Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-11-13
CVE-2024-8985 - Social Proof Testimonials Slider Plugin
The Social Proof (Testimonial) Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's spslider-block shortcode in all versions up to, and including, 2.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Social Proof Testimonials Slider
CVE-2024-8985
Risk Score
Threat Entry
Updated 2024-11-13
CVE-2024-8874 - Ajax Login And Registration Modal Popup Plugin
The AJAX Login and Registration modal popup + inline form plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.24. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Ajax Login And Registration Modal Popup
CVE-2024-8874
Risk Score
Threat Entry
Updated 2024-11-13
CVE-2024-10887 - Nicejob Plugin
The NiceJob plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's shortcodes (nicejob-lead, nicejob-review, nicejob-engage, nicejob-badge, nicejob-stories) in all versions up to, and including, 3.6.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Nicejob
CVE-2024-10887
Risk Score
Threat Entry
Updated 2025-01-17
CVE-2024-10851 - Razorpay Payment Button Plugin
The Razorpay Payment Button Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.4.6. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Razorpay Payment Button
CVE-2024-10851
Risk Score
Threat Entry
Updated 2025-01-17
CVE-2024-10854 - Buy One Click Woocommerce Plugin
The Buy one click WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the buy_one_click_import_options AJAX action in all versions up to, and including, 2.2.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import plugin settings.
PLUGIN
Buy One Click Woocommerce
CVE-2024-10854
Risk Score
Threat Entry
Updated 2025-01-17
CVE-2024-10853 - Buy One Click Woocommerce Plugin
The Buy one click WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the removeorder AJAX action in all versions up to, and including, 2.2.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete Buy one click WooCommerce orders.
PLUGIN
Buy One Click Woocommerce
CVE-2024-10853
Risk Score
Threat Entry
Updated 2024-11-13
CVE-2024-10852 - Buy One Click Woocommerce Plugin
The Buy one click WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the buy_one_click_export_options AJAX action in all versions up to, and including, 2.2.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export plugin settings.
PLUGIN
Buy One Click Woocommerce
CVE-2024-10852
Risk Score
Threat Entry
Updated 2024-11-13
CVE-2024-10629 - Gpx Viewer Plugin
The GPX Viewer plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check and file type validation in the gpxv_file_upload() function in all versions up to, and including, 2.2.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Gpx Viewer
CVE-2024-10629
Risk Score
Threat Entry
Updated 2025-07-11
CVE-2024-10717 - Styler For Ninja Forms Plugin
The Styler for Ninja Forms plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the deactivate_license function in all versions up to, and including, 3.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users. Note: This issue can also be…
PLUGIN
Styler For Ninja Forms
CVE-2024-10717
Risk Score
Threat Entry
Updated 2025-01-17
CVE-2024-10850 - Razorpay Payment Button Plugin
The Razorpay Payment Button Elementor Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Razorpay Payment Button
CVE-2024-10850
Risk Score
Threat Entry
Updated 2025-07-09
CVE-2024-10778 - Buddybuilder Plugin
The BuddyPress Builder for Elementor – BuddyBuilder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.4 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts crated by Elementor that they should not have access to.
PLUGIN
Buddybuilder
CVE-2024-10778
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-10577 - Fat Rat Collect Plugin
The 胖鼠采集(Fat Rat Collect) 微信知乎简书腾讯新闻列表分页采集, 还有自动采集、自动发布、自动标签、等多项功能。开源插件 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to missing escaping on a URL in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Fat Rat Collect
CVE-2024-10577
Risk Score
Threat Entry
Updated 2024-11-13
CVE-2024-10038 - Wp Strava Plugin
The WP-Strava plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.12.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Wp Strava
CVE-2024-10038
Risk Score
Threat Entry
Updated 2024-11-12
CVE-2024-10245 - Relais 2fa Plugin
The Relais 2FA plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.0. This is due to incorrect authentication and capability checking in the 'rl_do_ajax' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.
PLUGIN
Relais 2fa
CVE-2024-10245
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-10323 - Jetwidgets For Elementor Plugin
The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.0.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Jetwidgets For Elementor
CVE-2024-10323
Risk Score
Threat Entry
Updated 2024-11-12
CVE-2024-10179 - Slick Engagement Plugin
The Slickstream: Engagement and Conversions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's slick-grid shortcode in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Slick Engagement
CVE-2024-10179
Risk Score
Threat Entry
Updated 2024-11-12
CVE-2024-9357 - Xili Tidy Tags Plugin
The xili-tidy-tags plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'action' parameter in all versions up to, and including, 1.12.04 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Xili Tidy Tags
CVE-2024-9357
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-9836 - Rss Feed Widget Plugin
The RSS Feed Widget WordPress plugin before 3.0.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
Rss Feed Widget
CVE-2024-9836
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-9835 - Rss Feed Widget Plugin
The RSS Feed Widget WordPress plugin before 3.0.1 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers
PLUGIN
Rss Feed Widget
CVE-2024-9835
Risk Score
Threat Entry
Updated 2024-11-12
CVE-2024-10790 - Admin Site Enhancements Plugin
The Admin and Site Enhancements (ASE) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 7.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. This feature must be enabled, and for specific roles in order to be exploitable.
PLUGIN
Admin Site Enhancements
CVE-2024-10790
Risk Score