Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry Updated 2025-05-07

CVE-2024-10704 - Photo Gallery By 10web Plugin

The Photo Gallery by 10Web WordPress plugin before 1.8.31 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Photo Gallery By 10web

CVE-2024-10704

MEDIUM CVSS 4.8 2024-11-29
Threat Entry Updated 2025-07-15

CVE-2024-7747 - Terawallet Plugin

The Wallet for WooCommerce plugin for WordPress is vulnerable to incorrect conversion between numeric types in all versions up to, and including, 1.5.6. This is due to a numerical logic flaw when transferring funds to another user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create funds during a transfer and distribute these funds to any number of other users or their own account, rendering products free. Attackers could also request to withdraw funds if the Wallet Withdrawal extension is used and the request is…

PLUGIN Terawallet

CVE-2024-7747

MEDIUM CVSS 6.5 2024-11-28
Threat Entry Updated 2025-02-10

CVE-2024-52481 - Jobify Plugin

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Astoundify Jobify - Job Board WordPress Theme allows Relative Path Traversal. This issue affects Jobify - Job Board WordPress Theme: from n/a through 4.2.3.

PLUGIN Jobify

CVE-2024-52481

HIGH CVSS 7.5 2024-11-28
Threat Entry Updated 2024-11-28

CVE-2024-8672 - Widget Options Plugin

The Widget Options – The #1 WordPress Widget & Block Control Plugin plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.0.7 via the display logic functionality that extends several page builders. This is due to the plugin allowing users to supply input that will be passed through eval() without any filtering or capability checks. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server. Special note: We suggested the vendor implement an allowlist of…

PLUGIN Widget Options

CVE-2024-8672

CRITICAL CVSS 9.9 2024-11-28
Threat Entry Updated 2025-04-11

CVE-2024-11103 - Contest Gallery Plugin

The Contest Gallery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 24.0.7. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.

PLUGIN Contest Gallery

CVE-2024-11103

CRITICAL CVSS 9.8 2024-11-28
Threat Entry Updated 2024-11-28

CVE-2024-11082 - Tumult Hype Animations Plugin

The Tumult Hype Animations plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the hypeanimations_panel() function in all versions up to, and including, 1.9.15. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Tumult Hype Animations

CVE-2024-11082

CRITICAL CVSS 9.9 2024-11-28
Threat Entry Updated 2025-03-04

CVE-2024-10798 - Royal Elementor Addons Plugin

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.1003 via the 'wpr-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created via Elementor that they should not have access to.

PLUGIN Royal Elementor Addons

CVE-2024-10798

MEDIUM CVSS 4.3 2024-11-28
Threat Entry Updated 2025-07-14

CVE-2024-10780 - Restaurant Cafe Addon For Elementor Plugin

The Restaurant & Cafe Addon for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.5.9 via the 'narestaurant_elementor_template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.

PLUGIN Restaurant Cafe Addon For Elementor

CVE-2024-10780

MEDIUM CVSS 4.3 2024-11-28
Threat Entry Updated 2025-04-11

CVE-2024-10670 - Primary Addon For Elementor Plugin

The Primary Addon for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.6.2 via the [prim_elementor_template] shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created with Elementor that they should not have access to.

PLUGIN Primary Addon For Elementor

CVE-2024-10670

MEDIUM CVSS 4.3 2024-11-28
Threat Entry Updated 2025-02-26

CVE-2024-8066 - Filester Plugin

The File Manager Pro – Filester plugin for WordPress is vulnerable to arbitrary file uploads due to missing validation in the 'fsConnector' function in all versions up to, and including, 1.8.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to upload a new .htaccess file allowing them to subsequently upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Filester

CVE-2024-8066

HIGH CVSS 7.5 2024-11-28
Threat Entry Updated 2026-01-23

CVE-2024-9669 - Filester Plugin

The File Manager Pro – Filester plugin for WordPress is vulnerable to Local JavaScript File Inclusion in all versions up to, and including, 1.8.5 via the 'fm_locale' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. The vulnerability was…

PLUGIN Filester

CVE-2024-9669

HIGH CVSS 7.2 2024-11-28
Threat Entry Updated 2024-11-28

CVE-2024-11788 - Streamweasels Youtube Integration Plugin

The StreamWeasels YouTube Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sw-youtube-embed' shortcode in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Streamweasels Youtube Integration

CVE-2024-11788

MEDIUM CVSS 6.4 2024-11-28
Threat Entry Updated 2024-11-28

CVE-2024-11786 - Login With Vipps Plugin

The Login with Vipps and MobilePay plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'continue-with-vipps' shortcode in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Login With Vipps

CVE-2024-11786

MEDIUM CVSS 6.4 2024-11-28
Threat Entry Updated 2024-11-28

CVE-2024-11761 - Legalweb Cloud Plugin

The LegalWeb Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'legalweb-popup' shortcode in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Legalweb Cloud

CVE-2024-11761

MEDIUM CVSS 6.4 2024-11-28
Threat Entry Updated 2024-11-28

CVE-2024-11431 - Ragic Shortcode Plugin

The Ragic Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ragic' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ragic Shortcode

CVE-2024-11431

MEDIUM CVSS 6.4 2024-11-28
Threat Entry Updated 2024-11-28

CVE-2024-11333 - Hls Player Plugin

The HLS Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'hls_player' shortcode in all versions up to, and including, 1.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Hls Player

CVE-2024-11333

MEDIUM CVSS 6.4 2024-11-28
Threat Entry Updated 2025-04-11

CVE-2024-11203 - Embedpress Plugin

The EmbedPress – Embed PDF, 3D Flipbook, Social Feeds, Google Docs, Vimeo, Wistia, YouTube Videos, Audios, Google Maps in Gutenberg Block & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'provider_name' parameter in all versions up to, and including, 4.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Embedpress

CVE-2024-11203

MEDIUM CVSS 6.4 2024-11-28
Threat Entry Updated 2025-07-16

CVE-2024-11685 - Kudos Donations Plugin

The `Kudos Donations – Easy donations and payments with Mollie` plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of `add_query_arg` without appropriate escaping on the URL in all versions up to, and including, 3.2.9. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute if they can successfully trick a user into performing an action, such as clicking on a specially crafted link.

PLUGIN Kudos Donations

CVE-2024-11685

MEDIUM CVSS 6.1 2024-11-28
Threat Entry Updated 2025-07-14

CVE-2024-11684 - Kudos Donations Plugin

The Kudos Donations – Easy donations and payments with Mollie plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 3.2.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Kudos Donations

CVE-2024-11684

MEDIUM CVSS 6.1 2024-11-28
Threat Entry Updated 2024-11-28

CVE-2024-11458 - Faq Builder Ays Plugin

The FAQ Builder AYS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'ays_faq_tab' parameter in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Faq Builder Ays

CVE-2024-11458

MEDIUM CVSS 6.1 2024-11-28