
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 5901-5920 of 10866 records
Threat Entry Updated 2024-09-12

CVE-2024-7304 - Ninja Tables Plugin

The Ninja Tables – Easiest Data Table Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 5.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Ninja Tables

CVE-2024-7304

MEDIUM CVSS 6.4 2024-08-27
Threat Entry Updated 2024-09-12

CVE-2024-6804 - Jeg Elementor Kit Plugin

The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Jeg Elementor Kit

CVE-2024-6804

MEDIUM CVSS 6.4 2024-08-27
Threat Entry Updated 2024-08-27

CVE-2024-6688 - Oxygen Builder Plugin

The Oxygen Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the oxy_save_css_from_admin AJAX action in all versions up to, and including, 4.8.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update stylesheets.

PLUGIN Oxygen Builder

CVE-2024-6688

MEDIUM CVSS 4.3 2024-08-27
Threat Entry Updated 2024-09-12

CVE-2024-43257 - Leopard Plugin

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Nouthemes Leopard - WordPress offload media. This issue affects Leopard - WordPress offload media: from n/a through 2.0.36.

PLUGIN Leopard

CVE-2024-43257

MEDIUM CVSS 6.5 2024-08-26
Threat Entry Updated 2025-05-17

CVE-2024-7313 - Shield Security Plugin

The Shield Security WordPress plugin before 20.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Shield Security

CVE-2024-7313

MEDIUM CVSS 6.1 2024-08-26
Threat Entry Updated 2025-05-17

CVE-2024-6879 - Before 9 Plugin

The Quiz and Survey Master (QSM) WordPress plugin before 9.1.1 fails to validate and escape certain Quiz fields before displaying them on a page or post where the Quiz is embedded, which could allow contributor and above roles to perform Stored Cross-Site Scripting (XSS) attacks.

PLUGIN Before 9

CVE-2024-6879

MEDIUM CVSS 4.7 2024-08-26
Threat Entry Updated 2024-09-26

CVE-2024-6499 - Maxbuttons Plugin

The WordPress Button Plugin MaxButtons plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 9.7.8. This makes it possible for unauthenticated attackers to obtain the full path to instances, which they may be able to use in combination with other vulnerabilities or to simplify reconnaissance work. On its own, this information is of very limited use.

PLUGIN Maxbuttons

CVE-2024-6499

MEDIUM CVSS 5.3 2024-08-24
Threat Entry Updated 2024-09-26

CVE-2024-2254 - Rt Easy Builder Plugin

The RT Easy Builder – Advanced addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Rt Easy Builder

CVE-2024-2254

MEDIUM CVSS 6.4 2024-08-24
Threat Entry Updated 2024-09-12

CVE-2024-6631 - Imagerecycle Pdf Image Compression Plugin

The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX actions in all versions up to, and including, 3.1.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform unauthorized actions, such as updating plugin settings.

PLUGIN Imagerecycle Pdf Image Compression

CVE-2024-6631

MEDIUM CVSS 5.0 2024-08-24
Threat Entry Updated 2024-09-17

CVE-2024-8120 - Imagerecycle Pdf Image Compression Plugin

The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.14. This is due to missing or incorrect nonce validation on several functions in the class/class-image-otimizer.php file. This makes it possible for unauthenticated attackers to update plugin settings along with performing other actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Imagerecycle Pdf Image Compression

CVE-2024-8120

MEDIUM CVSS 4.7 2024-08-24
Threat Entry Updated 2024-09-26

CVE-2023-6987 - String Locator Plugin

The String locator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'sql-column' parameter in all versions up to, and including, 2.6.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This required WP_DEBUG to be enabled in order to be exploited.

PLUGIN String Locator

CVE-2023-6987

MEDIUM CVSS 6.1 2024-08-24
Threat Entry Updated 2024-09-27

CVE-2023-0926 - Custom Permalinks Plugin

The Custom Permalinks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.6.0 due to insufficient input sanitization and output escaping on tag names. This allows authenticated users, with editor-level permissions or greater to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, even when 'unfiltered_html' has been disabled.

PLUGIN Custom Permalinks

CVE-2023-0926

MEDIUM CVSS 4.4 2024-08-24
Threat Entry Updated 2024-09-12

CVE-2024-5502 - Piotnet Addons Plugin

The Piotnet Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Accordion, Dual Heading, and Vertical Timeline widgets in all versions up to, and including, 2.4.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Piotnet Addons

CVE-2024-5502

MEDIUM CVSS 6.4 2024-08-23
Threat Entry Updated 2025-05-17

CVE-2024-6715 - Before 3 Plugin

The Ditty WordPress plugin before 3.1.46 re-introduced a previously fixed security issue (https://wpscan.com/vulnerability/80a9eb3a-2cb1-4844-9004-ba2554b2d46c/) in v3.1.39

PLUGIN Before 3

CVE-2024-6715

MEDIUM CVSS 6.1 2024-08-23
Threat Entry Updated 2025-05-17

CVE-2024-3282 - Wp Table Builder Plugin

The WP Table Builder WordPress plugin through 1.5.0 does not sanitise and escape some of its Table data, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Wp Table Builder

CVE-2024-3282

MEDIUM CVSS 4.8 2024-08-23
Threat Entry Updated 2024-09-26

CVE-2024-7848 - User Private Files Plugin

The User Private Files – WordPress File Sharing Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.0 via the 'dpk_upvf_update_doc' due to missing validation on the 'docid' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to gain access to other users' private files.

PLUGIN User Private Files

CVE-2024-7848

MEDIUM CVSS 4.3 2024-08-22
Threat Entry Updated 2024-09-26

CVE-2024-7778 - Orbit Fox Plugin

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.10.36 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Orbit Fox

CVE-2024-7778

MEDIUM CVSS 6.4 2024-08-22
Threat Entry Updated 2024-09-27

CVE-2024-6870 - Responsive Lightbox Plugin

The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file uploads in all versions up to, and including, 2.4.7 due to insufficient input sanitization and output escaping affecting the rl_upload_image AJAX endpoint. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the 3gp2 file.

PLUGIN Responsive Lightbox

CVE-2024-6870

MEDIUM CVSS 6.4 2024-08-22
Threat Entry Updated 2024-11-20

CVE-2024-7836 - Builder Plugin

The Themify Builder plugin for WordPress is vulnerable to unauthorized post duplication due to missing checks on the duplicate_page_ajaxify function in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate and view private or draft posts created by other users that otherwise shouldn't be accessible to them.

PLUGIN Builder

CVE-2024-7836

MEDIUM CVSS 4.3 2024-08-22