Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-05-14
CVE-2024-8855 - Wordpress Auction Plugin
The WordPress Auction Plugin WordPress plugin through 3.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing editors and above to perform SQL injection attacks
PLUGIN
Wordpress Auction
CVE-2024-8855
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12471 - Post Saint Plugin
The Post Saint: ChatGPT, GPT4, DALL-E, Stable Diffusion, Pexels, Dezgo AI Text & Image Generator plugin for WordPress is vulnerable to arbitrary files uploads due to a missing capability check and file type validation on the add_image_to_library AJAX action function in all versions up to, and including, 1.3.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files that make remote code execution possible.
PLUGIN
Post Saint
CVE-2024-12471
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12535 - Host Php Info Plugin
The Host PHP Info plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check when including the 'phpinfo' function in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to read configuration settings and predefined variables on the site's server. The plugin does not need to be activated for the vulnerability to be exploited.
PLUGIN
Host Php Info
CVE-2024-12535
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12849 - Error Log Viewer Wp Plugin
The Error Log Viewer By WP Guru plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.0.1.3 via the wp_ajax_nopriv_elvwp_log_download AJAX action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Error Log Viewer Wp
CVE-2024-12849
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12633 - More Plugin
The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page parameter in all versions up to, and including, 5.6.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
More
CVE-2024-12633
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12464 - Chatroll Live Chat Plugin
The Chatroll Live Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'chatroll' shortcode in all versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Chatroll Live Chat
CVE-2024-12464
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12440 - Candifly Plugin
The Candifly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'candifly' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Candifly
CVE-2024-12440
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12439 - Marketplace Items Plugin
The Marketplace Items plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'marketplace' shortcode in all versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Marketplace Items
CVE-2024-12439
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12438 - Woocommerce Digital Content Delivery With Drm Flickrocket Plugin
The WooCommerce Digital Content Delivery (incl. DRM) – FlickRocket plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'start_date’ and 'end_date' parameters in all versions up to, and including, 4.74 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Woocommerce Digital Content Delivery With Drm Flickrocket
CVE-2024-12438
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2024-12073 - Meteor Slides Plugin
The Meteor Slides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slide_url_value' parameter in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Meteor Slides
CVE-2024-12073
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-11887 - Geo Targetly Geo Content Plugin
The Geo Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'geotargetlygeocontent' shortcode in all versions up to, and including, 6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Geo Targetly Geo Content
CVE-2024-11887
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12384 - Woo Binary Mlm Plugin
The Binary MLM Woocommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page’ parameter in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Woo Binary Mlm
CVE-2024-12384
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12383 - Woo Binary Mlm Plugin
The Binary MLM Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0. This is due to missing or incorrect nonce validation on the 'bmw_display_pv_set_page' function and insufficient input sanitization and output escaping of the 'product_points' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Woo Binary Mlm
CVE-2024-12383
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12261 - Smartemailing Plugin
The SmartEmailing.cz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'se-lists-updated' parameter in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Smartemailing
CVE-2024-12261
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-11756 - Sweepwidget Plugin
The SweepWidget Contests, Giveaways, Photo Contests, Competitions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sweepwidget' shortcode in all versions up to, and including, 2.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Sweepwidget
CVE-2024-11756
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-11749 - App Embed Plugin
The App Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'appizy' shortcode in all versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
App Embed
CVE-2024-11749
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-11369 - Gift Cards For Woocommerce Plugin
The Store credit / Gift cards for woocommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'coupon', 'start_date', and 'end_date' parameters in all versions up to, and including, 1.0.49.46 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Gift Cards For Woocommerce
CVE-2024-11369
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2024-11606 - Tabs Shortcode Plugin
The Tabs Shortcode WordPress plugin through 2.0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
Tabs Shortcode
CVE-2024-11606
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-10562 - Form Maker By 10web Plugin
The Form Maker by 10Web WordPress plugin before 1.15.31 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Form Maker By 10web
CVE-2024-10562
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-10536 - Post Block Plugin
The FancyPost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handle_block_shortcode_export() function in all versions up to, and including, 6.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export shortcodes.
PLUGIN
Post Block
CVE-2024-10536
Risk Score