Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-03-25
CVE-2024-13217 - Jeg Elementor Kit Plugin
The Jeg Elementor Kit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.11 via the 'expired_data' and 'build_content' functions. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, and draft template data.
PLUGIN
Jeg Elementor Kit
CVE-2024-13217
Risk Score
Threat Entry
Updated 2025-03-11
CVE-2025-1450 - Floating Chat Widget Plugin
The Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button, WhatsApp – Chaty plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-hover’ parameter in all versions up to, and including, 3.3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Floating Chat Widget
CVE-2025-1450
Risk Score
Threat Entry
Updated 2025-03-11
CVE-2024-13734 - Card Elements For Elementor Plugin
The Card Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Profile Card widget in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Card Elements For Elementor
CVE-2024-13734
Risk Score
Threat Entry
Updated 2025-03-11
CVE-2025-1282 - Car Dealer Automotive Plugin
The Car Dealer Automotive WordPress Theme – Responsive theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_post_photo() and add_car() functions in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The add_car() function may also make it possible to read arbitrary files.
PLUGIN
Car Dealer Automotive
CVE-2025-1282
Risk Score
Threat Entry
Updated 2025-03-11
CVE-2025-1690 - Stripe Checkout Plugin
The ThemeMakers Stripe Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'stripe' shortcode in versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Stripe Checkout
CVE-2025-1690
Risk Score
Threat Entry
Updated 2025-03-11
CVE-2025-1717 - Login Me Now Plugin
The Login Me Now plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.2. This is due to insecure authentication based on an arbitrary transient name in the 'AutoLogin::listen()' function. This makes it possible for unauthenticated attackers to log in an existing user on the site, even an administrator. Note: this vulnerability requires using a transient name and value from another software, so the plugin is not inherently vulnerable on it's own.
PLUGIN
Login Me Now
CVE-2025-1717
Risk Score
Threat Entry
Updated 2025-03-11
CVE-2025-1689 - Paypal Checkout Plugin
The ThemeMakers PayPal Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'paypal' shortcode in versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Paypal Checkout
CVE-2025-1689
Risk Score
Threat Entry
Updated 2025-03-11
CVE-2024-13907 - Total Upkeep Plugin
The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.16.8 via the 'download' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Total Upkeep
CVE-2024-13907
Risk Score
Threat Entry
Updated 2025-02-27
CVE-2025-1295 - Templines Elementor Helper Core Plugin
The Templines Elementor Helper Core plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.7. This is due to allowing arbitrary user meta updates. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to Administrator. The vulnerability can only be exploited when the BuddyPress plugin is also installed and activated.
PLUGIN
Templines Elementor Helper Core
CVE-2025-1295
Risk Score
Threat Entry
Updated 2025-03-11
CVE-2024-2297 - Bricks Plugin
The Bricks theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.9.6.1. This is due to insufficient validation checks placed on the create_autosave AJAX function. This makes it possible for authenticated attackers, with contributor-level access and above, to execute arbitrary PHP code with elevated (administrator-level) privileges. NOTE: Successful exploitation requires (1) the Bricks Builder to be enabled for posts (2) Builder access to be enabled for contributor-level users, and (3) "Code Execution" to be enabled for administrator-level users within the theme's settings.
PLUGIN
Bricks
CVE-2024-2297
Risk Score
Threat Entry
Updated 2025-03-11
CVE-2024-6261 - Image Photo Gallery Final Tiles Grid Plugin
The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'FinalTilesGallery' shortcode in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Image Photo Gallery Final Tiles Grid
CVE-2024-6261
Risk Score
Threat Entry
Updated 2025-03-11
CVE-2025-0469 - Forminator Forms Plugin
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the slider template data in all versions up to, and including, 1.39.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Forminator Forms
CVE-2025-0469
Risk Score
Threat Entry
Updated 2025-03-12
CVE-2024-13905 - Onestore Sites Plugin
The OneStore Sites plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 0.1.1 via the class-export.php file. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Onestore Sites
CVE-2024-13905
Risk Score
Threat Entry
Updated 2025-03-21
CVE-2024-13647 - Sakolawp Plugin
The School Management System – SakolaWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing or incorrect nonce validation on the 'save_exam_setting' and 'delete_exam_setting' actions. This makes it possible for unauthenticated attackers to update exam settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Sakolawp
CVE-2024-13647
Risk Score
Threat Entry
Updated 2025-03-24
CVE-2025-1517 - Sina Extension For Elementor Plugin
The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Fancy Text, Countdown Widget, and Login Form shortcodes in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Sina Extension For Elementor
CVE-2025-1517
Risk Score
Threat Entry
Updated 2025-02-26
CVE-2024-6810 - Quiz Organizer Plugin
The Quiz Organizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Quiz Organizer
CVE-2024-6810
Risk Score
Threat Entry
Updated 2025-04-10
CVE-2024-13803 - Essential Blocks Plugin
The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-marker’ parameter in all versions up to, and including, 5.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Essential Blocks
CVE-2024-13803
Risk Score
Threat Entry
Updated 2025-05-20
CVE-2024-13633 - Simple Catalogue Plugin
The Simple catalogue WordPress plugin through 1.0.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Simple Catalogue
CVE-2024-13633
Risk Score
Threat Entry
Updated 2025-05-20
CVE-2024-13632 - Wp Extra Fields Plugin
The WP Extra Fields WordPress plugin through 1.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Wp Extra Fields
CVE-2024-13632
Risk Score
Threat Entry
Updated 2025-05-20
CVE-2024-13631 - Om Stripe Plugin
The Om Stripe WordPress plugin through 02.00.00 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Om Stripe
CVE-2024-13631
Risk Score