Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-11-21
CVE-2024-4390 - Depicter Plugin
The Slider and Carousel slider by Depicter plugin for WordPress is vulnerable to Arbitrary Nonce Generation in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with contributor access and above, to generate a valid nonce for any WordPress action/function. This could be used to invoke functionality that is protected only by nonce checks.
PLUGIN
Depicter
CVE-2024-4390
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4626 - Jetwidgets For Elementor Plugin
The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘layout_type’ and 'id' parameters in all versions up to, and including, 1.0.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Jetwidgets For Elementor
CVE-2024-4626
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3627 - Wheel Of Life Plugin
The Wheel of Life: Coaching and Assessment Tool for Life Coach plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on several functions in the AjaxFunctions.php file in all versions up to, and including, 1.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts and modify settings.
PLUGIN
Wheel Of Life
CVE-2024-3627
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3602 - Popup Builder Plugin
The Pop ups, Exit intent popups, email popups, banners, bars, countdowns and cart savers – Promolayer plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the disconnect_promolayer function in all versions up to, and including, 1.1.0. This makes it possible for authenticated attackers, with subscriber access or higher, to remove the Promolayer connection.
PLUGIN
Popup Builder
CVE-2024-3602
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-3204 - Materialis Theme
The Materialis theme for WordPress is vulnerable to limited arbitrary options updates in versions up to, and including, 1.1.24. This is due to missing authorization checks on the companion_disable_popup() function called via an AJAX action. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to modify any option on the site to a numerical value.
THEME
Materialis
CVE-2023-3204
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3558 - Custom Field Suite Plugin
The Custom Field Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the 'cfs[post_title]' parameter versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Custom Field Suite
CVE-2024-3558
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-1168 - Seopress Plugin
The SEOPress – On-site SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's social image URL in all versions up to, and including, 7.9 due to insufficient input sanitization and output escaping on user supplied image URLs. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Seopress
CVE-2024-1168
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4632 - Create High Converting Stores For Woocommerce Plugin
The WooCommerce Checkout & Funnel Builder by CartFlows – Create High Converting Stores For WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘custom_upload_mimes’ function in versions up to, and including, 2.0.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Create High Converting Stores For Woocommerce
CVE-2024-4632
Risk Score
Threat Entry
Updated 2025-02-27
CVE-2024-0383 - Wp Recipe Maker Plugin
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [wprm-recipe-instructions] and [wprm-recipe-ingredients] shortcodes in all versions up to, and including, 9.1.0 due to insufficient restrictions on the 'group_tag' attribute . This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Recipe Maker
CVE-2024-0383
Risk Score
Threat Entry
Updated 2025-02-27
CVE-2023-6495 - Yet Another Related Posts Plugin
The YARPP – Yet Another Related Posts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to and including 5.30.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Yet Another Related Posts
CVE-2023-6495
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-0789 - Wp Maintenance Plugin
The WP Maintenance plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 6.1.9.2 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers to bypass maintenance mode.
PLUGIN
Wp Maintenance
CVE-2024-0789
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3894 - Slider In Rbs Image Gallery Plugin
The Photo Gallery, Images, Slider in Rbs Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an Image Title in all versions up to, and including, 3.2.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Slider In Rbs Image Gallery
CVE-2024-3894
Risk Score
Threat Entry
Updated 2025-01-17
CVE-2024-1407 - Paid Memberships Pro Plugin
The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.12.10. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to subscribe to, modify, or cancel membership for a user via a forged request granted they can trick a user into performing an action such as clicking on a link.
PLUGIN
Paid Memberships Pro
CVE-2024-1407
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6692 - Ultimate Blocks – WordPress Blocks Plugin
The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's tab anchor metabox in all versions up to, and including, 3.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ultimate Blocks – WordPress Blocks Plugin
CVE-2023-6692
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5768 - Mimo Woocommerce Order Tracking Plugin
The MIMO Woocommerce Order Tracking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mimo_update_provider' function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update shipping provider information, including adding stored cross-site scripting.
PLUGIN
Mimo Woocommerce Order Tracking
CVE-2024-5768
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5649 - Universal Slider Plugin
The Universal Slider plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.5 via deserialization of untrusted input 'fsl_get_gallery_value' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
PLUGIN
Universal Slider
CVE-2024-5649
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4663 - Osm Map Elementor Plugin
The OSM Map Widget for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Osm Map Elementor
CVE-2024-4663
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4623 - Blog Layouts For Elementor Plugin
The Blogmentor – Blog Layouts for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pagination_style’ parameter in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Blog Layouts For Elementor
CVE-2024-4623
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4787 - WordPress Core
The Cost Calculator Builder PRO for WordPress is vulnerable to arbitrary email sending vulnerability in versions up to, and including, 3.1.75. This is due to insufficient limitations on the email recipient and the content in the 'send_pdf' and the 'send_pdf_front' functions which are reachable via AJAX. This makes it possible for unauthenticated attackers to send emails with any content to any recipient.
CORE
WordPress Core
CVE-2024-4787
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4873 - Replace Image Plugin
The Replace Image plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.10 via the image replacement functionality due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to replace images uploaded by higher level users such as admins.
PLUGIN
Replace Image
CVE-2024-4873
Risk Score