Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-08-01
CVE-2024-1592 - Complianz Plugin
The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5.6. This is due to missing or incorrect nonce validation on the process_delete function in class-DNSMPD.php. This makes it possible for unauthenticated attackers to delete GDPR data requests via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Complianz
CVE-2024-1592
Risk Score
Threat Entry
Updated 2025-03-11
CVE-2024-1120 - Finale Plugin
The NextMove Lite – Thank You Page for WooCommerce and Finale Lite – Sales Countdown Timer & Discount for WooCommerce plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the download_tools_settings() function in all versions up to, and including, 2.17.0. This makes it possible for unauthenticated attackers to export system information that can aid attackers in an attack.
PLUGIN
Finale
CVE-2024-1120
Risk Score
Threat Entry
Updated 2025-01-21
CVE-2024-25594 - Mywaze Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Savvy Wordpress Development MyWaze allows Stored XSS.This issue affects MyWaze: from n/a through 1.6.
PLUGIN
Mywaze
CVE-2024-25594
Risk Score
Threat Entry
Updated 2025-01-16
CVE-2024-1982 - Migration Backup Staging Plugin
The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the get_restore_progress() and restore() functions in all versions up to, and including, 0.9.68. This makes it possible for unauthenticated attackers to exploit a SQL injection vulnerability or trigger a DoS.
PLUGIN
Migration Backup Staging
CVE-2024-1982
Risk Score
Threat Entry
Updated 2025-08-01
CVE-2024-1978 - Friends Plugin
The Friends plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.5 via the discover_available_feeds function. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Friends
CVE-2024-1978
Risk Score
Threat Entry
Updated 2025-01-16
CVE-2024-1977 - Restaurant Solutions Checklist Plugin
The Restaurant Solutions – Checklist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Checklist points in version 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Restaurant Solutions Checklist
CVE-2024-1977
Risk Score
Threat Entry
Updated 2025-03-11
CVE-2024-1976 - Marketing Optimizer Plugin
The Marketing Optimizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20200925. This is due to missing or incorrect nonce validation via the admin/main-settings-page.php file. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Marketing Optimizer
CVE-2024-1976
Risk Score
Threat Entry
Updated 2025-02-27
CVE-2024-1341 - Advanced Iframe Plugin
The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's advanced_iframe shortcode in all versions up to, and including, 2024.1 due to the plugin allowing users to include JS files from external sources through the additional_js attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Advanced Iframe
CVE-2024-1341
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-0689 - Custom Field Suite Plugin
The Custom Field Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a meta import in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on the meta values. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Custom Field Suite
CVE-2024-0689
Risk Score
Threat Entry
Updated 2025-01-22
CVE-2024-1519 - Profilepress Plugin
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter in all versions up to, and including, 4.14.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires a member listing page to be active and using the Gerbera theme.
PLUGIN
Profilepress
CVE-2024-1519
Risk Score
Threat Entry
Updated 2025-03-04
CVE-2024-1586 - Schema Structured Data For Wp Amp Plugin
The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom schema in all versions up to, and including, 1.26 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default the required authentication level is admin, but administrators have the ability to assign role based access to users as low as subscriber.
PLUGIN
Schema Structured Data For Wp Amp
CVE-2024-1586
Risk Score
Threat Entry
Updated 2025-01-22
CVE-2024-1570 - Profilepress Plugin
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's login-password shortcode in all versions up to, and including, 4.14.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Profilepress
CVE-2024-1570
Risk Score
Threat Entry
Updated 2025-03-04
CVE-2024-1496 - Featured Image From Url Plugin
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the fifu_input_url parameter in all versions up to, and including, 4.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Featured Image From Url
CVE-2024-1496
Risk Score
Threat Entry
Updated 2025-01-08
CVE-2024-1448 - Sassy Social Share Plugin
The Social Sharing Plugin – Sassy Social Share plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.3.56 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Sassy Social Share
CVE-2024-1448
Risk Score
Threat Entry
Updated 2025-03-05
CVE-2024-1492 - Woo Czech Plugin
The WPify Woo Czech plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the maybe_send_to_packeta function in all versions up to, and including, 4.0.8. This makes it possible for unauthenticated attackers to obtain shipping details for orders as long as the order number is known.
PLUGIN
Woo Czech
CVE-2024-1492
Risk Score
Threat Entry
Updated 2025-02-27
CVE-2024-1475 - Coming Soon Maintenance Mode Plugin
The Coming Soon Maintenance Mode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.5 via the REST API. This makes it possible for unauthenticated attackers to obtain post and page content thus bypassing the protection provided by the plugin.
PLUGIN
Coming Soon Maintenance Mode
CVE-2024-1475
Risk Score
Threat Entry
Updated 2025-02-27
CVE-2024-1472 - Wp Maintenance Plugin
The WP Maintenance plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.1.6 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's maintenance mode obtain post and page content via REST API.
PLUGIN
Wp Maintenance
CVE-2024-1472
Risk Score
Threat Entry
Updated 2025-02-13
CVE-2024-1447 - Sydney Toolbox Plugin
The Sydney Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aThemes Slider button element in all versions up to, and including, 1.25 due to insufficient input sanitization and output escaping on user supplied link. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Sydney Toolbox
CVE-2024-1447
Risk Score
Threat Entry
Updated 2025-02-28
CVE-2024-1445 - Page Scroll To Id Plugin
The Page scroll to id plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.7.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Page Scroll To Id
CVE-2024-1445
Risk Score
Threat Entry
Updated 2024-12-31
CVE-2024-1425 - Embedpress Plugin
The EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Google Calendar Widget Link in all versions up to, and including, 3.9.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Embedpress
CVE-2024-1425
Risk Score