Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,866 | Critical: 0 | High: 0 | Medium: 10,866
Showing 6341-6360 of 10866 records
Threat Entry Updated 2024-11-21

CVE-2024-5289 - Gutenberg Blocks With Ai Plugin

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Google Maps widget parameters in all versions up to, and including, 3.2.42 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Gutenberg Blocks With Ai

CVE-2024-5289

MEDIUM CVSS 6.4 2024-06-27
Threat Entry Updated 2025-01-28

CVE-2024-5215 - Ht Mega Plugin

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 2.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ht Mega

CVE-2024-5215

MEDIUM CVSS 6.4 2024-06-26
Threat Entry Updated 2025-05-19

CVE-2024-5573 - Easy Table Of Contents Plugin

The Easy Table of Contents WordPress plugin before 2.0.66 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN Easy Table Of Contents

CVE-2024-5573

MEDIUM CVSS 5.9 2024-06-26
Threat Entry Updated 2025-05-19

CVE-2024-5473 - Simple Photoswipe Plugin

The Simple Photoswipe WordPress plugin through 0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Simple Photoswipe

CVE-2024-5473

MEDIUM CVSS 4.0 2024-06-26
Threat Entry Updated 2025-05-19

CVE-2024-5071 - Bookster Plugin

The Bookster WordPress plugin through 1.1.0 allows adding sensitive parameters when validating appointments allowing attackers to manipulate the data sent when booking an appointment (the request body) to change its status from pending to approved.

PLUGIN Bookster

CVE-2024-5071

MEDIUM CVSS 6.5 2024-06-26
Threat Entry Updated 2024-11-21

CVE-2024-5332 - Exclusive Addons For Elementor Plugin

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Card widget in all versions up to, and including, 2.6.9.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Exclusive Addons For Elementor

CVE-2024-5332

MEDIUM CVSS 6.4 2024-06-26
Threat Entry Updated 2024-11-21

CVE-2024-5199 - Spotify Play Button Plugin

The Spotify Play Button WordPress plugin through 1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Spotify Play Button

CVE-2024-5199

MEDIUM CVSS 5.4 2024-06-26
Threat Entry Updated 2024-11-21

CVE-2024-5169 - Video Widget Plugin

The Video Widget WordPress plugin through 1.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Video Widget

CVE-2024-5169

MEDIUM CVSS 4.8 2024-06-26
Threat Entry Updated 2025-04-30

CVE-2024-4959 - Frontend Checklist Plugin

The Frontend Checklist WordPress plugin through 2.3.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Frontend Checklist

CVE-2024-4959

MEDIUM CVSS 4.8 2024-06-26
Threat Entry Updated 2025-04-30

CVE-2024-4957 - Frontend Checklist Plugin

The Frontend Checklist WordPress plugin through 2.3.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Frontend Checklist

CVE-2024-4957

MEDIUM CVSS 4.3 2024-06-26
Threat Entry Updated 2025-05-19

CVE-2024-3633 - Webp Svg Support Plugin

The WebP & SVG Support WordPress plugin through 1.4.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

PLUGIN Webp Svg Support

CVE-2024-3633

MEDIUM CVSS 5.4 2024-06-26
Threat Entry Updated 2025-01-28

CVE-2024-5173 - Ht Mega Plugin

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Video player widget settings in all versions up to, and including, 2.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ht Mega

CVE-2024-5173

MEDIUM CVSS 6.4 2024-06-26
Threat Entry Updated 2024-11-21

CVE-2024-5451 - Website And Ecommerce Builder For Wordpress Theme

The The7 — Website and eCommerce Builder for WordPress theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' attribute within the plugin's Icon and Heading widgets in all versions up to, and including, 11.13.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Website And Ecommerce Builder For Wordpress

CVE-2024-5451

MEDIUM CVSS 6.4 2024-06-25
Threat Entry Updated 2024-11-21

CVE-2024-32111 - WordPress Core

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal. This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9, from 5.8 through 5.8.9, from 5.7 through 5.7.11, from 5.6 through 5.6.13, from 5.5 through 5.5.14, from 5.4 through 5.4.15, from 5.3 through 5.3.17, from 5.2 through 5.2.20, from 5.1 through 5.1.18, from 5.0 through 5.0.21, from 4.9 through 4.9.25,…

CORE WordPress Core

CVE-2024-32111

MEDIUM CVSS 5.0 2024-06-25
Threat Entry Updated 2024-11-21

CVE-2024-31111 - WordPress Core

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS. This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9.

CORE WordPress Core

CVE-2024-31111

MEDIUM CVSS 6.5 2024-06-25
Threat Entry Updated 2024-11-21

CVE-2024-6307 - WordPress Core

WordPress Core is vulnerable to Stored Cross-Site Scripting via the HTML API in various versions prior to 6.5.5 due to insufficient input sanitization and output escaping on URLs. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CORE WordPress Core

CVE-2024-6307

MEDIUM CVSS 6.4 2024-06-25
Threat Entry Updated 2024-11-21

CVE-2024-3249 - Zita Elementor Site Library Plugin

The Zita Elementor Site Library plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the import_xml_data, xml_data_import, import_option_data, import_widgets, and import_customizer_settings functions in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to create pages, update certain options, including WooCommerce page titles and Elementor settings, import widgets, and update the plugin's customizer settings and the WordPress custom CSS. NOTE: This vulnerability was partially fixed in version 1.6.2.

PLUGIN Zita Elementor Site Library

CVE-2024-3249

MEDIUM CVSS 4.3 2024-06-25
Threat Entry Updated 2025-05-19

CVE-2024-4759 - Mime Types Extended Plugin

The Mime Types Extended WordPress plugin through 0.11 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

PLUGIN Mime Types Extended

CVE-2024-4759

MEDIUM CVSS 5.5 2024-06-25
Threat Entry Updated 2025-05-19

CVE-2024-4900 - Before 7 Plugin

The SEOPress WordPress plugin before 7.8 does not validate and escape one of its Post settings, which could allow contributor and above roles to perform Open Redirect attacks against any user viewing a malicious post.

PLUGIN Before 7

CVE-2024-4900

MEDIUM CVSS 6.1 2024-06-24
Threat Entry Updated 2025-05-19

CVE-2024-4899 - Before 7 Plugin

The SEOPress WordPress plugin before 7.8 does not sanitise and escape some of its Post settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 7

CVE-2024-4899

MEDIUM CVSS 5.0 2024-06-24