Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-12-12
CVE-2024-12018 - Shortcode Variables Plugin
The Snippet Shortcodes plugin for WordPress is vulnerable to unauthorized Shortcode Deletion due to missing authorization in all versions up to, and including, 4.1.6. Note that a nonce is used as authentication here, but the value is leaked. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's Shortcodes.
PLUGIN
Shortcode Variables
CVE-2024-12018
Risk Score
Threat Entry
Updated 2024-12-12
CVE-2024-11781 - Prise De Rendez Vous En Ligne Plugin
The Smart Agenda – Prise de rendez-vous en ligne plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'smartagenda' shortcode in all versions up to, and including, 4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Prise De Rendez Vous En Ligne
CVE-2024-11781
Risk Score
Threat Entry
Updated 2024-12-12
CVE-2024-11766 - Gs Books Showcase Plugin
The WordPress Book Plugin for Displaying Books in Grid, Flip, Slider, Popup Layout and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gs_book_showcase' shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Gs Books Showcase
CVE-2024-11766
Risk Score
Threat Entry
Updated 2024-12-12
CVE-2024-11765 - Gs Portfolio Plugin
The WordPress Portfolio Plugin – A Plugin for Making Filterable Portfolio Grid, Portfolio Slider and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gs_portfolio' shortcode in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Gs Portfolio
CVE-2024-11765
Risk Score
Threat Entry
Updated 2024-12-12
CVE-2024-11757 - Wp Geonames Plugin
The WP GeoNames plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-geonames' shortcode in all versions up to, and including, 1.9.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Geonames
CVE-2024-11757
Risk Score
Threat Entry
Updated 2024-12-12
CVE-2024-11359 - Library Bookshelves Plugin
The Library Bookshelves plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 5.8. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Library Bookshelves
CVE-2024-11359
Risk Score
Threat Entry
Updated 2024-12-12
CVE-2024-10124 - Vayu Blocks Plugin
The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation due to a missing capability check on the tp_install() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. This vulnerability was partially patched in version 1.1.1.
PLUGIN
Vayu Blocks
CVE-2024-10124
Risk Score
Threat Entry
Updated 2025-04-11
CVE-2024-11052 - Ninja Forms Plugin
The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the calculations parameter in all versions up to, and including, 3.8.19 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ninja Forms
CVE-2024-11052
Risk Score
Threat Entry
Updated 2025-05-17
CVE-2024-10499 - Ai Engine Plugin
The AI Engine WordPress plugin before 2.6.5 does not sanitize and escape a parameter from one of its RESP API endpoint before using it in a SQL statement, allowing admins to perform SQL injection attacks
PLUGIN
Ai Engine
CVE-2024-10499
Risk Score
Threat Entry
Updated 2025-05-07
CVE-2024-10637 - Gutenberg Blocks With Ai By Kadence Wp Plugin
The Gutenberg Blocks with AI by Kadence WP WordPress plugin before 3.2.54 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
Gutenberg Blocks With Ai By Kadence Wp
CVE-2024-10637
Risk Score
Threat Entry
Updated 2025-05-17
CVE-2024-10518 - Restrict Content Plugin
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.15 does not sanitise and escape some of its Membership Plan settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Restrict Content
CVE-2024-10518
Risk Score
Threat Entry
Updated 2025-05-17
CVE-2024-10517 - Restrict Content Plugin
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.15 does not sanitise and escape some of its Drag & Drop Builder fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Restrict Content
CVE-2024-10517
Risk Score
Threat Entry
Updated 2025-05-17
CVE-2024-10568 - Ajax Search Lite Plugin
The Ajax Search Lite WordPress plugin before 4.12.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Ajax Search Lite
CVE-2024-10568
Risk Score
Threat Entry
Updated 2025-05-07
CVE-2024-10010 - Before 4 Plugin
The LearnPress WordPress plugin before 4.2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 4
CVE-2024-10010
Risk Score
Threat Entry
Updated 2025-02-27
CVE-2024-12463 - Arena Im Plugin
The Arena.IM – Live Blogging for real-time events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'arena_embed_amp' shortcode in all versions up to, and including, 0.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Arena Im
CVE-2024-12463
Risk Score
Threat Entry
Updated 2025-02-27
CVE-2024-12526 - Arena Im Plugin
The Arena.IM – Live Blogging for real-time events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3.0. This is due to missing or incorrect nonce validation on the 'albfre_user_action' AJAX action. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Arena Im
CVE-2024-12526
Risk Score
Threat Entry
Updated 2024-12-12
CVE-2024-12406 - Library Management System Plugin
The Library Management System – Manage e-Digital Books Library plugin for WordPress is vulnerable to SQL Injection via the 'owt7_borrow_books_id' parameter in all versions up to, and including, 3.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Library Management System
CVE-2024-12406
Risk Score
Threat Entry
Updated 2024-12-12
CVE-2024-12441 - Bp Email Assign Templates Plugin
The BP Email Assign Templates plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Bp Email Assign Templates
CVE-2024-12441
Risk Score
Threat Entry
Updated 2024-12-12
CVE-2024-12162 - Photo Gallery For Ultimate Member Plugin
The Video & Photo Gallery for Ultimate Member plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Photo Gallery For Ultimate Member
CVE-2024-12162
Risk Score
Threat Entry
Updated 2024-12-12
CVE-2024-12156 - Seo Help Plugin
The AI Content Writer, RSS Feed to Post, Autoblogging SEO Help plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 6.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Seo Help
CVE-2024-12156
Risk Score