Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-11-08
CVE-2024-9667 - Seriously Simple Podcasting Plugin
The Seriously Simple Podcasting plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.5.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Seriously Simple Podcasting
CVE-2024-9667
Risk Score
Threat Entry
Updated 2024-11-07
CVE-2024-10711 - Woocommerce Report Plugin
The WooCommerce Report plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.1. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update arbitrary options that can be leveraged for privilege escalation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Woocommerce Report
CVE-2024-10711
Risk Score
Threat Entry
Updated 2025-08-01
CVE-2024-10114 - Woocommerce Social Login Plugin
The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.7.7. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.
PLUGIN
Woocommerce Social Login
CVE-2024-10114
Risk Score
Threat Entry
Updated 2024-11-06
CVE-2024-10097 - Loginizer Plugin
The Loginizer Security and Loginizer plugins for WordPress are vulnerable to authentication bypass in all versions up to, and including, 1.9.2. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.
PLUGIN
Loginizer
CVE-2024-10097
Risk Score
Threat Entry
Updated 2024-11-06
CVE-2024-9883 - Before 3 Plugin
The Pods WordPress plugin before 3.2.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 3
CVE-2024-9883
Risk Score
Threat Entry
Updated 2024-12-20
CVE-2024-9689 - Post From Frontend Plugin
The Post From Frontend WordPress plugin through 1.0.0 does not have CSRF check when deleting posts, which could allow attackers to make logged in admin perform such action via a CSRF attack
PLUGIN
Post From Frontend
CVE-2024-9689
Risk Score
Threat Entry
Updated 2024-11-06
CVE-2024-7877 - Simply Schedule Appointments Booking Plugin
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Notification settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
PLUGIN
Simply Schedule Appointments Booking
CVE-2024-7877
Risk Score
Threat Entry
Updated 2024-11-06
CVE-2024-7876 - Simply Schedule Appointments Booking Plugin
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.55 does not sanitise and escape some of its Appointment Type settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
PLUGIN
Simply Schedule Appointments Booking
CVE-2024-7876
Risk Score
Threat Entry
Updated 2024-11-06
CVE-2024-5578 - Table Of Contents Plus Plugin
The Table of Contents Plus WordPress plugin through 2408 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
PLUGIN
Table Of Contents Plus
CVE-2024-5578
Risk Score
Threat Entry
Updated 2024-11-05
CVE-2024-10340 - Shortcodes Blocks Creator Ultimate Plugin
The Shortcodes Blocks Creator Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'scu' shortcode in versions up to, and including, 2.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Shortcodes Blocks Creator Ultimate
CVE-2024-10340
Risk Score
Threat Entry
Updated 2024-11-06
CVE-2024-51682 - Ht Builder Plugin
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in HasThemes HT Builder – WordPress Theme Builder for Elementor allows Stored XSS.This issue affects HT Builder – WordPress Theme Builder for Elementor: from n/a through 1.3.0.
PLUGIN
Ht Builder
CVE-2024-51682
Risk Score
Threat Entry
Updated 2024-11-04
CVE-2024-9896 - Bbp Core Plugin
The BBP Core – Expand bbPress powered forums with useful features plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Bbp Core
CVE-2024-9896
Risk Score
Threat Entry
Updated 2024-11-04
CVE-2024-10310 - Element Pack Plugin
The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom Gallery Widget 'image_title' parameter in all versions up to, and including, 5.10.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Element Pack
CVE-2024-10310
Risk Score
Threat Entry
Updated 2024-11-04
CVE-2024-8739 - Recaptcha Integration Plugin
The ReCaptcha Integration for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Recaptcha Integration
CVE-2024-8739
Risk Score
Threat Entry
Updated 2024-11-04
CVE-2024-9868 - Element Pack Plugin
The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Age Gate Widget 'url' parameter in all versions up to, and including, 5.10.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Element Pack
CVE-2024-9868
Risk Score
Threat Entry
Updated 2024-11-04
CVE-2024-10540 - Bookingpress Plugin
The Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress plugin for WordPress is vulnerable to SQL Injection via the 'service' parameter of the bookingpress_form shortcode in all versions up to, and including, 1.1.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Bookingpress
CVE-2024-10540
Risk Score
Threat Entry
Updated 2024-11-08
CVE-2024-44020 - Wp Free Ssl Plugin
Missing Authorization vulnerability in Prasad Kirpekar WP Free SSL – Free SSL Certificate for WordPress and force HTTPS allows . This issue affects WP Free SSL – Free SSL Certificate for WordPress and force HTTPS: from n/a through 1.2.6.
PLUGIN
Wp Free Ssl
CVE-2024-44020
Risk Score
Threat Entry
Updated 2024-11-01
CVE-2024-43268 - WordPress Core
Access Control vulnerability in WPBackItUp Backup and Restore WordPress allows . This issue affects Backup and Restore WordPress: from n/a through 1.50.
CORE
WordPress Core
CVE-2024-43268
Risk Score
Threat Entry
Updated 2024-11-01
CVE-2024-43270 - WordPress Core
Missing Authorization vulnerability in WPBackItUp Backup and Restore WordPress allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Backup and Restore WordPress: from n/a through 1.50.
CORE
WordPress Core
CVE-2024-43270
Risk Score
Threat Entry
Updated 2024-11-01
CVE-2024-43235 - WordPress Core
Missing Authorization vulnerability in MetaBox.Io Meta Box – WordPress Custom Fields Framework allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Meta Box – WordPress Custom Fields Framework: from n/a through 5.9.10.
CORE
WordPress Core
CVE-2024-43235
Risk Score