Threat Database

Threat Entry Updated 2024-11-21

CVE-2024-2124 - Translate WordPress and go Multilingual – Weglot Plugin

The Translate WordPress and go Multilingual – Weglot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widget/block in all versions up to, and including, 4.2.5 due to insufficient input sanitization and output escaping on user supplied attributes such as 'className'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Translate WordPress and go Multilingual – Weglot

CVE-2024-2124

MEDIUM CVSS 6.4 2024-03-20
Threat Entry Updated 2025-05-05

CVE-2024-0337 - Travelpayouts Plugin

The Travelpayouts: All Travel Brands in One Place WordPress plugin through 1.1.15 is vulnerable to Open Redirect due to insufficient validation on the travelpayouts_redirect variable. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

PLUGIN Travelpayouts

CVE-2024-0337

MEDIUM CVSS 6.1 2024-03-20
Threat Entry Updated 2025-05-05

CVE-2023-7246 - System Dashboard Plugin

The System Dashboard WordPress plugin before 2.8.10 does not sanitize and escape some parameters, which could allow administrators in multisite WordPress configurations to perform Cross-Site Scripting attacks.

PLUGIN System Dashboard

CVE-2023-7246

MEDIUM CVSS 5.4 2024-03-20
Threat Entry Updated 2025-01-27

CVE-2024-2255 - Essential Blocks Plugin

The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 4.5.2 due to insufficient input sanitization and output escaping on user supplied attributes such as listStyle. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Essential Blocks

CVE-2024-2255

MEDIUM CVSS 6.4 2024-03-20
Threat Entry Updated 2025-03-12

CVE-2024-2460 - Gamipress Plugin

The GamiPress – Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gamipress_button' shortcode in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Gamipress

CVE-2024-2460

MEDIUM CVSS 6.4 2024-03-20
Threat Entry Updated 2024-11-21

CVE-2024-2384 - Woocommerce Pos Plugin

The WooCommerce POS plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 1.4.11. This is due to the plugin not properly verifying the authentication and authorization of the current user. This makes it possible for authenticated attackers, with customer-level access and above, to view potentially sensitive information about other users by leveraging their order id.

PLUGIN Woocommerce Pos

CVE-2024-2384

MEDIUM CVSS 4.3 2024-03-20
Threat Entry Updated 2024-11-21

CVE-2024-1787 - Contests By Rewards Fuel Plugin

The Contests by Rewards Fuel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'update_rewards_fuel_api_key' parameter in all versions up to, and including, 2.0.64 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Contests By Rewards Fuel

CVE-2024-1787

MEDIUM CVSS 6.4 2024-03-20
Threat Entry Updated 2024-11-21

CVE-2024-2387 - Advanced Form Integration Plugin

The Advanced Form Integration – Connect WooCommerce and Contact Form 7 to Google Sheets and other platforms plugin for WordPress is vulnerable to SQL Injection via the ‘integration_id’ parameter in all versions up to, and including, 1.82.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries and subsequently inject arbitrary web scripts in pages that execute if they can successfully trick a user into…

PLUGIN Advanced Form Integration

CVE-2024-2387

MEDIUM CVSS 6.1 2024-03-20
Threat Entry Updated 2024-11-21

CVE-2024-1785 - Contests By Rewards Fuel Plugin

The Contests by Rewards Fuel plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.62. This is due to missing or incorrect nonce validation on the ajax_handler() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site's user with the edit_posts capability into performing an action such as clicking on a link.

PLUGIN Contests By Rewards Fuel

CVE-2024-1785

MEDIUM CVSS 5.4 2024-03-20
Threat Entry Updated 2024-11-21

CVE-2024-1995 - Smart Custom Fields Plugin

The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versions up to, and including, 4.2.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve post content that is password protected and/or private.

PLUGIN Smart Custom Fields

CVE-2024-1995

MEDIUM CVSS 4.3 2024-03-20
Threat Entry Updated 2025-05-05

CVE-2024-1401 - Profile Box Shortcode And Widget Plugin

The Profile Box Shortcode And Widget WordPress plugin before 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Profile Box Shortcode And Widget

CVE-2024-1401

MEDIUM CVSS 4.8 2024-03-19
Threat Entry Updated 2025-05-05

CVE-2024-0365 - Fancy Product Designer Plugin

The Fancy Product Designer WordPress plugin before 6.1.5 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by administrators.

PLUGIN Fancy Product Designer

CVE-2024-0365

MEDIUM CVSS 6.5 2024-03-18
Threat Entry Updated 2025-05-05

CVE-2024-0973 - Widget For Social Page Feeds Plugin

The Widget for Social Page Feeds WordPress plugin before 6.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Widget For Social Page Feeds

CVE-2024-0973

MEDIUM CVSS 6.1 2024-03-18
Threat Entry Updated 2025-05-13

CVE-2024-0711 - Buttons Shortcode And Widget Plugin

The Buttons Shortcode and Widget WordPress plugin through 1.16 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Buttons Shortcode And Widget

CVE-2024-0711

MEDIUM CVSS 6.1 2024-03-18
Threat Entry Updated 2025-03-28

CVE-2024-0820 - Jobs for WordPress Plugin

The Jobs for WordPress plugin before 2.7.4 does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks.

PLUGIN Jobs for WordPress

CVE-2024-0820

MEDIUM CVSS 5.4 2024-03-18
Threat Entry Updated 2025-05-13

CVE-2024-0719 - Tabs Shortcode And Widget Plugin

The Tabs Shortcode and Widget WordPress plugin through 1.17 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Tabs Shortcode And Widget

CVE-2024-0719

MEDIUM CVSS 5.4 2024-03-18
Threat Entry Updated 2025-05-05

CVE-2023-7085 - Scalable Vector Graphics (SVG) Plugin

The Scalable Vector Graphics (SVG) WordPress plugin through 3.4 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

PLUGIN Scalable Vector Graphics (SVG)

CVE-2023-7085

MEDIUM CVSS 5.4 2024-03-18
Threat Entry Updated 2025-03-27

CVE-2024-0951 - Advanced Social Feeds Widget Shortcode Plugin

The Advanced Social Feeds Widget & Shortcode WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Advanced Social Feeds Widget Shortcode

CVE-2024-0951

MEDIUM CVSS 4.8 2024-03-18
Threat Entry Updated 2025-05-05

CVE-2023-7236 - Backup Bolt Plugin

The Backup Bolt WordPress plugin through 1.3.0 is vulnerable to Information Exposure via the unprotected access of debug logs. This makes it possible for unauthenticated attackers to retrieve the debug log which may contain information like system errors which could contain sensitive information.

PLUGIN Backup Bolt

CVE-2023-7236

MEDIUM CVSS 4.7 2024-03-18