Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,866
Critical: 0
High: 0
Medium: 10,866
Showing 7361-7380 of 10866 records
Threat Entry Updated 2025-02-27

CVE-2024-2791 - Metform Elementor Contact Form Builder Plugin

The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 3.8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Metform Elementor Contact Form Builder

CVE-2024-2791

MEDIUM CVSS 6.4 2024-04-02
Threat Entry Updated 2025-05-07

CVE-2024-1274 - My Calendar Plugin

The My Calendar WordPress plugin before 3.4.24 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks (depending on the permissions set by the admin).

PLUGIN My Calendar

CVE-2024-1274

MEDIUM CVSS 5.4 2024-04-02
Threat Entry Updated 2025-08-15

CVE-2024-1504 - Secupress Plugin

The SecuPress Free — WordPress Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.5.1. This is due to missing or incorrect nonce validation on the secupress_blackhole_ban_ip() function. This makes it possible for unauthenticated attackers to block a user's IP via a forged request granted they can trick the user into performing an action such as clicking on a link.

PLUGIN Secupress

CVE-2024-1504

MEDIUM CVSS 4.3 2024-04-02
Threat Entry Updated 2025-05-13

CVE-2024-2369 - Page Builder Gutenberg Blocks Plugin

The Page Builder Gutenberg Blocks WordPress plugin before 3.1.7 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Page Builder Gutenberg Blocks

CVE-2024-2369

MEDIUM CVSS 5.4 2024-04-02
Threat Entry Updated 2025-05-07

CVE-2024-2278 - Themify Plugin

The Themify WordPress plugin before 1.4.4 does not sanitise and escape some of its Filters settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Themify

CVE-2024-2278

MEDIUM CVSS 6.1 2024-04-01
Threat Entry Updated 2025-06-10

CVE-2024-1526 - Hubbub Lite Plugin

The Hubbub Lite WordPress plugin before 1.33.1 does not ensure that the user has access to a password-protected post before displaying its content in a meta tag.

PLUGIN Hubbub Lite

CVE-2024-1526

MEDIUM CVSS 5.3 2024-04-01
Threat Entry Updated 2025-05-13

CVE-2024-2263 - Themify Plugin

The Themify WordPress plugin before 1.4.4 does not sanitise and escape a parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Themify

CVE-2024-2263

MEDIUM CVSS 4.8 2024-04-01
Threat Entry Updated 2025-05-13

CVE-2024-2262 - Themify Plugin

The Themify WordPress plugin before 1.4.4 does not have a CSRF check in its bulk action, which could allow attackers to make logged-in users delete arbitrary filters via a CSRF attack, granted they know the related filter slugs.

PLUGIN Themify

CVE-2024-2262

MEDIUM CVSS 4.7 2024-04-01
Threat Entry Updated 2024-11-21

CVE-2024-31104 - GetResponse for WordPress Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GetResponse GetResponse for WordPress allows Stored XSS. This issue affects GetResponse for WordPress: from n/a through 5.5.33.

PLUGIN GetResponse for WordPress

CVE-2024-31104

MEDIUM CVSS 6.5 2024-03-31
Threat Entry Updated 2025-04-09

CVE-2024-31108 - Iflychat Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iFlyChat Team iFlyChat – WordPress Chat iflychat allows Stored XSS. This issue affects iFlyChat – WordPress Chat: from n/a through 4.7.2.

PLUGIN Iflychat

CVE-2024-31108

MEDIUM CVSS 6.5 2024-03-31
Threat Entry Updated 2025-01-15

CVE-2024-2491 - Powerpack Addons For Elementor Plugin

The PowerPack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the *_html_tag* attribute of multiple widgets in all versions up to, and including, 2.7.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Powerpack Addons For Elementor

CVE-2024-2491

MEDIUM CVSS 6.4 2024-03-30
Threat Entry Updated 2025-01-30

CVE-2024-2144 - Ultimate Addons For Beaver Builder Plugin

The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Separator widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ultimate Addons For Beaver Builder

CVE-2024-2144

MEDIUM CVSS 6.4 2024-03-30
Threat Entry Updated 2025-01-30

CVE-2024-2143 - Ultimate Addons For Beaver Builder Plugin

The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Heading widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ultimate Addons For Beaver Builder

CVE-2024-2143

MEDIUM CVSS 6.4 2024-03-30
Threat Entry Updated 2025-01-30

CVE-2024-2142 - Ultimate Addons For Beaver Builder Plugin

The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Info Table widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ultimate Addons For Beaver Builder

CVE-2024-2142

MEDIUM CVSS 6.4 2024-03-30
Threat Entry Updated 2025-01-30

CVE-2024-2141 - Ultimate Addons For Beaver Builder Plugin

The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Button widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ultimate Addons For Beaver Builder

CVE-2024-2141

MEDIUM CVSS 6.4 2024-03-30
Threat Entry Updated 2025-01-30

CVE-2024-2140 - Ultimate Addons For Beaver Builder Plugin

The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Advanced Icons widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ultimate Addons For Beaver Builder

CVE-2024-2140

MEDIUM CVSS 6.4 2024-03-30
Threat Entry Updated 2024-11-21

CVE-2024-2794 - Gutenberg Block Editor Toolkit – EditorsKit Plugin

The Gutenberg Block Editor Toolkit – EditorsKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'editorskit' shortcode in all versions up to, and including, 1.40.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Gutenberg Block Editor Toolkit – EditorsKit

CVE-2024-2794

MEDIUM CVSS 6.4 2024-03-30
Threat Entry Updated 2024-11-21

CVE-2024-1692 - BoldGrid Easy SEO – Simple and Effective SEO Plugin

The BoldGrid Easy SEO – Simple and Effective SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the meta description field in all versions up to, and including, 1.6.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN BoldGrid Easy SEO – Simple and Effective SEO

CVE-2024-1692

MEDIUM CVSS 6.4 2024-03-30
Threat Entry Updated 2025-01-16

CVE-2024-1238 - Elements Kit Elementor Addons Plugin

The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button ID parameter in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elements Kit Elementor Addons

CVE-2024-1238

MEDIUM CVSS 6.4 2024-03-30
Threat Entry Updated 2024-11-21

CVE-2024-1051 - List Category Posts Plugin

The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'catlist' shortcode in all versions up to, and including, 0.89.6 due to insufficient input sanitization and output escaping on user supplied attributes like 'title_tag'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN List Category Posts

CVE-2024-1051

MEDIUM CVSS 6.4 2024-03-30