Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-01-09
CVE-2024-12222 - Wc Shipos Delivery Plugin
The Deliver via Shipos for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘dvsfw_bulk_label_url’ parameter in all versions up to, and including, 2.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Wc Shipos Delivery
CVE-2024-12222
Risk Score
Threat Entry
Updated 2025-01-09
CVE-2024-12218 - Woocommerce Check Pincode Zipcode For Shipping Plugin
The Woocommerce check pincode/zipcode for shipping plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.4. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Woocommerce Check Pincode Zipcode For Shipping
CVE-2024-12218
Risk Score
Threat Entry
Updated 2025-01-09
CVE-2024-12249 - Gs Instagram Portfolio Plugin
The GS Insever Portfolio plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_settings() function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's CSS settings.
PLUGIN
Gs Instagram Portfolio
CVE-2024-12249
Risk Score
Threat Entry
Updated 2025-01-09
CVE-2024-12206 - Pearl Plugin
The WordPress Header Builder Plugin – Pearl plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing or incorrect nonce validation on the stm_header_builder page. This makes it possible for unauthenticated attackers to delete arbitrary headers via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Pearl
CVE-2024-12206
Risk Score
Threat Entry
Updated 2025-01-09
CVE-2024-12067 - Wp Travel Plugin
The WP Travel – Ultimate Travel Booking System, Tour Management Engine plugin for WordPress is vulnerable to SQL Injection via the 'booking_itinerary' parameter of the 'wptravel_get_booking_data' function in all versions up to, and including, 10.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Wp Travel
CVE-2024-12067
Risk Score
Threat Entry
Updated 2025-01-09
CVE-2024-11929 - Responsive Flipbook Plugin Wordpress
The Responsive FlipBook Plugin Wordpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the rfbwp_save_settings() functionin all versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Responsive Flipbook Plugin Wordpress
CVE-2024-11929
Risk Score
Threat Entry
Updated 2025-01-09
CVE-2024-11907 - Skyword Plugin
The Skyword API Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'skyword_iframe' shortcode in all versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Skyword
CVE-2024-11907
Risk Score
Threat Entry
Updated 2025-01-09
CVE-2024-12122 - Resads Plugin
The ResAds plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via multiple parameters in all versions up to, and including, 2.0.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Resads
CVE-2024-12122
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2024-11642 - Post Grid Master Plugin
The Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.4.12 via the 'locate_template' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other…
PLUGIN
Post Grid Master
CVE-2024-11642
Risk Score
Threat Entry
Updated 2025-01-09
CVE-2024-11815 - Posturinn Plugin
The Pósturinn\'s Shipping with WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the printed_marked and nonprinted_marked parameters in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Posturinn
CVE-2024-11815
Risk Score
Threat Entry
Updated 2025-01-09
CVE-2024-11686 - Manycontacts Bar Plugin
The WhatsApp 🚀 click to chat plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'manycontacts_code' parameter in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Manycontacts Bar
CVE-2024-11686
Risk Score
Threat Entry
Updated 2025-01-09
CVE-2024-11328 - Cluevo Lms Plugin
The CLUEVO LMS, E-Learning Platform plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.13.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Cluevo Lms
CVE-2024-11328
Risk Score
Threat Entry
Updated 2025-03-03
CVE-2024-13153 - Unlimited Elements For Elementor Plugin
The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.5.135 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: Since the widget code isn't part of the code, to apply the patch, the affected widgets: Image Tooltip, Notification, Simple Popup, Video Play…
PLUGIN
Unlimited Elements For Elementor
CVE-2024-13153
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2024-12736 - Bu Section Editing Plugin
The BU Section Editing WordPress plugin through 0.9.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Bu Section Editing
CVE-2024-12736
Risk Score
Threat Entry
Updated 2025-04-21
CVE-2024-12731 - Infeed Plugin
The Aklamator INfeed WordPress plugin through 2.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Infeed
CVE-2024-12731
Risk Score
Threat Entry
Updated 2025-04-21
CVE-2024-12717 - Infeed Plugin
The Aklamator INfeed WordPress plugin through 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Infeed
CVE-2024-12717
Risk Score
Threat Entry
Updated 2025-05-17
CVE-2024-12715 - Asgard Security Scanner Plugin
The Asgard Security Scanner WordPress plugin through 0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Asgard Security Scanner
CVE-2024-12715
Risk Score
Threat Entry
Updated 2025-05-17
CVE-2024-12714 - Backlink Monitoring Manager Plugin
The Backlink Monitoring Manager WordPress plugin through 0.1.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Backlink Monitoring Manager
CVE-2024-12714
Risk Score
Threat Entry
Updated 2025-05-14
CVE-2024-10815 - Postlists Plugin
The PostLists WordPress plugin through 2.0.2 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers
PLUGIN
Postlists
CVE-2024-10815
Risk Score
Threat Entry
Updated 2025-01-08
CVE-2024-11423 - And Use Advance Coupons With Personalized Templates Plugin
The Ultimate Gift Cards for WooCommerce – Create WooCommerce Gift Cards, Gift Vouchers, Redeem & Manage Digital Gift Coupons. Offer Gift Certificates, Schedule Gift Cards, and Use Advance Coupons With Personalized Templates plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several REST API endpoints such as /wp-json/gifting/recharge-giftcard in all versions up to, and including, 3.0.6. This makes it possible for unauthenticated attackers to recharge a gift card balance, without making a payment along with reducing gift card balances without purchasing anything.
PLUGIN
And Use Advance Coupons With Personalized Templates
CVE-2024-11423
Risk Score