Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 records (Critical 923, High 3,047, Medium 10,866). Showing records 7761-7780 of 15,036.
Threat Entry Updated 2024-10-25

CVE-2024-10002 - Rover Idx Plugin

The Rover IDX plugin for WordPress is vulnerable to Authentication Bypass in versions up to, and including, 3.0.0.2905. This is due to insufficient validation and a missing capability check on the 'rover_idx_refresh_social_callback' function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as an administrator. The vulnerability is partially patched in version 3.0.0.2905 and fully patched in version 3.0.0.2906.

Plugin: Rover Idx | HIGH | CVSS 8.8 | 2024-10-22
Threat Entry Updated 2024-10-24

CVE-2024-8625 - TS Poll Plugin

The TS Poll WordPress plugin before 2.4.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.

Plugin: TS Poll | HIGH | CVSS 7.2 | 2024-10-21
Threat Entry Updated 2024-10-22

CVE-2024-49627 - Wordpress Image Seo Plugin

Cross-Site Request Forgery (CSRF) vulnerability in Noor Alam WordPress Image SEO allows Cross Site Request Forgery. This issue affects WordPress Image SEO: from n/a through 1.1.4.

Plugin: Wordpress Image Seo | MEDIUM | CVSS 4.3 | 2024-10-20
Threat Entry Updated 2024-11-01

CVE-2024-9897 - Twitch Integration Plugin

The StreamWeasels Twitch Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sw-twitch-embed shortcode in all versions up to, and including, 1.8.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Twitch Integration | MEDIUM | CVSS 6.4 | 2024-10-19
Threat Entry Updated 2024-11-01

CVE-2024-9889 - Elementinvader Addons For Elementor Plugin

The ElementInvader Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.9 via the Page Loader widget. This makes it possible for authenticated attackers, with contributor-level access and above, to view private/draft/password protected posts, pages, and Elementor templates that they should not have access to.

Plugin: Elementinvader Addons For Elementor | MEDIUM | CVSS 4.3 | 2024-10-19
Threat Entry Updated 2024-11-01

CVE-2023-6243 - Eventon Pro Wordpress Virtual Event Calendar Plugin

The EventON PRO - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.8. This is due to missing or incorrect nonce validation on the admin_test_email function. This makes it possible for unauthenticated attackers to send test emails to arbitrary email addresses via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Eventon Pro Wordpress Virtual Event Calendar | MEDIUM | CVSS 4.3 | 2024-10-19
Threat Entry Updated 2024-11-01

CVE-2024-9219 - Social Share Buttons Plugin

The WordPress Social Share Buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.19. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: Social Share Buttons | MEDIUM | CVSS 6.1 | 2024-10-19
Threat Entry Updated 2024-10-29

CVE-2024-9593 - Time Clock Plugin

The Time Clock plugin and Time Clock Pro plugin for WordPress are vulnerable to Remote Code Execution in versions up to, and including, 1.2.2 (for Time Clock) and 1.1.4 (for Time Clock Pro) via the 'etimeclockwp_load_function_callback' function. This allows unauthenticated attackers to execute code on the server. The invoked function's parameters cannot be specified.

Plugin: Time Clock | HIGH | CVSS 8.3 | 2024-10-18
Threat Entry Updated 2024-10-22

CVE-2024-9674 - Debrandify Plugin

The Debrandify · Remove or Replace WordPress Branding plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Plugin: Debrandify | MEDIUM | CVSS 6.4 | 2024-10-18
Threat Entry Updated 2024-10-22

CVE-2024-9425 - Advanced Category And Custom Taxonomy Image Plugin

The Advanced Category and Custom Taxonomy Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ad_tax_image shortcode in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Advanced Category And Custom Taxonomy Image | MEDIUM | CVSS 6.4 | 2024-10-18
Threat Entry Updated 2024-10-21

CVE-2024-49231 - Wordpress Video Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Peter CyClop WordPress Video allows Stored XSS. This issue affects WordPress Video: from n/a through 1.0.

Plugin: Wordpress Video | MEDIUM | CVSS 6.5 | 2024-10-18
Threat Entry Updated 2024-10-21

CVE-2024-10057 - Rss Feed Widget Plugin

The RSS Feed Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's rfw-youtube-videos shortcode in all versions up to, and including, 2.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Rss Feed Widget | MEDIUM | CVSS 6.4 | 2024-10-18
Threat Entry Updated 2024-10-22

CVE-2024-10079 - Wp Easy Post Types Plugin

The WP Easy Post Types plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.4.4 via deserialization of untrusted input from the 'text' parameter in the 'ajax_import_content' function. This allows authenticated attackers, with subscriber-level permissions and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Plugin: Wp Easy Post Types | HIGH | CVSS 8.8 | 2024-10-18
Threat Entry Updated 2024-10-22

CVE-2024-10078 - Wp Easy Post Types Plugin

The WP Easy Post Types plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 1.4.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to add, modify, or delete plugin options and posts.

Plugin: Wp Easy Post Types | HIGH | CVSS 7.3 | 2024-10-18
Threat Entry Updated 2024-10-22

CVE-2024-10080 - Wp Easy Post Types Plugin

The WP Easy Post Types plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post meta in versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Wp Easy Post Types | MEDIUM | CVSS 6.4 | 2024-10-18
Threat Entry Updated 2024-10-22

CVE-2024-10055 - Click To Chat Plugin

The Click to Chat – WP Support All-in-One Floating Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpsaio_snapchat shortcode in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Click To Chat | MEDIUM | CVSS 6.4 | 2024-10-18
Threat Entry Updated 2024-10-22

CVE-2024-9703 - Arconix Shortcodes Plugin

The Arconix Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 2.1.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Arconix Shortcodes | MEDIUM | CVSS 6.4 | 2024-10-18
Threat Entry Updated 2024-10-22

CVE-2024-9206 - Mas Companies For Wp Job Manager Plugin

The MAS Companies For WP Job Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.0.13. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: Mas Companies For Wp Job Manager | MEDIUM | CVSS 6.1 | 2024-10-18
Threat Entry Updated 2024-10-22

CVE-2024-9892 - Add Widget After Content Plugin

The Add Widget After Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Plugin: Add Widget After Content | MEDIUM | CVSS 4.4 | 2024-10-18
Threat Entry Updated 2024-10-22

CVE-2024-9848 - Product Customizer Light Plugin

The Product Customizer Light plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Plugin: Product Customizer Light | MEDIUM | CVSS 6.4 | 2024-10-18