Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-11-21
CVE-2024-1399 - Table Reservation Plugin
The Restaurant Menu – Food Ordering System – Table Reservation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Table Reservation
CVE-2024-1399
Risk Score
Threat Entry
Updated 2025-02-07
CVE-2024-5868 - Woocommerce Social Login Plugin
The WooCommerce - Social Login plugin for WordPress is vulnerable to Email Verification in all versions up to, and including, 2.6.2 via the use of insufficiently random activation code. This makes it possible for unauthenticated attackers to bypass the email verification.
PLUGIN
Woocommerce Social Login
CVE-2024-5868
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5263 - Elementskit Plugin
The ElementsKit Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Motion Text and Table widgets in all versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Elementskit
CVE-2024-5263
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4479 - Jeg Elementor Kit Plugin
The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sg_general_toggle_tab_enable and sg_accordion_style attributes within the plugin's JKit - Tabs and JKit - Accordion widget, respectively, in all versions up to, and including, 2.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Jeg Elementor Kit
CVE-2024-4479
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3815 - Newspaper Plugin
The Newspaper theme for WordPress is vulnerable to Stored Cross-Site Scripting via attachment meta in the archive page in all versions up to, and including, 12.6.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Newspaper
CVE-2024-3815
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3814 - Tagdiv Composer Plugin
The tagDiv Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'single' module in all versions up to, and including, 4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Tagdiv Composer
CVE-2024-3814
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-2023 - Folders And Folders Pro Plugin
The Folders and Folders Pro plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.0 in Folders and 3.0.2 in Folders Pro via the 'handle_folders_file_upload' function. This makes it possible for authenticated attackers, with author access and above, to upload files to arbitrary locations on the server.
PLUGIN
Folders And Folders Pro
CVE-2024-2023
Risk Score
Threat Entry
Updated 2025-02-07
CVE-2024-4863 - Gutenberg Blocks With Ai Plugin
The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘titleFont’ parameter in all versions up to, and including, 3.2.38 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Gutenberg Blocks With Ai
CVE-2024-4863
Risk Score
Threat Entry
Updated 2025-02-11
CVE-2024-5994 - Wp Go Maps Plugin
The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Custom JS option in versions up to, and including, 9.0.38. This makes it possible for authenticated attackers that have been explicitly granted permissions by an administrator, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Version 9.0.39 adds a caution to make administrators aware of the possibility for abuse if permissions are granted to lower-level users.
PLUGIN
Wp Go Maps
CVE-2024-5994
Risk Score
Threat Entry
Updated 2025-06-06
CVE-2024-5155 - Inquiry Cart Plugin
The Inquiry cart WordPress plugin through 3.4.2 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack
PLUGIN
Inquiry Cart
CVE-2024-5155
Risk Score
Threat Entry
Updated 2025-05-13
CVE-2024-4480 - Prayer Plugin
The WP Prayer II WordPress plugin through 2.4.7 does not have CSRF check in place when updating its email settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Prayer
CVE-2024-4480
Risk Score
Threat Entry
Updated 2025-07-11
CVE-2024-4751 - Prayer Plugin
The WP Prayer II WordPress plugin through 2.4.7 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Prayer
CVE-2024-4751
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3966 - Pray For Me Plugin
The Pray For Me WordPress plugin through 1.0.4 does not sanitise and escape some parameters, which could unauthenticated visitors to perform Cross-Site Scripting attacks that trigger when an admin visits the Prayer Requests in the WP Admin
PLUGIN
Pray For Me
CVE-2024-3966
Risk Score
Threat Entry
Updated 2025-03-24
CVE-2024-4270 - Svgmagic Plugin
The SVGMagic WordPress plugin through 1.1 does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks.
PLUGIN
Svgmagic
CVE-2024-4270
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3978 - Wordpress Jitsi Shortcode Plugin
The WordPress Jitsi Shortcode WordPress plugin through 0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
PLUGIN
Wordpress Jitsi Shortcode
CVE-2024-3978
Risk Score
Threat Entry
Updated 2025-05-13
CVE-2024-3965 - Pray For Me Plugin
The Pray For Me WordPress plugin through 1.0.4 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Pray For Me
CVE-2024-3965
Risk Score
Threat Entry
Updated 2025-03-13
CVE-2024-4005 - Social Pixel Plugin
The Social Pixel WordPress plugin through 2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Social Pixel
CVE-2024-4005
Risk Score
Threat Entry
Updated 2025-03-25
CVE-2024-3992 - Amen Plugin
The Amen WordPress plugin through 3.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Amen
CVE-2024-3992
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3977 - Wordpress Jitsi Shortcode Plugin
The WordPress Jitsi Shortcode WordPress plugin through 0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Wordpress Jitsi Shortcode
CVE-2024-3977
Risk Score
Threat Entry
Updated 2025-05-13
CVE-2024-4271 - Svgator Plugin
The SVGator WordPress plugin through 1.2.6 does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks.
PLUGIN
Svgator
CVE-2024-4271
Risk Score