Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2025-01-15

CVE-2024-9864 - Eventprime Plugin

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ticket names in all versions up to, and including, 4.0.4.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable when front-end users can submit new events with tickets.

PLUGIN Eventprime

CVE-2024-9864

MEDIUM CVSS 6.1 2024-10-24
Threat Entry Updated 2024-10-25

CVE-2024-9374 - Terms Descriptions Plugin

The Terms descriptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.4.6. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Terms Descriptions

CVE-2024-9374

MEDIUM CVSS 6.1 2024-10-24
Threat Entry Updated 2024-10-25

CVE-2024-10250 - Nioland Plugin

The Nioland theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘s’ parameter in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Nioland

CVE-2024-10250

MEDIUM CVSS 6.1 2024-10-23
Threat Entry Updated 2024-10-25

CVE-2024-8500 - Shortcodes Ultimate Plugin

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 7.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Shortcodes Ultimate

CVE-2024-8500

MEDIUM CVSS 5.4 2024-10-23
Threat Entry Updated 2024-10-25

CVE-2024-9530 - Qi Addons For Elementor Plugin

The Qi Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.0 via private templates. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including the contents of templates that are private.

PLUGIN Qi Addons For Elementor

CVE-2024-9530

MEDIUM CVSS 4.3 2024-10-23
Threat Entry Updated 2024-10-25

CVE-2024-10045 - Transients Manager Plugin

The Transients Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.6. This is due to missing or incorrect nonce validation on the process_actions function. This makes it possible for unauthenticated attackers to delete transients via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Transients Manager

CVE-2024-10045

MEDIUM CVSS 4.3 2024-10-23
Threat Entry Updated 2024-10-25

CVE-2024-9947 - Profilepress Plugin

The ProfilePress Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.11.1. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.

PLUGIN Profilepress

CVE-2024-9947

HIGH CVSS 8.1 2024-10-23
Threat Entry Updated 2024-10-25

CVE-2024-9583 - Rss Aggregator Plugin

The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on the wprss_ajax_send_premium_support function in all versions up to, and including, 4.23.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send premium support requests with an attacker-controlled subject line and email address to support, allowing them to impersonate the site owner. License information may also be leaked.

PLUGIN Rss Aggregator

CVE-2024-9583

MEDIUM CVSS 4.3 2024-10-23
Threat Entry Updated 2024-10-25

CVE-2024-9829 - Download Plugin

The Download Plugin plugin for WordPress is vulnerable to unauthorized access of data due to missing capability checks on the 'dpwap_handle_download_user' and 'dpwap_handle_download_comment' functions in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download any comment, and to download metadata for any user including user PII and sensitive information such as username, email, hashed passwords and application passwords, session token information and more, depending on setup and additional plugins installed.

PLUGIN Download

CVE-2024-9829

MEDIUM CVSS 6.5 2024-10-23
Threat Entry Updated 2024-10-25

CVE-2024-9927 - Woocommerce Order Proposal Plugin

The WooCommerce Order Proposal plugin for WordPress is vulnerable to privilege escalation via order proposal in all versions up to, and including, 2.0.5. This is due to the improper implementation of the allow_payment_without_login function. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to log in to WordPress as an arbitrary user account, including administrators.

PLUGIN Woocommerce Order Proposal

CVE-2024-9927

HIGH CVSS 7.2 2024-10-23
Threat Entry Updated 2024-10-30

CVE-2024-9231 - Wp Members Plugin

The WP-Members Membership Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.4.9.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Wp Members

CVE-2024-9231

MEDIUM CVSS 6.1 2024-10-22
Threat Entry Updated 2024-10-29

CVE-2024-10189 - Anchor Episodes Index Plugin

The Anchor Episodes Index (Spotify for Podcasters) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's anchor_episodes shortcode in all versions up to, and including, 2.1.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Anchor Episodes Index

CVE-2024-10189

MEDIUM CVSS 6.4 2024-10-22
Threat Entry Updated 2024-10-29

CVE-2024-9591 - Category And Taxonomy Image Plugin

The Category and Taxonomy Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_category_image' parameter in versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with editor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Category And Taxonomy Image

CVE-2024-9591

MEDIUM CVSS 5.5 2024-10-22
Threat Entry Updated 2024-10-29

CVE-2024-9590 - Category And Taxonomy Meta Fields Plugin

The Category and Taxonomy Meta Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image meta field value in the 'wpaft_add_meta_textinput' function in versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with editor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Category And Taxonomy Meta Fields

CVE-2024-9590

MEDIUM CVSS 5.5 2024-10-22
Threat Entry Updated 2024-10-29

CVE-2024-9589 - Category And Taxonomy Meta Fields Plugin

The Category and Taxonomy Meta Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'new_meta_name' parameter in the 'wpaft_option_page' function in versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with administrator-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Category And Taxonomy Meta Fields

CVE-2024-9589

MEDIUM CVSS 5.5 2024-10-22
Threat Entry Updated 2024-10-25

CVE-2024-9588 - Category And Taxonomy Meta Fields Plugin

The Category and Taxonomy Meta Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the 'wpaft_option_page' function. This makes it possible for unauthenticated attackers to add and delete taxonomy meta, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Category And Taxonomy Meta Fields

CVE-2024-9588

MEDIUM CVSS 5.4 2024-10-22
Threat Entry Updated 2024-10-25

CVE-2024-9541 - News Kit Elementor Addons Plugin

The News Kit Elementor Addons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.1 via the render function in includes/widgets/canvas-menu/canvas-menu.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft Elementor template data.

PLUGIN News Kit Elementor Addons

CVE-2024-9541

MEDIUM CVSS 4.3 2024-10-22
Threat Entry Updated 2024-10-25

CVE-2024-9627 - Teplobot Plugin

The TeploBot - Telegram Bot for WP plugin for WordPress is vulnerable to sensitive information disclosure due to missing authorization checks on the 'service_process' function in all versions up to, and including, 1.3. This makes it possible for unauthenticated attackers to view the Telegram Bot Token, which is a secret token to control the bot.

PLUGIN Teplobot

CVE-2024-9627

HIGH CVSS 8.6 2024-10-22
Threat Entry Updated 2024-10-25

CVE-2024-8852 - All In One Wp Migration Plugin

The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.86 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information such as full paths contained in the exposed log files.

PLUGIN All In One Wp Migration

CVE-2024-8852

MEDIUM CVSS 5.3 2024-10-22
Threat Entry Updated 2024-10-25

CVE-2024-10003 - Rover Idx Plugin

The Rover IDX plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 3.0.0.2903. This makes it possible for authenticated attackers, with subscriber-level access and above, to add, modify, or delete plugin options.

PLUGIN Rover Idx

CVE-2024-10003

MEDIUM CVSS 6.3 2024-10-22