Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036
Critical: 923
High: 3,047
Medium: 10,866
Showing 6921-6940 of 15036 records
Threat Entry Updated 2024-12-14

CVE-2024-11894 - The Permalinker Plugin

The The Permalinker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'permalink' shortcode in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN The Permalinker

CVE-2024-11894

MEDIUM CVSS 6.4 2024-12-14
Threat Entry Updated 2024-12-14

CVE-2024-11889 - My Idx Home Search Plugin

The My IDX Home Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'homeasap-idx-search' shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN My Idx Home Search

CVE-2024-11889

MEDIUM CVSS 6.4 2024-12-14
Threat Entry Updated 2024-12-14

CVE-2024-12411 - Wp Ad Guru Plugin

The WP Ad Guru – Banner ad, Responsive popup, Popup maker, Ad rotator & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 2.5.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Ad Guru

CVE-2024-12411

MEDIUM CVSS 6.1 2024-12-14
Threat Entry Updated 2024-12-14

CVE-2024-12447 - Get Post Content Shortcode Plugin

The Get Post Content Shortcode plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.4 via the 'post-content' shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the content of password-protected, private, draft, and pending posts.

PLUGIN Get Post Content Shortcode

CVE-2024-12447

MEDIUM CVSS 4.3 2024-12-14
Threat Entry Updated 2024-12-14

CVE-2024-11888 - Ider Login Plugin

The IDer Login for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ider_login_button' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ider Login

CVE-2024-11888

MEDIUM CVSS 6.4 2024-12-14
Threat Entry Updated 2024-12-14

CVE-2024-11884 - Wp Photo Text Slider 50 Plugin

The Wp photo text slider 50 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-photo-slider' shortcode in all versions up to, and including, 8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Photo Text Slider 50

CVE-2024-11884

MEDIUM CVSS 6.4 2024-12-14
Threat Entry Updated 2024-12-14

CVE-2024-11883 - Connatix Video Embed Plugin

The Connatix Video Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cnx_script_code' shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Connatix Video Embed

CVE-2024-11883

MEDIUM CVSS 6.4 2024-12-14
Threat Entry Updated 2024-12-14

CVE-2024-11877 - Cricket Score Plugin

The Cricket Live Score plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cricket_score' shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Cricket Score

CVE-2024-11877

MEDIUM CVSS 6.4 2024-12-14
Threat Entry Updated 2024-12-14

CVE-2024-11876 - Kredeum Nfts Plugin

The Kredeum NFTs, the easiest way to sell your NFTs directly on your WordPress site plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'kredeum_opensky' shortcode in all versions up to, and including, 1.6.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Kredeum Nfts

CVE-2024-11876

MEDIUM CVSS 6.4 2024-12-14
Threat Entry Updated 2024-12-14

CVE-2024-11873 - Glomex Oembed Plugin

The glomex oEmbed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'glomex_integration' shortcode in all versions up to, and including, 0.9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Glomex Oembed

CVE-2024-11873

MEDIUM CVSS 6.4 2024-12-14
Threat Entry Updated 2024-12-14

CVE-2024-11869 - Buk Appointments Plugin

The Buk for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'buk' shortcode in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Buk Appointments

CVE-2024-11869

MEDIUM CVSS 6.4 2024-12-14
Threat Entry Updated 2024-12-14

CVE-2024-11867 - Companion Portfolio Plugin

The Companion Portfolio – Responsive Portfolio Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'companion-portfolio' shortcode in all versions up to, and including, 2.4.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Companion Portfolio

CVE-2024-11867

MEDIUM CVSS 6.4 2024-12-14
Threat Entry Updated 2024-12-14

CVE-2024-11865 - Tabs Maker Plugin

The Tabs Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on tab descriptions. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Tabs Maker

CVE-2024-11865

MEDIUM CVSS 6.4 2024-12-14
Threat Entry Updated 2024-12-14

CVE-2024-11855 - Koalendar Free Booking Widget Plugin

The Koalendar – Events & Appointments Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘height’ parameter in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Koalendar Free Booking Widget

CVE-2024-11855

MEDIUM CVSS 6.4 2024-12-14
Threat Entry Updated 2024-12-14

CVE-2024-11770 - Post Types Carousel Slider Plugin

The Post Carousel & Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'post-cs' shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Post Types Carousel Slider

CVE-2024-11770

MEDIUM CVSS 6.4 2024-12-14
Threat Entry Updated 2024-12-14

CVE-2024-11763 - Plezi Plugin

The Plezi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'plezi' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Plezi

CVE-2024-11763

MEDIUM CVSS 6.4 2024-12-14
Threat Entry Updated 2024-12-14

CVE-2024-11759 - Bukza Plugin

The Bukza plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bukza' shortcode in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Bukza

CVE-2024-11759

MEDIUM CVSS 6.4 2024-12-14
Threat Entry Updated 2024-12-14

CVE-2024-11755 - Ims Countdown Plugin

The IMS Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown post settings in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ims Countdown

CVE-2024-11755

MEDIUM CVSS 6.4 2024-12-14
Threat Entry Updated 2024-12-14

CVE-2024-11751 - Tcbd Popover Plugin

The TCBD Popover plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tcbd-popover-image' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Tcbd Popover

CVE-2024-11751

MEDIUM CVSS 6.4 2024-12-14
Threat Entry Updated 2024-12-14

CVE-2024-11095 - Visualmodo Elements Plugin

The Visualmodo Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Visualmodo Elements

CVE-2024-11095

MEDIUM CVSS 6.4 2024-12-14