Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-03-27
CVE-2025-2319 - Ez Sql Reports Shortcode Widget And Db Backup Plugin
The EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.11.13 to 5.25.08. This is due to missing or incorrect nonce validation on the 'ELISQLREPORTS_menu' function. This makes it possible for unauthenticated attackers to execute code on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Version 5.25.10 adds a nonce check, which makes this vulnerability exploitable by admins only.
PLUGIN
Ez Sql Reports Shortcode Widget And Db Backup
CVE-2025-2319
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-2510 - Frndzk Expandable Bottom Bar Plugin
The Frndzk Expandable Bottom Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'text' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Frndzk Expandable Bottom Bar
CVE-2025-2510
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2024-13731 - Alert Box Block Plugin
The Alert Box Block – Display notice/alerts in the front end. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Alert Box block in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Alert Box Block
CVE-2024-13731
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2024-13710 - Estatebud Properties Listings Plugin
The Estatebud – Properties & Listings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.5.0. This is due to missing or incorrect nonce validation on the 'estatebud_settings' page. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Estatebud Properties Listings
CVE-2024-13710
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2024-13690 - Wp Church Donation Plugin
The WP Church Donation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several donation form submission parameters in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Church Donation
CVE-2024-13690
Risk Score
Threat Entry
Updated 2025-08-08
CVE-2025-2252 - Easy Digital Downloads Plugin
The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.6.1 via the edd_ajax_get_download_title() function. This makes it possible for unauthenticated attackers to extract private post titles of downloads. The impact here is minimal.
PLUGIN
Easy Digital Downloads
CVE-2025-2252
Risk Score
Threat Entry
Updated 2025-08-11
CVE-2025-1320 - Teachpress Plugin
The teachPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.0.9. This is due to missing or incorrect nonce validation on the import.php page. This makes it possible for unauthenticated attackers to delete imports via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Teachpress
CVE-2025-1320
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2024-12623 - Dicom Support Plugin
The DICOM Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dcm' shortcode in all versions up to, and including, 0.10.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Dicom Support
CVE-2024-12623
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-2224 - Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings
The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'parse_query' function in all versions up to, and including, 8.2. This makes it possible for unauthenticated attackers to update the post_status of any post to 'publish'.
PLUGIN
Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings
CVE-2025-2224
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-0845 - DesignThemes Core Features
The DesignThemes Core Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
THEME
DesignThemes Core Features
CVE-2025-0845
Risk Score
Threat Entry
Updated 2025-04-29
CVE-2024-9770 - Before 16 Plugin
The WP-Recall WordPress plugin before 16.26.12 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
PLUGIN
Before 16
CVE-2024-9770
Risk Score
Threat Entry
Updated 2025-05-06
CVE-2025-1452 - Before 2 Plugin
The Favorites WordPress plugin before 2.3.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 2
CVE-2025-1452
Risk Score
Threat Entry
Updated 2025-06-20
CVE-2024-13617 - Downloadable By American Osteopathic Association Plugin
The aoa-downloadable WordPress plugin through 0.1.0 doesn't validate a parameter in its download function, allowing unauthenticated attackers to download arbitrary files from the server
PLUGIN
Downloadable By American Osteopathic Association
CVE-2024-13617
Risk Score
Threat Entry
Updated 2025-06-20
CVE-2024-13618 - Downloadable By American Osteopathic Association Plugin
The aoa-downloadable WordPress plugin through 0.1.0 lacks authorization and authentication for requests to its download.php endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.
PLUGIN
Downloadable By American Osteopathic Association
CVE-2024-13618
Risk Score
Threat Entry
Updated 2025-04-29
CVE-2024-13863 - Before 4 Plugin
The Stylish Google Sheet Reader 4.0 WordPress plugin before 4.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
Before 4
CVE-2024-13863
Risk Score
Threat Entry
Updated 2025-05-06
CVE-2024-13118 - Ip Based Login Plugin
The IP Based Login WordPress plugin before 2.4.1 does not have CSRF checks in some places, which could allow attackers to make logged in users delete all logs via a CSRF attack
PLUGIN
Ip Based Login
CVE-2024-13118
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2024-13123 - Before 1 Plugin
The AFI WordPress plugin before 1.100.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 1
CVE-2024-13123
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2024-13122 - Before 1 Plugin
The AFI WordPress plugin before 1.100.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 1
CVE-2024-13122
Risk Score
Threat Entry
Updated 2025-04-29
CVE-2024-12769 - Simple Banner Plugin
The Simple Banner WordPress plugin before 3.0.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Simple Banner
CVE-2024-12769
Risk Score
Threat Entry
Updated 2025-05-06
CVE-2024-12682 - Smart Maintenance Mode Plugin
The Smart Maintenance Mode WordPress plugin before 1.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Smart Maintenance Mode
CVE-2024-12682
Risk Score