Threat Database

Showing 6381-6400 of 10866 records
CVE-2024-4970 - Widget Bundle Plugin

The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM CVSS 4.8 2024-06-21 (entry updated 2025-03-18)
CVE-2024-4755 - Google Cse Plugin

The Google CSE WordPress plugin through 1.0.7 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM CVSS 4.8 2024-06-21 (entry updated 2024-11-21)
CVE-2024-4384 - Cssable Countdown Plugin

The CSSable Countdown WordPress plugin through 1.5 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM CVSS 4.8 2024-06-21 (entry updated 2024-11-21)
CVE-2024-4969 - Widget Bundle Plugin

The Widget Bundle WordPress plugin through 2.0.0 does not have CSRF checks on the action that enables or disables widgets, which could allow attackers to make a logged-in admin enable or disable widgets via a CSRF attack.

MEDIUM CVSS 4.3 2024-06-21 (entry updated 2024-11-21)
CVE-2024-4475 - Wp Logs Book Plugin

The WP Logs Book WordPress plugin through 1.0.1 does not have a CSRF check when clearing logs, which could allow attackers to make a logged-in admin clear the logs via a CSRF attack.

MEDIUM CVSS 4.3 2024-06-21 (entry updated 2024-11-21)
CVE-2024-4474 - Wp Logs Book Plugin

The WP Logs Book WordPress plugin through 1.0.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

MEDIUM CVSS 4.3 2024-06-21 (entry updated 2024-11-21)
CVE-2024-4377 - Dot On Paper Shortcodes Plugin

The DOP Shortcodes WordPress plugin through 1.2 does not validate and escape some of its shortcode attributes before outputting them back in the page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2024-06-21 (entry updated 2024-11-21)
CVE-2024-4381 - Commonsbooking Plugin

The CB (legacy) WordPress plugin through 0.9.4.18 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM CVSS 4.8 2024-06-21 (entry updated 2025-03-13)
CVE-2024-3961 - Convertkit Email Marketing Email Newsletter And Landing Pages Plugin

The ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tag_subscriber function in all versions up to, and including, 2.4.9. This makes it possible for unauthenticated attackers to subscribe users to tags. Financial damages may occur to site owners if their API quota is exceeded.

MEDIUM CVSS 5.3 2024-06-21 (entry updated 2024-11-21)
CVE-2024-5344 - Plus Addons For Elementor Plugin

The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'forgoturl' attribute within the plugin's WP Login & Register widget in all versions up to, and including, 5.5.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

MEDIUM CVSS 6.1 2024-06-21 (entry updated 2024-11-21)
CVE-2024-1639 - License Manager For Woocommerce Plugin

The License Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the showLicenseKey() and showAllLicenseKeys() functions in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers with admin dashboard access (contributors by default, because of WooCommerce) to view arbitrary decrypted license keys. The functions do contain a referer nonce check, but the nonce can be retrieved from the dashboard through the "license" JS variable, so it does not stop the attack.

MEDIUM CVSS 6.5 2024-06-21 (entry updated 2024-11-21)
CVE-2024-3610 - Wp Child Theme Generator Plugin

The WP Child Theme Generator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wctg_easy_child_theme() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to create a blank child theme and activate it, causing the site to display a white screen.

MEDIUM CVSS 5.3 2024-06-21 (entry updated 2024-11-21)
CVE-2024-1955 - Hide Dashboard Notifications Plugin

The Hide Dashboard Notifications plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'warning_notices_settings' function in all versions up to, and including, 1.3. This makes it possible for authenticated attackers, with contributor access and above, to modify the plugin's settings.

MEDIUM CVSS 4.3 2024-06-21 (entry updated 2024-11-21)
CVE-2023-3352 - Smush Image Optimization – Optimize Images | Compress & Lazy Load Images | Convert WebP | Image CDN Plugin

The Smush plugin for WordPress is vulnerable to unauthorized deletion of the resmush list due to a missing capability check on the delete_resmush_list() function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to delete the resmush list for Nextgen or the Media Library.

MEDIUM CVSS 4.3 2024-06-21 (entry updated 2024-11-21)
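The CSRF entries (Widget Bundle, WP Logs Book) and the missing-capability-check entries (ConvertKit, License Manager, WP Child Theme Generator, Hide Dashboard Notifications, Smush) are two halves of the same handler mistake: an admin action that acts on whatever request reaches it. The following is an added example, not code from any of those plugins, modelling a hypothetical "clear logs" action the vulnerable way and the hardened way. The functions guarded by function_exists() are minimal stand-ins for the WordPress APIs of the same name, so the file runs with plain php outside WordPress; the action name wplb_clear_logs, the capability choice and the sample log lines are assumptions.

```php
<?php
// Added example, not code from WP Logs Book, Widget Bundle or any other
// plugin listed on this page. Models the two checks the CSRF and "missing
// capability check" entries lack, on a hypothetical "clear logs" admin action.
// The functions guarded by function_exists() are stand-ins for the WordPress
// APIs of the same name so the file runs with plain `php`; inside WordPress
// the real ones exist and these are skipped.

if (!function_exists('current_user_can')) {
    function current_user_can(string $cap): bool {
        // Stand-in: the "current user" is whatever the scenario below sets.
        return in_array($cap, $GLOBALS['demo_user_caps'] ?? [], true);
    }
}
if (!function_exists('wp_create_nonce')) {
    function wp_create_nonce(string $action): string {
        // Stand-in: real nonces are keyed hashes over action, user, session and a time window.
        return hash_hmac('sha256', $action . '|' . ($GLOBALS['demo_user_id'] ?? 0), 'demo-only-secret');
    }
}
if (!function_exists('wp_verify_nonce')) {
    function wp_verify_nonce($nonce, string $action): bool {
        return is_string($nonce) && hash_equals(wp_create_nonce($action), $nonce);
    }
}
if (!function_exists('wp_die')) {
    function wp_die(string $message): void {
        // Stand-in: the real wp_die() ends the request; this one throws so the demo continues.
        throw new RuntimeException($message);
    }
}

// Vulnerable shape: whatever reaches the handler is acted on. Any logged-in
// user can call it (no capability check), and a form on an attacker's site
// can make a logged-in admin's browser submit it (no nonce, so CSRF).
function clear_logs_vulnerable(array $request, array &$logs): void {
    $logs = [];
}

// Hardened shape: authorisation first, then proof that the request came from
// a form this site rendered for this user. The order matters: a nonce is not
// an authorisation check (the License Manager entry above is a nonce that an
// attacker could simply read out of a JS variable).
function clear_logs_hardened(array $request, array &$logs): void {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions');
    }
    if (!wp_verify_nonce($request['_wpnonce'] ?? '', 'wplb_clear_logs')) {
        wp_die('Nonce check failed');
    }
    $logs = [];
}

function run_scenario(string $label, callable $handler, array $request, array $logs): void {
    try {
        $handler($request, $logs);
        echo "$label: handled, " . count($logs) . " log line(s) left\n";
    } catch (RuntimeException $e) {
        echo "$label: rejected (" . $e->getMessage() . "), " . count($logs) . " log line(s) left\n";
    }
}

$sample = ['2024-06-21 login ok', '2024-06-21 login failed']; // constructed log lines

// Scenario 1: a contributor (edit_posts only) posts directly to the action.
$GLOBALS['demo_user_caps'] = ['edit_posts'];
$GLOBALS['demo_user_id']   = 7;
run_scenario('vulnerable / contributor', 'clear_logs_vulnerable', ['action' => 'clear'], $sample);
run_scenario('hardened   / contributor', 'clear_logs_hardened',   ['action' => 'clear'], $sample);

// Scenario 2: CSRF. The admin is logged in (cookie present) but the request
// was built by another origin, so it carries no nonce for this action.
$GLOBALS['demo_user_caps'] = ['manage_options'];
$GLOBALS['demo_user_id']   = 1;
run_scenario('vulnerable / forged admin', 'clear_logs_vulnerable', ['action' => 'clear'], $sample);
run_scenario('hardened   / forged admin', 'clear_logs_hardened',   ['action' => 'clear'], $sample);

// Scenario 3: the admin submits the plugin's own form, which embedded a nonce.
$legit = ['action' => 'clear', '_wpnonce' => wp_create_nonce('wplb_clear_logs')];
run_scenario('hardened   / legitimate admin', 'clear_logs_hardened', $legit, $sample);
```

In a real plugin the hardened handler is wired with add_action('wp_ajax_wplb_clear_logs', ...) or the admin_post_{action} hook, the form emits the nonce with wp_nonce_field('wplb_clear_logs'), and check_admin_referer('wplb_clear_logs') can replace the manual verify-and-die pair. The stand-in nonce has no expiry window; WordPress nonces rotate, so a captured one has limited life, but as the License Manager entry shows, that does not make a nonce a substitute for current_user_can().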
CVE-2024-5156 - Flatsome Theme

The Flatsome theme for WordPress is vulnerable to Stored Cross-Site Scripting via the theme's shortcode(s) in all versions up to, and including, 3.18.7 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

MEDIUM CVSS 6.4 2024-06-20 (entry updated 2024-11-21)
CVE-2024-5036 - Sina Extension For Elementor Plugin

The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' parameter in all versions up to, and including, 3.5.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

MEDIUM CVSS 6.4 2024-06-20 (entry updated 2025-02-04)
CVE-2024-5522 - Html5 Video Player Plugin

The HTML5 Video Player WordPress plugin before 2.5.27 does not sanitize and escape a parameter from a REST route before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks.

MEDIUM CVSS 6.5 2024-06-20 (entry updated 2025-05-19)
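What "does not sanitize and escape a parameter from a REST route before using it in a SQL statement" looks like in code, as an added example that is not the HTML5 Video Player plugin's code: a lookup handler that splices the route parameter into the query, beside the version that validates the type and binds the value. An in-memory SQLite database with constructed rows stands in for the WordPress tables so the file runs on its own; the table and column names, the admin row and the payload are all invented for the demonstration.

```php
<?php
// Added example, not code from the HTML5 Video Player plugin. A REST-style
// lookup handler built the vulnerable way (route parameter spliced into the
// SQL text) beside the parameterised version. In-memory SQLite with
// constructed rows stands in for the WordPress database so the file runs
// with plain `php`; table and column names are invented.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wp_demo_videos (id INTEGER PRIMARY KEY, title TEXT, src TEXT)');
$db->exec('CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)');
$db->exec("INSERT INTO wp_demo_videos VALUES (1, 'Intro', 'https://cdn.example/intro.mp4')");
$db->exec("INSERT INTO wp_users VALUES (1, 'admin', 'constructed-password-hash')");

// Vulnerable: the value of the ?id= route parameter becomes part of the
// statement. The route is public, so an unauthenticated client can send it.
function get_video_vulnerable(PDO $db, string $id): array {
    $sql = "SELECT id, title, src FROM wp_demo_videos WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: reject anything that is not an integer before it gets near the
// database, then bind the value instead of interpolating it. In a plugin the
// same two steps are a 'validate_callback' on the route argument in
// register_rest_route() and $wpdb->prepare('... WHERE id = %d', $id).
function get_video_hardened(PDO $db, string $id): array {
    if (!preg_match('/^\d{1,10}$/', $id)) {
        return []; // a real handler would return a WP_Error with status 400
    }
    $stmt = $db->prepare('SELECT id, title, src FROM wp_demo_videos WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed unauthenticated request: a UNION payload in the id parameter
// that lines up three columns with the users table.
$payload = '0 UNION SELECT ID, user_login, user_pass FROM wp_users';

echo "vulnerable handler, payload:\n";
print_r(get_video_vulnerable($db, $payload));
echo "hardened handler, payload:\n";
print_r(get_video_hardened($db, $payload));
echo "hardened handler, id=1:\n";
print_r(get_video_hardened($db, '1'));
```

Run it with php and compare the first two blocks of output: the vulnerable handler answers the payload with the users-table row, the hardened one with an empty array. Note that escaping (esc_sql() in WordPress) is the wrong tool here even if applied, because the parameter sits in a numeric position with no quotes to escape out of; type validation plus a placeholder is what closes the hole. Also check the route's permission_callback separately: a public route is fine for genuinely public data, but it widens an injection like this one to anyone on the internet.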
CVE-2024-5475 - Responsive Video Embed Plugin

The Responsive video embed WordPress plugin before 0.5.1 does not validate and escape some of its shortcode attributes before outputting them back in the page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2024-06-20 (entry updated 2025-06-17)
CVE-2024-4565 - Advanced Custom Fields Pro Plugin

The Advanced Custom Fields (ACF) WordPress plugin before 6.3 and the Advanced Custom Fields Pro WordPress plugin before 6.3 allow custom field values of any post to be displayed via shortcode without checking that the user placing the shortcode is allowed to access that post.

MEDIUM CVSS 6.5 2024-06-20 (entry updated 2024-11-21)
CVE-2024-5686 - Wpzoom Addons For Elementor Plugin

The WPZOOM Addons for Elementor (Templates, Widgets) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' attribute within the plugin's Team Members widget in all versions up to, and including, 1.1.38 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

MEDIUM CVSS 6.4 2024-06-20 (entry updated 2024-11-21)
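Most of the Stored XSS entries on this page (DOP Shortcodes, Responsive video embed, Flatsome, Sina Extension, WPZOOM Addons, and the settings variants in Widget Bundle, Google CSE, CSSable Countdown and CB) share one shape: a value the author controls is concatenated into markup. The following is an added example, not code from any of those plugins or themes, showing a shortcode renderer the vulnerable way and with per-context escaping and validation. The esc_*_demo() helpers are minimal stand-ins for WordPress's esc_attr()/esc_html() and esc_url() so the file runs with plain php; the shortcode, its attributes and the payloads are invented.

```php
<?php
// Added example, not code from any plugin or theme listed on this page.
// Models the Stored XSS entries above: a shortcode whose attributes a
// contributor controls, rendered without escaping and then with per-context
// escaping and validation. The esc_*_demo() helpers are stand-ins for
// WordPress's esc_attr()/esc_html() and esc_url(); the shortcode name,
// attributes and payloads are invented.

// Attribute and text contexts: encode the HTML-significant characters.
// (WordPress splits this into esc_attr() and esc_html(); the core is the same.)
function esc_attr_demo(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// URL context: encoding alone is not enough, because "javascript:" contains
// nothing htmlspecialchars() touches. Reject control characters (browsers
// strip tabs and newlines inside a scheme, so "java\tscript:" would still
// run), allow only http/https or scheme-less links, then encode for the
// attribute.
function esc_url_demo(string $value): string {
    $value = trim($value);
    if (preg_match('/[\x00-\x1f\x7f]/', $value)) {
        return '';
    }
    $scheme = parse_url($value, PHP_URL_SCHEME);
    if ($scheme === false) {
        return '';
    }
    if ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '';
    }
    return esc_attr_demo($value);
}

$defaults = ['url' => '#', 'class' => '', 'title' => ''];

// Vulnerable shape: attributes merged with defaults and concatenated into markup.
function render_link_vulnerable(array $atts, array $defaults): string {
    $atts = array_merge($defaults, $atts);
    return '<a href="' . $atts['url'] . '" class="' . $atts['class'] . '">' . $atts['title'] . '</a>';
}

// Hardened shape: validate where the legal values are known (class names),
// escape for the exact output context everywhere else.
function render_link_hardened(array $atts, array $defaults): string {
    $atts  = array_merge($defaults, $atts);
    $class = preg_replace('/[^A-Za-z0-9_ -]/', '', $atts['class']);
    return '<a href="' . esc_url_demo($atts['url']) . '" class="' . esc_attr_demo($class) . '">'
         . esc_attr_demo($atts['title']) . '</a>';
}

// Constructed payloads a contributor could place in [demo_link ...] in a post.
$payloads = [
    'attribute breakout' => ['url' => 'https://example.test', 'class' => '" onmouseover="alert(1)', 'title' => 'x'],
    'script scheme'      => ['url' => 'javascript:alert(document.cookie)', 'title' => 'click'],
    'tab-split scheme'   => ['url' => "java\tscript:alert(1)", 'title' => 'click'],
    'tag in text'        => ['url' => 'https://example.test', 'title' => '<img src=x onerror=alert(1)>'],
];

foreach ($payloads as $name => $atts) {
    echo "== $name\n";
    echo "vulnerable: " . render_link_vulnerable($atts, $defaults) . "\n";
    echo "hardened:   " . render_link_hardened($atts, $defaults) . "\n";
}
```

In a plugin the merge is shortcode_atts(), and the escaping calls are esc_url(), esc_attr() and esc_html() at the point of output; esc_url() also handles browser URL normalisation quirks beyond the two this stand-in covers, so prefer it over rolling your own. The settings-based entries (Widget Bundle, Google CSE, CSSable Countdown, CB) need the same output escaping plus sanitising on save (a sanitize_callback on register_setting(), e.g. sanitize_text_field() or wp_kses_post() for fields that legitimately hold HTML). That is what makes the unfiltered_html qualifier matter: on multisite an admin does not have that capability, so a settings field that stores raw HTML and echoes it back is an XSS vector WordPress's own role model says should not exist.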