
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 15,036 records: Critical 923, High 3,047, Medium 10,866

CVE-2024-8873 - Pepro Bacs Receipt Upload For Woocommerce Plugin

The PeproDev WooCommerce Receipt Uploader plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.6.9. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: Pepro Bacs Receipt Upload For Woocommerce | Severity: MEDIUM (CVSS 6.1) | 2024-11-16 | Entry updated 2024-11-18

CVE-2024-11118 - 404 Error Monitor Plugin

The 404 Error Monitor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the updatePluginSettings() function. This makes it possible for unauthenticated attackers to make changes to plugin settings and clear up all the error logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: 404 Error Monitor | Severity: MEDIUM (CVSS 5.3) | 2024-11-16 | Entry updated 2024-11-18

CVE-2024-6628 - Eleforms Plugin

The EleForms – All In One Form Integration including DB for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.9.9.9. This is due to missing or incorrect nonce validation when deleting form submissions. This makes it possible for unauthenticated attackers to delete form submissions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Eleforms | Severity: MEDIUM (CVSS 4.3) | 2024-11-16 | Entry updated 2025-03-31

CVE-2024-11092 - Svgplus Plugin

The SVGPlus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Plugin: Svgplus | Severity: MEDIUM (CVSS 6.4) | 2024-11-16 | Entry updated 2024-11-18

CVE-2024-10884 - Simpleform Contact Form Submissions Plugin

The SimpleForm Contact Form Submissions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: Simpleform Contact Form Submissions | Severity: MEDIUM (CVSS 6.1) | 2024-11-16 | Entry updated 2024-11-18

CVE-2024-10883 - Contact Form Made Simple Plugin

The SimpleForm – Contact form made simple plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: Contact Form Made Simple | Severity: MEDIUM (CVSS 6.1) | 2024-11-16 | Entry updated 2024-11-18

CVE-2024-10875 - Fancy Gallery Plugin

The Gallery Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.6.58. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: Fancy Gallery | Severity: MEDIUM (CVSS 6.1) | 2024-11-16 | Entry updated 2024-11-18

CVE-2024-11085 - Wp Log Viewer Plugin

The WP Log Viewer plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on several AJAX actions in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access logs, update plugin-related user settings and general plugin settings.

Plugin: Wp Log Viewer | Severity: MEDIUM (CVSS 5.4) | 2024-11-16 | Entry updated 2024-11-18

CVE-2024-10147 - Steel Plugin

The Steel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's btn shortcode in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Steel | Severity: MEDIUM (CVSS 6.4) | 2024-11-16 | Entry updated 2024-11-18

CVE-2024-10017 - Pjw Mime Config Plugin

The PJW Mime Config plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Plugin: Pjw Mime Config | Severity: MEDIUM (CVSS 6.4) | 2024-11-16 | Entry updated 2024-11-18

CVE-2024-10262 - The Drop Shadow Boxes Plugin

The The Drop Shadow Boxes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.14. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.

Plugin: The Drop Shadow Boxes | Severity: MEDIUM (CVSS 6.3) | 2024-11-16 | Entry updated 2024-11-18

CVE-2024-10533 - Wp Chat App Plugin

The WP Chat App plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the ajax_install_plugin() function in all versions up to, and including, 3.6.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the filebird plugin.

Plugin: Wp Chat App | Severity: MEDIUM (CVSS 4.3) | 2024-11-16 | Entry updated 2025-02-27

CVE-2024-10015 - Convertcalculator Plugin

The ConvertCalculator for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' and 'type' parameters in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Convertcalculator | Severity: MEDIUM (CVSS 6.4) | 2024-11-16 | Entry updated 2024-11-18

CVE-2024-10861 - Ays Popup Box Plugin

The Popup Box – Create Countdown, Coupon, Video, Contact Form Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_plugin_option() function in all versions up to, and including, 4.9.7. This makes it possible for unauthenticated attackers to update the 'ays_pb_upgrade_plugin' option with arbitrary data.

Plugin: Ays Popup Box | Severity: MEDIUM (CVSS 5.3) | 2024-11-16 | Entry updated 2024-11-18

CVE-2024-10795 - Popularis Extra Plugin

The Popularis Extra plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.7 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created via Elementor that they should not have access to.

Plugin: Popularis Extra | Severity: MEDIUM (CVSS 4.3) | 2024-11-16 | Entry updated 2024-11-18

CVE-2024-10786 - Simple Local Avatars Plugin

The Simple Local Avatars plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the sla_clear_user_cache function in all versions up to, and including, 2.7.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear user caches.

Plugin: Simple Local Avatars | Severity: MEDIUM (CVSS 4.3) | 2024-11-16 | Entry updated 2024-11-18

CVE-2024-8979 - Essential Addons For Elementor Plugin

The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.9 via the 'init_content_lostpassword_user_email_controls' function. This makes it possible for authenticated attackers, with Author-level access and above, to extract sensitive data including usernames and passwords of any user, including Administrators, as long as that user opens the email notification for a password change request and images are not blocked by the email client.

Plugin: Essential Addons For Elementor | Severity: HIGH (CVSS 8.0) | 2024-11-15 | Entry updated 2024-11-19

CVE-2024-8978 - Essential Addons For Elementor Plugin

The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.9 via the 'init_content_register_user_email_controls' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including usernames and passwords of any users who register via the Login | Register Form widget, as long as that user opens the email notification for successful registration.

Plugin: Essential Addons For Elementor | Severity: MEDIUM (CVSS 5.7) | 2024-11-15 | Entry updated 2024-11-19

CVE-2024-10311 - External Database Based Actions Plugin

The External Database Based Actions plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.1. This is due to a missing capability check in the 'edba_admin_handle' function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to update the plugin settings and log in as any existing user on the site, such as an administrator.

Plugin: External Database Based Actions | Severity: HIGH (CVSS 7.5) | 2024-11-15 | Entry updated 2024-11-19

CVE-2024-9529 - Advanced Custom Fields Pro Plugin

The Secure Custom Fields WordPress plugin before 6.3.9, the Secure Custom Fields WordPress plugin before 6.3.6.3, and the Advanced Custom Fields Pro WordPress plugin before 6.3.9 do not prevent users from running arbitrary functions through their settings import functionality, which could allow high-privilege users such as admins to run arbitrary PHP functions.

Plugin: Advanced Custom Fields Pro | Severity: MEDIUM (CVSS 6.6) | 2024-11-15 | Entry updated 2025-06-11