Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-11-21
CVE-2024-2234 - Before 2 Theme
The Himer WordPress theme before 2.1.1 does not sanitise and escape some of its Post settings, which could allow high privilege users such as Contributor to perform Stored Cross-Site Scripting attacks
THEME
Before 2
CVE-2024-2234
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-2235 - Before 2 Theme
The Himer WordPress theme before 2.1.1 does not have CSRF checks in some places, which could allow attackers to make users vote on any polls, including those they don't have access to via a CSRF attack
THEME
Before 2
CVE-2024-2235
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-2233 - Before 2 Theme
The Himer WordPress theme before 2.1.1 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. These include declining and accepting group invitations or leaving a group
THEME
Before 2
CVE-2024-2233
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-2040 - Before 2 Theme
The Himer WordPress theme before 2.1.1 does not have CSRF checks in some places, which could allow attackers to make users join private groups via a CSRF attack
THEME
Before 2
CVE-2024-2040
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4543 - Snippet Shortcodes Plugin
The Snippet Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.1.4. This is due to missing or incorrect nonce validation when adding or editing shortcodes. This makes it possible for unauthenticated attackers to modify shortcodes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Snippet Shortcodes
CVE-2024-4543
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6264 - Post Meta Data Manager Plugin
The Post Meta Data Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘$meta_key’ parameter in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Post Meta Data Manager
CVE-2024-6264
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4268 - Ultimate Blocks Plugin
The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocks in all versions up to, and including, 3.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ultimate Blocks
CVE-2024-4268
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6099 - Learnpress Plugin
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthenticated bypass to user registration in versions up to, and including, 4.2.6.8.1. This is due to missing checks in the 'check_validate_fields' function in the checkout. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled.
PLUGIN
Learnpress
CVE-2024-6099
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6088 - Learnpress Plugin
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized user registration due to a missing capability check on the 'register' function in all versions up to, and including, 4.2.6.8.1. This makes it possible for unauthenticated attackers to bypass disabled user registration to create a new account with the default role.
PLUGIN
Learnpress
CVE-2024-6088
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6011 - Cost Calculator Builder Plugin
The Cost Calculator Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘textarea.description’ parameter in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Cost Calculator Builder
CVE-2024-6011
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6012 - Cost Calculator Builder Plugin
The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'embed-create-page' and 'embed-insert-pages' functions in all versions up to, and including, 3.2.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary posts and append arbitrary content to existing posts.
PLUGIN
Cost Calculator Builder
CVE-2024-6012
Risk Score
Threat Entry
Updated 2025-07-11
CVE-2024-5260 - Sina Extension For Elementor Plugin
The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘read_more_text’ parameter in all versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Sina Extension For Elementor
CVE-2024-5260
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5545 - Motors Car Dealer Classifieds Listing Plugin
The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the stm_edit_delete_user_car function in all versions up to, and including, 1.4.8. This makes it possible for unauthenticated attackers to unpublish arbitrary posts and pages.
PLUGIN
Motors Car Dealer Classifieds Listing
CVE-2024-5545
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5504 - Rife Elementor Extensions Templates Plugin
The Rife Elementor Extensions & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' attribute within the plugin's Writing Effect Headline widget in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Rife Elementor Extensions Templates
CVE-2024-5504
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3513 - Ultimate Blocks Plugin
The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the title tag parameter in all versions up to, and including, 3.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ultimate Blocks
CVE-2024-3513
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5544 - Media Library Assistant Plugin
The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the order parameter in all versions up to, and including, 3.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Media Library Assistant
CVE-2024-5544
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5219 - Easy Google Maps Plugin
The Easy Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file upload feature in all versions up to, and including, 1.11.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Easy Google Maps
CVE-2024-5219
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4627 - Rank Math Seo Plugin
The Rank Math SEO WordPress plugin before 1.0.219 does not sanitise and escape some of its settings, which could allow users with access to the General Settings (by default admin, however such access can be given to lower roles via the Role Manager feature of the Rank Math SEO WordPress plugin before 1.0.219) to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Rank Math Seo
CVE-2024-4627
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3999 - Before 2 Plugin
The EazyDocs WordPress plugin before 2.5.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Before 2
CVE-2024-3999
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-1427 - Post Grid Plugin
The The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the section title tag attribute in all versions up to, and including, 7.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Post Grid
CVE-2024-1427
Risk Score