bridge Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'formforall' shortcode in versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Bridge Core

CVE-2024-9292

MEDIUM CVSS 6.4 2024-10-08
Threat Entry Updated 2025-06-09

CVE-2024-9021 - Relevanssi Plugin

In the process of testing the Relevanssi WordPress plugin before 4.23.1, a vulnerability was found that allows a Contributor+ user to perform Stored XSS by embedding a malicious script, which could lead to account takeover or a backdoor.

PLUGIN Relevanssi

CVE-2024-9021

MEDIUM CVSS 5.4 2024-10-08
Threat Entry Updated 2025-09-30

CVE-2024-8983 - Custom Twitter Feeds Plugin

Custom Twitter Feeds WordPress plugin before 2.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Custom Twitter Feeds

CVE-2024-8983

MEDIUM CVSS 4.8 2024-10-08
Threat Entry Updated 2024-10-07

CVE-2024-47368 - WordPress Core

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Leap13 Premium Blocks – Gutenberg Blocks for WordPress allows Stored XSS. This issue affects Premium Blocks – Gutenberg Blocks for WordPress: from n/a through 2.1.33.

CORE WordPress Core

CVE-2024-47368

MEDIUM CVSS 6.5 2024-10-06
Threat Entry Updated 2024-10-07

CVE-2024-47647 - WordPress Core

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in HelpieWP Accordion & FAQ – Helpie WordPress Accordion FAQ Plugin allows Stored XSS. This issue affects Accordion & FAQ – Helpie WordPress Accordion FAQ Plugin: from n/a through 1.27.

CORE WordPress Core

CVE-2024-47647

MEDIUM CVSS 5.9 2024-10-05
Threat Entry Updated 2025-01-29

CVE-2024-9161 - Seo Plugin

The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'update_metadata' function in all versions up to, and including, 1.0.228. This makes it possible for unauthenticated attackers to insert new and update existing metadata beginning with 'rank_math', and delete arbitrary existing user metadata and term metadata. Deleting existing usermeta can cause a loss of access to the administrator dashboard for any registered users, including Administrators.

PLUGIN Seo

CVE-2024-9161

MEDIUM CVSS 6.5 2024-10-05
Threat Entry Updated 2025-02-27

CVE-2024-9417 - Hash Form Plugin

The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to limited file uploads due to a misconfigured file type validation in the 'handleUpload' function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to upload files that are excluded from both the 'allowedExtensions' and 'unallowed_extensions' arrays on the affected site's server, including files that may contain cross-site scripting.

PLUGIN Hash Form

CVE-2024-9417

MEDIUM CVSS 6.1 2024-10-05
Threat Entry Updated 2025-05-22

CVE-2024-8486 - Shortcodes And Extra Features For Phlox Theme

The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' parameter in the Modern Heading and Icon Picker widgets in all versions up to, and including, 2.16.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Shortcodes And Extra Features For Phlox Theme

CVE-2024-8486

MEDIUM CVSS 6.4 2024-10-05
Threat Entry Updated 2024-10-07

CVE-2024-8743 - Open Source File Manager And Code Editor For Wordpress Plugin

The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to Limited JavaScript File Upload in all versions up to, and including, 6.5.7. This is due to a lack of proper checks on allowed file types. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an administrator, to upload .css and .js files, which could lead to Stored Cross-Site Scripting.

PLUGIN Open Source File Manager And Code Editor For Wordpress

CVE-2024-8743

MEDIUM CVSS 6.8 2024-10-05
Threat Entry Updated 2025-02-06

CVE-2024-9528 - Contact Form Plugin

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form label fields in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with access to edit forms (administrator by default), to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Contact Form

CVE-2024-9528

MEDIUM CVSS 4.9 2024-10-05
Threat Entry Updated 2024-10-07

CVE-2024-9455 - Wp Cleanup And Basic Functions Plugin

The WP Cleanup and Basic Functions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Wp Cleanup And Basic Functions

CVE-2024-9455

MEDIUM CVSS 6.4 2024-10-05
Threat Entry Updated 2025-02-07

CVE-2024-9385 - Builder Plugin

The Themify Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 7.6.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Builder

CVE-2024-9385

MEDIUM CVSS 6.1 2024-10-05
Threat Entry Updated 2026-02-17

CVE-2024-8499 - Checkout Field Editor For Woocommerce Plugin

The Checkout Field Editor (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘render_review_request_notice’ function in all versions up to, and including, 2.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Checkout Field Editor For Woocommerce

CVE-2024-8499

MEDIUM CVSS 4.7 2024-10-04
Threat Entry Updated 2024-10-08

CVE-2024-9271 - Rewp Plugin

The Re:WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Rewp

CVE-2024-9271

MEDIUM CVSS 6.4 2024-10-04
Threat Entry Updated 2024-10-08

CVE-2024-9071 - Easy Demo Importer Plugin

The Easy Demo Importer – A Modern One-Click Demo Import Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Easy Demo Importer

CVE-2024-9071

MEDIUM CVSS 6.4 2024-10-04
Threat Entry Updated 2024-10-08

CVE-2024-9435 - Shiftcontroller Plugin

The ShiftController Employee Shift Scheduling plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL keys in all versions up to, and including, 4.9.66 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Shiftcontroller

CVE-2024-9435

MEDIUM CVSS 6.1 2024-10-04
Threat Entry Updated 2024-10-08

CVE-2024-9306 - Wp Booking Calendar Plugin

The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 10.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. In addition, site administrators have the option to grant lower-level users with access to manage the plugin's…

PLUGIN Wp Booking Calendar

CVE-2024-9306

MEDIUM CVSS 4.4 2024-10-04