Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-05-14
CVE-2024-10102 - Slider In Rbs Image Gallery Plugin
The Photo Gallery, Images, Slider in Rbs Image Gallery WordPress plugin before 3.2.22 does not sanitise and escape some of its Gallery settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks
PLUGIN
Slider In Rbs Image Gallery
CVE-2024-10102
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-9208 - Enable Accessibility Plugin
The Enable Accessibility plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.4.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Enable Accessibility
CVE-2024-9208
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12470 - Sakolawp Lite Plugin
The School Management System – SakolaWP plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.8. This is due to the registration function not properly limiting what roles a user can register as. This makes it possible for unauthenticated attackers to register as an administrative user.
PLUGIN
Sakolawp Lite
CVE-2024-12470
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12462 - Yogo Booking Plugin
The YOGO Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'yogo-calendar' shortcode in all versions up to, and including, 1.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Yogo Booking
CVE-2024-12462
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12457 - Chat Viber Plugin
The Chat Support for Viber – Chat Bubble and Chat Button for Gutenberg, Elementor and Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vchat' shortcode in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Chat Viber
CVE-2024-12457
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12453 - Uptodown Apk Download Widget Plugin
The Uptodown APK Download Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'utd-widget' shortcode in all versions up to, and including, 0.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Uptodown Apk Download Widget
CVE-2024-12453
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12445 - Rightmessage Plugin
The RightMessage WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rm_area' shortcode in all versions up to, and including, 0.9.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Rightmessage
CVE-2024-12445
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12322 - Theperfectweddingnl Widget Plugin
The ThePerfectWedding.nl Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8. This is due to missing or incorrect nonce validation on the 'update_option' function. This makes it possible for unauthenticated attackers to update the 'tpwKey' option with stored cross-site scripting via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Theperfectweddingnl Widget
CVE-2024-12322
Risk Score
Threat Entry
Updated 2025-07-14
CVE-2024-12332 - Wpschoolpress Plugin
The School Management System – WPSchoolPress plugin for WordPress is vulnerable to SQL Injection via the 'cid' parameter in all versions up to, and including, 2.2.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Student/Parent-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Wpschoolpress
CVE-2024-12332
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12435 - Woocommerce Compare Products Plugin
The Compare Products for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘s_feature’ parameter in all versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Woocommerce Compare Products
CVE-2024-12435
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12324 - Unilevel Mlm Plan Plugin
The Unilevel MLM Plan plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Unilevel Mlm Plan
CVE-2024-12324
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12327 - Lazyload Background Images Plugin
The LazyLoad Background Images plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pblzbg_save_settings() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings.
PLUGIN
Lazyload Background Images
CVE-2024-12327
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12264 - Payu India Plugin
The PayU CommercePro Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.8.3. This is due to /wp-json/payu/v1/generate-user-token and /wp-json/payu/v1/get-shipping-cost REST API endpoints not properly verifying a user's identity prior to setting the users ID and auth cookies. This makes it possible for unauthenticated attackers to create new administrative user accounts.
PLUGIN
Payu India
CVE-2024-12264
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12313 - Woocommerce Compare Products Plugin
The Compare Products for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.1 via deserialization of untrusted input from the 'woo_compare_list' cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
PLUGIN
Woocommerce Compare Products
CVE-2024-12313
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12291 - Viewmedica Plugin
The ViewMedica 9 plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.15. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Viewmedica
CVE-2024-12291
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2024-12290 - Infility Global Plugin
The Infility Global plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘set_type’ parameter in all versions up to, and including, 2.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Infility Global
CVE-2024-12290
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12288 - Simple Add Pages Or Posts Plugin
The Simple add pages or posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Simple Add Pages Or Posts
CVE-2024-12288
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12252 - Seo Beginner Auto Post Plugin
The SEO LAT Auto Post plugin for WordPress is vulnerable to file overwrite due to a missing capability check on the remote_update AJAX action in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to overwrite the seo-beginner-auto-post.php file which can be leveraged to achieve remote code execution.
PLUGIN
Seo Beginner Auto Post
CVE-2024-12252
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12256 - Simple Video Management System Plugin
The Simple Video Management System plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'analytics_video' parameter in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Simple Video Management System
CVE-2024-12256
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-12214 - Woocommerce Hss Extension For Streaming Video Plugin
The WooCommerce HSS Extension for Streaming Video plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘videolink’ parameter in all versions up to, and including, 3.31 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Woocommerce Hss Extension For Streaming Video
CVE-2024-12214
Risk Score