
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Filter: Medium severity only (10,866 of 10,866 records match). Showing 5841-5860 of 10,866 records.
Threat Entry Updated 2024-09-11

CVE-2024-5309 - Form Vibes Plugin

The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the fv_export_csv, reset_settings, save_settings, save_columns_settings, get_analytics_data, get_event_logs_data, delete_submissions, and get_submissions functions in all versions up to, and including, 1.4.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform multiple unauthorized actions. NOTE: This vulnerability is partially fixed in version 1.4.12.

PLUGIN Form Vibes

CVE-2024-5309

MEDIUM CVSS 5.4 2024-09-05
Threat Entry Updated 2024-09-11

CVE-2024-6835 - Ivory Search Plugin

The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.5.6 via the ajax_load_posts function. This makes it possible for unauthenticated attackers to extract text data from password-protected posts using a boolean-based attack on the AJAX search form: the search matches against the protected content and reveals, through whether a result is returned, whether a guessed string appears in it.

PLUGIN Ivory Search

CVE-2024-6835

MEDIUM CVSS 5.3 2024-09-05
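The boolean-based extraction described for CVE-2024-6835 turns a search endpoint that matches against protected content into a one-bit oracle. The following is an added illustration in plain PHP, not the Ivory Search plugin's code: it models the search endpoint as an in-memory function over a constructed post table (WordPress would run a WP_Query with a LIKE clause against wp_posts) and drives it prefix by prefix, then shows the hardened variant that skips password-protected posts before matching. The `search_vulnerable`, `search_hardened` and `extract_via_oracle` names and the sample posts are assumptions made for the example.

```php
<?php
// Added example (not plugin code). Constructed in-memory "posts" table; in
// WordPress this would be a query over wp_posts with post_password set on
// protected posts.
$posts = [
    ['title' => 'Hello world', 'content' => 'Welcome to the blog.',  'password' => ''],
    ['title' => 'Q3 results',  'content' => 'Revenue target: 4.2M', 'password' => 'hunter2'],
];

// Vulnerable model: answers "does ANY post body contain $needle?" without
// considering whether the post is password-protected. That yes/no answer is
// the boolean oracle. (Real WP search is case-insensitive LIKE matching, which
// only makes the attacker's alphabet smaller.)
function search_vulnerable(array $posts, string $needle): bool {
    foreach ($posts as $p) {
        if ($needle !== '' && strpos($p['content'], $needle) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened model: password-protected posts never take part in matching, so the
// oracle cannot be driven over their content. In WordPress terms: exclude posts
// for which post_password_required() is true before searching their content.
function search_hardened(array $posts, string $needle): bool {
    foreach ($posts as $p) {
        if ($p['password'] !== '') {
            continue;
        }
        if ($needle !== '' && strpos($p['content'], $needle) !== false) {
            return true;
        }
    }
    return false;
}

// Attacker loop: starting from a guessed seed, append one candidate character
// at a time and keep the first one the oracle confirms. Each accepted character
// costs at most |alphabet| requests; the loop stops when no candidate extends
// the known prefix.
function extract_via_oracle(callable $oracle, string $seed, int $max_len = 64): string {
    $alphabet = array_merge(range('a', 'z'), range('A', 'Z'), range('0', '9'), [' ', ':', '.', ',']);
    $known = $seed;
    while (strlen($known) < $max_len) {
        $extended = false;
        foreach ($alphabet as $ch) {
            if ($oracle($known . $ch)) {
                $known   .= $ch;
                $extended = true;
                break;
            }
        }
        if (!$extended) {
            break;
        }
    }
    return $known;
}

// Demonstration: the attacker guesses that a protected post starts with "Revenue".
$oracle_vuln  = fn(string $q): bool => search_vulnerable($posts, $q);
$oracle_fixed = fn(string $q): bool => search_hardened($posts, $q);

echo "vulnerable: " . extract_via_oracle($oracle_vuln, 'Revenue') . PHP_EOL;
echo "hardened:   " . extract_via_oracle($oracle_fixed, 'Revenue') . PHP_EOL;
```

Against the vulnerable oracle the loop recovers the rest of the protected sentence from the seed alone; against the hardened one the seed never grows, because the only post containing it is excluded before matching. The fix belongs in the query, not in the rendering: stripping protected content from the displayed results while still matching against it leaves the oracle intact.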
Threat Entry Updated 2024-10-07

CVE-2024-7870 - Pixelyoursite Plugin

The PixelYourSite – Your smart PIXEL (TAG) & API Manager and the PixelYourSite PRO plugins for WordPress are vulnerable to Sensitive Information Exposure in all versions up to, and including, 9.7.1 and 10.4.2, respectively, through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files, and to delete log files.

PLUGIN Pixelyoursite

CVE-2024-7870

MEDIUM CVSS 6.5 2024-09-04
Threat Entry Updated 2024-10-05

CVE-2024-8318 - Attributes For Blocks Plugin

The Attributes for Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘attributesForBlocks’ parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Attributes For Blocks

CVE-2024-8318

MEDIUM CVSS 6.4 2024-09-04
Threat Entry Updated 2024-09-06

CVE-2024-8123 - Wp Extended Plugin

The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.0.8 via the duplicate_post function due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate posts written by other authors, including admins. This includes the ability to duplicate password-protected posts, which reveals their contents.

PLUGIN Wp Extended

CVE-2024-8123

MEDIUM CVSS 5.4 2024-09-04
Threat Entry Updated 2024-09-05

CVE-2024-8106 - Wp Extended Plugin

The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.8 via the download_user_ajax function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including usernames, hashed passwords, and emails.

PLUGIN Wp Extended

CVE-2024-8106

MEDIUM CVSS 6.5 2024-09-04
Threat Entry Updated 2024-09-06

CVE-2024-8119 - Wp Extended Plugin

The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in all versions up to, and including, 3.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Wp Extended

CVE-2024-8119

MEDIUM CVSS 6.1 2024-09-04
Threat Entry Updated 2024-09-06

CVE-2024-8117 - Wp Extended Plugin

The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘selected_option’ parameter in all versions up to, and including, 3.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Wp Extended

CVE-2024-8117

MEDIUM CVSS 6.1 2024-09-04
Threat Entry Updated 2024-09-06

CVE-2024-8121 - Wp Extended Plugin

The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to unauthorized modification of user names due to a missing capability check on the wpext_change_admin_name() function in all versions up to, and including, 3.0.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change an admin's username to a username of their liking, as long as the default 'admin' username was in use.

PLUGIN Wp Extended

CVE-2024-8121

MEDIUM CVSS 5.4 2024-09-04
Threat Entry Updated 2024-10-07

CVE-2024-8325 - Blockspare Plugin

The Blockspare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites – Post Grids, Sliders, Carousels, Counters, Page Builder & Starter Site Imports, No Coding Needed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in the ‘blockspare_render_social_sharing_block’ function in all versions up to, and including, 3.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Blockspare

CVE-2024-8325

MEDIUM CVSS 6.4 2024-09-04
Threat Entry Updated 2024-10-07

CVE-2024-6020 - Sign Up Sheets Plugin

The Sign-up Sheets WordPress plugin before 2.2.13 does not escape some generated URLs, as well as the $_SERVER['REQUEST_URI'] parameter before outputting them back in attributes, which could lead to Reflected Cross-Site Scripting.

PLUGIN Sign Up Sheets

CVE-2024-6020

MEDIUM CVSS 6.1 2024-09-04
Threat Entry Updated 2024-10-07

CVE-2024-7786 - Sensei LMS Plugin

The Sensei LMS WordPress plugin before 4.24.2 does not properly protect some of its REST API routes, allowing unauthenticated attackers to leak email templates.

PLUGIN Sensei LMS

CVE-2024-7786

MEDIUM CVSS 5.3 2024-09-04
Threat Entry Updated 2024-10-07

CVE-2024-6889 - Secure Copy Content Protection And Content Locking Plugin

The Secure Copy Content Protection and Content Locking WordPress plugin before 4.1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Secure Copy Content Protection And Content Locking

CVE-2024-6889

MEDIUM CVSS 4.8 2024-09-04
Threat Entry Updated 2024-10-07

CVE-2024-6888 - Secure Copy Content Protection And Content Locking Plugin

The Secure Copy Content Protection and Content Locking WordPress plugin before 4.1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Secure Copy Content Protection And Content Locking

CVE-2024-6888

MEDIUM CVSS 4.8 2024-09-04
Threat Entry Updated 2024-10-07

CVE-2024-6722 - Chatbot Support Ai Plugin

The Chatbot Support AI: Free ChatGPT Chatbot, Woocommerce Chatbot WordPress plugin through 1.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Chatbot Support Ai

CVE-2024-6722

MEDIUM CVSS 4.8 2024-09-04
Threat Entry Updated 2024-10-04

CVE-2024-7692 - Flaming Forms Plugin

The Flaming Forms WordPress plugin through 1.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Flaming Forms

CVE-2024-7692

MEDIUM CVSS 6.1 2024-09-02
Threat Entry Updated 2024-10-04

CVE-2024-7691 - Flaming Forms Plugin

The Flaming Forms WordPress plugin through 1.0.1 does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks against administrators.

PLUGIN Flaming Forms

CVE-2024-7691

MEDIUM CVSS 6.1 2024-09-02
Threat Entry Updated 2024-10-04

CVE-2024-7354 - Ninja Forms Plugin

The Ninja Forms WordPress plugin before 3.8.11 does not escape a URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Ninja Forms

CVE-2024-7354

MEDIUM CVSS 6.1 2024-09-02
Threat Entry Updated 2024-10-07

CVE-2024-7690 - Dn Popup Plugin

The DN Popup WordPress plugin through 1.2.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

PLUGIN Dn Popup

CVE-2024-7690

MEDIUM CVSS 4.3 2024-09-02
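Several entries on this page are the same mistake in different plugins: an admin-ajax action that checks nothing beyond "the caller is logged in" (CVE-2024-5309, CVE-2024-8121), an action that takes an object ID from the request without checking the caller's rights on that object (CVE-2024-8123), a settings update with no CSRF protection (CVE-2024-7690), and a request parameter echoed into an admin page without escaping (CVE-2024-8119, CVE-2024-8117). The following is an added illustration of the corresponding checks, not code from any plugin listed here. It assumes it is loaded inside WordPress (the wp_ajax_* hooks, check_ajax_referer, current_user_can, wp_send_json_*, wp_create_nonce and the esc_* functions are WordPress core); the `acme_*` action and function names, the `post_id`, `nonce` and `value` request fields, and the `acme_setting` option are hypothetical.

```php
<?php
// Added example (not plugin code). Hypothetical plugin prefix "acme".

// Vulnerable shape: reachable by any logged-in user, object ID taken from the
// request with no ownership check, no nonce. This is what the IDOR and
// missing-capability entries above look like.
function acme_duplicate_post_vulnerable() {
    $source = get_post((int) ($_POST['post_id'] ?? 0));
    if (!$source) {
        wp_send_json_error(['message' => 'not found'], 404);
    }
    $new_id = wp_insert_post([
        'post_title'   => $source->post_title . ' (copy)',
        'post_content' => $source->post_content, // copies password-protected content into an unprotected draft
        'post_status'  => 'draft',
    ]);
    wp_send_json_success(['new_id' => $new_id]);
}

// Hardened shape: nonce (CSRF), then a per-object capability check (IDOR),
// then the action.
function acme_duplicate_post_hardened() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    //    check_ajax_referer() ends the request with HTTP 400 / -1 if it is missing or stale.
    check_ajax_referer('acme_duplicate_post', 'nonce');

    // 2. Authorization on the object, not just on the role: edit_post is a meta
    //    capability that WordPress resolves per post, so a Contributor can only
    //    duplicate their own drafts, never another author's or an admin's posts.
    $post_id = absint($_POST['post_id'] ?? 0);
    if (!$post_id || !current_user_can('edit_post', $post_id)) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }
    $source = get_post($post_id);
    if (!$source) {
        wp_send_json_error(['message' => 'not found'], 404);
    }

    // 3. Preserve the protection on the copy and attribute it to the caller.
    $new_id = wp_insert_post([
        'post_title'    => $source->post_title . ' (copy)',
        'post_content'  => $source->post_content,
        'post_password' => $source->post_password,
        'post_status'   => 'draft',
        'post_author'   => get_current_user_id(),
    ], true);
    if (is_wp_error($new_id)) {
        wp_send_json_error(['message' => $new_id->get_error_message()], 500);
    }
    wp_send_json_success(['new_id' => $new_id]);
}
add_action('wp_ajax_acme_duplicate_post', 'acme_duplicate_post_hardened');
// Deliberately no wp_ajax_nopriv_ hook: unauthenticated callers get nothing.

// Site-wide actions (settings, exports, log deletion) gate on a site-level
// capability. "Logged in" is what wp_ajax_ already gives you; it is not authorization.
function acme_save_settings() {
    check_ajax_referer('acme_save_settings', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }
    $value = sanitize_text_field(wp_unslash($_POST['value'] ?? ''));
    update_option('acme_setting', $value);
    wp_send_json_success();
}
add_action('wp_ajax_acme_save_settings', 'acme_save_settings');

// The nonce reaches the browser with the script that makes the request; a
// cross-site page cannot read it, which is what defeats the CSRF case.
function acme_enqueue_admin_script() {
    wp_enqueue_script('acme-admin', plugins_url('admin.js', __FILE__), ['jquery'], '1.0', true);
    wp_localize_script('acme-admin', 'acmeAjax', [
        'url'    => admin_url('admin-ajax.php'),
        'nonces' => [
            'duplicate' => wp_create_nonce('acme_duplicate_post'),
            'settings'  => wp_create_nonce('acme_save_settings'),
        ],
    ]);
}
add_action('admin_enqueue_scripts', 'acme_enqueue_admin_script');

// Reflected parameter on an admin screen: constrain the value and escape at the
// point of output. The commented line is the vulnerable shape.
function acme_render_tab_link() {
    $page = isset($_GET['page']) ? sanitize_key($_GET['page']) : 'acme';
    // Vulnerable: echo '<a href="?page=' . $_GET['page'] . '">Settings</a>';
    echo '<a href="' . esc_url(add_query_arg('page', $page, admin_url('admin.php'))) . '">'
        . esc_html__('Settings', 'acme') . '</a>';
}
```

Two points worth checking when reviewing a plugin against this list: a nonce alone is not authorization (a Subscriber can obtain a valid nonce for any action the page hands out, so CVE-2024-5309-style bugs survive a nonce-only fix), and a role check alone is not object authorization (a Contributor legitimately has edit_posts, which says nothing about whose post is being edited, which is the CVE-2024-8123 case).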