Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-11-01

CVE-2024-8512 - W3speedster Wp Plugin

The W3SPEEDSTER plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.26 via the 'script' parameter of the hookBeforeStartOptimization() function. This is due to the plugin passing user supplied input to eval(). This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.

PLUGIN W3speedster Wp

CVE-2024-8512

CRITICAL CVSS 9.1 2024-10-30
Threat Entry Updated 2024-11-01

CVE-2024-10223 - Ht Team Member Plugin

The WP Team – WordPress Team Member Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's htteamember shortcode in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ht Team Member

CVE-2024-10223

MEDIUM CVSS 6.4 2024-10-30
Threat Entry Updated 2024-11-01

CVE-2024-10108 - Wpadverts Plugin

The WPAdverts – Classifieds Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's adverts_add shortcode in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wpadverts

CVE-2024-10108

HIGH CVSS 7.2 2024-10-30
Threat Entry Updated 2024-11-01

CVE-2024-8871 - Easy Pricing Tables Plugin

The Pricing Tables WordPress Plugin – Easy Pricing Tables plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.2.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Easy Pricing Tables

CVE-2024-8871

MEDIUM CVSS 6.1 2024-10-30
Threat Entry Updated 2024-11-01

CVE-2024-10399 - Download Monitor Plugin

The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_search_users function in all versions up to, and including, 5.0.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain usernames and emails of site users.

PLUGIN Download Monitor

CVE-2024-10399

MEDIUM CVSS 4.3 2024-10-30
Threat Entry Updated 2024-11-01

CVE-2024-9886 - Wp Baidu Map Plugin

The WP Baidu Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'baidu_map' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Baidu Map

CVE-2024-9886

MEDIUM CVSS 6.4 2024-10-30
Threat Entry Updated 2024-11-01

CVE-2024-9885 - Widget Or Sidebar Per Shortcode Plugin

The Widget or Sidebar Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sidebar' shortcode in all versions up to, and including, 0.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Widget Or Sidebar Per Shortcode

CVE-2024-9885

MEDIUM CVSS 6.4 2024-10-30
Threat Entry Updated 2024-11-01

CVE-2024-9884 - T Countdown Plugin

The T(-) Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tminus' shortcode in all versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN T Countdown

CVE-2024-9884

MEDIUM CVSS 6.4 2024-10-30
Threat Entry Updated 2024-11-06

CVE-2024-9846 - Enable Shortcodes Inside Widgets Comments And Experts Plugin

The Enable Shortcodes inside Widgets,Comments and Experts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN Enable Shortcodes Inside Widgets Comments And Experts

CVE-2024-9846

HIGH CVSS 7.3 2024-10-30
Threat Entry Updated 2024-11-06

CVE-2024-8627 - Ultimate Tinymce Plugin

The Ultimate TinyMCE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'field' shortcode in all versions up to, and including, 5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ultimate Tinymce

CVE-2024-8627

MEDIUM CVSS 6.4 2024-10-30
Threat Entry Updated 2024-11-06

CVE-2024-8792 - Subscribe To Comments Plugin

The Subscribe to Comments plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Subscribe To Comments

CVE-2024-8792

MEDIUM CVSS 6.1 2024-10-30
Threat Entry Updated 2024-11-06

CVE-2023-5816 - Code Explorer Plugin

The Code Explorer plugin for WordPress is vulnerable to arbitrary external file reading in all versions up to, and including, 1.4.5. This is because the plugin does not restrict file access to files inside the WordPress instance, even though the plugin is intended to access only WordPress-related files. This makes it possible for authenticated attackers, with administrator-level access, to read files outside of the WordPress instance.

PLUGIN Code Explorer

CVE-2023-5816

MEDIUM CVSS 4.9 2024-10-30
Threat Entry Updated 2024-11-07

CVE-2024-9989 - Crypto Tool Plugin

The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.15. This is due to a limited arbitrary method call to the 'crypto_connect_ajax_process::log_in' function from the 'crypto_connect_ajax_process' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.

PLUGIN Crypto Tool

CVE-2024-9989

CRITICAL CVSS 9.8 2024-10-29
Threat Entry Updated 2024-11-07

CVE-2024-9988 - Crypto Tool Plugin

The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.15. This is due to missing validation on the user being supplied in the 'crypto_connect_ajax_process::register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.

PLUGIN Crypto Tool

CVE-2024-9988

CRITICAL CVSS 9.8 2024-10-29
Threat Entry Updated 2024-11-06

CVE-2024-9990 - Crypto Tool Plugin

The Crypto plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.15. This is due to missing nonce validation in the 'crypto_connect_ajax_process::check' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Crypto Tool

CVE-2024-9990

HIGH CVSS 8.8 2024-10-29
Threat Entry Updated 2024-11-06

CVE-2024-50459 - Aidwp Plugin

Missing Authorization vulnerability in HM Plugin WordPress Stripe Donation and Payment Plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress Stripe Donation and Payment Plugin: from n/a through 3.2.3.

PLUGIN Aidwp

CVE-2024-50459

MEDIUM CVSS 5.3 2024-10-29
Threat Entry Updated 2024-11-06

CVE-2024-50466 - Advanced Dark Mode Plugin

Cross-Site Request Forgery (CSRF) vulnerability in DarkMySite DarkMySite – Advanced Dark Mode Plugin for WordPress darkmysite allows Cross Site Request Forgery. This issue affects DarkMySite – Advanced Dark Mode Plugin for WordPress: from n/a through 1.2.8.

PLUGIN Advanced Dark Mode

CVE-2024-50466

MEDIUM CVSS 4.3 2024-10-29
Threat Entry Updated 2024-11-08

CVE-2024-7985 - Fileorganizer Plugin

The FileOrganizer – Manage WordPress and Website Files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the "fileorganizer_ajax_handler" function in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: The FileOrganizer Pro plugin must be installed and active to allow Subscriber+ users to upload files.

PLUGIN Fileorganizer

CVE-2024-7985

HIGH CVSS 7.5 2024-10-29
Threat Entry Updated 2024-10-31

CVE-2024-9505 - Beaver Builder Plugin

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button widget in all versions up to, and including, 2.8.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Beaver Builder

CVE-2024-9505

MEDIUM CVSS 6.4 2024-10-29