Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-12-03
CVE-2024-11866 - Bmlt Tabbed Map Plugin
The BMLT Tabbed Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bmlt_tabbed_map' shortcode in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Bmlt Tabbed Map
CVE-2024-11866
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2024-11844 - Ideapush Plugin
The IdeaPush plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the idea_push_taxonomy_save_routine function in all versions up to, and including, 8.71. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete terms for the "boards" taxonomy.
PLUGIN
Ideapush
CVE-2024-11844
Risk Score
Threat Entry
Updated 2024-12-03
CVE-2024-11732 - Bp Profile Shortcodes Extra Plugin
The BP Profile Shortcodes Extra plugin for WordPress is vulnerable to time-based SQL Injection via the ‘tab’ parameter in all versions up to, and including, 2.6.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Bp Profile Shortcodes Extra
CVE-2024-11732
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2024-11898 - Scratch Win Plugin
The Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'swin-campaign' shortcode in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Scratch Win
CVE-2024-11898
Risk Score
Threat Entry
Updated 2024-12-03
CVE-2024-11853 - Jalbum Bridge Plugin
The jAlbum Bridge plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ar’ parameter in all versions up to, and including, 2.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Jalbum Bridge
CVE-2024-11853
Risk Score
Threat Entry
Updated 2024-12-03
CVE-2024-11805 - Woocommerce Plugin
The Quick License Manager – WooCommerce Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'submit_qlm_products' parameter in all versions up to, and including, 2.4.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Woocommerce
CVE-2024-11805
Risk Score
Threat Entry
Updated 2024-12-03
CVE-2024-11707 - My Auctions Allegro Plugin
The My auctions allegro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 3.6.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
My Auctions Allegro
CVE-2024-11707
Risk Score
Threat Entry
Updated 2024-12-03
CVE-2024-11461 - Form Data Collector Plugin
The Form Data Collector plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 2.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Form Data Collector
CVE-2024-11461
Risk Score
Threat Entry
Updated 2025-07-09
CVE-2024-11453 - Gs Pinterest Portfolio Plugin
The WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gs_pin_widget' shortcode in all versions up to, and including, 1.8.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Gs Pinterest Portfolio
CVE-2024-11453
Risk Score
Threat Entry
Updated 2025-01-29
CVE-2024-9058 - Element Pack Plugin
The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Lightbox widget in all versions up to, and including, 5.10.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Element Pack
CVE-2024-9058
Risk Score
Threat Entry
Updated 2025-05-17
CVE-2024-10893 - Wp Booking Calendar Plugin
The WP Booking Calendar WordPress plugin before 10.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Wp Booking Calendar
CVE-2024-10893
Risk Score
Threat Entry
Updated 2025-02-07
CVE-2024-10484 - Spectra Plugin
The Spectra – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'Team' widget in all versions up to, and including, 2.16.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Spectra
CVE-2024-10484
Risk Score
Threat Entry
Updated 2024-12-03
CVE-2024-9694 - Cmsmasters Elementor Addon Plugin
The CMSMasters Elementor Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.14.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Cmsmasters Elementor Addon
CVE-2024-9694
Risk Score
Threat Entry
Updated 2025-02-10
CVE-2024-52478 - Jobify Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ben Marshall Jobify - Job Board WordPress Theme allows Stored XSS.This issue affects Jobify - Job Board WordPress Theme: from n/a through 4.2.3.
PLUGIN
Jobify
CVE-2024-52478
Risk Score
Threat Entry
Updated 2025-02-10
CVE-2024-52479 - Jobify Plugin
Cross-Site Request Forgery (CSRF) vulnerability in Ben Marshall Jobify - Job Board WordPress Theme allows Cross Site Request Forgery.This issue affects Jobify - Job Board WordPress Theme: from n/a through 4.2.3.
PLUGIN
Jobify
CVE-2024-52479
Risk Score
Threat Entry
Updated 2024-12-02
CVE-2024-52461 - WordPress Core
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kinsta WordPress Hosting Infinite Slider allows Reflected XSS.This issue affects Infinite Slider: from n/a through 2.0.1.
CORE
WordPress Core
CVE-2024-52461
Risk Score
Threat Entry
Updated 2024-12-02
CVE-2024-12015 - WordPress Core
The 'Project Manager' WordPress Plugin is affected by an authenticated SQL injection vulnerability in the 'orderby' parameter in the '/pm/v2/activites' route.
CORE
WordPress Core
CVE-2024-12015
Risk Score
Threat Entry
Updated 2024-11-30
CVE-2024-53788 - WordPress Core
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Portfoliohub WordPress Portfolio Builder – Portfolio Gallery allows Stored XSS.This issue affects WordPress Portfolio Builder – Portfolio Gallery: from n/a through 1.1.7.
CORE
WordPress Core
CVE-2024-53788
Risk Score
Threat Entry
Updated 2025-07-09
CVE-2024-11252 - Sassy Social Share Plugin
The Social Sharing Plugin – Sassy Social Share plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the heateor_mastodon_share parameter in all versions up to, and including, 3.3.69 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Sassy Social Share
CVE-2024-11252
Risk Score
Threat Entry
Updated 2025-05-07
CVE-2024-10980 - Before 5 Plugin
The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) WordPress plugin before 5.10.3 does not validate and escape some of its Cookie Consent block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
Before 5
CVE-2024-10980
Risk Score