Live Vulnerability Intelligence

Threat Database
Threat Entry Updated 2024-11-19

CVE-2024-8961 - Essential Addons For Elementor Plugin

The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘nomore_items_text’ parameter in all versions up to, and including, 6.0.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Essential Addons For Elementor

CVE-2024-8961

MEDIUM CVSS 6.4 2024-11-15
Threat Entry Updated 2024-11-20

CVE-2024-10825 - Hide My Wp Ghost Plugin

The Hide My WP Ghost – Security & Firewall plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL in all versions up to, and including, 5.3.01 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link.

PLUGIN Hide My Wp Ghost

CVE-2024-10825

MEDIUM CVSS 6.1 2024-11-15
Threat Entry Updated 2025-04-11

CVE-2024-10104 - Jobs For WordPress Plugin

The Jobs for WordPress plugin before 2.7.8 does not sanitise and escape some of its Job settings, which could allow high-privilege users such as contributors to perform Stored Cross-Site Scripting attacks.

PLUGIN Jobs For WordPress

CVE-2024-10104

MEDIUM CVSS 5.9 2024-11-15
Threat Entry Updated 2024-11-20

CVE-2024-9356 - Yotpo Plugin

The Yotpo: Product & Photo Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'yotpo_user_email' and 'yotpo_user_name' parameters in all versions up to, and including, 1.7.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Yotpo

CVE-2024-9356

MEDIUM CVSS 6.1 2024-11-15
Threat Entry Updated 2024-11-19

CVE-2024-10793 - Wp Activity Log Plugin

The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user_id parameter in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrative user accesses an injected page.

PLUGIN Wp Activity Log

CVE-2024-10793

HIGH CVSS 7.2 2024-11-15
Threat Entry Updated 2024-11-19

CVE-2024-10582 - Music Player For Elementor Plugin

The Music Player for Elementor – Audio Player & Podcast Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the import_mpfe_template() function in all versions up to, and including, 2.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import templates.

PLUGIN Music Player For Elementor

CVE-2024-10582

MEDIUM CVSS 4.3 2024-11-15
Threat Entry Updated 2024-11-19

CVE-2024-10260 - Tripetto Plugin

The Tripetto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 8.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the file.

PLUGIN Tripetto

CVE-2024-10260

HIGH CVSS 7.2 2024-11-15
Threat Entry Updated 2024-11-19

CVE-2024-10113 - Wp Adcenter Plugin

The WP AdCenter – Ad Manager & Adsense Ads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpadcenter_ad shortcode in all versions up to, and including, 2.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Adcenter

CVE-2024-10113

MEDIUM CVSS 6.4 2024-11-15
Threat Entry Updated 2024-11-19

CVE-2024-9609 - Learnpress Export Import Plugin

The LearnPress Export Import – WordPress extension for LearnPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'learnpress_import_form_server' parameter in all versions up to, and including, 4.0.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Learnpress Export Import

CVE-2024-9609

MEDIUM CVSS 6.1 2024-11-15
Threat Entry Updated 2024-11-20

CVE-2024-10897 - Tutor Lms Elementor Addons Plugin

The Tutor LMS Elementor Addons plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the install_etlms_dependency_plugin() function in all versions up to, and including, 2.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install Elementor or Tutor LMS. Please note the impact of this issue is incredibly limited due to the fact that these two plugins will likely already be installed as a dependency of the plugin.

PLUGIN Tutor Lms Elementor Addons

CVE-2024-10897

MEDIUM CVSS 4.3 2024-11-15
Threat Entry Updated 2026-01-23

CVE-2024-10924 - Really Simple Security Plugin

The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).

PLUGIN Really Simple Security

CVE-2024-10924

CRITICAL CVSS 9.8 2024-11-15
Threat Entry Updated 2024-11-15

CVE-2024-52370 - WordPress Core

Unrestricted Upload of File with Dangerous Type vulnerability in Hive Support – WordPress Help Desk allows Upload a Web Shell to a Web Server. This issue affects Hive Support – WordPress Help Desk: from n/a through 1.1.1.

CORE WordPress Core

CVE-2024-52370

CRITICAL CVSS 9.9 2024-11-14
Threat Entry Updated 2024-11-15

CVE-2024-52376 - Cmsminds Boat Rental Plugin

Unrestricted Upload of File with Dangerous Type vulnerability in cmsMinds Boat Rental Plugin for WordPress allows Upload a Web Shell to a Web Server. This issue affects Boat Rental Plugin for WordPress: from n/a through 1.0.1.

PLUGIN Cmsminds Boat Rental

CVE-2024-52376

CRITICAL CVSS 10.0 2024-11-14
Threat Entry Updated 2025-02-27

CVE-2024-10962 - Migration Backup Staging Plugin

The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.9.107 via deserialization of untrusted input in the 'replace_row_data' and 'replace_serialize_data' functions. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator…

PLUGIN Migration Backup Staging

CVE-2024-10962

HIGH CVSS 8.8 2024-11-14
Threat Entry Updated 2024-11-19

CVE-2024-10571 - Chartify Plugin

The Chartify – WordPress Chart Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.5 via the 'source' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

PLUGIN Chartify

CVE-2024-10571

CRITICAL CVSS 9.8 2024-11-14
Threat Entry Updated 2025-05-15

CVE-2024-9186 - Marketing Automation By Funnelkit Plugin

The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit WordPress plugin before 3.3.0 does not sanitize and escape the bwfan-track-id parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks.

PLUGIN Marketing Automation By Funnelkit

CVE-2024-9186

HIGH CVSS 8.6 2024-11-14
Threat Entry Updated 2025-05-15

CVE-2024-10146 - Simple File List Plugin

The Simple File List WordPress plugin before 6.1.13 does not sanitise and escape a generated URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against admins.

PLUGIN Simple File List

CVE-2024-10146

MEDIUM CVSS 5.4 2024-11-14
Threat Entry Updated 2024-11-19

CVE-2024-11028 - Multimanager Wp Plugin

The MultiManager WP – Manage All Your WordPress Sites Easily plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.5. This is due to the user impersonation feature inappropriately determining the current user via user-supplied input. This makes it possible for unauthenticated attackers to generate an impersonation link that will allow them to log in as any existing user, such as an administrator. NOTE: The user impersonation feature was disabled in version 1.1.0 and re-enabled with a patch in version 1.1.2.

PLUGIN Multimanager Wp

CVE-2024-11028

CRITICAL CVSS 9.8 2024-11-13
Threat Entry Updated 2024-11-19

CVE-2024-9682 - Royal Elementor Addons Plugin

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Form Builder widget in all versions up to, and including, 1.7.1001 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Royal Elementor Addons

CVE-2024-9682

MEDIUM CVSS 6.4 2024-11-13
Threat Entry Updated 2024-11-19

CVE-2024-9668 - Royal Elementor Addons Plugin

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 1.7.1001 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Royal Elementor Addons

CVE-2024-9668

MEDIUM CVSS 6.4 2024-11-13