Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-09-19
CVE-2024-1384 - Auxinportfolio Plugin
The Premium Portfolio Features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'aux_recent_portfolios_grid' shortcode in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Auxinportfolio
CVE-2024-1384
Risk Score
Threat Entry
Updated 2025-04-15
CVE-2024-7895 - Beaver Builder Plugin
The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘type’ parameter in all versions up to, and including, 2.8.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Beaver Builder
CVE-2024-7895
Risk Score
Threat Entry
Updated 2025-07-11
CVE-2024-7606 - Front End Users Plugin
The Front End Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'user-search' shortcode in all versions up to, and including, 3.2.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Front End Users
CVE-2024-7606
Risk Score
Threat Entry
Updated 2024-10-04
CVE-2024-6551 - Givewp Plugin
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.15.1. This is due to the plugin utilizing Symfony and leaving display_errors on within test files. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
PLUGIN
Givewp
CVE-2024-6551
Risk Score
Threat Entry
Updated 2024-10-07
CVE-2024-7132 - Page Builder Gutenberg Blocks Plugin
The Page Builder Gutenberg Blocks WordPress plugin before 3.1.13 does not escape the content of post embed via one of its block, which could allow users with the capability to publish posts (editor and admin by default) to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Page Builder Gutenberg Blocks
CVE-2024-7132
Risk Score
Threat Entry
Updated 2024-10-07
CVE-2024-6927 - Viral Signup Plugin
The Viral Signup WordPress plugin through 2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Viral Signup
CVE-2024-6927
Risk Score
Threat Entry
Updated 2024-10-04
CVE-2024-7418 - Post Grid Plugin
The The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.7.11 via the post_query_guten and post_query functions. This makes it possible for authenticated attackers, with contributor-level access and above, to extract information from posts that are not public (i.e. draft, future, etc..).
PLUGIN
Post Grid
CVE-2024-7418
Risk Score
Threat Entry
Updated 2024-10-04
CVE-2024-5987 - Wp Accessibility Helper Plugin
The WP Accessibility Helper (WAH) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_contrast_variations' and 'save_empty_contrast_variations' functions in all versions up to, and including, 0.6.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit or delete contrast settings. Please note these issues were patched in 0.6.2.8, though it broke functionality and the vendor has not responded to our follow-ups.
PLUGIN
Wp Accessibility Helper
CVE-2024-5987
Risk Score
Threat Entry
Updated 2024-10-07
CVE-2024-5417 - Before 3 Plugin
The Gutentor WordPress plugin before 3.3.6 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
PLUGIN
Before 3
CVE-2024-5417
Risk Score
Threat Entry
Updated 2024-10-04
CVE-2024-5857 - Funnelforms Free Plugin
The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the af2_handel_file_remove AJAX action in all versions up to, and including, 3.7.3.2. This makes it possible for unauthenticated attackers to delete arbitrary media files.
PLUGIN
Funnelforms Free
CVE-2024-5857
Risk Score
Threat Entry
Updated 2024-10-04
CVE-2024-3944 - Wp To Do Plugin
The WP To Do plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Comment in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Wp To Do
CVE-2024-3944
Risk Score
Threat Entry
Updated 2024-09-13
CVE-2024-8195 - Permalink Manager Lite Plugin
The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'debug_data', 'debug_query', and 'debug_redirect' functions in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to extract sensitive data including password, title, and content of password-protected posts.
PLUGIN
Permalink Manager Lite
CVE-2024-8195
Risk Score
Threat Entry
Updated 2024-09-13
CVE-2024-7447 - Funnelforms Free Plugin
The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'fnsf_af2_handel_file_upload' function in all versions up to, and including, 3.7.3.2. This makes it possible for unauthenticated attackers to upload arbitrary media to the site, even if no forms exist.
PLUGIN
Funnelforms Free
CVE-2024-7447
Risk Score
Threat Entry
Updated 2024-09-12
CVE-2024-6312 - Funnelforms Free Plugin
The Funnelforms Free plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 3.7.3.2 via the 'af2DeleteFontFile' function. This is due to the plugin not properly validating a file or its path prior to deleting it. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible.
PLUGIN
Funnelforms Free
CVE-2024-6312
Risk Score
Threat Entry
Updated 2025-07-09
CVE-2024-6448 - Mollie Payments For Woocommerce Plugin
The Mollie Payments for WooCommerce plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 7.7.0. This is due to the error reporting being enabled by default in multiple plugin files. This makes it possible for unauthenticated attackers to obtain the full path to instances, which they may be able to use in combination with other vulnerabilities or to simplify reconnaissance work. On its own, this information is of very limited use.
PLUGIN
Mollie Payments For Woocommerce
CVE-2024-6448
Risk Score
Threat Entry
Updated 2024-08-28
CVE-2024-7573 - Relevanssi Live Ajax Search Plugin
The Relevanssi Live Ajax Search plugin for WordPress is vulnerable to argument injection in all versions up to, and including, 2.4. This is due to insufficient validation of input supplied via POST data in the 'search' function. This makes it possible for unauthenticated attackers to inject arbitrary arguments into a WP_Query query and potentially expose sensitive information such as attachments or private posts.
PLUGIN
Relevanssi Live Ajax Search
CVE-2024-7573
Risk Score
Threat Entry
Updated 2024-08-30
CVE-2024-8200 - Reviews Feed Plugin
The Reviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the 'update_api_key' function. This makes it possible for unauthenticated attackers to update an API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Reviews Feed
CVE-2024-8200
Risk Score
Threat Entry
Updated 2024-08-30
CVE-2024-8199 - Reviews Feed Plugin
The Reviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_api_key' function in all versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update API Key options.
PLUGIN
Reviews Feed
CVE-2024-8199
Risk Score
Threat Entry
Updated 2025-03-07
CVE-2024-7791 - Xpro Addons For Elementor Plugin
The 140+ Widgets | Xpro Addons For Elementor – FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘arrow’ parameter within the Post Grid widget in all versions up to, and including, 1.4.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Xpro Addons For Elementor
CVE-2024-7791
Risk Score
Threat Entry
Updated 2024-08-27
CVE-2024-8046 - Logo Showcase Ultimate Plugin
The Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Logo Showcase Ultimate
CVE-2024-8046
Risk Score