Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-02-04
CVE-2024-13550 - Abc Notation Plugin
The ABC Notation plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.1.3 via the 'file' attribute of the 'abcjs' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Abc Notation
CVE-2024-13550
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-13548 - Power Ups For Elementor Plugin
The Power Ups for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'magic-button' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Power Ups For Elementor
CVE-2024-13548
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-13458 - Notice Faq Plugin
The WordPress SEO Friendly Accordion FAQ with AI assisted content generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'noticefaq' shortcode in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Notice Faq
CVE-2024-13458
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-13441 - Bilingual Linker Plugin
The Bilingual Linker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the bl_otherlang_link_1 parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Bilingual Linker
CVE-2024-13441
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-13467 - Wp Contect Form7 Email Spam Blocker Plugin
The WP Contact Form7 Email Spam Blocker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post' parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Wp Contect Form7 Email Spam Blocker
CVE-2024-13467
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-13370 - Youzify Plugin
The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the save_addon_key_license() function in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options to a value of a valid license key.
PLUGIN
Youzify
CVE-2024-13370
Risk Score
Threat Entry
Updated 2025-01-25
CVE-2024-12885 - Connections Plugin
The Connections Business Directory plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation when deleting a connections image directory in all versions up to, and including, 10.4.66. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary folders on the server and all their content.
PLUGIN
Connections
CVE-2024-12885
Risk Score
Threat Entry
Updated 2025-01-25
CVE-2024-12817 - Etsy Importer Plugin
The Etsy Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'product_link' shortcode in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Etsy Importer
CVE-2024-12817
Risk Score
Threat Entry
Updated 2025-01-25
CVE-2024-12816 - Notice Board By Towkir Plugin
The NOTICE BOARD BY TOWKIR plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'notice-board' shortcode in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Notice Board By Towkir
CVE-2024-12816
Risk Score
Threat Entry
Updated 2025-02-04
CVE-2024-13368 - Youzify Plugin
The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the youzify_offer_banner() function in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary site options to a value of one.
PLUGIN
Youzify
CVE-2024-13368
Risk Score
Threat Entry
Updated 2025-01-25
CVE-2024-12826 - Personalize Woocommerce Cart Page Plugin
The GoHero Store Customizer for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wooh_action_settings_save_frontend() function in all versions up to, and including, 3.5. This makes it possible for unauthenticated attackers to update limited plugin settings.
PLUGIN
Personalize Woocommerce Cart Page
CVE-2024-12826
Risk Score
Threat Entry
Updated 2025-01-25
CVE-2024-12529 - Brodos Net Onlineshop Plugin
The brodos.net Onlineshop Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'BrodosCategory' shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Brodos Net Onlineshop
CVE-2024-12529
Risk Score
Threat Entry
Updated 2025-01-25
CVE-2024-12512 - Ask Me Anything Anonymously Plugin
The Ask Me Anything (Anonymously) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'askmeanythingpeople' shortcode in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ask Me Anything Anonymously
CVE-2024-12512
Risk Score
Threat Entry
Updated 2025-01-25
CVE-2024-11825 - Broadstreet Plugin
The Broadstreet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘zone’ parameter in all versions up to, and including, 1.50.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Broadstreet
CVE-2024-11825
Risk Score
Threat Entry
Updated 2025-01-25
CVE-2024-12076 - Brid Video Easy Publish Plugin
The Target Video Easy Publish plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.3. This is due to missing or incorrect nonce validation on the resync_carousel(), seek_snapshot(), uploaded_cc(), and remove_cc() functions. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Brid Video Easy Publish
CVE-2024-12076
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2024-12113 - Youzify Plugin
The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_user_review() and delete_review() functions in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other user's reviews.
PLUGIN
Youzify
CVE-2024-12113
Risk Score
Threat Entry
Updated 2025-01-25
CVE-2024-12600 - Custom Product Tabs Lite For Woocommerce Plugin
The Custom Product Tabs Lite for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.0 via deserialization of untrusted input from the 'frs_woo_product_tabs' parameter. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data,…
PLUGIN
Custom Product Tabs Lite For Woocommerce
CVE-2024-12600
Risk Score
Threat Entry
Updated 2025-01-25
CVE-2024-10552 - Flexmls Idx Plugin
The Flexmls® IDX Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘api_key’ and 'api_secret' parameters in all versions up to, and including, 3.14.26 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 3.14.25.
PLUGIN
Flexmls Idx
CVE-2024-10552
Risk Score
Threat Entry
Updated 2025-08-08
CVE-2025-0682 - Addons Plugin
The ThemeREX Addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.0 via the 'trx_sc_reviews' shortcode 'type' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
PLUGIN
Addons
CVE-2025-0682
Risk Score
Threat Entry
Updated 2025-01-25
CVE-2024-13721 - Plethora Tabs Accordions Plugin
The Plethora Plugins Tabs + Accordions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the anchor parameter in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Plethora Tabs Accordions
CVE-2024-13721
Risk Score