Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,866 (Critical: 0, High: 0, Medium: 10,866)

Showing 6061-6080 of 10866 records

CVE-2024-4096 - Responsive Tabs Plugin
Plugin: Responsive Tabs | MEDIUM, CVSS 5.9, 2024-07-30 | Threat entry updated 2025-05-28

The Responsive Tabs WordPress plugin through 4.0.8 does not sanitise and escape some of its Tab settings, which could allow high privilege users such as Contributors and above to perform Stored Cross-Site Scripting attacks

CVE-2024-3113 - Whatsapp Social And Advanced Form Builder With Easy Lead Collection Plugin
Plugin: Whatsapp Social And Advanced Form Builder With Easy Lead Collection | MEDIUM, CVSS 5.9, 2024-07-30 | Threat entry updated 2025-05-30

The FormFlow: WhatsApp Social and Advanced Form Builder with Easy Lead Collection WordPress plugin before 2.12.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2024-3986 - Before 2 Plugin
Plugin: Before 2 | MEDIUM, CVSS 4.8, 2024-07-30 | Threat entry updated 2025-03-13

The SportsPress WordPress plugin before 2.7.22 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2024-1286 - Pmpro Membership Maps Plugin
Plugin: Pmpro Membership Maps | MEDIUM, CVSS 4.9, 2024-07-30 | Threat entry updated 2025-10-02

The pmpro-membership-maps WordPress plugin before 0.7 does not prevent users with at least the contributor role from leaking sensitive information about users with a membership on the site.

CVE-2024-6487 - Inline Related Posts Plugin
Plugin: Inline Related Posts | MEDIUM, CVSS 5.9, 2024-07-29 | Threat entry updated 2025-05-30

The Inline Related Posts WordPress plugin before 3.8.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2024-5285 - Wp Affiliate Platform Plugin
Plugin: Wp Affiliate Platform | MEDIUM, CVSS 5.5, 2024-07-29 | Threat entry updated 2025-07-07

The wp-affiliate-platform WordPress plugin before 6.5.2 does not have a CSRF check in place when deleting affiliates, which could allow attackers to make a logged-in user delete them via a CSRF attack

CVE-2024-4483 - Email Encoder Plugin
Plugin: Email Encoder | MEDIUM, CVSS 5.4, 2024-07-29 | Threat entry updated 2025-05-29

The Email Encoder WordPress plugin before 2.2.2 does not escape the WP_Email_Encoder_Bundle_options[protection_text] parameter before outputting it back in an attribute in an admin page, leading to a Stored Cross-Site Scripting

CVE-2024-5883 - Ultimate Classified Listings Plugin
Plugin: Ultimate Classified Listings | MEDIUM, CVSS 4.7, 2024-07-29 | Threat entry updated 2025-04-10

The Ultimate Classified Listings WordPress plugin before 1.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

CVE-2024-6362 - Ultimate Blocks Plugin
Plugin: Ultimate Blocks | MEDIUM, CVSS 4.6, 2024-07-29 | Threat entry updated 2025-05-29

The Ultimate Blocks WordPress plugin before 3.2.0 does not validate and escape some of its post-grid block attributes before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

CVE-2024-6703 - Contact Form Plugin
Plugin: Contact Form | MEDIUM, CVSS 4.9, 2024-07-27 | Threat entry updated 2025-02-10

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'description' and 'btn_txt' parameters in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output escaping. This makes it possible for attackers with the Form Manager permissions and Subscriber+ user role to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-6897 - Athemes Starter Sites Plugin
Plugin: Athemes Starter Sites | MEDIUM, CVSS 6.4, 2024-07-27 | Threat entry updated 2024-11-21

The aThemes Starter Sites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.53 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

CVE-2024-6627 - Happy Addons For Elementor Plugin
Plugin: Happy Addons For Elementor | MEDIUM, CVSS 6.4, 2024-07-27 | Threat entry updated 2025-02-06

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's PDF View widget in all versions up to, and including, 3.11.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-6521 - Contact Form Plugin
Plugin: Contact Form | MEDIUM, CVSS 5.5, 2024-07-27 | Threat entry updated 2024-11-21

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-6520 - Contact Form Plugin
Plugin: Contact Form | MEDIUM, CVSS 5.5, 2024-07-27 | Threat entry updated 2024-11-21

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-6518 - Contact Form Plugin
Plugin: Contact Form | MEDIUM, CVSS 5.5, 2024-07-27 | Threat entry updated 2024-11-21

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-5614 - Piotnet Addons For Elementor Plugin
Plugin: Piotnet Addons For Elementor | MEDIUM, CVSS 5.3, 2024-07-27 | Threat entry updated 2024-11-21

The Piotnet Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.29 via the 'pafe_posts_list' function. This makes it possible for unauthenticated attackers to extract sensitive data including titles and excerpts of future, draft, and pending blog posts.

CVE-2024-6458 - Woocommerce Product Table Plugin
Plugin: Woocommerce Product Table | MEDIUM, CVSS 6.4, 2024-07-27 | Threat entry updated 2025-02-19

The WooCommerce Product Table Lite plugin for WordPress is vulnerable to unauthorized post title modification due to a missing capability check on the wcpt_presets__duplicate_preset_to_table function in all versions up to, and including, 3.5.1. This makes it possible for authenticated attackers with subscriber access and above to change titles of arbitrary posts. Missing sanitization can lead to Stored Cross-Site Scripting when viewed by an admin via the WooCommerce Product Table.

CVE-2024-6569 - Forms For Campaign Monitor Plugin
Plugin: Forms For Campaign Monitor | MEDIUM, CVSS 5.3, 2024-07-27 | Threat entry updated 2024-11-21

The Campaign Monitor for WordPress plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.8.15. This is due to the plugin not properly restricting direct access to /forms/views/admin/create.php and display_errors being enabled. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

CVE-2024-5969 - Aiomatic Plugin
Plugin: Aiomatic | MEDIUM, CVSS 5.8, 2024-07-27 | Threat entry updated 2025-08-08

The AIomatic - Automatic AI Content Writer for WordPress is vulnerable to arbitrary email sending in versions up to, and including, 2.0.5. This is due to insufficient limitations on the email recipient and the content in the 'aiomatic_send_email' function, which are reachable via AJAX. This makes it possible for unauthenticated attackers to send emails with any content to any recipient.

CVE-2024-6634 - Mastercurrency Wp Plugin
Plugin: Mastercurrency Wp | MEDIUM, CVSS 6.4, 2024-07-27 | Threat entry updated 2024-11-21

The Master Currency WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's currencyconverterform shortcode in all versions up to, and including, 1.1.61 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.