
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 7301-7320 of 10866 records

Threat Entry Updated 2025-01-09

CVE-2024-1289 - Learnpress Plugin

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.6.3 due to missing validation on a user controlled key when looking up order information. This makes it possible for authenticated attackers to obtain information on orders placed by other users and guests, which can be leveraged to sign up for paid courses that were purchased by guests. Emails of other users are also exposed.

PLUGIN Learnpress

CVE-2024-1289

MEDIUM CVSS 6.5 2024-04-09

Threat Entry Updated 2025-07-17

CVE-2024-0873 - Watu Quiz Plugin

The Watu Quiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'watu-basic-chart' shortcode in all versions up to, and including, 3.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Watu Quiz

CVE-2024-0873

MEDIUM CVSS 6.4 2024-04-09

Threat Entry Updated 2025-02-07

CVE-2024-0826 - Qi Addons For Elementor Plugin

The Qi Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 1.6.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Qi Addons For Elementor

CVE-2024-0826

MEDIUM CVSS 6.4 2024-04-09

Threat Entry Updated 2024-11-21

CVE-2024-0899 - s2Member – Best Membership Plugin for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions

The s2Member – Best Membership Plugin for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 230815 via the API. This makes it possible for unauthenticated attackers to see the contents of those posts and pages.

PLUGIN s2Member – Best Membership Plugin for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions

CVE-2024-0899

MEDIUM CVSS 5.3 2024-04-09

Threat Entry Updated 2025-08-26

CVE-2024-0872 - Watu Quiz Plugin

The Watu Quiz plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.4.1 via the watu-userinfo shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive user meta data which can include session tokens and user emails.

PLUGIN Watu Quiz

CVE-2024-0872

MEDIUM CVSS 4.3 2024-04-09

Threat Entry Updated 2025-01-09

CVE-2024-0376 - Premium Addons For Elementor Plugin

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Wrapper Link Widget in all versions up to, and including, 4.10.16 due to insufficient input sanitization and output escaping on user supplied URLs. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Premium Addons For Elementor

CVE-2024-0376

MEDIUM CVSS 6.4 2024-04-09

Threat Entry Updated 2024-11-21

CVE-2024-0626 - Woocommerce Clover Payment Gateway Plugin

The WooCommerce Clover Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the callback_handler function in all versions up to, and including, 1.3.1. This makes it possible for unauthenticated attackers to mark orders as paid.

PLUGIN Woocommerce Clover Payment Gateway

CVE-2024-0626

MEDIUM CVSS 5.3 2024-04-09

Threat Entry Updated 2025-05-06

CVE-2024-0662 - Fancybox Plugin

The FancyBox for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions 3.0.2 to 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Fancybox

CVE-2024-0662

MEDIUM CVSS 4.4 2024-04-09

Threat Entry Updated 2025-02-06

CVE-2024-0598 - Gutenberg Blocks With Ai Plugin

The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the contact form message settings in all versions up to and including 3.2.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This primarily affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Gutenberg Blocks With Ai

CVE-2024-0598

MEDIUM CVSS 4.4 2024-04-09

Threat Entry Updated 2025-01-17

CVE-2024-0588 - Paid Memberships Pro Plugin

The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.12.10. This is due to missing nonce validation on the pmpro_lifter_save_streamline_option() function. This makes it possible for unauthenticated attackers to enable the streamline setting with Lifter LMS via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Paid Memberships Pro

CVE-2024-0588

MEDIUM CVSS 4.3 2024-04-09

Threat Entry Updated 2024-11-21

CVE-2023-6993 - Custom post types, Custom Fields & more Plugin

The Custom post types, Custom Fields & more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode and custom post meta in all versions up to, and including, 5.0.4 due to insufficient input sanitization and output escaping on user supplied post meta values. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Custom post types, Custom Fields & more

CVE-2023-6993

MEDIUM CVSS 6.4 2024-04-09

Threat Entry Updated 2025-01-22

CVE-2023-6965 - Custom Content Types And Fields Plugin

The Pods – Custom Content Types and Fields plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.0.10 (with the exception of 2.7.31.2, 2.8.23.2, 2.9.19.2). This is due to the fact that the plugin allows the use of a file inclusion feature via shortcode. This makes it possible for authenticated attackers, with contributor access or higher, to create pods and users (with default role).

PLUGIN Custom Content Types And Fields

CVE-2023-6965

MEDIUM CVSS 4.3 2024-04-09

Threat Entry Updated 2025-05-06

CVE-2023-6695 - Beaver Themer

The Beaver Themer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.9 via the 'wpbb' shortcode. This makes it possible for authenticated attackers, with contributor access and above, to extract sensitive data including arbitrary user_meta values.

THEME Beaver Themer

CVE-2023-6695

MEDIUM CVSS 6.5 2024-04-09

Threat Entry Updated 2025-05-06

CVE-2023-6694 - Beaver Themer

The Beaver Themer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.4.9 due to insufficient input sanitization and output escaping on user supplied custom fields. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Beaver Themer

CVE-2023-6694

MEDIUM CVSS 6.4 2024-04-09

Threat Entry Updated 2025-02-06

CVE-2023-6486 - Spectra Plugin

The Spectra – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom CSS metabox in all versions up to and including 2.10.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Spectra

CVE-2023-6486

MEDIUM CVSS 6.4 2024-04-09

Threat Entry Updated 2025-04-07

CVE-2023-6799 - Most Advanced Wordpress Reset Tool Plugin

The WP Reset – Most Advanced WordPress Reset Tool plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0 via the use of insufficiently random snapshot names. This makes it possible for unauthenticated attackers to extract sensitive data including site backups by brute-forcing the snapshot filenames. Please note that the vendor does not plan to do any further hardening on this functionality.

PLUGIN Most Advanced Wordpress Reset Tool

CVE-2023-6799

MEDIUM CVSS 5.9 2024-04-09

Threat Entry Updated 2025-02-11

CVE-2023-6777 - Wp Go Maps Plugin

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to unauthenticated API key disclosure in versions up to, and including, 9.0.34 due to the plugin adding the API key to several plugin files. This makes it possible for unauthenticated attackers to obtain the developer's Google API key. While this does not affect the security of sites using this plugin, it allows unauthenticated attackers to make requests using this API key with the potential of exhausting requests resulting in an inability to use the map functionality offered…

PLUGIN Wp Go Maps

CVE-2023-6777

MEDIUM CVSS 5.3 2024-04-09

Threat Entry Updated 2025-05-13

CVE-2024-1664 - Responsive Gallery Grid Plugin

The Responsive Gallery Grid WordPress plugin before 2.3.11 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Responsive Gallery Grid

CVE-2024-1664

MEDIUM CVSS 6.1 2024-04-09

Threat Entry Updated 2025-03-28

CVE-2024-1588 - Sendpress Plugin

The SendPress Newsletters WordPress plugin through 1.23.11.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Sendpress

CVE-2024-1588

MEDIUM CVSS 6.8 2024-04-08

Threat Entry Updated 2025-05-19

CVE-2024-1956 - Wpb Show Core Plugin

The wpb-show-core WordPress plugin before 2.7 does not sanitise and escape request parameters before outputting them back in the response to an unauthenticated request, leading to Reflected Cross-Site Scripting.

PLUGIN Wpb Show Core

CVE-2024-1956

MEDIUM CVSS 6.1 2024-04-08