Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-05-05
CVE-2024-2749 - Before 1 Plugin
The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.6.8's access control mechanism fails to properly restrict access to its settings, permitting any users that can access a menu to manipulate requests and perform unauthorized actions such as editing, renaming or deleting (categories for example) despite initial settings prohibiting such access. This vulnerability resembles broken access control, enabling unauthorized users to modify critical VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.6.8 configurations.
PLUGIN
Before 1
CVE-2024-2749
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-1693 - Sp Client Document Manager Plugin
The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cdm_save_category AJAX action in all versions up to, and including, 4.70. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary folder name that do not belong to them.
PLUGIN
Sp Client Document Manager
CVE-2024-1693
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-1467 - Beaver Builder Templates Plugin
The Starter Templates — Elementor, WordPress & Beaver Builder Templates plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.1.6 via the ai_api_request(). This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Beaver Builder Templates
CVE-2024-1467
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-1230 - Simpleshop Cz Plugin
The SimpleShop plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10.0. This is due to missing or incorrect nonce validation on the maybe_disconnect_simpleshop function. This makes it possible for unauthenticated attackers to disconnect the site from simpleshop via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Simpleshop Cz
CVE-2024-1230
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-1229 - Simpleshop Cz Plugin
The SimpleShop plugin for WordPress is vulnerable to unauthorized disconnection from SimpleShop due to a missing capability check on the maybe_disconnect_simpleshop function in all versions up to, and including, 2.10.2. This makes it possible for unauthenticated attackers to disconnect the SimpleShop.
PLUGIN
Simpleshop Cz
CVE-2024-1229
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-1166 - Elementor Addon Plugin
The Image Hover Effects – Elementor Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Hover Effects Widget in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Elementor Addon
CVE-2024-1166
Risk Score
Threat Entry
Updated 2025-01-27
CVE-2024-0445 - The Plus Addons For Elementor Plugin
The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's element attributes in all versions up to, and including, 5.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-34373 is likely a duplicate of this issue.
PLUGIN
The Plus Addons For Elementor
CVE-2024-0445
Risk Score
Threat Entry
Updated 2025-11-25
CVE-2023-6327 - Woolentor Addons Plugin
The ShopLentor (formerly WooLentor) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the purchased_new_products function in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to view all products purchased in the past week, along with the users that purchased them.
PLUGIN
Woolentor Addons
CVE-2023-6327
Risk Score
Threat Entry
Updated 2026-01-09
CVE-2023-5971 - Save As Pdf Plugin By Pdfcrowd
The Save as PDF Plugin by Pdfcrowd WordPress plugin before 3.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Save As Pdf Plugin By Pdfcrowd
CVE-2023-5971
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-34561 - Allows Stored Xss Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Creative interactive media 3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin allows Stored XSS.This issue affects 3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin: from n/a through 3.71.
PLUGIN
Allows Stored Xss
CVE-2024-34561
Risk Score
Threat Entry
Updated 2025-02-03
CVE-2024-4281 - Link Library Plugin
The Link Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'link-library' shortcode in all versions up to, and including, 7.6.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Link Library
CVE-2024-4281
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4135 - Wp Latest Posts Plugin
The WP Latest Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.0.7. This is due to the plugin allowing users to execute an action that does not properly validate a user-supplied value prior to using that value in a call to do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
PLUGIN
Wp Latest Posts
CVE-2024-4135
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-34573 - WordPress Core
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pootlepress Pootle Pagebuilder – WordPress Page builder allows Stored XSS.This issue affects Pootle Pagebuilder – WordPress Page builder: from n/a through 5.7.1.
CORE
WordPress Core
CVE-2024-34573
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3494 - Mesmerize Companion Plugin
The Mesmerize Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mesmerize_contact_form' shortcode in all versions up to, and including, 1.6.148 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Mesmerize Companion
CVE-2024-3494
Risk Score
Threat Entry
Updated 2025-06-17
CVE-2024-1076 - Before 4 Plugin
The SSL Zen WordPress plugin before 4.6.0 does not properly prevent directory listing of the private keys folder, as it only relies on the use of .htaccess to prevent visitors from accessing the site's generated private keys, which allows an attacker to read them if the site runs on a server who doesn't support .htaccess files, like NGINX.
PLUGIN
Before 4
CVE-2024-1076
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2024-32674 - Heateor Social Login Plugin
Heateor Social Login WordPress prior to 1.1.32 contains a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who accessed the website using the product.
PLUGIN
Heateor Social Login
CVE-2024-32674
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6810 - Clickcease Click Fraud Protection Plugin
The ClickCease Click Fraud Protection plugin for WordPress is vulnerable to unauthorized access of data due to an improper capability check on the get_settings function in all versions up to, and including, 3.2.4. This makes it possible for authenticated attackers, with author access and above, to retrieve the plugin's configured API keys.
PLUGIN
Clickcease Click Fraud Protection
CVE-2023-6810
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6854 - Breakdance Plugin
The Breakdance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom postmeta output in all versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping on user supplied post meta fields. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Breakdance
CVE-2023-6854
Risk Score
Threat Entry
Updated 2025-04-18
CVE-2024-3755 - Mf Gig Calendar Plugin
The MF Gig Calendar WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Mf Gig Calendar
CVE-2024-3755
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-3752 - Crelly Slider Plugin
The Crelly Slider WordPress plugin through 1.4.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Crelly Slider
CVE-2024-3752
Risk Score