
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 10,866 | Critical 0 | High 0 | Medium 10,866
Showing 5981-6000 of 10866 records
Threat Entry Updated 2024-08-12

CVE-2024-7416 - Reveal Template Plugin

The Reveal Template plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.7. This is due to the plugin allowing direct access to the bootstrap.php file which has display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

PLUGIN Reveal Template

CVE-2024-7416

MEDIUM CVSS 5.3 2024-08-12
Threat Entry Updated 2024-08-12

CVE-2024-7414 - Pdf Builder For Wpforms Plugin

The PDF Builder for WPForms plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.2.116. This is due to the plugin allowing direct access to the composer-setup.php file which has display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

PLUGIN Pdf Builder For Wpforms

CVE-2024-7414

MEDIUM CVSS 5.3 2024-08-12
Threat Entry Updated 2024-08-12

CVE-2024-7413 - Obfuscate Email Plugin

The Obfuscate Email plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.8.1. This is due to the plugin allowing direct access to the bootstrap.php file which has display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

PLUGIN Obfuscate Email

CVE-2024-7413

MEDIUM CVSS 5.3 2024-08-12
Threat Entry Updated 2025-03-01

CVE-2024-7412 - No Update Nag Plugin

The No Update Nag plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.4.12. This is due to the plugin allowing direct access to the bootstrap.php file which has display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

PLUGIN No Update Nag

CVE-2024-7412

MEDIUM CVSS 5.3 2024-08-12
Threat Entry Updated 2024-08-12

CVE-2024-7410 - My Custom Css Plugin

The My Custom CSS PHP & ADS plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.3. This is due to the plugin not preventing direct access to the /my-custom-css/vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php file and to that file displaying/generating the full path. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected…

PLUGIN My Custom Css

CVE-2024-7410

MEDIUM CVSS 5.3 2024-08-12
Threat Entry Updated 2024-08-12

CVE-2024-7382 - Linkify Text Plugin

The Linkify Text plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.9.1. This is due to the plugin utilizing bootstrap and leaving test files with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own and requires another vulnerability to be present for damage to an affected website.

PLUGIN Linkify Text

CVE-2024-7382

MEDIUM CVSS 5.3 2024-08-12
Threat Entry Updated 2024-08-12

CVE-2024-6562 - Affiliate Toolkit Starter Plugin

The affiliate-toolkit – WordPress Affiliate Plugin plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.5.5. This is due to display_errors being set to true. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

PLUGIN Affiliate Toolkit Starter

CVE-2024-6562

MEDIUM CVSS 5.3 2024-08-12
Threat Entry Updated 2025-02-07

CVE-2024-6691 - Easy Digital Downloads Plugin

The Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the currency value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Easy Digital Downloads

CVE-2024-6691

MEDIUM CVSS 4.4 2024-08-12
Threat Entry Updated 2025-05-08

CVE-2024-6133 - Wp Cart For Digital Products Plugin

The wp-cart-for-digital-products WordPress plugin before 8.5.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Wp Cart For Digital Products

CVE-2024-6133

MEDIUM CVSS 6.5 2024-08-12
Threat Entry Updated 2025-05-08

CVE-2024-6136 - Wp Cart For Digital Products Plugin

The wp-cart-for-digital-products WordPress plugin before 8.5.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks.

PLUGIN Wp Cart For Digital Products

CVE-2024-6136

MEDIUM CVSS 5.4 2024-08-12
Threat Entry Updated 2025-05-08

CVE-2024-6134 - Wp Cart For Digital Products Plugin

The wp-cart-for-digital-products WordPress plugin before 8.5.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Wp Cart For Digital Products

CVE-2024-6134

MEDIUM CVSS 5.4 2024-08-12
Threat Entry Updated 2025-05-27

CVE-2024-6158 - Category Posts Widget Plugin

The Category Posts Widget WordPress plugin before 4.9.17 and the term-and-category-based-posts-widget WordPress plugin before 4.9.13 do not validate and escape some of their "Category Posts" widget settings before outputting them back in a page/post where the widget is embedded, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Category Posts Widget

CVE-2024-6158

MEDIUM CVSS 4.8 2024-08-12
Threat Entry Updated 2025-01-29

CVE-2024-4359 - Element Pack Plugin

The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 5.7.2 via the SVG widget and a lack of sufficient file validation in the render_svg function. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Element Pack

CVE-2024-4359

MEDIUM CVSS 6.5 2024-08-12
Threat Entry Updated 2025-01-29

CVE-2024-4360 - Element Pack Plugin

The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 5.7.2 due to insufficient input sanitization and output escaping on user supplied attributes like 'title_tag'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Element Pack

CVE-2024-4360

MEDIUM CVSS 6.4 2024-08-12
Threat Entry Updated 2025-05-27

CVE-2024-6884 - Gutenberg Blocks With Ai By Kadence Wp Plugin

The Gutenberg Blocks with AI by Kadence WP WordPress plugin before 3.2.39 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Gutenberg Blocks With Ai By Kadence Wp

CVE-2024-6884

MEDIUM CVSS 5.4 2024-08-08
Threat Entry Updated 2025-01-08

CVE-2024-6824 - Premium Addons For Elementor Plugin

The Premium Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'check_temp_validity' and 'update_template_title' functions in all versions up to, and including, 4.10.38. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary content and update post and page titles.

PLUGIN Premium Addons For Elementor

CVE-2024-6824

MEDIUM CVSS 4.3 2024-08-08
Threat Entry Updated 2025-03-01

CVE-2024-5226 - Fuse Social Floating Sidebar Plugin

The Fuse Social Floating Sidebar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the file upload functionality in all versions up to, and including, 5.4.10 due to insufficient validation of SVG files. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Fuse Social Floating Sidebar

CVE-2024-5226

MEDIUM CVSS 6.4 2024-08-08
Threat Entry Updated 2025-05-28

CVE-2024-6481 - Before 2 Plugin

The Search & Filter Pro WordPress plugin before 2.5.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Before 2

CVE-2024-6481

MEDIUM CVSS 4.8 2024-08-08
Threat Entry Updated 2025-03-01

CVE-2024-5668 - Foobox Plugin

The Lightbox & Modal Popup WordPress Plugin – FooBox plugin for WordPress is vulnerable to DOM-based Stored Cross-Site Scripting via HTML data attributes in all versions up to, and including, 2.7.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Foobox

CVE-2024-5668

MEDIUM CVSS 6.4 2024-08-08
Threat Entry Updated 2025-03-01

CVE-2024-6869 - Falang Plugin

The Falang multilanguage for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.3.52. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update and delete translations and expose the administrator email address.

PLUGIN Falang

CVE-2024-6869

MEDIUM CVSS 5.4 2024-08-08