Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 records (Critical: 923, High: 3,047, Medium: 10,866)
Showing 7881-7900 of 15036 records
Threat Entry Updated 2024-10-15

CVE-2024-9670 - 2d Tag Cloud Widget By Sujin Plugin

The 2D Tag Cloud plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 6.0.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN 2d Tag Cloud Widget By Sujin

CVE-2024-9670

MEDIUM CVSS 6.1 2024-10-12
Threat Entry Updated 2024-11-25

CVE-2024-9776 - Imagepress Plugin

The ImagePress – Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Imagepress

CVE-2024-9776

MEDIUM CVSS 4.4 2024-10-12
Threat Entry Updated 2024-11-25

CVE-2024-9778 - Imagepress Plugin

The ImagePress – Image Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing or incorrect nonce validation on the 'imagepress_admin_page' function. This makes it possible for unauthenticated attackers to update plugin settings, including redirection URLs, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Imagepress

CVE-2024-9778

MEDIUM CVSS 4.3 2024-10-12
Threat Entry Updated 2024-10-16

CVE-2024-7489 - Mailchimp Wp Plugin

The Forms for Mailchimp by Optin Cat – Grow Your MailChimp List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form color parameters in all versions up to, and including, 2.5.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Mailchimp Wp

CVE-2024-7489

MEDIUM CVSS 4.4 2024-10-12
Threat Entry Updated 2024-10-15

CVE-2024-9187 - Read More Plugin

The Read more By Adam plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteRm() function in all versions up to, and including, 1.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete read more buttons.

PLUGIN Read More

CVE-2024-9187

MEDIUM CVSS 4.3 2024-10-12
Threat Entry Updated 2024-10-15

CVE-2024-9821 - Bot For Telegram On Woocommerce Plugin

The Bot for Telegram on WooCommerce plugin for WordPress is vulnerable to sensitive information disclosure due to missing authorization checks on the 'stm_wpcfto_get_settings' AJAX action in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to view the Telegram Bot Token, a secret token used to control the bot, which can then be used to log in as any existing user on the site, such as an administrator, if they know the username, due to the Login with Telegram feature.

PLUGIN Bot For Telegram On Woocommerce

CVE-2024-9821

HIGH CVSS 8.8 2024-10-12
Threat Entry Updated 2024-10-15

CVE-2024-9860 - Bridge Core Plugin

The Bridge Core plugin for WordPress is vulnerable to unauthorized modification of data or loss of data due to a missing capability check on the 'import_action' and 'install_plugin_per_demo' functions in versions up to, and including, 3.3. This makes it possible for authenticated attackers, with subscriber-level permissions or above, to delete or change plugin settings, import demo data, and install limited plugins.

PLUGIN Bridge Core

CVE-2024-9860

MEDIUM CVSS 6.5 2024-10-12
Threat Entry Updated 2024-10-15

CVE-2024-9592 - Paypal Gift Certificate Plugin

The Easy PayPal Gift Certificate plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.3. This is due to missing or incorrect nonce validation on the 'wpppgc_plugin_options' function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious JavaScript via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Paypal Gift Certificate

CVE-2024-9592

MEDIUM CVSS 6.1 2024-10-12
Threat Entry Updated 2024-11-25

CVE-2024-9707 - Hunk Companion Plugin

The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.

PLUGIN Hunk Companion

CVE-2024-9707

CRITICAL CVSS 9.8 2024-10-11
Threat Entry Updated 2024-10-15

CVE-2024-9616 - Block Pattern Builder Plugin

The BlockMeister – Block Pattern Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.1.10. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Block Pattern Builder

CVE-2024-9616

MEDIUM CVSS 6.1 2024-10-11
Threat Entry Updated 2024-10-15

CVE-2024-9611 - Increase Upload File Size Maximum Execution Time Limit Plugin

The Increase upload file size & Maximum Execution Time limit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Increase Upload File Size Maximum Execution Time Limit

CVE-2024-9611

MEDIUM CVSS 6.1 2024-10-11
Threat Entry Updated 2024-10-15

CVE-2024-9610 - Language Switcher Plugin

The Language Switcher plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.7.13. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Language Switcher

CVE-2024-9610

MEDIUM CVSS 6.1 2024-10-11
Threat Entry Updated 2025-01-29

CVE-2024-9587 - Linkz Ai Plugin

The Linkz.ai plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_linkz' function in versions up to, and including, 1.1.8. This makes it possible for authenticated attackers, with contributor-level privileges or above, to update plugin settings.

PLUGIN Linkz Ai

CVE-2024-9587

MEDIUM CVSS 5.4 2024-10-11
Threat Entry Updated 2025-01-29

CVE-2024-9586 - Linkz Ai Plugin

The Linkz.ai plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'check_auth' and 'check_logout' functions in versions up to, and including, 1.1.8. This makes it possible for unauthenticated attackers to update plugin settings.

PLUGIN Linkz Ai

CVE-2024-9586

MEDIUM CVSS 6.5 2024-10-11
Threat Entry Updated 2024-10-15

CVE-2024-9543 - Powerpress Podcasting Plugin By Blubrry

The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'skipto' shortcode in all versions up to, and including, 11.9.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Powerpress Podcasting Plugin By Blubrry

CVE-2024-9543

MEDIUM CVSS 6.4 2024-10-11
Threat Entry Updated 2024-10-15

CVE-2024-9507 - Bit Form Plugin

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.15.2 due to improper input validation within the iconUpload function. This makes it possible for authenticated attackers, with Administrator-level access and above, to leverage a PHP filter chain attack and read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Bit Form

CVE-2024-9507

MEDIUM CVSS 4.9 2024-10-11
Threat Entry Updated 2025-11-25

CVE-2024-9538 - Shoplentor Plugin

The ShopLentor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.8 via the 'render' function in includes/addons/wl_faq.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft Elementor template data.

PLUGIN Shoplentor

CVE-2024-9538

MEDIUM CVSS 4.3 2024-10-11
Threat Entry Updated 2024-10-15

CVE-2024-9234 - Gutenkit Blocks Addon Plugin

The GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the install_and_activate_plugin_from_external() function (install-active-plugin REST API endpoint) in all versions up to, and including, 2.1.0. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins, or utilize the functionality to upload arbitrary files spoofed like plugins.

PLUGIN Gutenkit Blocks Addon

CVE-2024-9234

CRITICAL CVSS 9.8 2024-10-11
Threat Entry Updated 2024-10-15

CVE-2024-9436 - Approve And Schedule Content Changes Plugin

The PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.5.14. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Approve And Schedule Content Changes

CVE-2024-9436

MEDIUM CVSS 6.1 2024-10-11
Threat Entry Updated 2024-10-15

CVE-2024-9346 - Video Embed Privacy Plugin

The Embed videos and respect privacy plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'v' parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Video Embed Privacy

CVE-2024-9346

MEDIUM CVSS 6.1 2024-10-11