Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 | Critical: 923 | High: 3,047 | Medium: 10,866
Showing 7361-7380 of 15036 records
Threat Entry Updated 2024-11-26
CVE-2024-11354 - Ultimate Youtube Video Shorts Player With Vimeo Plugin

The Ultimate YouTube Video & Shorts Player With Vimeo plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the del_ytsingvid() function in all versions up to, and including, 3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete single playlists.

PLUGIN: Ultimate Youtube Video Shorts Player With Vimeo | MEDIUM | CVSS 4.3 | 2024-11-21

Threat Entry Updated 2024-11-26
CVE-2024-11334 - My Contador Lesr Plugin

The My Contador lesr plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the exportar_registros() function in all versions up to, and including, 2.0. This makes it possible for unauthenticated attackers to export user data.

PLUGIN: My Contador Lesr | MEDIUM | CVSS 4.3 | 2024-11-21

Threat Entry Updated 2024-11-21
CVE-2024-11197 - Lock User Account Plugin

The Lock User Account plugin for WordPress is vulnerable to user lock bypass in all versions up to, and including, 1.0.5. This is due to permitting application password logins when user accounts are locked. This makes it possible for authenticated attackers, with existing application passwords, to interact with the vulnerable site via an API such as XML-RPC or REST despite their account being locked.

PLUGIN: Lock User Account | MEDIUM | CVSS 4.2 | 2024-11-21

Threat Entry Updated 2024-11-26
CVE-2024-10898 - Contact Form 7 Email Add On Plugin

The Contact Form 7 Email Add on plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9 via the cf7_email_add_on_add_admin_template() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.

PLUGIN: Contact Form 7 Email Add On | HIGH | CVSS 8.8 | 2024-11-21

Threat Entry Updated 2024-11-21
CVE-2024-10890 - Classifieds Plugin

The WPAdverts – Classifieds Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.7. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN: Classifieds | MEDIUM | CVSS 6.1 | 2024-11-21

Threat Entry Updated 2025-07-09
CVE-2024-10788 - Activity Log Plugin

The Activity Log – Monitor & Record User Changes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event parameters in all versions up to, and including, 2.11.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrative user accesses an injected page.

PLUGIN: Activity Log | HIGH | CVSS 7.2 | 2024-11-21

Threat Entry Updated 2025-02-07
CVE-2024-10785 - Gutenberg Blocks With Ai Plugin

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Countdown' widget in all versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN: Gutenberg Blocks With Ai | MEDIUM | CVSS 6.4 | 2024-11-21

Threat Entry Updated 2024-11-21
CVE-2024-10792 - Woocommerce By Wpfunnels Plugin

The Easiest Funnel Builder For WordPress & WooCommerce by WPFunnels plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post_id' parameter in all versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This was partially patched in 3.5.4 and fully patched in 3.5.5.

PLUGIN: Woocommerce By Wpfunnels | MEDIUM | CVSS 6.1 | 2024-11-21

Threat Entry Updated 2024-11-21
CVE-2024-10796 - If So Dynamic Content Personalization Plugin

The If-So Dynamic Content Personalization plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.2.1 via the 'ifso-show-post' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created via Elementor that they should not have access to.

PLUGIN: If So Dynamic Content Personalization | MEDIUM | CVSS 4.3 | 2024-11-21

Threat Entry Updated 2024-11-21
CVE-2024-10726 - Friendly Functions For Welcart Plugin

The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN: Friendly Functions For Welcart | MEDIUM | CVSS 6.1 | 2024-11-21

Threat Entry Updated 2024-11-21
CVE-2024-10782 - Theme Builder For Elementor Plugin

The Theme Builder For Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.2 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.

PLUGIN: Theme Builder For Elementor | MEDIUM | CVSS 4.3 | 2024-11-21

Threat Entry Updated 2025-02-05
CVE-2024-10696 - Ultraaddons Elementor Lite Plugin

The UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS, Woo Widget, Menu Builder, Anywhere Elementor Shortcode) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.8 via the show_template due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to expose the contents of draft, private, and pending posts.

PLUGIN: Ultraaddons Elementor Lite | MEDIUM | CVSS 4.3 | 2024-11-21

Threat Entry Updated 2024-11-21
CVE-2024-10682 - Bulletin Announcements Plugin

The Announcement & Notification Banner – Bulletin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg and remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.11.7. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN: Bulletin Announcements | MEDIUM | CVSS 6.1 | 2024-11-21

Threat Entry Updated 2024-11-21
CVE-2024-10675 - Affiliate Toolkit Plugin

The affiliate-toolkit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via a URL in all versions up to, and including, 3.6.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN: Affiliate Toolkit | MEDIUM | CVSS 6.1 | 2024-11-21

Threat Entry Updated 2025-02-27
CVE-2024-10671 - Button Block Plugin

The Button Block – Get fully customizable & multi-functional buttons plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.4 via the [btn_block] shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.

PLUGIN: Button Block | MEDIUM | CVSS 4.3 | 2024-11-21

Threat Entry Updated 2024-11-21
CVE-2024-10623 - Forumengine Theme

The ForumEngine theme for WordPress is vulnerable to Reflected Cross-Site Scripting via a URL in all versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

THEME: Forumengine | MEDIUM | CVSS 6.1 | 2024-11-21

Threat Entry Updated 2024-11-21
CVE-2024-10532 - Bard Extra Plugin

The Bard Extra plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bardxtra_import_xml() function in all versions up to, and including, 1.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo data.

PLUGIN: Bard Extra | MEDIUM | CVSS 4.3 | 2024-11-21

Threat Entry Updated 2025-02-27
CVE-2024-10528 - Ultimate Member Plugin

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to unauthorized profile picture updates due to a missing capability check on the wp_ajax_um_resize_image() and ajax_resize_image() functions in all versions up to, and including, 2.8.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the profile pictures of other users.

PLUGIN: Ultimate Member | MEDIUM | CVSS 4.3 | 2024-11-21

Threat Entry Updated 2024-11-21
CVE-2024-10522 - Co Marquage Service Public Plugin

The Co-marquage service-public.fr plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 0.5.76. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN: Co Marquage Service Public | MEDIUM | CVSS 6.1 | 2024-11-21

Threat Entry Updated 2025-01-23
CVE-2024-10400 - Tutor Lms Plugin

The Tutor LMS plugin for WordPress is vulnerable to SQL Injection via the 'rating_filter' parameter in all versions up to, and including, 2.7.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN: Tutor Lms | HIGH | CVSS 7.5 | 2024-11-21
