
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2025-03-01

CVE-2024-6709 - Sync Post With Other Site Plugin

The Sync Post With Other Site plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'sps_add_update_post' function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new draft posts and update existing posts.

PLUGIN Sync Post With Other Site

CVE-2024-6709

MEDIUM CVSS 4.3 2024-08-03
Threat Entry Updated 2025-02-11

CVE-2024-7356 - Zephyr Project Manager Plugin

The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘filename’ parameter in all versions up to, and including, 3.3.100 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Zephyr Project Manager

CVE-2024-7356

MEDIUM CVSS 6.4 2024-08-03
Threat Entry Updated 2025-06-06

CVE-2024-6390 - Before 9 Plugin

The Quiz and Survey Master (QSM) WordPress plugin before 9.1.0 does not properly sanitise and escape some of its Quiz settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 9

CVE-2024-6390

MEDIUM CVSS 5.9 2024-08-03
Threat Entry Updated 2025-06-05

CVE-2024-6704 - Wpdiscuz Plugin

The Comments – wpDiscuz plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 7.6.21. This is due to a lack of filtering of HTML tags in comments. This makes it possible for unauthenticated attackers to add HTML such as hyperlinks to comments when rich editing is disabled.

PLUGIN Wpdiscuz

CVE-2024-6704

MEDIUM CVSS 5.3 2024-08-02
Threat Entry Updated 2025-01-29

CVE-2024-4643 - Element Pack Plugin

The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘end_redirect_link’ parameter in versions up to, and including, 5.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Element Pack

CVE-2024-4643

MEDIUM CVSS 6.4 2024-08-02
Threat Entry Updated 2025-04-11

CVE-2024-5595 - Essential Blocks Plugin

The Essential Blocks WordPress plugin before 4.7.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Essential Blocks

CVE-2024-5595

MEDIUM CVSS 5.4 2024-08-02
Threat Entry Updated 2025-03-01

CVE-2024-3827 - Spectra Plugin

The Spectra Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via block ids in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Spectra

CVE-2024-3827

MEDIUM CVSS 6.4 2024-08-02
Threat Entry Updated 2025-03-01

CVE-2024-6567 - Ebook Store Plugin

The Ebook Store plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 5.8001. This is due to the plugin utilizing fpdi-protection and not preventing direct access to test files that have display_errors set to true. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

PLUGIN Ebook Store

CVE-2024-6567

MEDIUM CVSS 5.3 2024-08-02
Threat Entry Updated 2025-02-06

CVE-2024-2455 - Element Pack Plugin

The Element Pack - Addon for Elementor Page Builder WordPress Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget wrapper link URL in all versions up to, and including, 7.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Element Pack

CVE-2024-2455

MEDIUM CVSS 6.4 2024-08-01
Threat Entry Updated 2025-03-01

CVE-2024-6346 - Comboblocks Plugin

The Gutenberg Blocks, Page Builder – ComboBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the redirectURL parameter of the Date Countdown widget, in all versions up to, and including, 2.2.85a due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Comboblocks

CVE-2024-6346

MEDIUM CVSS 6.4 2024-08-01
Threat Entry Updated 2025-03-01

CVE-2024-7302 - Blog2social Plugin

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 3gp2 file uploads in all versions up to, and including, 7.5.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the 3gp2 file.

PLUGIN Blog2social

CVE-2024-7302

MEDIUM CVSS 6.4 2024-08-01
Threat Entry Updated 2024-11-21

CVE-2024-5330 - Breakdance Plugin

The Breakdance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the breakdance_css_file_paths_cache parameter in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Breakdance

CVE-2024-5330

MEDIUM CVSS 6.4 2024-08-01
Threat Entry Updated 2024-11-21

CVE-2024-5331 - Breakdance Plugin

The Breakdance plugin for WordPress is vulnerable to unauthorized access of data in all versions up to, and including, 1.7.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to export form submissions.

PLUGIN Breakdance

CVE-2024-5331

MEDIUM CVSS 4.3 2024-08-01
Threat Entry Updated 2025-06-09

CVE-2024-6496 - Light Poll Plugin

The Light Poll WordPress plugin through 1.0.0 does not have CSRF checks when deleting polls, which could allow attackers to make logged-in users perform such an action via a CSRF attack.

PLUGIN Light Poll

CVE-2024-6496

MEDIUM CVSS 6.5 2024-08-01
Threat Entry Updated 2025-06-10

CVE-2024-4090 - And Sticky Header For Any Plugin

The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any WordPress plugin before 2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN And Sticky Header For Any

CVE-2024-4090

MEDIUM CVSS 4.8 2024-08-01
Threat Entry Updated 2025-07-16

CVE-2024-2872 - Socialdriver Framework Plugin

The socialdriver-framework WordPress plugin before 2024.04.30 does not sanitise and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Socialdriver Framework

CVE-2024-2872

MEDIUM CVSS 4.8 2024-08-01
Threat Entry Updated 2025-05-29

CVE-2024-1747 - Woocommerce Customers Manager Plugin

The WooCommerce Customers Manager WordPress plugin before 30.2 does not have authorisation and CSRF in various AJAX actions, allowing any authenticated users, such as subscriber, to call them and update/delete/create customer metadata, also leading to Stored Cross-Site Scripting due to the lack of escaping of said metadata values.

PLUGIN Woocommerce Customers Manager

CVE-2024-1747

MEDIUM CVSS 6.5 2024-08-01
Threat Entry Updated 2024-11-21

CVE-2024-2090 - Remote Content Shortcode Plugin

The Remote Content Shortcode plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5 via the remote_content shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Remote Content Shortcode

CVE-2024-2090

MEDIUM CVSS 6.4 2024-08-01
Threat Entry Updated 2024-11-23

CVE-2024-6687 - Ctt Expresso Para Woocommerce Plugin

The CTT Expresso para WooCommerce plugin for WordPress is vulnerable to sensitive information exposure in all versions up to and including 3.2.12 via the /wp-content/uploads/cepw directory. The generated .pdf and log files are publicly accessible and contain sensitive information such as sender and receiver names, phone numbers, physical addresses, and email addresses.

PLUGIN Ctt Expresso Para Woocommerce

CVE-2024-6687

MEDIUM CVSS 5.3 2024-08-01