Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-11-13

CVE-2024-50451 - Meta Data And Taxonomies Filter Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in realmag777 WordPress Meta Data and Taxonomies Filter (MDTF) allows Stored XSS. This issue affects WordPress Meta Data and Taxonomies Filter (MDTF): from n/a through 1.3.3.4.

PLUGIN Meta Data And Taxonomies Filter

CVE-2024-50451

MEDIUM CVSS 6.5 2024-10-28
Threat Entry Updated 2024-10-29

CVE-2024-50450 - Wordpress Meta Data And Taxonomies Filter Plugin

Improper Control of Generation of Code ('Code Injection') vulnerability in realmag777 WordPress Meta Data and Taxonomies Filter (MDTF) allows Code Injection. This issue affects WordPress Meta Data and Taxonomies Filter (MDTF): from n/a through 1.3.3.4.

PLUGIN Wordpress Meta Data And Taxonomies Filter

CVE-2024-50450

HIGH CVSS 7.3 2024-10-28
Threat Entry Updated 2024-10-28

CVE-2024-9162 - All In One Wp Migration Plugin

The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to arbitrary PHP Code Injection due to missing file type validation during the export in all versions up to, and including, 7.86. This makes it possible for authenticated attackers, with Administrator-level access and above, to create an export file with the .php extension on the affected site's server and add arbitrary PHP code to it, which may make remote code execution possible.

PLUGIN All In One Wp Migration

CVE-2024-9162

HIGH CVSS 7.2 2024-10-28
Threat Entry Updated 2024-10-28

CVE-2024-9501 - Wp Social Plugin

The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.0.7. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.

PLUGIN Wp Social

CVE-2024-9501

CRITICAL CVSS 9.8 2024-10-26
Threat Entry Updated 2025-02-05

CVE-2024-10402 - Forminator Forms Plugin

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.35.1. This makes it possible for authenticated attackers, with Contributor-level access and above, and permissions granted by an Administrator, to create new or edit existing forms, including updating the default registration role to Administrator on User Registration forms.

PLUGIN Forminator Forms

CVE-2024-10402

HIGH CVSS 7.5 2024-10-26
Threat Entry Updated 2025-02-11

CVE-2024-10117 - Wp Crowdfunding Plugin

The WP Crowdfunding plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpcf_donate shortcode in all versions up to, and including, 2.1.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Crowdfunding

CVE-2024-10117

MEDIUM CVSS 6.4 2024-10-26
Threat Entry Updated 2024-11-25

CVE-2024-9772 - Uix Shortcodes Plugin

The Uix Shortcodes – Compatible with Gutenberg plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.9.9. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN Uix Shortcodes

CVE-2024-9772

HIGH CVSS 7.3 2024-10-26
Threat Entry Updated 2024-10-28

CVE-2024-9116 - Monkee Boy Wp Essentials Plugin

The Monkee-Boy Essentials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Monkee Boy Wp Essentials

CVE-2024-9116

MEDIUM CVSS 6.4 2024-10-26
Threat Entry Updated 2024-10-28

CVE-2024-10357 - Cafe Lite Plugin

The Clever Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.1 via the getTemplateContent function in src/widgets/class-clever-widget-base.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.

PLUGIN Cafe Lite

CVE-2024-10357

MEDIUM CVSS 4.3 2024-10-26
Threat Entry Updated 2024-11-22

CVE-2024-9967 - Wp Show More Plugin

The WP show more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's show_more shortcode in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Show More

CVE-2024-9967

MEDIUM CVSS 6.4 2024-10-26
Threat Entry Updated 2024-10-28

CVE-2024-9853 - Idsk Toolkit Plugin

The ID-SK Toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Idsk Toolkit

CVE-2024-9853

MEDIUM CVSS 6.4 2024-10-26
Threat Entry Updated 2024-10-28

CVE-2024-9642 - Editor Custom Color Palette Plugin

The Editor Custom Color Palette plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Editor Custom Color Palette

CVE-2024-9642

MEDIUM CVSS 6.4 2024-10-26
Threat Entry Updated 2025-07-10

CVE-2024-9637 - Wpschoolpress Plugin

The School Management System – WPSchoolPress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.10. This is due to the plugin not properly validating a user's identity prior to updating their details, such as email. This makes it possible for authenticated attackers, with teacher-level access and above, to change arbitrary users' email addresses, including administrators', and leverage that to reset the user's password and gain access to their account.

PLUGIN Wpschoolpress

CVE-2024-9637

HIGH CVSS 8.8 2024-10-26
Threat Entry Updated 2024-10-28

CVE-2024-8392 - Sogrid Plugin

The WordPress Post Grid Layouts with Pagination – Sogrid plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.5.2 via the 'tab' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.…

PLUGIN Sogrid

CVE-2024-8392

HIGH CVSS 7.2 2024-10-26
Threat Entry Updated 2024-10-28

CVE-2024-10092 - Download Monitor Plugin

The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_handle_api_key_actions function in all versions up to, and including, 5.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to revoke existing API keys and generate new ones.

PLUGIN Download Monitor

CVE-2024-10092

MEDIUM CVSS 4.3 2024-10-26
Threat Entry Updated 2024-10-28

CVE-2024-9456 - Wp Awesome Login Plugin

The WP Awesome Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 0.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Wp Awesome Login

CVE-2024-9456

MEDIUM CVSS 6.4 2024-10-26
Threat Entry Updated 2024-10-28

CVE-2024-8870 - Mailchimp Wp Plugin

The Forms for Mailchimp by Optin Cat – Grow Your MailChimp List plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.5.6. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Mailchimp Wp

CVE-2024-8870

MEDIUM CVSS 6.1 2024-10-26
Threat Entry Updated 2024-10-28

CVE-2024-9933 - Watchtowerhq Plugin

The WatchTowerHQ plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.6. This is due to the 'watchtower_ota_token' default value being empty and the not-empty check being missing in the 'Password_Less_Access::login' function. This makes it possible for unauthenticated attackers to log in as the WatchTowerHQ client administrator user.

PLUGIN Watchtowerhq

CVE-2024-9933

CRITICAL CVSS 9.8 2024-10-26
Threat Entry Updated 2026-01-23

CVE-2024-9932 - Wux Blog Editor Plugin

The Wux Blog Editor plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'wuxbt_insertImageNew' function in versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Wux Blog Editor

CVE-2024-9932

CRITICAL CVSS 9.8 2024-10-26
Threat Entry Updated 2024-10-28

CVE-2024-9931 - Wux Blog Editor Plugin

The Wux Blog Editor plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.0.0. This is due to missing validation on the token being supplied during the autologin through the plugin. This makes it possible for unauthenticated attackers to log in to the first administrator user.

PLUGIN Wux Blog Editor

CVE-2024-9931

CRITICAL CVSS 9.8 2024-10-26