Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-11-21

CVE-2024-5141 - Rotating Tweets Plugin

The Rotating Tweets (Twitter widget and shortcode) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rotatingtweets' shortcode in all versions up to, and including, 1.9.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Rotating Tweets

CVE-2024-5141

MEDIUM CVSS 6.4 2024-06-06
Threat Entry Updated 2024-11-21

CVE-2024-4707 - Materialis Companion Plugin

The Materialis Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's materialis_contact_form shortcode in all versions up to, and including, 1.3.41 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Materialis Companion

CVE-2024-4707

MEDIUM CVSS 6.4 2024-06-06
Threat Entry Updated 2024-11-21

CVE-2024-4608 - Sellkit Plugin

The SellKit – Funnel builder and checkout optimizer for WooCommerce to sell more, faster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in all versions up to, and including, 1.9.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Sellkit

CVE-2024-4608

MEDIUM CVSS 6.4 2024-06-06
Threat Entry Updated 2024-11-21

CVE-2024-4459 - Themesflat Addons For Elementor

The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widget titles in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Themesflat Addons For Elementor

CVE-2024-4459

MEDIUM CVSS 6.4 2024-06-06
Threat Entry Updated 2024-11-21

CVE-2024-4458 - Themesflat Addons For Elementor

The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in several widgets via URL parameters in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Themesflat Addons For Elementor

CVE-2024-4458

MEDIUM CVSS 6.4 2024-06-06
Threat Entry Updated 2024-11-21

CVE-2024-4364 - Qi Addons For Elementor Plugin

The Qi Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's button widgets in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Qi Addons For Elementor

CVE-2024-4364

MEDIUM CVSS 6.4 2024-06-06
Threat Entry Updated 2025-02-13

CVE-2024-4212 - Themesflat Addons For Elementor

The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's TF Group Image, TF Nav Menu, TF Posts, TF Woo Product Grid, TF Accordion, and TF Image Box widgets in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Themesflat Addons For Elementor

CVE-2024-4212

MEDIUM CVSS 6.4 2024-06-06
Threat Entry Updated 2024-11-21

CVE-2024-2922 - Themesflat Addons For Elementor

The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget tags in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Themesflat Addons For Elementor

CVE-2024-2922

MEDIUM CVSS 6.4 2024-06-06
Threat Entry Updated 2024-11-21

CVE-2024-1175 - Wp Recall Plugin

The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'delete_payment' function in all versions up to, and including, 16.26.6. This makes it possible for unauthenticated attackers to delete arbitrary payments.

PLUGIN Wp Recall

CVE-2024-1175

MEDIUM CVSS 5.3 2024-06-06
Threat Entry Updated 2024-11-21

CVE-2024-0972 - Buddypress Members Only Plugin

The BuddyPress Members Only plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.5 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's "All Other Sections On Your Site Will be Opened to Guest" feature (when unset) and view restricted page and post content.

PLUGIN Buddypress Members Only

CVE-2024-0972

MEDIUM CVSS 5.3 2024-06-06
Threat Entry Updated 2024-11-21

CVE-2024-2017 - Countdown Builder Plugin

The Countdown, Coming Soon, Maintenance – Countdown & Clock plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the conditionsRow and switchCountdown functions in all versions up to, and including, 2.7.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject PHP Objects and modify the status of countdowns.

PLUGIN Countdown Builder

CVE-2024-2017

MEDIUM CVSS 5.4 2024-06-06
Threat Entry Updated 2024-11-21

CVE-2024-5342 - Simple Image Popup Shortcode Plugin

The Simple Image Popup Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sips_popup' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Simple Image Popup Shortcode

CVE-2024-5342

MEDIUM CVSS 6.4 2024-06-06
Threat Entry Updated 2024-11-21

CVE-2024-5224 - Easy Social Like Box Popup Sidebar Widget Plugin

The Easy Social Like Box – Popup – Sidebar Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cardoza_facebook_like_box' shortcode in all versions up to, and including, 4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Easy Social Like Box Popup Sidebar Widget

CVE-2024-5224

MEDIUM CVSS 6.4 2024-06-06
Threat Entry Updated 2024-11-21

CVE-2024-5001 - Image Hover Effects With Carousel Plugin

The Image Hover Effects for Elementor with Lightbox and Flipbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_id', 'oxi_addons_f_title_tag', and 'content_description_tag' parameters in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Image Hover Effects With Carousel

CVE-2024-5001

MEDIUM CVSS 6.4 2024-06-06
Threat Entry Updated 2024-11-21

CVE-2024-4942 - Custom Dash Plugin

The Custom Dash plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Custom Dash

CVE-2024-4942

MEDIUM CVSS 4.4 2024-06-06
Threat Entry Updated 2024-11-21

CVE-2024-4194 - The Album And Image Gallery Plus Lightbox Plugin

The The Album and Image Gallery plus Lightbox plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN The Album And Image Gallery Plus Lightbox

CVE-2024-4194

MEDIUM CVSS 6.5 2024-06-06
Threat Entry Updated 2024-11-21

CVE-2024-4705 - Testimonials Widget Plugin

The Testimonials Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's testimonials shortcode in all versions up to, and including, 4.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Testimonials Widget

CVE-2024-4705

MEDIUM CVSS 6.4 2024-06-06
Threat Entry Updated 2024-11-21

CVE-2024-2350 - Clever Addons For Elementor Plugin

The Clever Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the CAFE Icon, CAFE Team Member, and CAFE Slider widgets in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Clever Addons For Elementor

CVE-2024-2350

MEDIUM CVSS 6.4 2024-06-06
Threat Entry Updated 2024-11-21

CVE-2024-0910 - Restrict For Elementor Plugin

The Restrict for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.6 due to improper restrictions on hidden data that make it accessible through the REST API. This makes it possible for unauthenticated attackers to extract potentially sensitive data from post content.

PLUGIN Restrict For Elementor

CVE-2024-0910

MEDIUM CVSS 5.3 2024-06-06
Threat Entry Updated 2024-11-21

CVE-2024-4788 - Boostify Header Footer Builder For Elementor Plugin

The Boostify Header Footer Builder for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_bhf_post function in all versions up to, and including, 1.3.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to create pages or posts with arbitrary content.

PLUGIN Boostify Header Footer Builder For Elementor

CVE-2024-4788

MEDIUM CVSS 4.3 2024-06-06