
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 6001-6020 of 10866 records
CVE-2024-6987 - Orchid Store Plugin (threat entry updated 2025-03-01)

The Orchid Store theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'orchid_store_activate_plugin' function in all versions up to, and including, 1.5.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate the Addonify Floating Cart For WooCommerce plugin if it is installed.

Plugin: Orchid Store | Severity: MEDIUM | CVSS 4.3 | 2024-08-08
CVE-2024-6552 - Ameliabooking Plugin (threat entry updated 2024-08-08)

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.2. This is due to the plugin utilizing Symfony and leaving display_errors on within test files. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

Plugin: Ameliabooking | Severity: MEDIUM | CVSS 5.3 | 2024-08-08
CVE-2024-6254 - Brizy Plugin (threat entry updated 2025-03-01)

The Brizy – Page Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.1. This is due to missing or incorrect nonce validation on form submissions. This makes it possible for unauthenticated attackers to submit forms intended for public use as another user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. On sites where unfiltered_html is enabled, this can lead to the admin unknowingly adding a Stored Cross-Site Scripting…

Plugin: Brizy | Severity: MEDIUM | CVSS 4.3 | 2024-08-08
CVE-2024-7355 - Organization Chart Plugin (threat entry updated 2025-03-01)

The Organization chart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title_input' and 'node_description' parameters in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, this can only be exploited by administrators, but the ability to use and configure charts can be extended to subscribers.

Plugin: Organization Chart | Severity: MEDIUM | CVSS 4.9 | 2024-08-07
CVE-2024-7353 - Stripe Payments Plugin (threat entry updated 2024-08-07)

The Accept Stripe Payments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's accept_stripe_payment_ng shortcode in all versions up to, and including, 2.0.86 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Stripe Payments | Severity: MEDIUM | CVSS 5.4 | 2024-08-07
CVE-2024-6494 - Wordpress File Upload Plugin (threat entry updated 2025-04-11)

The WordPress File Upload WordPress plugin before 4.24.8 does not properly sanitize and escape certain parameters, which could allow unauthenticated users to execute stored cross-site scripting (XSS) attacks.

Plugin: Wordpress File Upload | Severity: MEDIUM | CVSS 6.1 | 2024-08-07
CVE-2024-3973 - House Manager Plugin (threat entry updated 2025-05-28)

The House Manager WordPress plugin through 1.0.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Plugin: House Manager | Severity: MEDIUM | CVSS 4.8 | 2024-08-07
CVE-2024-7317 - Folders Plugin (threat entry updated 2024-11-22)

The Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Plugin: Folders | Severity: MEDIUM | CVSS 6.4 | 2024-08-06
CVE-2024-7082 - Easy Table Of Contents Plugin (threat entry updated 2025-05-28)

The Easy Table of Contents WordPress plugin before 2.0.68 does not sanitise and escape some parameters, which could allow users with a role as low as Editor to perform Cross-Site Scripting attacks.

Plugin: Easy Table Of Contents | Severity: MEDIUM | CVSS 6.1 | 2024-08-06
CVE-2024-6766 - Shortcodes Ultimate Pro Plugin (threat entry updated 2025-06-13)

The shortcodes-ultimate-pro WordPress plugin before 7.2.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Plugin: Shortcodes Ultimate Pro | Severity: MEDIUM | CVSS 5.4 | 2024-08-06
CVE-2024-7084 - Ajax Search Lite Plugin (threat entry updated 2025-05-28)

The Ajax Search Lite WordPress plugin before 4.12.1 does not sanitise and escape some parameters, which could allow users with a role as low as Admin+ to perform Cross-Site Scripting attacks.

Plugin: Ajax Search Lite | Severity: MEDIUM | CVSS 4.8 | 2024-08-06
CVE-2024-6651 - Wordpress File Upload Plugin (threat entry updated 2025-04-11)

The WordPress File Upload WordPress plugin before 4.24.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Plugin: Wordpress File Upload | Severity: MEDIUM | CVSS 6.1 | 2024-08-06
CVE-2024-5708 - Wpbakery Page Builder Plugin (threat entry updated 2025-03-11)

The WPBakery Visual Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter in all versions up to, and including, 7.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, and with post permissions granted by an Administrator, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Wpbakery Page Builder | Severity: MEDIUM | CVSS 6.4 | 2024-08-06
CVE-2024-41816 - Cooked Plugin (threat entry updated 2025-02-07)

Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the '[cooked-timer]' shortcode in versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. This issue has been addressed in release version 1.8.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Plugin: Cooked | Severity: MEDIUM | CVSS 5.4 | 2024-08-05
CVE-2024-5081 - Wp Emember Plugin (threat entry updated 2025-06-09)

The wp-eMember WordPress plugin before v10.7.0 does not have CSRF checks in some places and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

Plugin: Wp Emember | Severity: MEDIUM | CVSS 6.1 | 2024-08-05
CVE-2024-6710 - Before 3 Plugin (threat entry updated 2024-09-05)

The Ditty WordPress plugin before 3.1.45 does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

Plugin: Before 3 | Severity: MEDIUM | CVSS 5.4 | 2024-08-05
CVE-2024-3636 - Pinpoint Booking System Plugin (threat entry updated 2025-06-06)

The Pinpoint Booking System WordPress plugin before 2.9.9.4.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Plugin: Pinpoint Booking System | Severity: MEDIUM | CVSS 5.4 | 2024-08-05
CVE-2024-6498 - Before 2 Plugin (threat entry updated 2024-09-06)

The Chatbot for WordPress by Collect.chat ⚡️ WordPress plugin before 2.4.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

Plugin: Before 2 | Severity: MEDIUM | CVSS 4.8 | 2024-08-05
CVE-2024-6270 - Community Events Plugin (threat entry updated 2025-06-12)

The Community Events WordPress plugin before 1.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Plugin: Community Events | Severity: MEDIUM | CVSS 4.8 | 2024-08-05
CVE-2024-6872 - Templatespare Plugin (threat entry updated 2025-03-01)

The Build Your Dream Website Fast with 400+ Starter Templates and Landing Pages, No Coding Needed, One-Click Import for Elementor & Gutenberg Blocks! – TemplateSpare plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'templatespare_activate_required_theme' and 'templatespare_get_theme_status' functions in all versions up to, and including, 2.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate any installed theme and read any theme status. If the attacker attempts to activate a theme that is not installed, a…

Plugin: Templatespare | Severity: MEDIUM | CVSS 4.3 | 2024-08-03