Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-05-22
CVE-2024-12588 - Shortcodes And Extra Features For Phlox Theme
The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Staff widget in all versions up to, and including, 2.16.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
THEME
Shortcodes And Extra Features For Phlox Theme
CVE-2024-12588
Risk Score
Threat Entry
Updated 2025-05-22
CVE-2024-9545 - Shortcodes And Extra Features For Phlox Theme
The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aux_contact_box and aux_gmaps shortcodes in all versions up to, and including, 2.16.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
THEME
Shortcodes And Extra Features For Phlox Theme
CVE-2024-9545
Risk Score
Threat Entry
Updated 2024-12-21
CVE-2024-11808 - Pingmeter Uptime Monitoring Plugin
The Pingmeter Uptime Monitoring plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the '_wpnonce' parameter in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Pingmeter Uptime Monitoring
CVE-2024-11808
Risk Score
Threat Entry
Updated 2024-12-21
CVE-2024-10797 - Full Screen Menu For Elementor Plugin
The Full Screen Menu for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.7 via the Full Screen Menu Elementor Widget due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with contributor-level access and above, to extract data from private or draft posts created with Elementor that they should not have access to.
PLUGIN
Full Screen Menu For Elementor
CVE-2024-10797
Risk Score
Threat Entry
Updated 2024-12-21
CVE-2024-12771 - Ecommerce Product Catalog Plugin
The eCommerce Product Catalog Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.43. This is due to missing or incorrect nonce validation on the 'customer_panel_password_reset' function. This makes it possible for unauthenticated attackers to reset the password of any administrator or customer account via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Ecommerce Product Catalog
CVE-2024-12771
Risk Score
Threat Entry
Updated 2025-03-01
CVE-2024-12721 - Custom Product Tabs For Woocommerce Plugin
The Custom Product Tabs For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.4 via deserialization of untrusted input from the 'wb_custom_tabs' parameter. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or…
PLUGIN
Custom Product Tabs For Woocommerce
CVE-2024-12721
Risk Score
Threat Entry
Updated 2025-02-28
CVE-2024-12635 - Wp Docs Plugin
The WP Docs plugin for WordPress is vulnerable to time-based SQL Injection via the 'dir_id' parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The vulnerability was partially patched in version 2.2.0.
PLUGIN
Wp Docs
CVE-2024-12635
Risk Score
Threat Entry
Updated 2024-12-21
CVE-2024-12697 - Real Kit Plugin
The real.Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Real Kit
CVE-2024-12697
Risk Score
Threat Entry
Updated 2025-02-28
CVE-2024-12262 - Ebook Store Plugin
The Ebook Store plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'step' parameter in all versions up to, and including, 5.8001 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Ebook Store
CVE-2024-12262
Risk Score
Threat Entry
Updated 2024-12-21
CVE-2024-12066 - Smsa Shipping Official Plugin
The SMSA Shipping(official) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the smsa_delete_label() function in all versions up to, and including, 2.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
PLUGIN
Smsa Shipping Official
CVE-2024-12066
Risk Score
Threat Entry
Updated 2024-12-21
CVE-2024-11938 - Woo One Click Upsell Funnel Plugin
The One Click Upsell Funnel for WooCommerce – Funnel Builder for WordPress, Create WooCommerce Upsell, Post-Purchase Upsell & Cross Sell Offers that Boost Sales & Increase Profits with Sales Funnel Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wps_wocuf_pro_yes shortcode in all versions up to, and including, 3.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user…
PLUGIN
Woo One Click Upsell Funnel
CVE-2024-11938
Risk Score
Threat Entry
Updated 2024-12-21
CVE-2024-11975 - Reactflow Session Replay Heatmap Plugin
The Reactflow Visitor Recording and Heatmaps plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.10. This is due to missing or incorrect nonce validation affecting the _wpnonce parameter. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Reactflow Session Replay Heatmap
CVE-2024-11975
Risk Score
Threat Entry
Updated 2024-12-21
CVE-2024-11682 - Gwebpro Store Locator Plugin
The G Web Pro Store Locator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'q' parameter in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Gwebpro Store Locator
CVE-2024-11682
Risk Score
Threat Entry
Updated 2025-02-28
CVE-2024-11287 - Ebook Store Plugin
The Ebook Store plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 5.8001. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Ebook Store
CVE-2024-11287
Risk Score
Threat Entry
Updated 2024-12-21
CVE-2024-11196 - Multi Column Tag Map Plugin
The Multi-column Tag Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mctagmap shortcode in all versions up to, and including, 17.0.33 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Multi Column Tag Map
CVE-2024-11196
Risk Score
Threat Entry
Updated 2024-12-21
CVE-2024-11977 - Kk Star Ratings Plugin
The The kk Star Ratings – Rate Post & Collect User Feedbacks plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.4.10. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
PLUGIN
Kk Star Ratings
CVE-2024-11977
Risk Score
Threat Entry
Updated 2025-05-14
CVE-2024-11607 - Gtpayment Donations Plugin
The GTPayment Donations WordPress plugin through 1.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
PLUGIN
Gtpayment Donations
CVE-2024-11607
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2024-11349 - Adforest Plugin
The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.6. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the sb_login_user_with_otp_fun() function. This makes it possible for unauthenticated attackers to log in as arbitrary users, including administrators.
PLUGIN
Adforest
CVE-2024-11349
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-11811 - Web Push Notifications Plugin
The Feedify – Web Push Notifications plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'platform', 'phone', 'email', and 'store_url' parameters. in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Web Push Notifications
CVE-2024-11811
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-12571 - Store Locator Plugin
The Store Locator for WordPress with Google Maps – LotsOfLocales plugin for WordPress is vulnerable to Local File Inclusion in version 3.98.9 via the 'sl_engine' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
PLUGIN
Store Locator
CVE-2024-12571
Risk Score