
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2025-05-28

CVE-2024-1752 - Font Farsi Plugin

The Font Farsi WordPress plugin through 1.6.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Font Farsi

CVE-2024-1752

MEDIUM CVSS 6.1 2024-04-08
Threat Entry Updated 2025-03-24

CVE-2024-1589 - Sendpress Plugin

The SendPress Newsletters WordPress plugin through 1.23.11.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Sendpress

CVE-2024-1589

MEDIUM CVSS 6.1 2024-04-08
Threat Entry Updated 2025-05-19

CVE-2024-1958 - Wpb Show Core Plugin

The WPB Show Core WordPress plugin before 2.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or against unauthenticated users.

PLUGIN Wpb Show Core

CVE-2024-1958

MEDIUM CVSS 4.8 2024-04-08
Threat Entry Updated 2025-05-19

CVE-2024-1292 - Wpb Show Core Plugin

The WPB Show Core WordPress plugin before 2.7 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Wpb Show Core

CVE-2024-1292

MEDIUM CVSS 4.7 2024-04-08
Threat Entry Updated 2024-11-21

CVE-2024-31344 - Easy Login Styler – White Label Admin Login Page for WordPress Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Phpbits Creative Studio Easy Login Styler – White Label Admin Login Page for WordPress allows Stored XSS. This issue affects Easy Login Styler – White Label Admin Login Page for WordPress: from n/a through 1.0.6.

PLUGIN Easy Login Styler – White Label Admin Login Page for WordPress

CVE-2024-31344

MEDIUM CVSS 5.9 2024-04-07
Threat Entry Updated 2025-01-14

CVE-2023-6877 - Youtube Video Feeds Aggregator Plugin

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 4.3.3 due to insufficient input sanitization and output escaping on the Content-Type field of error messages when retrieving an invalid RSS feed. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Youtube Video Feeds Aggregator

CVE-2023-6877

MEDIUM CVSS 6.4 2024-04-07
Threat Entry Updated 2025-01-15

CVE-2024-2132 - Ultimate Bootstrap Elements For Elementor Plugin

The Ultimate Bootstrap Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Widget in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ultimate Bootstrap Elements For Elementor

CVE-2024-2132

MEDIUM CVSS 6.4 2024-04-06
Threat Entry Updated 2025-03-06

CVE-2024-2296 - Photo Gallery Plugin

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.8.21 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Photo Gallery

CVE-2024-2296

MEDIUM CVSS 5.5 2024-04-06
Threat Entry Updated 2025-02-27

CVE-2024-2458 - Powerkit – Supercharge your WordPress Site Plugin

The Powerkit – Supercharge your WordPress Site plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 2.9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Powerkit – Supercharge your WordPress Site

CVE-2024-2458

MEDIUM CVSS 6.4 2024-04-06
Threat Entry Updated 2025-01-17

CVE-2024-1428 - Element Pack Plugin

The Element Pack Elementor Addons (Header Footer, Free Template Library, Grid, Carousel, Table, Parallax Animation, Register Form, Twitter Grid) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘element_pack_wrapper_link’ attribute of the Trailer Box widget in all versions up to, and including, 5.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Element Pack

CVE-2024-1428

MEDIUM CVSS 6.4 2024-04-06
Threat Entry Updated 2025-01-17

CVE-2024-0837 - Element Pack Plugin

The Element Pack Elementor Addons (Header Footer, Free Template Library, Grid, Carousel, Table, Parallax Animation, Register Form, Twitter Grid) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image URL parameter in all versions up to, and including, 5.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Element Pack

CVE-2024-0837

MEDIUM CVSS 6.4 2024-04-06
Threat Entry Updated 2025-02-27

CVE-2024-2949 - Wp Carousel Plugin

The Carousel, Slider, Gallery by WP Carousel – Image Carousel & Photo Gallery, Post Carousel & Post Grid, Product Carousel & Product Grid for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the carousel widget in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Carousel

CVE-2024-2949

MEDIUM CVSS 6.4 2024-04-06
Threat Entry Updated 2025-02-24

CVE-2024-2471 - Foogallery Plugin

The FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image attachment fields (such as 'Title', 'Alt Text', 'Custom URL', 'Custom Class', and 'Override Type') in all versions up to, and including, 2.4.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Foogallery

CVE-2024-2471

MEDIUM CVSS 6.4 2024-04-06
Threat Entry Updated 2025-05-08

CVE-2024-2444 - Inline Related Posts Plugin

The Inline Related Posts WordPress plugin before 3.5.0 does not sanitise and escape some of its settings, which could allow high privilege users such as Admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN Inline Related Posts

CVE-2024-2444

MEDIUM CVSS 4.8 2024-04-06
Threat Entry Updated 2025-02-11

CVE-2024-3216 - Woocommerce Pdf Invoices Packing Slips Delivery Notes And Shipping Labels Plugin

The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wt_pklist_reset_settings() function in all versions up to, and including, 4.4.2. This makes it possible for unauthenticated attackers to reset all of the plugin's settings.

PLUGIN Woocommerce Pdf Invoices Packing Slips Delivery Notes And Shipping Labels

CVE-2024-3216

MEDIUM CVSS 5.3 2024-04-06
Threat Entry Updated 2025-02-27

CVE-2024-2950 - Easy Seo Plugin

The BoldGrid Easy SEO – Simple and Effective SEO plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.6.14 via meta information (og:description). This makes it possible for unauthenticated attackers to view the first 130 characters of a password protected post, which can contain sensitive information.

PLUGIN Easy Seo

CVE-2024-2950

MEDIUM CVSS 5.3 2024-04-06
Threat Entry Updated 2024-11-21

CVE-2024-2656 - Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce Plugin

The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a CSV import in all versions up to, and including, 5.7.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce

CVE-2024-2656

MEDIUM CVSS 4.4 2024-04-06
Threat Entry Updated 2025-01-07

CVE-2024-3245 - Embedpress Plugin

The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Youtube block in all versions up to, and including, 3.9.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Embedpress

CVE-2024-3245

MEDIUM CVSS 6.4 2024-04-06
Threat Entry Updated 2024-11-21

CVE-2024-1994 - Image Watermark Plugin

The Image Watermark plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the watermark_action_ajax() function in all versions up to, and including, 1.7.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to apply and remove watermarks from images.

PLUGIN Image Watermark

CVE-2024-1994

MEDIUM CVSS 4.3 2024-04-06
Threat Entry Updated 2024-11-21

CVE-2024-2499 - Squelch Tabs And Accordions Shortcodes Plugin

The Squelch Tabs and Accordions Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'accordions' shortcode in all versions up to, and including, 0.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Squelch Tabs And Accordions Shortcodes

CVE-2024-2499

MEDIUM CVSS 6.4 2024-04-05