Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 10,866 records (Critical 0, High 0, Medium 10,866)
Showing 7101-7120 of 10866 records
CVE-2024-3994 - Tutor Lms Plugin
Threat Entry Updated 2025-01-15

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tutor_instructor_list' shortcode in all versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Tutor Lms | Severity: MEDIUM | CVSS 5.4 | 2024-04-25
CVE-2024-3733 - Essential Addons For Elementor Plugin
Threat Entry Updated 2025-01-10

The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.9.15 via the ajax_load_more(), eael_woo_pagination_product_ajax(), and ajax_eael_product_gallery() functions. This makes it possible for unauthenticated attackers to extract posts that may be in private or draft status.

Plugin: Essential Addons For Elementor | Severity: MEDIUM | CVSS 5.3 | 2024-04-25
CVE-2024-3988 - Sina Extension For Elementor Plugin
Threat Entry Updated 2025-02-07

The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Sina Fancy Text Widget in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Sina Extension For Elementor | Severity: MEDIUM | CVSS 6.4 | 2024-04-25
CVE-2024-3929 - Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode) Plugin
Threat Entry Updated 2024-11-21

The Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Widget Post Overlay block in all versions up to, and including, 3.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode) | Severity: MEDIUM | CVSS 6.4 | 2024-04-25
CVE-2024-3893 - Classified Listing Plugin
Threat Entry Updated 2025-04-23

The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the rtcl_fb_gallery_image_delete AJAX action in all versions up to, and including, 3.0.10.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachments.

Plugin: Classified Listing | Severity: MEDIUM | CVSS 5.3 | 2024-04-25
CVE-2024-2907 - Before 7 Plugin
Threat Entry Updated 2025-05-14

The AGCA WordPress plugin before 7.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Plugin: Before 7 | Severity: MEDIUM | CVSS 6.8 | 2024-04-25
CVE-2024-1756 - Woocommerce Customers Manager Plugin
Threat Entry Updated 2025-05-07

The WooCommerce Customers Manager WordPress plugin before 29.8 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and retrieve the list of customer email addresses along with their id, first name and last name.

Plugin: Woocommerce Customers Manager | Severity: MEDIUM | CVSS 6.5 | 2024-04-24
CVE-2024-2404 - Better Comments Plugin
Threat Entry Updated 2024-11-21

The Better Comments WordPress plugin before 1.5.6 does not sanitise and escape some of its settings, which could allow low privilege users such as Subscribers to perform Stored Cross-Site Scripting attacks.

Plugin: Better Comments | Severity: MEDIUM | CVSS 5.4 | 2024-04-24
CVE-2024-2402 - Better Comments Plugin
Threat Entry Updated 2025-05-08

The Better Comments WordPress plugin before 1.5.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Plugin: Better Comments | Severity: MEDIUM | CVSS 5.4 | 2024-04-24
CVE-2024-3261 - Strong Testimonials Plugin
Threat Entry Updated 2025-05-08

The Strong Testimonials WordPress plugin before 3.1.12 does not validate and escape some of its Testimonial fields before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The attack requires a specific view to be performed.

Plugin: Strong Testimonials | Severity: MEDIUM | CVSS 4.8 | 2024-04-24
CVE-2023-7253 - Before 2 Plugin
Threat Entry Updated 2025-05-08

The Import WP WordPress plugin before 2.13.1 does not prevent users with the administrator role from conducting SSRF attacks via its ping functionality, which may be a problem in multisite configurations.

Plugin: Before 2 | Severity: MEDIUM | CVSS 6.1 | 2024-04-24
CVE-2024-1743 - Woocommerce Customers Manager Plugin
Threat Entry Updated 2025-05-07

The WooCommerce Customers Manager WordPress plugin before 29.8 does not sanitise and escape various parameters before outputting them back in pages and attributes, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Plugin: Woocommerce Customers Manager | Severity: MEDIUM | CVSS 5.9 | 2024-04-24
CVE-2024-2477 - Wpdiscuz Plugin
Threat Entry Updated 2025-06-05

The wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of an uploaded image in all versions up to, and including, 7.6.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Wpdiscuz | Severity: MEDIUM | CVSS 6.4 | 2024-04-23
CVE-2024-3491 - Schema & Structured Data for WP & AMP Plugin
Threat Entry Updated 2024-11-21

The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's "How To" and "FAQ" Blocks in all versions up to, and including, 1.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Schema & Structured Data for WP & AMP | Severity: MEDIUM | CVSS 6.4 | 2024-04-23
CVE-2024-3732 - Geodirectory Plugin
Threat Entry Updated 2025-03-24

The GeoDirectory – WordPress Business Directory Plugin, or Classified Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gd_single_tabs' shortcode in all versions up to, and including, 2.3.48 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Geodirectory | Severity: MEDIUM | CVSS 6.4 | 2024-04-23
CVE-2024-3665 - Seo Plugin
Threat Entry Updated 2025-10-15

The Rank Math SEO with AI SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's HowTo and FAQ widgets in all versions up to, and including, 1.0.216 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Seo | Severity: MEDIUM | CVSS 6.4 | 2024-04-23
CVE-2024-0900 - Elespare – Blog, Magazine and Newspaper Addons for Elementor with Templates, Widgets, Kits, and Header/Footer Builder. One Click Import: No Coding Required! Plugin
Threat Entry Updated 2024-11-21

The Elespare – Build Your Blog, News & Magazine Websites with Expert-Designed Template Kits. One Click Import: No Coding Skills Required! plugin for WordPress is vulnerable to unauthorized post creation due to a missing capability check on the elespare_create_post() function hooked via AJAX in all versions up to, and including, 2.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary posts.

Plugin: Elespare – Blog, Magazine and Newspaper Addons for Elementor with Templates, Widgets, Kits, and Header/Footer Builder. One Click Import: No Coding Required! | Severity: MEDIUM | CVSS 4.3 | 2024-04-23
CVE-2024-3664 - Quick Featured Images Plugin
Threat Entry Updated 2024-11-21

The Quick Featured Images plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the set_thumbnail and delete_thumbnail functions in all versions up to, and including, 13.7.0. This makes it possible for authenticated attackers, with contributor-level access and above, to delete thumbnails and add thumbnails to posts they did not author.

Plugin: Quick Featured Images | Severity: MEDIUM | CVSS 4.3 | 2024-04-23