Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 | Critical: 923 | High: 3,047 | Medium: 10,866
Threat Entry Updated 2025-05-13

CVE-2024-13222 - User Messages Plugin

The User Messages WordPress plugin through 1.2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Plugin: User Messages | Severity: MEDIUM, CVSS 6.1 | 2025-01-31
Threat Entry Updated 2025-05-12

CVE-2024-13221 - Fantastic Elasticsearch Plugin

The Fantastic ElasticSearch WordPress plugin through 4.1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Plugin: Fantastic Elasticsearch | Severity: MEDIUM, CVSS 6.1 | 2025-01-31
Threat Entry Updated 2025-05-12

CVE-2024-13220 - Google Map Professional Plugin

The WordPress Google Map Professional (Map In Your Language) WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Plugin: Google Map Professional | Severity: MEDIUM, CVSS 6.1 | 2025-01-31
Threat Entry Updated 2026-01-09

CVE-2024-13219 - Privacy Policy Genius Plugin

The Privacy Policy Genius WordPress plugin through 2.0.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Plugin: Privacy Policy Genius | Severity: MEDIUM, CVSS 6.1 | 2025-01-31
Threat Entry Updated 2025-05-12

CVE-2024-13218 - Fast Tube Plugin

The Fast Tube WordPress plugin through 2.3.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Plugin: Fast Tube | Severity: MEDIUM, CVSS 6.1 | 2025-01-31
Threat Entry Updated 2025-05-11

CVE-2024-13112 - Wp Mediatagger Plugin

The WP MediaTagger WordPress plugin through 4.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Plugin: Wp Mediatagger | Severity: MEDIUM, CVSS 6.1 | 2025-01-31
Threat Entry Updated 2025-05-11

CVE-2024-13101 - Wp Mediatagger Plugin

The WP MediaTagger WordPress plugin through 4.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Plugin: Wp Mediatagger | Severity: MEDIUM, CVSS 5.4 | 2025-01-31
Threat Entry Updated 2025-01-31

CVE-2024-13216 - Ht Event Plugin

The HT Event – WordPress Event Manager Plugin for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.7 via the 'render' function in /includes/widgets/htevent_sponsor.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, and draft template data.

Plugin: Ht Event | Severity: MEDIUM, CVSS 4.3 | 2025-01-31
Threat Entry Updated 2025-01-31

CVE-2024-11886 - Lead Capturing Call To Actions By Vcita Plugin

The Contact Form and Calls To Action by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vCitaMeetingScheduler' shortcode in all versions up to, and including, 2.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Lead Capturing Call To Actions By Vcita | Severity: MEDIUM, CVSS 6.4 | 2025-01-31
Threat Entry Updated 2025-05-23

CVE-2024-13100 - Opsi Israel Domestic Shipments Plugin

The OPSI Israel Domestic Shipments WordPress plugin through 2.6.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Plugin: Opsi Israel Domestic Shipments | Severity: MEDIUM, CVSS 6.1 | 2025-01-31
Threat Entry Updated 2025-05-13

CVE-2024-12275 - Canvasflow Plugin

The Canvasflow for WordPress plugin through 1.5.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Plugin: Canvasflow | Severity: MEDIUM, CVSS 6.1 | 2025-01-31
Threat Entry Updated 2025-03-28

CVE-2024-12772 - Ninja Tables Plugin

The Ninja Tables WordPress plugin before 5.0.17 does not sanitize and escape a parameter before outputting it back in the page when importing a CSV, leading to a Cross Site Scripting vulnerability.

Plugin: Ninja Tables | Severity: MEDIUM, CVSS 5.4 | 2025-01-31
Threat Entry Updated 2025-05-23

CVE-2024-12872 - Zalomeni Plugin

The Zalomení WordPress plugin through 1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Plugin: Zalomeni | Severity: MEDIUM, CVSS 4.8 | 2025-01-31
Threat Entry Updated 2025-05-23

CVE-2025-0493 - Multivendorx Plugin

The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Limited Local File Inclusion in all versions up to, and including, 4.2.14 via the tabname parameter. This makes it possible for unauthenticated attackers to include PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.

Plugin: Multivendorx | Severity: CRITICAL, CVSS 9.8 | 2025-01-31
Threat Entry Updated 2025-01-31

CVE-2025-0507 - Ticketmeo – Sell Tickets – Event Ticketing Plugin

The Ticketmeo – Sell Tickets – Event Ticketing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 2.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Ticketmeo – Sell Tickets – Event Ticketing | Severity: MEDIUM, CVSS 6.4 | 2025-01-31
Threat Entry Updated 2025-03-25

CVE-2024-10867 - Borderless Plugin

The Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.5.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Plugin: Borderless | Severity: MEDIUM, CVSS 5.4 | 2025-01-31
Threat Entry Updated 2025-05-23

CVE-2025-0470 - Forminator Forms Plugin

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the title parameter in all versions up to, and including, 1.38.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: Forminator Forms | Severity: MEDIUM, CVSS 6.1 | 2025-01-31
Threat Entry Updated 2025-01-31

CVE-2024-13463 - Seatreg Plugin

The SeatReg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'seatreg' shortcode in all versions up to, and including, 1.56.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Seatreg | Severity: MEDIUM, CVSS 6.4 | 2025-01-31
Threat Entry Updated 2025-01-31

CVE-2024-13767 - Live 2d Plugin

The Live2DWebCanvas plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ClearFiles() function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Plugin: Live 2d | Severity: HIGH, CVSS 8.1 | 2025-01-31
Threat Entry Updated 2025-01-31

CVE-2024-13399 - Gosign Posts Slider Block Plugin

The Gosign – Posts Slider Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'posts-slider-block' block in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Gosign Posts Slider Block | Severity: MEDIUM, CVSS 6.4 | 2025-01-31