"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,866
Critical: 0
High: 0
Medium: 10,866
Showing 6681-6700 of 10866 records
Threat Entry Updated 2025-04-04

CVE-2024-5229 - Primary Addon For Elementor Plugin

The Primary Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Pricing Table widget in all versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Primary Addon For Elementor

CVE-2024-5229

MEDIUM CVSS 6.4 2024-05-25
Threat Entry Updated 2025-04-04

CVE-2024-4858 - Testimonial Carousel For Elementor Plugin

The Testimonial Carousel For Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_testimonials_option_callback' function in versions up to, and including, 10.2.0. This makes it possible for unauthenticated attackers to update the OpenAI API key, disabling the feature.

PLUGIN Testimonial Carousel For Elementor

CVE-2024-4858

MEDIUM CVSS 5.3 2024-05-25
Threat Entry Updated 2025-04-04

CVE-2024-5220 - Nd Shortcodes Plugin

The ND Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's upload feature in all versions up to, and including, 7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Nd Shortcodes

CVE-2024-5220

MEDIUM CVSS 6.4 2024-05-25
Threat Entry Updated 2025-04-04

CVE-2024-4037 - Wp Photo Album Plus Plugin

The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.7.02.003. This is due to the plugin allowing unauthenticated users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN Wp Photo Album Plus

CVE-2024-4037

MEDIUM CVSS 6.5 2024-05-24
Threat Entry Updated 2025-02-07

CVE-2024-4366 - Spectra Plugin

The Spectra – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘block_id’ parameter in versions up to, and including, 2.13.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Spectra

CVE-2024-4366

MEDIUM CVSS 6.4 2024-05-24
Threat Entry Updated 2025-04-04

CVE-2024-5060 - Lottiefiles Plugin

The LottieFiles – JSON Based Animation Lottie & Bodymovin for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.10.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Lottiefiles

CVE-2024-5060

MEDIUM CVSS 6.4 2024-05-24
Threat Entry Updated 2025-01-29

CVE-2024-4485 - Plus Addons For Elementor Plugin

The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_custom_attributes’ parameter in versions up to, and including, 5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Plus Addons For Elementor

CVE-2024-4485

MEDIUM CVSS 6.4 2024-05-24
Threat Entry Updated 2025-01-29

CVE-2024-4484 - Plus Addons For Elementor Plugin

The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘xai_username’ parameter in versions up to, and including, 5.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Plus Addons For Elementor

CVE-2024-4484

MEDIUM CVSS 6.4 2024-05-24
Threat Entry Updated 2025-04-04

CVE-2024-1376 - Event Post Plugin

The Event post plugin for WordPress is vulnerable to unauthorized bulk metadata update due to a missing capability check on the save_bulkdatas function in all versions up to, and including, 5.9.4. This makes it possible for authenticated attackers, with subscriber access or higher, to update post_meta_data.

PLUGIN Event Post

CVE-2024-1376

MEDIUM CVSS 4.3 2024-05-24
Threat Entry Updated 2025-04-04

CVE-2024-1332 - Custom Fonts Plugin

The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to Stored Cross-Site Scripting via svg file upload in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author level or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Custom Fonts

CVE-2024-1332

MEDIUM CVSS 6.4 2024-05-24
Threat Entry Updated 2025-04-04

CVE-2024-0893 - Schema App Structured Data Plugin

The Schema App Structured Data plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the MarkupUpdate function in all versions up to, and including, 2.1.0. This makes it possible for authenticated attackers, with subscriber access or higher, to update or delete post metadata.

PLUGIN Schema App Structured Data

CVE-2024-0893

MEDIUM CVSS 4.3 2024-05-24
Threat Entry Updated 2025-02-03

CVE-2024-3718 - The Plus Addons For Elementor Plugin

The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's widgets in all versions up to, and including, 5.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN The Plus Addons For Elementor

CVE-2024-3718

MEDIUM CVSS 6.4 2024-05-24
Threat Entry Updated 2025-04-04

CVE-2024-1134 - Seopress Plugin

The SEOPress – On-site SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the SEO title and description parameters as well as others in all versions up to, and including, 7.5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Seopress

CVE-2024-1134

MEDIUM CVSS 6.4 2024-05-24
Threat Entry Updated 2025-02-11

CVE-2024-3557 - Wp Go Maps Plugin

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpgmza shortcode in all versions up to, and including, 9.0.36 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Go Maps

CVE-2024-3557

MEDIUM CVSS 6.4 2024-05-24
Threat Entry Updated 2025-01-29

CVE-2024-2784 - The Plus Addons For Elementor Plugin

The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Hover Card widget in all versions up to, and including, 5.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN The Plus Addons For Elementor

CVE-2024-2784

MEDIUM CVSS 6.4 2024-05-24
Threat Entry Updated 2025-01-31

CVE-2024-2618 - Elementor Header Footer Builder Plugin

The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the size attribute in all versions up to, and including, 1.6.26 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elementor Header Footer Builder

CVE-2024-2618

MEDIUM CVSS 6.4 2024-05-24
Threat Entry Updated 2024-11-21

CVE-2024-5205 - Videojs Html5 Player Plugin

The Videojs HTML5 Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's videojs_video shortcode in all versions up to, and including, 1.1.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Videojs Html5 Player

CVE-2024-5205

MEDIUM CVSS 6.4 2024-05-24
Threat Entry Updated 2024-11-21

CVE-2024-4409 - Wp Vipergb Plugin

The WP-ViperGB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.1. This is due to missing or incorrect nonce validation when saving plugin settings. This makes it possible for unauthenticated attackers to change the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Wp Vipergb

CVE-2024-4409

MEDIUM CVSS 4.3 2024-05-24
Threat Entry Updated 2024-11-21

CVE-2024-4365 - Advanced Iframe Plugin

The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘add_iframe_url_as_param_direct’ parameter in versions up to, and including, 2024.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Advanced Iframe

CVE-2024-4365

MEDIUM CVSS 6.4 2024-05-23
Threat Entry Updated 2025-01-07

CVE-2024-1803 - Embedpress Plugin

The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to unauthorized access of functionality due to insufficient authorization validation on the PDF embed block in all versions up to, and including, 3.9.12. This makes it possible for authenticated attackers, with contributor-level access and above, to embed PDF blocks.

PLUGIN Embedpress

CVE-2024-1803

MEDIUM CVSS 4.3 2024-05-23