Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-11-21
CVE-2024-9213 - Persian Woocommerce Sms Plugin
The افزونه پیامک ووکامرس Persian WooCommerce SMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 7.0.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Persian Woocommerce Sms
CVE-2024-9213
Risk Score
Threat Entry
Updated 2025-01-29
CVE-2024-9352 - Forminator Forms Plugin
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.35.1. This is due to missing or incorrect nonce validation on the custom form 'create_module' function. This makes it possible for unauthenticated attackers to create draft forms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Forminator Forms
CVE-2024-9352
Risk Score
Threat Entry
Updated 2025-01-29
CVE-2024-9351 - Forminator Forms Plugin
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.35.1. This is due to missing or incorrect nonce validation on the quiz 'create_module' function. This makes it possible for unauthenticated attackers to create draft quizzes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Forminator Forms
CVE-2024-9351
Risk Score
Threat Entry
Updated 2025-05-17
CVE-2024-5429 - Before 4 Plugin
The Logo Slider WordPress plugin before 4.1.0 does not validate and escape some of its Slider Settings before outputting them back in attributes, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
PLUGIN
Before 4
CVE-2024-5429
Risk Score
Threat Entry
Updated 2024-10-18
CVE-2024-9263 - Wp Timetics Ai Powered Appointment Booking Calendar And Online Scheduling Plugin
The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to Account Takeover/Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 1.0.25 via the save() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to reset the emails and passwords of arbitrary user accounts, including administrators, which makes account takeover and privilege escalation possible.
PLUGIN
Wp Timetics Ai Powered Appointment Booking Calendar And Online Scheduling
CVE-2024-9263
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2024-9347 - Wp Extended Plugin
The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpext-export' parameter in all versions up to, and including, 3.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Wp Extended
CVE-2024-9347
Risk Score
Threat Entry
Updated 2024-10-18
CVE-2024-8719 - Idx Plugin
The Flexmls® IDX Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via several parameters like 'MaxBeds' and 'MinBeds' in all versions up to, and including, 3.14.22 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Idx
CVE-2024-8719
Risk Score
Threat Entry
Updated 2025-01-10
CVE-2024-7417 - Royal Elementor Addons Plugin
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.3.986 via the data_fetch. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract data from password protected posts.
PLUGIN
Royal Elementor Addons
CVE-2024-7417
Risk Score
Threat Entry
Updated 2024-11-18
CVE-2024-49593 - Advanced Custom Fields Plugin
In Advanced Custom Fields (ACF) before 6.3.9 and Secure Custom Fields before 6.3.6.3 (plugins for WordPress), using the Field Group editor to edit one of the plugin's fields can result in execution of a stored XSS payload. NOTE: if you wish to use the WP Engine alternative update mechanism for the free version of ACF, then you can follow the process shown at the advancedcustomfields.com blog URL within the References section below.
PLUGIN
Advanced Custom Fields
CVE-2024-49593
Risk Score
Threat Entry
Updated 2024-10-18
CVE-2024-9863 - Miniorange Firebase Sms Otp Verification Plugin
The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.6.0 due to the insecure 'administrator' default value for the 'default_user_role' option. This makes it possible for unauthenticated attackers to register an administrator user even if the registration form is disabled.
PLUGIN
Miniorange Firebase Sms Otp Verification
CVE-2024-9863
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2024-9940 - Calculated Fields Form Plugin
The Calculated Fields Form plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 5.2.45. This is due to the plugin not properly neutralizing HTML elements from submitted forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views form submissions in their email.
PLUGIN
Calculated Fields Form
CVE-2024-9940
Risk Score
Threat Entry
Updated 2025-01-28
CVE-2024-9862 - Otp Verification With Firebase Plugin
The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 3.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources, and the user current password check is missing. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.
PLUGIN
Otp Verification With Firebase
CVE-2024-9862
Risk Score
Threat Entry
Updated 2025-01-28
CVE-2024-9861 - Otp Verification With Firebase Plugin
The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.6.0. This is due to missing validation on the token being supplied during the otp login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the phone number associated with that user.
PLUGIN
Otp Verification With Firebase
CVE-2024-9861
Risk Score
Threat Entry
Updated 2024-10-18
CVE-2024-9240 - Redi Restaurant Reservation Plugin
The ReDi Restaurant Reservation plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 24.0902. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Redi Restaurant Reservation
CVE-2024-9240
Risk Score
Threat Entry
Updated 2024-10-18
CVE-2024-9215 - Publishpress Authors Plugin
The Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors plugin for WordPress is vulnerable to Insecure Direct Object Reference to Privilege Escalation/Account Takeover in all versions up to, and including, 4.7.1 via the action_edited_author() due to missing validation on the 'authors-user_id' user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to update arbitrary user accounts email addresses, including administrators, which can then be leveraged to reset that user's account password and gain access.
PLUGIN
Publishpress Authors
CVE-2024-9215
Risk Score
Threat Entry
Updated 2024-10-16
CVE-2024-9893 - Nextend Facebook Connect Plugin
The Nextend Social Login Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.1.14. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.
PLUGIN
Nextend Facebook Connect
CVE-2024-9893
Risk Score
Threat Entry
Updated 2024-10-16
CVE-2024-49260 - WordPress Core
Unrestricted Upload of File with Dangerous Type vulnerability in Limb WordPress Gallery Plugin – Limb Image Gallery allows Code Injection.This issue affects WordPress Gallery Plugin – Limb Image Gallery: from n/a through 1.5.7.
CORE
WordPress Core
CVE-2024-49260
Risk Score
Threat Entry
Updated 2024-10-16
CVE-2024-49258 - WordPress Core
Path Traversal: '.../...//' vulnerability in Limb WordPress Gallery Plugin – Limb Image Gallery.This issue affects WordPress Gallery Plugin – Limb Image Gallery: from n/a through 1.5.7.
CORE
WordPress Core
CVE-2024-49258
Risk Score
Threat Entry
Updated 2024-10-16
CVE-2024-8921 - Zita Elementor Site Library Plugin
The Zita Elementor Site Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Zita Elementor Site Library
CVE-2024-8921
Risk Score
Threat Entry
Updated 2025-11-07
CVE-2024-9444 - Elementsready Plugin
The ElementsReady Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Elementsready
CVE-2024-9444
Risk Score