Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036
Critical: 923
High: 3,047
Medium: 10,866
Showing 6981-7000 of 15036 records
Threat Entry Updated 2025-06-05

CVE-2024-12329 - Essential Real Estate Plugin

The Essential Real Estate plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on several pages/post types in all versions up to, and including, 5.1.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to access invoices and transaction logs.

PLUGIN Essential Real Estate

CVE-2024-12329

MEDIUM CVSS 4.3 2024-12-12
Threat Entry Updated 2024-12-12

CVE-2024-11727 - Floating Notification Top Bar Plugin

The NotificationX – Live Sales Notification, WooCommerce Sales Popup, FOMO, Social Proof, Announcement Banner & Floating Notification Top Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's content settings for notifications in all versions up to, and including, 2.9.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has…

PLUGIN Floating Notification Top Bar

CVE-2024-11727

MEDIUM CVSS 4.4 2024-12-12
Threat Entry Updated 2025-02-27

CVE-2024-12201 - Hash Form Plugin

The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check when creating form styles in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to create new form styles.

PLUGIN Hash Form

CVE-2024-12201

MEDIUM CVSS 4.3 2024-12-12
Threat Entry Updated 2025-07-14

CVE-2024-11724 - Wp Cookie Consent Plugin

The Cookie Consent for WP – Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpl_script_save AJAX action in all versions up to, and including, 3.6.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to whitelist scripts.

PLUGIN Wp Cookie Consent

CVE-2024-11724

MEDIUM CVSS 4.3 2024-12-12
Threat Entry Updated 2025-06-05

CVE-2024-11181 - Greenshift Animation And Page Builder Blocks Plugin

The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 9.9.9.3 via the 'wp_reusable_render' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.

PLUGIN Greenshift Animation And Page Builder Blocks

CVE-2024-11181

MEDIUM CVSS 4.3 2024-12-12
Threat Entry Updated 2025-02-28

CVE-2024-10784 - Unlimited Elements For Elementor Plugin

The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Tile Gallery' widget in all versions up to, and including, 1.5.126 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Unlimited Elements For Elementor

CVE-2024-10784

MEDIUM CVSS 6.4 2024-12-12
Threat Entry Updated 2025-04-11

CVE-2024-10583 - Popup Maker Plugin

The Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_title' parameter in all versions up to, and including, 1.20.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Popup Maker

CVE-2024-10583

MEDIUM CVSS 5.4 2024-12-12
Threat Entry Updated 2024-12-12

CVE-2024-12265 - Web3 Crypto Payments By Depay For Woocommerce Plugin

The Web3 Crypto Payments by DePay for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/depay/wc/debug REST API endpoint in all versions up to, and including, 2.12.17. This makes it possible for unauthenticated attackers to retrieve debug information.

PLUGIN Web3 Crypto Payments By Depay For Woocommerce

CVE-2024-12265

MEDIUM CVSS 5.3 2024-12-12
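The root cause in CVE-2024-12265 is a REST route whose permission callback lets every request through. The snippet below is an added example written for this page, not the DePay plugin's code: it registers a hypothetical `demo/v1/debug` route first the vulnerable way and then with a real authorization check. Route name, option name and payload fields are assumptions.

```php
<?php
// Added example for this page; hypothetical route, not the plugin's own code.

// VULNERABLE: '__return_true' makes the endpoint public. Leaving
// permission_callback out entirely behaves the same way: WordPress >= 5.5
// only emits a _doing_it_wrong() notice, it does not reject the request.
// (Not hooked; shown for contrast with the registration below.)
function demo_register_debug_route_vulnerable() {
    register_rest_route( 'demo/v1', '/debug', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'demo_debug_payload',
        'permission_callback' => '__return_true',
    ) );
}

// HARDENED: require a capability. Cookie-authenticated REST requests are only
// treated as logged in when they carry a valid X-WP-Nonce header, so an
// unauthenticated GET to /wp-json/demo/v1/debug now fails with 401.
function demo_register_debug_route_hardened() {
    register_rest_route( 'demo/v1', '/debug', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'demo_debug_payload',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'Sorry, you are not allowed to do that.',
                    array( 'status' => rest_authorization_required_code() ) // 401 or 403
                );
            }
            return true;
        },
    ) );
}
add_action( 'rest_api_init', 'demo_register_debug_route_hardened' );

// Even for administrators, a debug endpoint should report state, not secrets:
// booleans and versions rather than keys, tokens or full option dumps.
function demo_debug_payload( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'plugin_version' => '1.0.0',                                           // assumed
        'wp_version'     => get_bloginfo( 'version' ),
        'api_key_set'    => '' !== (string) get_option( 'demo_api_key', '' ), // assumed option name
    ) );
}
```

A quick audit for this class: grep a plugin for `register_rest_route` and confirm every call has a `permission_callback` that is not `__return_true` unless the route is genuinely meant to be public.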
Threat Entry Updated 2025-05-07

CVE-2024-9881 - LearnPress Plugin

The LearnPress WordPress plugin before 4.2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN LearnPress

CVE-2024-9881

MEDIUM CVSS 4.8 2024-12-12
Threat Entry Updated 2025-05-07

CVE-2024-9641 - Luckywp Table Of Contents Plugin

The LuckyWP Table of Contents WordPress plugin before 2.1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Luckywp Table Of Contents

CVE-2024-9641

MEDIUM CVSS 4.8 2024-12-12
Threat Entry Updated 2025-05-07

CVE-2024-9428 - Popup Builder Plugin

The Popup Builder WordPress plugin before 4.3.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Popup Builder

CVE-2024-9428

MEDIUM CVSS 4.8 2024-12-12
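CVE-2024-9881, CVE-2024-9641, CVE-2024-9428 and CVE-2024-11727 above share one shape: a setting only administrators can edit is stored and echoed without sanitization. On a single site that administrator already holds `unfiltered_html`, which is why these are rated low; on multisite, or where `DISALLOW_UNFILTERED_HTML` is set, site administrators are deliberately not trusted with script, and the plugin has to enforce that itself. The following is an added example for this page, not code from any of those plugins; the setting name `demo_banner_html` and the option group are assumptions.

```php
<?php
// Added example for this page; hypothetical setting, not any listed plugin's code.

// VULNERABLE: no sanitize_callback on save and no escaping on output, so a
// site admin without unfiltered_html can still store <script> that runs for
// every visitor, including the network super admin.
function demo_register_banner_vulnerable() {
    register_setting( 'demo_options', 'demo_banner_html' );
}
function demo_render_banner_vulnerable() {
    echo '<div class="demo-banner">' . get_option( 'demo_banner_html', '' ) . '</div>';
}

// HARDENED: filter on save with the policy core applies to untrusted post
// content (wp_kses_post strips <script>, on* handlers and javascript: URLs).
function demo_sanitize_banner( $value ) {
    return wp_kses_post( (string) $value );
}
function demo_register_banner_hardened() {
    register_setting( 'demo_options', 'demo_banner_html', array(
        'type'              => 'string',
        'sanitize_callback' => 'demo_sanitize_banner',
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'demo_register_banner_hardened' );

// Filter again at output time: the option may have been written by another
// path (an older plugin version, an import, WP-CLI) that skipped the callback.
function demo_render_banner_hardened() {
    echo '<div class="demo-banner">' . wp_kses_post( get_option( 'demo_banner_html', '' ) ) . '</div>';
}
```

If a setting is meant to hold plain text rather than markup, `sanitize_text_field()` on save and `esc_html()` on output are the tighter pair.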
Threat Entry Updated 2024-12-12

CVE-2024-12172 - Education Courses Plugin

The WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpc_update_user_meta_option() function in all versions up to, and including, 3.2.21. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary users' metadata, which can be leveraged to block an administrator from accessing their site when wp_capabilities is set to 0.

PLUGIN Education Courses

CVE-2024-12172

HIGH CVSS 7.5 2024-12-12
Threat Entry Updated 2024-12-12

CVE-2024-12072 - Google Analytics Made Easy Plugin

The Analytics Cat – Google Analytics Made Easy plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute if they can successfully trick a user into performing an action, such as clicking on a specially crafted link.

PLUGIN Google Analytics Made Easy

CVE-2024-12072

MEDIUM CVSS 6.1 2024-12-12
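The "use of add_query_arg without appropriate escaping" wording in CVE-2024-12072 refers to a well-known WordPress gotcha: called without a URL, `add_query_arg()` builds on `$_SERVER['REQUEST_URI']`, and it does not encode what it returns, so any parameter an attacker appends to the link comes back verbatim in the markup. The block below is an added example for this page, not the Analytics Cat plugin's code; the settings page slug and tab names are assumptions.

```php
<?php
// Added example for this page; hypothetical settings-page tab link.

// VULNERABLE: raw add_query_arg() output inside an href attribute.
// A victim who follows
//   /wp-admin/options-general.php?page=demo&x=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
// gets the decoded  "><script>alert(1)</script>  reflected into the link,
// because add_query_arg() keeps the existing query string and rebuilds it
// without encoding.
function demo_tab_link_vulnerable( $tab ) {
    return '<a href="' . add_query_arg( 'tab', $tab ) . '">' . $tab . '</a>';
}

// HARDENED: esc_url() for the attribute (strips quotes and angle brackets and
// disallowed schemes), esc_html() for the text node. Values handed to
// add_query_arg() are expected to be URL-encoded already.
function demo_tab_link_hardened( $tab ) {
    $url = add_query_arg( 'tab', rawurlencode( $tab ) );
    return '<a href="' . esc_url( $url ) . '">' . esc_html( $tab ) . '</a>';
}

// BETTER STILL: build from a known base URL so the current request never
// flows into the output at all.
function demo_tab_link_fixed_base( $tab ) {
    $url = add_query_arg(
        array( 'page' => 'demo', 'tab' => rawurlencode( $tab ) ),
        admin_url( 'options-general.php' )
    );
    return '<a href="' . esc_url( $url ) . '">' . esc_html( $tab ) . '</a>';
}
```

The same applies to `remove_query_arg()` and to `$_SERVER['REQUEST_URI']` used directly: anything derived from the request URL needs `esc_url()` before it is printed.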
Threat Entry Updated 2025-07-02

CVE-2024-12255 - Accept Stripe Payments Using Contact Form 7 Plugin

The Accept Stripe Payments Using Contact Form 7 plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.5 via the cf7sa-info.php file that returns phpinfo() data. This makes it possible for unauthenticated attackers to extract configuration information that can be leveraged in another attack.

PLUGIN Accept Stripe Payments Using Contact Form 7

CVE-2024-12255

MEDIUM CVSS 5.3 2024-12-12
Threat Entry Updated 2024-12-12

CVE-2024-12263 - Child Theme Creator By Orbisius Plugin

The Child Theme Creator by Orbisius plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cloud_delete() and cloud_update() functions in all versions up to, and including, 1.5.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update and delete cloud snippets. Please note that this vulnerability was present in the Cloud Library Addon used by the plugin and not in the plugin itself, the cloud library has been removed entirely.

PLUGIN Child Theme Creator By Orbisius

CVE-2024-12263

MEDIUM CVSS 4.3 2024-12-12
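Missing capability checks account for several entries on this page (CVE-2024-12201, CVE-2024-11724, CVE-2024-12172 and CVE-2024-12263): an AJAX action or helper is reachable by any logged-in user and then trusts the request. CVE-2024-12172 shows why the impact can exceed "Subscriber edits a setting": writing `wp_capabilities` on an administrator's row strips their roles. The block below is an added example for this page, not any of those plugins' code; the action name, meta keys and nonce name are assumptions.

```php
<?php
// Added example for this page; hypothetical AJAX action, not a listed plugin's code.

// VULNERABLE: wp_ajax_* fires for every authenticated user, and nothing here
// asks whether *this* user may touch *that* user. A Subscriber can POST
//   action=demo_update_user_meta&user_id=1&meta_key=wp_capabilities&meta_value=0
// and the administrator (ID 1) loses all roles. (Not hooked; shown for contrast.)
function demo_update_user_meta_vulnerable() {
    $user_id = (int) $_POST['user_id'];
    update_user_meta( $user_id, $_POST['meta_key'], $_POST['meta_value'] );
    wp_send_json_success();
}

// HARDENED: three independent checks.
//   1. nonce        -> the request came from our own form, not a CSRF page
//   2. capability   -> the caller may edit the target user (edit_user meta cap)
//   3. allowlist    -> only the meta keys this feature owns, never wp_capabilities
function demo_update_user_meta_hardened() {
    check_ajax_referer( 'demo_update_user_meta', 'nonce' ); // dies with -1 on failure

    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $allowed = array( 'demo_course_progress', 'demo_last_lesson' ); // assumed keys
    $key     = isset( $_POST['meta_key'] ) ? sanitize_key( $_POST['meta_key'] ) : '';
    if ( ! in_array( $key, $allowed, true ) || is_protected_meta( $key, 'user' ) ) {
        wp_send_json_error( 'invalid meta key', 400 );
    }

    $value = isset( $_POST['meta_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['meta_value'] ) )
        : '';
    update_user_meta( $user_id, $key, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_update_user_meta', 'demo_update_user_meta_hardened' );
```

When reviewing a plugin, every `add_action( 'wp_ajax_…' )` and `'wp_ajax_nopriv_…'` callback should show a nonce check and a `current_user_can()` call near its top; a nonce alone is not authorization, since any logged-in user can obtain one from a page that prints it.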
Threat Entry Updated 2025-03-06

CVE-2024-12059 - Elementinvader Addons For Elementor Plugin

The ElementInvader Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.1 via the eli_option_value shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract arbitrary options from the wp_options table.

PLUGIN Elementinvader Addons For Elementor

CVE-2024-12059

MEDIUM CVSS 4.3 2024-12-12
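CVE-2024-11181 and CVE-2024-12059 are the same mistake on different data: a shortcode attribute names a server-side object (a post ID, an option key) and the handler returns it without asking whether the post's author was allowed to see it. Contributors can put shortcodes in a draft and read the output in preview. The block below is an added example for this page, not Greenshift's or ElementInvader's code; the shortcode and option names are assumptions.

```php
<?php
// Added example for this page; hypothetical shortcodes, not a listed plugin's code.

// VULNERABLE: [demo_option name="..."] reads any row of wp_options, e.g.
// name="demo_api_key" or name="mailserver_pass".
function demo_option_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'name' => '' ), $atts );
    return esc_html( maybe_serialize( get_option( $atts['name'] ) ) );
}

// VULNERABLE: [demo_include id="..."] renders any post regardless of status
// or password, so a Contributor can read another author's drafts.
function demo_include_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts );
    $post = get_post( (int) $atts['id'] );
    return $post ? apply_filters( 'the_content', $post->post_content ) : '';
}

// HARDENED: options come from a fixed allowlist of non-sensitive keys.
function demo_option_hardened( $atts ) {
    $atts    = shortcode_atts( array( 'name' => '' ), $atts, 'demo_option' );
    $allowed = array( 'blogname', 'blogdescription', 'demo_footer_text' ); // assumed
    $name    = sanitize_key( $atts['name'] );
    if ( ! in_array( $name, $allowed, true ) ) {
        return '';
    }
    return esc_html( (string) get_option( $name, '' ) );
}

// HARDENED: public, unprotected posts render for everyone; anything else only
// if the *viewer* could read the post directly. read_post maps to
// read_private_posts for private posts and to edit_post for others' drafts.
function demo_include_hardened( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'demo_include' );
    $post = get_post( absint( $atts['id'] ) );
    if ( ! $post || post_password_required( $post ) ) {
        return '';
    }
    $status = get_post_status_object( $post->post_status );
    if ( ( ! $status || ! $status->public ) && ! current_user_can( 'read_post', $post->ID ) ) {
        return '';
    }
    // Strip nested shortcodes so an included post cannot chain further includes.
    return wp_kses_post( strip_shortcodes( $post->post_content ) );
}
add_shortcode( 'demo_option', 'demo_option_hardened' );
add_shortcode( 'demo_include', 'demo_include_hardened' );
```

The check has to be against the viewer at render time, not the author at save time: shortcodes are evaluated on every page load, and the author's privileges are not known there.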
Threat Entry Updated 2024-12-12

CVE-2024-12040 - Grid Ultimate For Woocommerce Plugin

The Product Carousel Slider & Grid Ultimate for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9.10 via the 'theme' attribute of the `wcpcsu` shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can…

PLUGIN Grid Ultimate For Woocommerce

CVE-2024-12040

HIGH CVSS 8.8 2024-12-12
Threat Entry Updated 2024-12-12

CVE-2024-11882 - Create Frequently Asked Questions Area On Wp Sites Plugin

The FAQ And Answers – Create Frequently Asked Questions Area on WP Sites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'faq' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Create Frequently Asked Questions Area On Wp Sites

CVE-2024-11882

MEDIUM CVSS 6.4 2024-12-12
Threat Entry Updated 2024-12-12

CVE-2024-11871 - Social Media Shortcodes Plugin

The Social Media Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'patreon' shortcode in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Social Media Shortcodes

CVE-2024-11871

MEDIUM CVSS 6.4 2024-12-12
Threat Entry Updated 2024-12-12

CVE-2024-11785 - Integrate Firebase Plugin

The Integrate Firebase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'firebase_show' shortcode in all versions up to, and including, 0.9.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Integrate Firebase

CVE-2024-11785

MEDIUM CVSS 6.4 2024-12-12
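The Contributor-level stored XSS entries on this page (CVE-2024-10784, CVE-2024-10583, CVE-2024-11882, CVE-2024-11871 and CVE-2024-11785) all rest on one fact: core runs `wp_kses` over a Contributor's post body, which strips tags and event handlers, but shortcode output is generated at render time and never passes through that filter. Whatever the handler echoes is trusted. The block below is an added example for this page, not code from any of those plugins; the `demo_link` shortcode and its attributes are assumptions.

```php
<?php
// Added example for this page; hypothetical shortcode, not a listed plugin's code.

// VULNERABLE: attribute values are concatenated straight into markup.
// Neither payload contains a tag, so kses on the post body lets both through:
//   [demo_link url="javascript:alert(1)" label="click"]
//   [demo_link url="/" label="x" color='" onmouseover="alert(1)']
function demo_link_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'url' => '#', 'label' => '', 'color' => '' ), $atts );
    return '<a href="' . $atts['url'] . '" style="color:' . $atts['color'] . '">'
         . $atts['label'] . '</a>';
}

// HARDENED: escape each value for the context it lands in.
function demo_link_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'url' => '#', 'label' => '', 'color' => '' ), $atts, 'demo_link' );

    $url   = esc_url( $atts['url'] );    // '' for javascript: and other disallowed schemes
    $label = esc_html( $atts['label'] ); // text node

    // style="" is its own context: validate the format instead of escaping.
    $style = '';
    if ( preg_match( '/^#[0-9a-f]{3}(?:[0-9a-f]{3})?$/i', $atts['color'] ) ) {
        $style = ' style="' . esc_attr( 'color:' . $atts['color'] ) . '"';
    }

    return '<a href="' . $url . '"' . $style . '>' . $label . '</a>';
}
add_shortcode( 'demo_link', 'demo_link_shortcode_hardened' );
```

`shortcode_atts()` only fills defaults; it performs no sanitization. Where an attribute is meant to carry limited markup, `wp_kses_post()` is the right filter; where it is an identifier, `sanitize_key()`; for everything else, escape at output with the `esc_*` function for the destination context.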