Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-09-27
CVE-2024-8054 - Mm Breaking News Plugin
The MM-Breaking News WordPress plugin through 0.7.9 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
PLUGIN
Mm Breaking News
CVE-2024-8054
Risk Score
Threat Entry
Updated 2026-01-23
CVE-2024-7859 - Visual Sound Plugin
The Visual Sound WordPress plugin through 1.03 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Visual Sound
CVE-2024-7859
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-7820 - Ilc Thickbox Plugin
The ILC Thickbox WordPress plugin through 1.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Ilc Thickbox
CVE-2024-7820
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-7817 - Misiek Photo Album Plugin
The Misiek Photo Album WordPress plugin through 1.4.3 does not have CSRF checks in some places, which could allow attackers to make logged in users delete arbitrary albums via a CSRF attack
PLUGIN
Misiek Photo Album
CVE-2024-7817
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-7861 - Misiek Paypal Plugin
The Misiek Paypal WordPress plugin through 1.1.20090324 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
PLUGIN
Misiek Paypal
CVE-2024-7861
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-7860 - Simple Headline Rotator Plugin
The Simple Headline Rotator WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
PLUGIN
Simple Headline Rotator
CVE-2024-7860
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-7822 - Quick Code Plugin
The Quick Code WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
PLUGIN
Quick Code
CVE-2024-7822
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-7818 - Misiek Photo Album Plugin
The Misiek Photo Album WordPress plugin through 1.4.3 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
PLUGIN
Misiek Photo Album
CVE-2024-7818
Risk Score
Threat Entry
Updated 2024-09-26
CVE-2024-7816 - Gixaw Chat Plugin
The Gixaw Chat WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
PLUGIN
Gixaw Chat
CVE-2024-7816
Risk Score
Threat Entry
Updated 2024-09-13
CVE-2024-6019 - Music Request Manager Plugin
The Music Request Manager WordPress plugin through 1.3 does not sanitise and escape incoming music requests, which could allow unauthenticated users to perform Cross-Site Scripting attacks against administrators
PLUGIN
Music Request Manager
CVE-2024-6019
Risk Score
Threat Entry
Updated 2024-09-26
CVE-2024-6887 - Giveaways And Contests By Rafflepress Plugin
The Giveaways and Contests by RafflePress WordPress plugin before 1.12.16 does not sanitise and escape some of its Giveaways settings, which could allow high privilege users such as editor and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Giveaways And Contests By Rafflepress
CVE-2024-6887
Risk Score
Threat Entry
Updated 2024-09-13
CVE-2024-6018 - Music Request Manager Plugin
The Music Request Manager WordPress plugin through 1.3 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers
PLUGIN
Music Request Manager
CVE-2024-6018
Risk Score
Threat Entry
Updated 2024-09-13
CVE-2024-6017 - Music Request Manager Plugin
The Music Request Manager WordPress plugin through 1.3 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack
PLUGIN
Music Request Manager
CVE-2024-6017
Risk Score
Threat Entry
Updated 2024-09-26
CVE-2024-5799 - Cm Pop Up Banners For Plugin
The CM Pop-Up Banners for WordPress plugin before 1.7.3 does not sanitise and escape some of its popup fields, which could allow high privilege users such as Contributors to perform Cross-Site Scripting attacks.
PLUGIN
Cm Pop Up Banners For
CVE-2024-5799
Risk Score
Threat Entry
Updated 2024-09-26
CVE-2024-3163 - Easy Property Listings Plugin
The Easy Property Listings WordPress plugin before 3.5.4 does not have CSRF check when deleting contacts in bulk, which could allow attackers to make a logged in admin delete them via a CSRF attack
PLUGIN
Easy Property Listings
CVE-2024-3163
Risk Score
Threat Entry
Updated 2024-09-26
CVE-2024-5416 - Website Builder Plugin
The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the url parameter of multiple widgets in all versions up to, and including, 3.23.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in Elementor Editor pages. This was partially patched in version 3.23.2.
PLUGIN
Website Builder
CVE-2024-5416
Risk Score
Threat Entry
Updated 2024-09-25
CVE-2024-8045 - Advanced Wordpress Backgrounds Plugin
The Advanced WordPress Backgrounds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘imageTag’ parameter in all versions up to, and including, 1.12.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Advanced Wordpress Backgrounds
CVE-2024-8045
Risk Score
Threat Entry
Updated 2024-09-25
CVE-2024-8440 - Essential Addons For Elementor Plugin
The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Fancy Text widget in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Essential Addons For Elementor
CVE-2024-8440
Risk Score
Threat Entry
Updated 2024-09-25
CVE-2024-7716 - Before 3 Plugin
The Logo Slider WordPress plugin before 3.6.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 3
CVE-2024-7716
Risk Score
Threat Entry
Updated 2024-09-25
CVE-2024-3899 - Gallery Plugin For Wordpress
The Gallery Plugin for WordPress WordPress plugin before 1.8.15 does not sanitise and escape some of its image settings, which could allow users with post-writing privilege such as Author to perform Cross-Site Scripting attacks.
PLUGIN
Gallery Plugin For Wordpress
CVE-2024-3899
Risk Score