
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-11-14

CVE-2024-10685 - Contact Form 7 Redirect Thank You Page Plugin

The Contact Form 7 Redirect & Thank You Page plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Contact Form 7 Redirect Thank You Page

CVE-2024-10685

MEDIUM CVSS 6.1 2024-11-12
Threat Entry Updated 2024-11-14

CVE-2024-10695 - Futurio Extra Plugin

The Futurio Extra plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.0.13 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts that they should not have access to.

PLUGIN Futurio Extra

CVE-2024-10695

MEDIUM CVSS 4.3 2024-11-12
Threat Entry Updated 2024-11-14

CVE-2024-10672 - Multiple Page Generator Plugin

The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the mpg_upsert_project_source_block() function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with editor-level access and above, to delete limited files on the server.

PLUGIN Multiple Page Generator

CVE-2024-10672

LOW CVSS 2.7 2024-11-12
Threat Entry Updated 2024-11-14

CVE-2024-10538 - Happy Addons For Elementor Plugin

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the before_label parameter in the Image Comparison widget in all versions up to, and including, 3.12.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Happy Addons For Elementor

CVE-2024-10538

MEDIUM CVSS 6.4 2024-11-12
Threat Entry Updated 2024-11-14

CVE-2024-10958 - The Wp Photo Album Plus Plugin

The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution via the getshortcodedrenderedfenodelay AJAX action in all versions up to, and including, 8.8.08.007. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN The Wp Photo Album Plus

CVE-2024-10958

HIGH CVSS 7.3 2024-11-10
Threat Entry Updated 2024-11-14

CVE-2024-10265 - Form Maker Plugin

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.15.30. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Form Maker

CVE-2024-10265

MEDIUM CVSS 6.1 2024-11-10
Threat Entry Updated 2024-11-12

CVE-2024-51702 - WordPress Core

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Benjamin Moody, Eric Holmes SrcSet Responsive Images for WordPress allows Reflected XSS. This issue affects SrcSet Responsive Images for WordPress: from n/a through 1.4.

CORE WordPress Core

CVE-2024-51702

HIGH CVSS 7.1 2024-11-09
Threat Entry Updated 2024-11-12

CVE-2024-10837 - Customize My Account For Woocommerce Plugin

The SysBasics Customize My Account for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘tab’ parameter in all versions up to, and including, 2.7.29 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Customize My Account For Woocommerce

CVE-2024-10837

MEDIUM CVSS 6.1 2024-11-09
Threat Entry Updated 2024-11-12

CVE-2024-10640 - Currency Switcher Professional For Woocommerce Plugin

The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN Currency Switcher Professional For Woocommerce

CVE-2024-10640

HIGH CVSS 7.3 2024-11-09
Threat Entry Updated 2024-11-12

CVE-2024-51708 - WordPress Core

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Narnoo Wordpress developer Narnoo Commerce Manager allows Reflected XSS. This issue affects Narnoo Commerce Manager: from n/a through 1.6.0.

CORE WordPress Core

CVE-2024-51708

HIGH CVSS 7.1 2024-11-09
Threat Entry Updated 2025-01-29

CVE-2024-10352 - Magical Addons For Elementor Plugin

The Magical Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.4 via the get_content_type function in includes/widgets/content-reveal.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.

PLUGIN Magical Addons For Elementor

CVE-2024-10352

MEDIUM CVSS 4.3 2024-11-09
Threat Entry Updated 2025-01-29

CVE-2024-10261 - Membership Content Restriction Paid Member Subscriptions Plugin

The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.13.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN Membership Content Restriction Paid Member Subscriptions

CVE-2024-10261

HIGH CVSS 7.3 2024-11-09
Threat Entry Updated 2024-11-12

CVE-2024-10871 - Category Ajax Filter Plugin

The Category Ajax Filter plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.8.2 via the 'params[caf-post-layout]' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where files with a .php extension can be uploaded and included.

PLUGIN Category Ajax Filter

CVE-2024-10871

CRITICAL CVSS 9.8 2024-11-09
Threat Entry Updated 2024-11-12

CVE-2024-10801 - Wordpress User Extra Fields Plugin

The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_manage_file_chunk_upload() function in all versions up to, and including, 16.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. User registration must be enabled for this to be exploited.

PLUGIN Wordpress User Extra Fields

CVE-2024-10801

CRITICAL CVSS 9.8 2024-11-09
Threat Entry Updated 2024-11-12

CVE-2024-10589 - Leopard Wordpress Offload Media Plugin

The Leopard - WordPress Offload Media plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the import_settings() function in all versions up to, and including, 3.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

PLUGIN Leopard Wordpress Offload Media

CVE-2024-10589

CRITICAL CVSS 9.8 2024-11-09
Threat Entry Updated 2024-11-12

CVE-2024-10547 - Wp Membership Plugin

The WP Membership plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the user_profile_image_upload() function in all versions up to, and including, 1.6.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Wp Membership

CVE-2024-10547

CRITICAL CVSS 9.8 2024-11-09
Threat Entry Updated 2025-01-29

CVE-2024-10508 - Registrationmagic Plugin

The RegistrationMagic – User Registration Plugin with Custom Registration Forms plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.0.2.6. This is due to the plugin not properly validating the password reset token prior to updating a user's password. This makes it possible for unauthenticated attackers to reset the password of arbitrary users, including administrators, and gain access to these accounts.

PLUGIN Registrationmagic

CVE-2024-10508

CRITICAL CVSS 9.8 2024-11-09
Threat Entry Updated 2025-05-15

CVE-2024-9874 - Poll Maker Plugin

The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 5.4.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Poll Maker

CVE-2024-9874

MEDIUM CVSS 4.9 2024-11-09
Threat Entry Updated 2024-11-12

CVE-2024-10876 - Charitable Plugin

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.8.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Charitable

CVE-2024-10876

MEDIUM CVSS 6.1 2024-11-09
Threat Entry Updated 2024-11-12

CVE-2024-10688 - Attesa Extra Plugin

The Attesa Extra plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.2 via the 'attesa-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.

PLUGIN Attesa Extra

CVE-2024-10688

MEDIUM CVSS 4.3 2024-11-09