Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-05-29
CVE-2024-8437 - Wp Easy Gallery Plugin
The WP Easy Gallery – WordPress Gallery Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions hooked via AJAX like wpeg_settings and wpeg_add_gallery in all versions up to, and including, 4.8.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify galleries.
PLUGIN
Wp Easy Gallery
CVE-2024-8437
Risk Score
Threat Entry
Updated 2025-08-26
CVE-2024-8267 - Radio Player Plugin
The Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' attribute within the 'wp:radio-player' Gutenberg block in all versions up to, and including, 2.0.78 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Radio Player
CVE-2024-8267
Risk Score
Threat Entry
Updated 2024-09-30
CVE-2024-8103 - Wp Category Dropdown Plugin
The WP Category Dropdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' parameter in all versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Category Dropdown
CVE-2024-8103
Risk Score
Threat Entry
Updated 2024-09-26
CVE-2024-8794 - Ba Book Everything Plugin
The BA Book Everything plugin for WordPress is vulnerable to arbitrary password reset in all versions up to, and including, 1.6.20. This is due to the reset_user_password() function not verifying a user's identity prior to setting a password. This makes it possible for unauthenticated attackers to reset any user's passwords, including administrators. It's important to note that the attacker will not have access to the generated password, therefore, privilege escalation is not possible.
PLUGIN
Ba Book Everything
CVE-2024-8794
Risk Score
Threat Entry
Updated 2024-09-26
CVE-2024-8628 - Mailoptin Plugin
The Popup, Optin Form & Email Newsletters for Mailchimp, HubSpot, AWeber – MailOptin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'post-meta' shortcode in all versions up to, and including, 1.2.70.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Mailoptin
CVE-2024-8628
Risk Score
Threat Entry
Updated 2024-09-26
CVE-2024-8738 - Seriously Simple Stats Plugin
The Seriously Simple Stats plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.6.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Seriously Simple Stats
CVE-2024-8738
Risk Score
Threat Entry
Updated 2024-09-26
CVE-2024-8716 - Xt Ajax Add To Cart For Woocommerce Plugin
The XT Ajax Add To Cart for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Xt Ajax Add To Cart For Woocommerce
CVE-2024-8716
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-8662 - Koko Analytics Plugin
The Koko Analytics plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.3.12. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Koko Analytics
CVE-2024-8662
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-8657 - Garden Gnome Package Plugin
The Garden Gnome Package plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ggpkg shortcode in all versions up to, and including, 2.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Garden Gnome Package
CVE-2024-8657
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-8544 - Pixel Cat Plugin
The Pixel Cat – Conversion Pixel Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.0.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Pixel Cat
CVE-2024-8544
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-8432 - Webba Booking Plugin
The Appointment & Event Booking Calendar Plugin – Webba Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_appearance() function in all versions up to, and including, 5.0.48. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the booking form's CSS.
PLUGIN
Webba Booking
CVE-2024-8432
Risk Score
Threat Entry
Updated 2024-10-07
CVE-2024-8758 - Before 9 Plugin
The Quiz and Survey Master (QSM) WordPress plugin before 9.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 9
CVE-2024-8758
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-8680 - Mailchimp Plugin
The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.9.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Mailchimp
CVE-2024-8680
Risk Score
Threat Entry
Updated 2024-09-25
CVE-2024-8364 - Wp Custom Fields Search Plugin
The WP Custom Fields Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpcfs-preset shortcode in all versions up to, and including, 1.2.35 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Custom Fields Search
CVE-2024-8364
Risk Score
Threat Entry
Updated 2024-09-25
CVE-2024-8850 - Mailchimp Plugin
The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email' parameter when a placeholder such as {email} is used for the field in versions 4.9.9 to 4.9.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Mailchimp
CVE-2024-8850
Risk Score
Threat Entry
Updated 2024-09-25
CVE-2024-6641 - Wp Hardening Plugin
The WP Hardening – Fix Your WordPress Security plugin for WordPress is vulnerable to Security Feature Bypass in all versions up to, and including, 1.2.6. This is due to use of an incorrect regular expression within the "Stop User Enumeration" feature. This makes it possible for unauthenticated attackers to bypass intended security restrictions and expose site usernames.
PLUGIN
Wp Hardening
CVE-2024-6641
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-8093 - Posts Reminder Plugin
The Posts reminder WordPress plugin through 0.20 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Posts Reminder
CVE-2024-8093
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-8091 - Enhanced Search Box Plugin
The Enhanced Search Box WordPress plugin through 0.6.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Enhanced Search Box
CVE-2024-8091
Risk Score
Threat Entry
Updated 2026-01-23
CVE-2024-8047 - Visual Sound Plugin
The Visual Sound (old) WordPress plugin through 1.06 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Visual Sound
CVE-2024-8047
Risk Score
Threat Entry
Updated 2024-09-30
CVE-2024-8044 - Infolinks Ad Wrap Plugin
The infolinks Ad Wrap WordPress plugin through 1.0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Infolinks Ad Wrap
CVE-2024-8044
Risk Score