Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-01-15
CVE-2024-1502 - Tutor Lms Plugin
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tutor_delete_announcement() function in all versions up to, and including, 2.6.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts.
PLUGIN
Tutor Lms
CVE-2024-1502
Risk Score
Threat Entry
Updated 2025-01-15
CVE-2024-1503 - Tutor Lms Plugin
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.1. This is due to missing or incorrect nonce validation on the erase_tutor_data() function. This makes it possible for unauthenticated attackers to deactivate the plugin and erase all data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This requires the "Erase upon uninstallation" option to be enabled.
PLUGIN
Tutor Lms
CVE-2024-1503
Risk Score
Threat Entry
Updated 2025-05-09
CVE-2024-1450 - Shariff Wrapper Plugin
The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.10 due to insufficient input sanitization and output escaping on user supplied attributes such as 'align'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Shariff Wrapper
CVE-2024-1450
Risk Score
Threat Entry
Updated 2025-01-15
CVE-2024-1326 - Jeg Elementor Kit Plugin
The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via HTML Tag attributes in all versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Jeg Elementor Kit
CVE-2024-1326
Risk Score
Threat Entry
Updated 2025-01-29
CVE-2024-1278 - Easy Social Feed Plugin
The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'efb_likebox' shortcode in all versions up to, and including, 6.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Easy Social Feed
CVE-2024-1278
Risk Score
Threat Entry
Updated 2025-01-29
CVE-2024-1213 - Easy Social Feed Plugin
The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5.4. This is due to missing or incorrect nonce validation on the esf_insta_save_access_token and efbl_save_facebook_access_token functions. This makes it possible for unauthenticated attackers to connect their facebook and instagram pages to the site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Easy Social Feed
CVE-2024-1213
Risk Score
Threat Entry
Updated 2025-01-29
CVE-2024-1214 - Easy Social Feed Plugin
The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5.4. This is due to missing or incorrect nonce validation on the save_groups_list function. This makes it possible for unauthenticated attackers to disconnect a site's facebook or instagram page/group connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Easy Social Feed
CVE-2024-1214
Risk Score
Threat Entry
Updated 2025-05-09
CVE-2024-0966 - Shariff Wrapper Plugin
The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.9 due to insufficient input sanitization and output escaping on user supplied attributes like 'info_text'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and clicks the information icon.
PLUGIN
Shariff Wrapper
CVE-2024-0966
Risk Score
Threat Entry
Updated 2025-05-09
CVE-2023-6500 - Shariff Wrapper Plugin
The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.9 due to insufficient input sanitization and output escaping on user supplied attributes such as 'secondarycolor' and 'maincolor'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Shariff Wrapper
CVE-2023-6500
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-2304 - Animated Headline Plugin
The Animated Headline plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'animated-headline' shortcode in all versions up to, and including, 4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Animated Headline
CVE-2024-2304
Risk Score
Threat Entry
Updated 2025-02-27
CVE-2024-2129 - Wpbits Addons For Elementor Page Builder Plugin
The WPBITS Addons For Elementor Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's heading widget in all versions up to, and including, 1.3.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wpbits Addons For Elementor Page Builder
CVE-2024-2129
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-1477 - Easy Maintenance Mode Plugin
The Easy Maintenance Mode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.2 via the REST API. This makes it possible for authenticated attackers to obtain post and page content via REST API thus bypassign the protection provided by the plugin.
PLUGIN
Easy Maintenance Mode
CVE-2024-1477
Risk Score
Threat Entry
Updated 2025-03-24
CVE-2024-1473 - Coming Soon Maintenance Mode Plugin
The Coming Soon & Maintenance Mode by Colorlib plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.99 via the REST API. This makes it possible for unauthenticated attackers to obtain post and page contents via REST API thus bypassing maintenance mode protection provided by the plugin.
PLUGIN
Coming Soon Maintenance Mode
CVE-2024-1473
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-1844 - RevivePress – Keep your Old Content Evergreen Plugin
The RevivePress – Keep your Old Content Evergreen plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the import_data and copy_data functions in all versions up to, and including, 1.5.6. This makes it possible for authenticated attackers, with subscriber-level access or higher, to overwrite plugin settings and view them.
PLUGIN
RevivePress – Keep your Old Content Evergreen
CVE-2024-1844
Risk Score
Threat Entry
Updated 2025-03-24
CVE-2024-1379 - Website Article Monetization Plugin
The Website Article Monetization By MageNet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'abp_auth_key' parameter in all versions up to, and including, 1.0.11 due to insufficient input sanitization and output escaping and a missing authorization check. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Website Article Monetization
CVE-2024-1379
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-1181 - coming_soon\,_under_construction_\&_maintenance_mode_by_dazzler Plugin
The Coming Soon, Under Construction & Maintenance Mode By Dazzler plugin for WordPress is vulnerable to maintenance mode bypass in all versions up to, and including, 2.1.2. This is due to the plugin relying on the REQUEST_URI to determine if the page being accesses is an admin area. This makes it possible for unauthenticated attackers to bypass maintenance mode and access the site which may be considered confidential when in maintenance mode.
PLUGIN
coming_soon\,_under_construction_\&_maintenance_mode_by_dazzler
CVE-2024-1181
Risk Score
Threat Entry
Updated 2025-04-09
CVE-2024-1325 - Woomotiv Plugin
The Live Sales Notification for Woocommerce – Woomotiv plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.3. This is due to missing or incorrect nonce validation on the 'ajax_cancel_review' function. This makes it possible for unauthenticated attackers to reset the site's review count via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Woomotiv
CVE-2024-1325
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-1119 - Order Tip For Woocommerce Plugin
The Order Tip for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_tips_to_csv() function in all versions up to, and including, 1.3.1. This makes it possible for unauthenticated attackers to export the plugin's order fees.
PLUGIN
Order Tip For Woocommerce
CVE-2024-1119
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-2538 - Permalink Manager Lite Plugin
The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_permalink' function in all versions up to, and including, 2.4.3.1. This makes it possible for authenticated attackers, with author access and above, to modify the permalinks of arbitrary posts.
PLUGIN
Permalink Manager Lite
CVE-2024-2538
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-2474 - Standout Color Boxes And Buttons Plugin
The Standout Color Boxes and Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'color-button' shortcode in all versions up to, and including, 0.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Standout Color Boxes And Buttons
CVE-2024-2474
Risk Score