Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 5801-5820 of 10866 records
Threat Entry Updated 2024-09-18

CVE-2024-7727 - Html5 Video Player Plugin

The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions called via the 'h5vp_ajax_handler' ajax action in all versions up to, and including, 2.5.32. This makes it possible for unauthenticated attackers to call these functions to manipulate data.

PLUGIN Html5 Video Player

CVE-2024-7727

MEDIUM CVSS 5.3 2024-09-11
Threat Entry Updated 2024-09-18

CVE-2024-7721 - Html5 Video Player Plugin

The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_password' function in all versions up to, and including, 2.5.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to set any options that are not explicitly checked as false to an array, including enabling user registration if it has been disabled.

PLUGIN Html5 Video Player

CVE-2024-7721

MEDIUM CVSS 4.3 2024-09-11
Threat Entry Updated 2024-09-26

CVE-2024-6282 - Master Addons Plugin

The Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-jltma-wrapper-link element in all versions up to, and including, 2.0.6.4 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks on the injected link.

PLUGIN Master Addons

CVE-2024-6282

MEDIUM CVSS 5.4 2024-09-10
Threat Entry Updated 2024-09-26

CVE-2024-8369 - Eventprime Plugin

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access to Private or Password-protected events due to missing authorization checks in all versions up to, and including, 4.0.4.3. This makes it possible for unauthenticated attackers to view private or password-protected events.

PLUGIN Eventprime

CVE-2024-8369

MEDIUM CVSS 5.3 2024-09-10
Threat Entry Updated 2024-09-27

CVE-2024-8543 - Slider Comparison Image Before And After Plugin

The Slider comparison image before and after plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [sciba] shortcode in all versions up to, and including, 0.8.3 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Slider Comparison Image Before And After

CVE-2024-8543

MEDIUM CVSS 6.4 2024-09-10
Threat Entry Updated 2024-09-26

CVE-2024-8241 - Nova Blocks Plugin

The Nova Blocks by Pixelgrade plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' attribute of the 'wp:separator' Gutenberg block in all versions up to, and including, 2.1.7 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Nova Blocks

CVE-2024-8241

MEDIUM CVSS 6.4 2024-09-10
Threat Entry Updated 2024-09-26

CVE-2023-2919 - Tutor Plugin

The Tutor LMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.4. This is due to missing or incorrect nonce validation on the 'addon_enable_disable' function. This makes it possible for unauthenticated attackers to enable or disable addons via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Tutor

CVE-2023-2919

MEDIUM CVSS 4.3 2024-09-10
Threat Entry Updated 2024-09-19

CVE-2024-7655 - Peepso Plugin

The Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 6.4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Peepso

CVE-2024-7655

MEDIUM CVSS 4.4 2024-09-10
Threat Entry Updated 2024-09-19

CVE-2024-7618 - Peepso Plugin

The Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'content' parameter in all versions up to, and including, 6.4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Peepso

CVE-2024-7618

MEDIUM CVSS 4.4 2024-09-10
Threat Entry Updated 2025-05-16

CVE-2024-7955 - Before 3 Plugin

The Starbox WordPress plugin before 3.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 3

CVE-2024-7955

MEDIUM CVSS 4.8 2024-09-10
Threat Entry Updated 2025-05-16

CVE-2024-7891 - Floating Contact Button Plugin

The Floating Contact Button WordPress plugin before 2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN Floating Contact Button

CVE-2024-7891

MEDIUM CVSS 4.8 2024-09-10
Threat Entry Updated 2024-10-07

CVE-2024-7688 - Azindex Plugin

The AZIndex WordPress plugin through 0.8.1 does not have CSRF checks in some places, which could allow attackers to make a logged-in admin delete arbitrary indexes via a CSRF attack.

PLUGIN Azindex

CVE-2024-7688

MEDIUM CVSS 6.5 2024-09-09
Threat Entry Updated 2024-10-07

CVE-2024-7918 - Pocket Widget Plugin

The Pocket Widget WordPress plugin through 0.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Pocket Widget

CVE-2024-7918

MEDIUM CVSS 4.8 2024-09-09
Threat Entry Updated 2024-10-07

CVE-2024-6910 - Before 2 Plugin

The EventON WordPress plugin before 2.2.17 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN Before 2

CVE-2024-6910

MEDIUM CVSS 4.8 2024-09-09
Threat Entry Updated 2024-10-07

CVE-2024-7689 - Snapshot Backup Plugin

The Snapshot Backup WordPress plugin through 2.1.1 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

PLUGIN Snapshot Backup

CVE-2024-7689

MEDIUM CVSS 4.3 2024-09-09
Threat Entry Updated 2024-10-07

CVE-2024-7687 - Azindex Plugin

The AZIndex WordPress plugin through 0.8.1 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

PLUGIN Azindex

CVE-2024-7687

MEDIUM CVSS 4.3 2024-09-09
Threat Entry Updated 2024-10-07

CVE-2024-5561 - Before 1 Plugin

The Popup Maker WordPress plugin before 1.19.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 1

CVE-2024-5561

MEDIUM CVSS 4.8 2024-09-09
Threat Entry Updated 2024-09-11

CVE-2024-6859 - Wp Multitasking Plugin

The WP MultiTasking WordPress plugin through 0.1.12 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Wp Multitasking

CVE-2024-6859

MEDIUM CVSS 5.4 2024-09-08
Threat Entry Updated 2024-09-11

CVE-2024-6925 - Before 1 Plugin

The TrueBooker WordPress plugin before 1.0.3 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

PLUGIN Before 1

CVE-2024-6925

MEDIUM CVSS 4.3 2024-09-08
Threat Entry Updated 2024-09-11

CVE-2024-6856 - Wp Multitasking Plugin

The WP MultiTasking WordPress plugin through 0.1.12 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

PLUGIN Wp Multitasking

CVE-2024-6856

MEDIUM CVSS 4.3 2024-09-08