Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-05-15
CVE-2024-10482 - Desc For Image Seo Plugin
The Media File Rename, Find Unused File, Add Alt text, Caption, Desc For Image SEO WordPress plugin before 1.5.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.
PLUGIN
Desc For Image Seo
CVE-2024-10482
Risk Score
Threat Entry
Updated 2025-01-23
CVE-2024-10393 - Tutor Lms Plugin
The Tutor LMS plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 2.7.6. This is due to a missing check for the 'users_can_register' option in the 'register_instructor' function. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled.
PLUGIN
Tutor Lms
CVE-2024-10393
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-10177 - Beds24 Online Booking Plugin
The Beds24 Online Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's beds24-link shortcode in all versions up to, and including, 2.0.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Beds24 Online Booking
CVE-2024-10177
Risk Score
Threat Entry
Updated 2025-07-10
CVE-2024-10172 - Wpbakery Visual Composer Whmcs Elements Plugin
The WPBakery Visual Composer WHMCS Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's void_wbwhmcse_laouts_search shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wpbakery Visual Composer Whmcs Elements
CVE-2024-10172
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-10164 - Wpdm Premium Packages Plugin
The Premium Packages – Sell Digital Products Securely plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpdmpp_pay_link shortcode in all versions up to, and including, 5.9.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wpdm Premium Packages
CVE-2024-10164
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-10316 - Elementor Widgets Plugin
The Stratum – Elementor Widgets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.4 in includes/templates/content-switcher.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.
PLUGIN
Elementor Widgets
CVE-2024-10316
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-10913 - Wp Clone By Wp Academy Plugin
The Clone plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.4.6 via deserialization of untrusted input in the 'recursive_unserialized_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
PLUGIN
Wp Clone By Wp Academy
CVE-2024-10913
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-11154 - Approve And Schedule Content Changes Plugin
The PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.15 via the 'actAjaxRevisionDiffs' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including revisions of posts and pages.
PLUGIN
Approve And Schedule Content Changes
CVE-2024-11154
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-10520 - Wp Project Manager Plugin
The WP Project Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'check' method of the 'Create_Milestone', 'Create_Task_List', 'Create_Task', and 'Delete_Task' classes in version 2.6.14. This makes it possible for unauthenticated attackers to create milestones, create task lists, create tasks, or delete tasks in any project. NOTE: Version 2.6.14 implemented a partial fix for this vulnerability.
PLUGIN
Wp Project Manager
CVE-2024-10520
Risk Score
Threat Entry
Updated 2024-11-23
CVE-2024-10872 - Getwid Plugin
The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `template-post-custom-field` block in all versions up to, and including, 2.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Getwid
CVE-2024-10872
Risk Score
Threat Entry
Updated 2024-11-22
CVE-2024-11179 - Mstore Api Plugin
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to SQL Injection via the 'status_type' parameter in all versions up to, and including, 4.15.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Mstore Api
CVE-2024-11179
Risk Score
Threat Entry
Updated 2025-07-09
CVE-2024-10891 - Save As Pdf Plugin
The Save as PDF Plugin by Pdfcrowd plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'save_as_pdf_pdfcrowd' shortcode in all versions up to, and including, 4.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Save As Pdf
CVE-2024-10891
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-10665 - Yaad Sarig Payment Gateway For Wc Plugin
The Yaad Sarig Payment Gateway For WC plugin for WordPress is vulnerable to unauthorized modification & access of data due to a missing capability check on the yaadpay_view_log_callback() and yaadpay_delete_log_callback() functions in all versions up to, and including, 2.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and delete logs.
PLUGIN
Yaad Sarig Payment Gateway For Wc
CVE-2024-10665
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-9239 - Booster For Woocommerce Plugin
The Booster for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 7.2.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Booster For Woocommerce
CVE-2024-9239
Risk Score
Threat Entry
Updated 2024-11-26
CVE-2024-11277 - 404 Solution Plugin
The 404 Solution plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URLs in all versions up to, and including, 2.35.19 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
404 Solution
CVE-2024-11277
Risk Score
Threat Entry
Updated 2024-11-29
CVE-2024-8726 - Mailchimp Forms Plugin
The MailChimp Forms by MailMunch plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.2.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Mailchimp Forms
CVE-2024-8726
Risk Score
Threat Entry
Updated 2024-11-26
CVE-2024-10899 - Woocommerce Product Table Plugin
The The WooCommerce Product Table Lite plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.8.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. The same 'id' parameter is vulnerable to Reflected Cross-Site Scripting as well.
PLUGIN
Woocommerce Product Table
CVE-2024-10899
Risk Score
Threat Entry
Updated 2024-11-29
CVE-2024-10900 - Profilegrid Plugin
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pm_remove_file_attachment() function in all versions up to, and including, 5.9.3.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary user meta which can do things like deny an administrator's access to their site. .
PLUGIN
Profilegrid
CVE-2024-10900
Risk Score
Threat Entry
Updated 2024-11-26
CVE-2024-10855 - Sirv Plugin
The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to insufficient validation on the filename parameter of the sirv_upload_file_by_chunks() function and lack of in all versions up to, and including, 7.3.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to…
PLUGIN
Sirv
CVE-2024-10855
Risk Score
Threat Entry
Updated 2024-11-26
CVE-2024-10365 - Plus Addons For Elementor Plugin
The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.3 via the render function in modules/widgets/tp_carousel_anything.php, modules/widgets/tp_page_scroll.php, and other widgets. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.
PLUGIN
Plus Addons For Elementor
CVE-2024-10365
Risk Score