Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-01-09
CVE-2024-10308 - Jeg Elementor Kit Plugin
The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's JKit - Countdown widget in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Jeg Elementor Kit
CVE-2024-10308
Risk Score
Threat Entry
Updated 2024-11-26
CVE-2024-11032 - Wp Parsidate Plugin
The Parsi Date plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 5.1.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Wp Parsidate
CVE-2024-11032
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-9170 - Booster For Woocommerce Plugin
The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wcj_product_meta shortcode in all versions up to, and including, 7.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with ShopManager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Booster For Woocommerce
CVE-2024-9170
Risk Score
Threat Entry
Updated 2024-11-26
CVE-2024-11192 - Spotify Play Button For Wordpress Plugin
The Spotify Play Button for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's spotifyplaybutton shortcode in all versions up to, and including, 2.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Spotify Play Button For Wordpress
CVE-2024-11192
Risk Score
Threat Entry
Updated 2024-11-26
CVE-2024-11119 - Bne Gallery Extended Plugin
The BNE Gallery Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gallery' shortcode in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Bne Gallery Extended
CVE-2024-11119
Risk Score
Threat Entry
Updated 2024-11-26
CVE-2024-11091 - Support Svg Plugin
The Support SVG – Upload svg files in wordpress without hassle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Support Svg
CVE-2024-11091
Risk Score
Threat Entry
Updated 2024-11-26
CVE-2024-9504 - Appointment Booking System Plugin
The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.2.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Appointment Booking System
CVE-2024-9504
Risk Score
Threat Entry
Updated 2024-11-26
CVE-2024-11202 - Cm Business Directory Plugin
Multiple plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the cminds_free_guide shortcode in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Cm Business Directory
CVE-2024-11202
Risk Score
Threat Entry
Updated 2025-07-09
CVE-2024-10857 - Product Input Fields For Woocommerce Plugin
The Product Input Fields for WooCommerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.9 via the handle_downloads() function due to insufficient file path validation/sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Product Input Fields For Woocommerce
CVE-2024-10857
Risk Score
Threat Entry
Updated 2025-07-09
CVE-2024-11002 - The Inpost Gallery Plugin
The The InPost Gallery plugin for WordPress is vulnerable to arbitrary shortcode execution via the inpost_gallery_get_shortcode_template AJAX action in all versions up to, and including, 2.1.4.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.
PLUGIN
The Inpost Gallery
CVE-2024-11002
Risk Score
Threat Entry
Updated 2025-07-12
CVE-2024-10781 - Spam Protection Antispam Firewall Plugin
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an missing empty value check on the 'api_key' value in the 'perform' function in all versions up to, and including, 6.44. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.
PLUGIN
Spam Protection Antispam Firewall
CVE-2024-10781
Risk Score
Threat Entry
Updated 2025-07-12
CVE-2024-10542 - Anti Spam Plugin
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 6.43.2. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.
PLUGIN
Anti Spam
CVE-2024-10542
Risk Score
Threat Entry
Updated 2024-11-26
CVE-2024-10570 - Security Malware Firewall Plugin
The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to unauthorized SQL Injection due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 2.145, as well as insufficient input sanitization and validation. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Security Malware Firewall
CVE-2024-10570
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-10471 - Everest Forms Plugin
The Everest Forms WordPress plugin before 3.0.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Everest Forms
CVE-2024-10471
Risk Score
Threat Entry
Updated 2024-11-26
CVE-2024-11418 - Additional Order Filters For Woocommerce Plugin
The Additional Order Filters for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shipping_method_filter' parameter in all versions up to, and including, 1.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Additional Order Filters For Woocommerce
CVE-2024-11418
Risk Score
Threat Entry
Updated 2024-11-26
CVE-2024-11342 - Skt Nurcaptcha Plugin
The Skt NURCaptcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.0. This is due to missing or incorrect nonce validation in the skt-nurc-admin.php file. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Skt Nurcaptcha
CVE-2024-11342
Risk Score
Threat Entry
Updated 2024-11-26
CVE-2024-10729 - Appointment Plugin For Woocommerce
The Booking & Appointment Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_google_calendar_data' function in versions up to, and including, 6.9.0. This makes it possible for authenticated attackers, with subscriber-level permissions or above to update the site options arbitrarily.
PLUGIN
Appointment Plugin For Woocommerce
CVE-2024-10729
Risk Score
Threat Entry
Updated 2025-11-13
CVE-2024-7056 - Before 1 Plugin
The WPForms WordPress plugin before 1.9.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 1
CVE-2024-7056
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-6393 - Proofing And Plugin
The Photo Gallery, Sliders, Proofing and WordPress plugin before 3.59.5 does not sanitise and escape some of its Images settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Proofing And
CVE-2024-6393
Risk Score
Threat Entry
Updated 2026-01-09
CVE-2024-10710 - Yadisk Files Plugin
The YaDisk Files WordPress plugin through 1.2.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Yadisk Files
CVE-2024-10710
Risk Score