Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-12-20
CVE-2024-12509 - Embed Twine Plugin
The Embed Twine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'embed_twine' shortcode in all versions up to, and including, 0.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Embed Twine
CVE-2024-12509
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-9619 - Wp Shapes Plugin
The WP SHAPES plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Wp Shapes
CVE-2024-9619
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-9503 - Maintenance Coming Soon Redirect Animation Plugin
The Maintenance & Coming Soon Redirect Animation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wploti_add_whitelisted_roles_option', 'wploti_remove_whitelisted_roles_option', 'wploti_add_whitelisted_users_option', 'wploti_remove_whitelisted_users_option', and 'wploti_uploaded_animation_save_option' functions in all versions up to, and including, 2.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify certain plugin settings.
PLUGIN
Maintenance Coming Soon Redirect Animation
CVE-2024-9503
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-12506 - Nacc Plugin
The NACC WordPress Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'nacc' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Nacc
CVE-2024-12506
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-11893 - Chat Buttons And Woocommerce Notifications Plugin
The Spoki – Chat Buttons and WooCommerce Notifications plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spoki_button' shortcode in all versions up to, and including, 2.15.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Chat Buttons And Woocommerce Notifications
CVE-2024-11893
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-11878 - Category Post Slider Plugin
The Category Post Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'category-post-slider' shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Category Post Slider
CVE-2024-11878
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-11784 - Ticketsource Events Plugin
The Sell Tickets Online – TicketSource Ticket Shop for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ticketshop' shortcode in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ticketsource Events
CVE-2024-11784
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-11812 - Wtyczka Seopilot Dla Wp Plugin
The Wtyczka SeoPilot dla WP plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.091. This is due to missing or incorrect nonce validation on the SeoPilot_Admin_Options() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Wtyczka Seopilot Dla Wp
CVE-2024-11812
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-11806 - Pkt1 Centro De Envios Plugin
The PKT1 Centro de envios plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'success' and 'error' parameters in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Pkt1 Centro De Envios
CVE-2024-11806
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-11783 - Finance Calculator With Application Form Plugin
The Financial Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'finance_calculator' shortcode in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Finance Calculator With Application Form
CVE-2024-11783
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-11775 - Particle Background Plugin
The Particle Background plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'particleground' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Particle Background
CVE-2024-11775
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-11774 - Outdooractive Embed Plugin
The Outdooractive Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'list2go' shortcode in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Outdooractive Embed
CVE-2024-11774
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-11411 - Spotlightr Plugin
The Spotlightr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spotlightr-v' shortcode in all versions up to, and including, 0.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Spotlightr
CVE-2024-11411
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-11331 - Isee Products Extractor Plugin
The استخراج محصولات ووکامرس برای آیسی plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Isee Products Extractor
CVE-2024-11331
Risk Score
Threat Entry
Updated 2025-07-03
CVE-2024-11297 - Page Restriction Plugin
The Page Restriction WordPress (WP) – Protect WP Pages/Post plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.6 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.
PLUGIN
Page Restriction
CVE-2024-11297
Risk Score
Threat Entry
Updated 2025-05-14
CVE-2024-8968 - Wordpress Button Plugin Maxbuttons
The WordPress Button Plugin MaxButtons WordPress plugin before 9.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Wordpress Button Plugin Maxbuttons
CVE-2024-8968
Risk Score
Threat Entry
Updated 2025-05-14
CVE-2024-11108 - Serious Slider Plugin
The Serious Slider WordPress plugin before 1.2.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
Serious Slider
CVE-2024-11108
Risk Score
Threat Entry
Updated 2025-04-17
CVE-2024-10706 - Download Manager Plugin
The Download Manager WordPress plugin before 3.3.03 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Download Manager
CVE-2024-10706
Risk Score
Threat Entry
Updated 2025-05-14
CVE-2024-10555 - Wordpress Button Plugin Maxbuttons
The WordPress Button Plugin MaxButtons WordPress plugin before 9.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Wordpress Button Plugin Maxbuttons
CVE-2024-10555
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-11776 - Pcrecruiter Extensions Plugin
The PCRecruiter Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'PCRecruiter' shortcode in all versions up to, and including, 1.4.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Pcrecruiter Extensions
CVE-2024-11776
Risk Score