Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-02-05
CVE-2024-11204 - Forumwp Plugin
The ForumWP – Forum & Discussion Board plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Forumwp
CVE-2024-11204
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-10879 - Forumwp Plugin
The ForumWP – Forum & Discussion Board plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Forumwp
CVE-2024-10879
Risk Score
Threat Entry
Updated 2024-12-06
CVE-2024-11292 - Wp Private Content Plus Plugin
The WP Private Content Plus plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.1 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.
PLUGIN
Wp Private Content Plus
CVE-2024-11292
Risk Score
Threat Entry
Updated 2024-12-06
CVE-2024-10692 - Elementor Plugin
The PowerPack Elementor Addons (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.8.1 via the Content Reveal widget due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.
PLUGIN
Elementor
CVE-2024-10692
Risk Score
Threat Entry
Updated 2024-12-06
CVE-2024-10689 - Accordions And Tabs For Elementor Page Builder Plugin
The XLTab – Accordions and Tabs for Elementor Page Builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4 via the 'XLTAB_INSERT_TPL' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.
PLUGIN
Accordions And Tabs For Elementor Page Builder
CVE-2024-10689
Risk Score
Threat Entry
Updated 2024-12-06
CVE-2024-10320 - Cookielay Plugin
The Cookielay plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cookielay shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Cookielay
CVE-2024-10320
Risk Score
Threat Entry
Updated 2024-12-06
CVE-2024-11178 - Otp Login Plugin
The Login With OTP plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.4.2. This is due to the plugin generating too weak OTP, and there’s no attempt or time limit. This makes it possible for unauthenticated attackers to generate and brute force the 6-digit numeric OTP that makes it possible to log in as any existing user on the site, such as an administrator, if they have access to the email.
PLUGIN
Otp Login
CVE-2024-11178
Risk Score
Threat Entry
Updated 2024-12-06
CVE-2024-10578 - Pubnews Theme
The Pubnews theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the pubnews_importer_plugin_action_for_notice() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins that can be leveraged to exploit other vulnerabilities.
THEME
Pubnews
CVE-2024-10578
Risk Score
Threat Entry
Updated 2024-12-06
CVE-2024-11585 - Wp Hide Security Enhancer Plugin
The WP Hide & Security Enhancer plugin for WordPress is vulnerable to arbitrary file contents deletion due to a missing authorization and insufficient file path validation in the file-process.php in all versions up to, and including, 2.5.1. This makes it possible for unauthenticated attackers to delete the contents of arbitrary files on the server, which can break the site or lead to data loss.
PLUGIN
Wp Hide Security Enhancer
CVE-2024-11585
Risk Score
Threat Entry
Updated 2024-12-06
CVE-2024-11201 - And Woocommerce Credits For Gamification Plugin
The myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mycred_send shortcode in all versions up to, and including, 2.7.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
And Woocommerce Credits For Gamification
CVE-2024-11201
Risk Score
Threat Entry
Updated 2025-05-07
CVE-2024-10551 - Sticky Social Icons Plugin
The Sticky Social Icons WordPress plugin through 1.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Sticky Social Icons
CVE-2024-10551
Risk Score
Threat Entry
Updated 2025-05-17
CVE-2024-10480 - 3dprint Lite Plugin
The 3DPrint Lite WordPress plugin before 2.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.
PLUGIN
3dprint Lite
CVE-2024-10480
Risk Score
Threat Entry
Updated 2024-12-06
CVE-2024-11379 - Threewp Broadcast Plugin
The Broadcast plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'do_check' parameter in all versions up to, and including, 51.01 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This only affects multi-site installations.
PLUGIN
Threewp Broadcast
CVE-2024-11379
Risk Score
Threat Entry
Updated 2024-12-06
CVE-2024-10836 - Flixita Theme
The Flixita theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.0.82 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
THEME
Flixita
CVE-2024-10836
Risk Score
Threat Entry
Updated 2025-07-09
CVE-2024-9769 - Video Gallery Plugin
The Video Gallery – Best WordPress YouTube Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Video Gallery
CVE-2024-9769
Risk Score
Threat Entry
Updated 2025-07-09
CVE-2024-10247 - Video Gallery Plugin
The Video Gallery – Best WordPress YouTube Gallery Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the orderby parameter in all versions up to, and including, 2.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Video Gallery
CVE-2024-10247
Risk Score
Threat Entry
Updated 2024-12-05
CVE-2024-11779 - Wip Woocarousel Lite Plugin
The WIP WooCarousel Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wip_woocarousel_products_carousel' shortcode in all versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wip Woocarousel Lite
CVE-2024-11779
Risk Score
Threat Entry
Updated 2025-02-03
CVE-2024-11420 - Blocksy Plugin
The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Info Block link parameter in all versions up to, and including, 2.0.77 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Blocksy
CVE-2024-11420
Risk Score
Threat Entry
Updated 2024-12-05
CVE-2024-10848 - Newsmunch Theme
The NewsMunch theme for WordPress is vulnerable to Stored Cross-Site Scripting via a malicious display name in all versions up to, and including, 1.0.35 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
THEME
Newsmunch
CVE-2024-10848
Risk Score
Threat Entry
Updated 2024-12-05
CVE-2024-11324 - Accounting For Woocommerce Plugin
The Accounting for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Accounting For Woocommerce
CVE-2024-11324
Risk Score