Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-03-05
CVE-2023-6731 - Wp Show Posts Plugin
The WP Show Posts plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple AJAX functions in all versions up to, and including, 1.1.5. This makes it possible for authenticated attackers, with subscriber access and above, to view arbitrary post metadata, list posts, and view terms and taxonomies.
PLUGIN
Wp Show Posts
CVE-2023-6731
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3005 - La Studio Element Kit For Elementor Plugin
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's LaStudioKit Post Author widget in all versions up to, and including, 1.3.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
La Studio Element Kit For Elementor
CVE-2024-3005
Risk Score
Threat Entry
Updated 2025-02-03
CVE-2024-3883 - 3d Flipbook Plugin
The 3D FlipBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Bookmark URL field in all versions up to, and including, 1.15.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
3d Flipbook
CVE-2024-3883
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3280 - Follow Us Badges Plugin
The Follow Us Badges plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpsite_follow_us_badges shortcode in all versions up to, and including, 3.1.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Follow Us Badges
CVE-2024-3280
Risk Score
Threat Entry
Updated 2025-02-27
CVE-2024-3490 - Wp Recipe Maker Plugin
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wprm-recipe-roundup-item shortcode in all versions up to, and including, 9.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Recipe Maker
CVE-2024-3490
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-3478 - Herd Effects Plugin
The Herd Effects WordPress plugin before 5.2.7 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting effects via CSRF attacks
PLUGIN
Herd Effects
CVE-2024-3478
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-3481 - Before 1 Plugin
The Counter Box WordPress plugin before 1.2.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such deleting counters via CSRF attacks
PLUGIN
Before 1
CVE-2024-3481
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-3472 - Modal Window Plugin
The Modal Window WordPress plugin before 5.3.10 does not have CSRF check in place when bulk deleting modals, which could allow attackers to make a logged in admin delete them via a CSRF attack
PLUGIN
Modal Window
CVE-2024-3472
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-3477 - Before 2 Plugin
The Popup Box WordPress plugin before 2.2.7 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting popups via CSRF attacks
PLUGIN
Before 2
CVE-2024-3477
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-2405 - Before 6 Plugin
The Float menu WordPress plugin before 6.0.1 does not have CSRF check in its bulk actions, which could allow attackers to make logged in admin delete arbitrary menu via a CSRF attack.
PLUGIN
Before 6
CVE-2024-2405
Risk Score
Threat Entry
Updated 2025-01-15
CVE-2024-0334 - Jeg Elementor Kit Plugin
The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom attribute of a link in several Elementor widgets in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Jeg Elementor Kit
CVE-2024-0334
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-3591 - Geo Controller Plugin
The Geo Controller WordPress plugin before 8.6.5 unserializes user input via some of its AJAX actions and REST API routes, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.
PLUGIN
Geo Controller
CVE-2024-3591
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3072 - Acf Front End Editor Plugin
The ACF Front End Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_texts() function in all versions up to, and including, 2.0.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary post title, content, and ACF data.
PLUGIN
Acf Front End Editor
CVE-2024-3072
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-1371 - Leadconnector Plugin
The LeadConnector plugin for WordPress is vulnerable to unauthorized modification & loss of data due to a missing capability check on the lc_public_api_proxy() function in all versions up to, and including, 1.7. This makes it possible for unauthenticated attackers to delete arbitrary posts.
PLUGIN
Leadconnector
CVE-2024-1371
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-0216 - Google Doc Embedder Plugin
The Google Doc Embedder plugin for WordPress is vulnerable to Server Side Request Forgery via the 'gview' shortcode in versions up to, and including, 2.6.4. This can allow authenticated attackers with contributor-level permissions or above to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Google Doc Embedder
CVE-2024-0216
Risk Score
Threat Entry
Updated 2025-04-08
CVE-2024-1905 - Before 2 Plugin
The Smart Forms WordPress plugin before 2.6.96 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Before 2
CVE-2024-1905
Risk Score
Threat Entry
Updated 2025-02-07
CVE-2024-3309 - Qi Addons For Elementor Plugin
The Qi Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown Widget's attributes in all versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Qi Addons For Elementor
CVE-2024-3309
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-2838 - Wpc Composite Products For Woocommerce Plugin
The WPC Composite Products for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wooco_components[0][name]' parameter in all versions up to, and including, 7.2.7 due to insufficient input sanitization and output escaping and missing authorization on the ajax_save_components function. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wpc Composite Products For Woocommerce
CVE-2024-2838
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2024-2258 - Form Maker Plugin
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name autofilled into forms in all versions up to, and including, 1.15.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Form Maker
CVE-2024-2258
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-33696 - WordPress Ad Widget Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Broadstreet XPRESS WordPress Ad Widget allows Stored XSS.This issue affects WordPress Ad Widget: from n/a through 2.20.0.
PLUGIN
WordPress Ad Widget
CVE-2024-33696
Risk Score