Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 15,036 records: Critical 923, High 3,047, Medium 10,866. Showing 8001-8020 of 15,036.
CVE-2024-9289 - Affiliate Pro Plugin

The WordPress & WooCommerce Affiliate Program plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 8.4.1. This is due to the rtwwwap_login_request_callback() function not properly validating a user's identity prior to authenticating them to the site. This makes it possible for unauthenticated attackers to log in as any user, including administrators, provided they know the administrator's email address.

Plugin: Affiliate Pro. Severity: CRITICAL (CVSS 9.8), 2024-10-01. Entry updated 2024-10-07.
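The bug class behind this entry, as an added illustration that is not the plugin's code: a login callback that authenticates whoever supplies a valid email address, beside one that only logs in a user who presents a single-use token delivered out of band. Function names, the user-meta key and the query parameters are hypothetical.

```php
<?php
// Added illustration of the CVE-2024-9289 bug class; not the plugin's code.
// Function, meta-key and query-parameter names are hypothetical.

// VULNERABLE: the request names an email address and the handler logs that
// user in. Nothing proves the caller controls the mailbox or knows a password.
function vuln_login_request_callback() {
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    $user  = get_user_by( 'email', $email );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 404 );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    wp_send_json_success( 'logged in' );
}

// HARDENED, step 1: mint a random, expiring, single-use token, store only its
// hash, and send the raw token to the address on file. The caller gets the
// same answer whether or not the address exists (no user enumeration).
function fixed_issue_login_token( $email ) {
    $user = get_user_by( 'email', sanitize_email( $email ) );
    if ( $user ) {
        $token = bin2hex( random_bytes( 32 ) );
        update_user_meta( $user->ID, 'hyp_login_token', array(
            'hash'    => hash( 'sha256', $token ),
            'expires' => time() + 10 * MINUTE_IN_SECONDS,
        ) );
        $link = add_query_arg( array( 'uid' => $user->ID, 'hyp_login' => $token ), home_url( '/' ) );
        wp_mail( $user->user_email, 'Your login link', esc_url_raw( $link ) );
    }
    return true;
}

// HARDENED, step 2: log in only the user whose stored hash matches the
// presented token, then burn the token so the link cannot be replayed.
function fixed_login_request_callback() {
    $uid   = isset( $_GET['uid'] ) ? absint( $_GET['uid'] ) : 0;
    $token = isset( $_GET['hyp_login'] ) ? sanitize_text_field( wp_unslash( $_GET['hyp_login'] ) ) : '';
    $user  = $uid ? get_user_by( 'id', $uid ) : false;
    $rec   = $user ? get_user_meta( $user->ID, 'hyp_login_token', true ) : false;

    $valid = $user && is_array( $rec ) && $token !== ''
        && $rec['expires'] > time()
        && hash_equals( $rec['hash'], hash( 'sha256', $token ) );

    if ( ! $valid ) {
        wp_die( 'Invalid or expired login link', '', array( 'response' => 403 ) );
    }
    delete_user_meta( $user->ID, 'hyp_login_token' );
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    wp_safe_redirect( admin_url() );
    exit;
}
```

The hardened form is a magic-link flow, so the mailbox is still the trust anchor; rate-limit token issuance and keep the lifetime short. If the real flow is a social login, the equivalent rule is that the server must verify the provider's token with the provider before trusting any email it carries.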
CVE-2024-9265 - Echo Rss Feed Post Generator Plugin

The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.4.6. This is due to the plugin not properly restricting the roles that can be set during registration through the echo_check_post_header_sent() function. This makes it possible for unauthenticated attackers to register as an administrator.

Plugin: Echo Rss Feed Post Generator. Severity: CRITICAL (CVSS 9.8), 2024-10-01. Entry updated 2024-10-07.
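The registration bug class in this entry, as an added example that is not the plugin's code: a handler that lets the request choose the new account's role, beside one where the server decides. Function names are hypothetical; the final hook is a site-wide compensating control for the whole class, not part of any plugin.

```php
<?php
// Added illustration of the CVE-2024-9265 bug class; not the plugin's code.
// Function names are hypothetical.

// VULNERABLE: the role is read from the POST body, so a self-registration
// request can simply say 'administrator'.
function vuln_register_user( array $post ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['username'] ),
        'user_email' => sanitize_email( $post['email'] ),
        'user_pass'  => $post['password'],
        'role'       => $post['role'],
    ) );
}

// HARDENED: the server decides. Self-registration always gets the configured
// default role; a different role is honoured only when the caller is already
// logged in, holds promote_users, and the role actually exists.
function fixed_register_user( array $post ) {
    $role      = get_option( 'default_role', 'subscriber' );
    $requested = isset( $post['role'] ) ? sanitize_key( $post['role'] ) : '';

    if ( $requested !== '' && is_user_logged_in() && current_user_can( 'promote_users' )
        && get_role( $requested ) instanceof WP_Role ) {
        $role = $requested;
    }

    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['username'], true ),
        'user_email' => sanitize_email( $post['email'] ),
        'user_pass'  => $post['password'],
        'role'       => $role,
    ) );
}

// Defence in depth (mu-plugin style): if any code path creates a user during
// an unauthenticated request with an elevated role, demote it immediately.
add_action( 'user_register', function ( $user_id ) {
    if ( is_user_logged_in() ) {
        return; // created by an administrator in wp-admin; leave it alone
    }
    $user = get_userdata( $user_id );
    if ( $user && array_intersect( array( 'administrator', 'editor' ), (array) $user->roles ) ) {
        $user->set_role( get_option( 'default_role', 'subscriber' ) );
    }
} );
```

The demotion hook is useful while waiting to patch a vulnerable plugin, but it is a backstop, not a fix: it does nothing about other privileged fields (user_login collisions, meta) a registration handler may accept from the request.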
CVE-2024-9241 - Pdf Image Generator Plugin

The PDF Image Generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that execute if they can trick a user into performing an action such as clicking a link.

Plugin: Pdf Image Generator. Severity: MEDIUM (CVSS 6.1), 2024-10-01. Entry updated 2024-10-07.
CVE-2024-9224 - Hello World Plugin

The Hello World plugin for WordPress is vulnerable to Arbitrary File Reading in all versions up to, and including, 2.1.1 via the hello_world_lyric() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Plugin: Hello World. Severity: MEDIUM (CVSS 6.5), 2024-10-01. Entry updated 2024-10-07.
CVE-2024-9228 - Loggedin Plugin

The Loggedin – Limit Active Logins plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.3.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that execute if they can trick a user into performing an action such as clicking a link. This is only exploitable while the plugin's "leave a review" notice is being displayed.

Plugin: Loggedin. Severity: MEDIUM (CVSS 6.1), 2024-10-01. Entry updated 2024-10-07.
CVE-2024-9220 - Lh Copy Media File Plugin

The LH Copy Media File plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.08. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that execute if they can trick a user into performing an action such as clicking a link.

Plugin: Lh Copy Media File. Severity: MEDIUM (CVSS 6.1), 2024-10-01. Entry updated 2024-10-07.
CVE-2024-9209 - Wp Search Analytics Plugin

The WP Search Analytics plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.4.10. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that execute if they can trick a user into performing an action such as clicking a link.

Plugin: Wp Search Analytics. Severity: MEDIUM (CVSS 6.1), 2024-10-01. Entry updated 2024-10-07.
CVE-2024-9018 - Wp Easy Gallery Plugin

The WP Easy Gallery – WordPress Gallery Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the 'key' parameter in all versions up to, and including, 4.8.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Wp Easy Gallery. Severity: HIGH (CVSS 8.8), 2024-10-01. Entry updated 2024-10-07.
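Why "escaping without preparation" is the phrase to notice in this entry, as an added example that is not the plugin's code: a lookup that escapes the value but splices it into the query unquoted, beside the same lookup bound through $wpdb->prepare(), plus the allow-list pattern for identifiers that cannot be bound. The table and function names are hypothetical.

```php
<?php
// Added illustration of the CVE-2024-9018 bug class; not the plugin's code.
// The table and function names are hypothetical.

// VULNERABLE: esc_sql() escapes quote characters, but the value is spliced in
// unquoted, so a payload that needs no quotes (numeric expressions, function
// calls) still changes the query. That is what makes blind, time-based
// extraction possible: the attacker measures response time, not output.
function vuln_get_gallery( $key ) {
    global $wpdb;
    $key = esc_sql( $key );
    return $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}hyp_gallery WHERE gallery_key = $key" );
}

// HARDENED: bind the value with $wpdb->prepare(). %s is quoted and escaped by
// prepare(); the query's shape can no longer change.
function fixed_get_gallery( $key ) {
    global $wpdb;
    $table = $wpdb->prefix . 'hyp_gallery';
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE gallery_key = %s", $key )
    );
}

// Identifiers (column names, ORDER BY targets) cannot be bound with %s; when
// one comes from input, map it through an allow list. The LIMIT is bound as %d.
function fixed_list_galleries( $order_by, $limit ) {
    global $wpdb;
    $columns = array( 'id' => 'id', 'date' => 'created_at', 'title' => 'title' );
    $column  = isset( $columns[ $order_by ] ) ? $columns[ $order_by ] : 'id';
    $table   = $wpdb->prefix . 'hyp_gallery';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, title FROM {$table} ORDER BY {$column} ASC LIMIT %d", absint( $limit ) )
    );
}
```

On WordPress 6.2 and later, $wpdb->prepare() also accepts the %i placeholder for identifiers, which removes the need for the manual allow list when the column set is open-ended; the allow list is still the portable choice for plugins that support older cores.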
CVE-2024-8799 - Custom Banners Plugin

The Custom Banners plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that execute if they can trick a user into performing an action such as clicking a link.

Plugin: Custom Banners. Severity: MEDIUM (CVSS 6.1), 2024-10-01. Entry updated 2024-10-07.
CVE-2024-8793 - Store Exporter For Woocommerce Plugin

The Store Exporter for WooCommerce – Export Products, Export Orders, Export Subscriptions, and More plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.7.2.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that execute if they can trick a user into performing an action such as clicking a link.

Plugin: Store Exporter For Woocommerce. Severity: MEDIUM (CVSS 6.1), 2024-10-01. Entry updated 2024-10-07.
CVE-2024-8786 - Auto Featured Image From Title Plugin

The Auto Featured Image from Title plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that execute if they can trick a user into performing an action such as clicking a link.

Plugin: Auto Featured Image From Title. Severity: MEDIUM (CVSS 6.1), 2024-10-01. Entry updated 2024-10-04.
CVE-2024-8324 - Xo Liteslider Plugin

The XO Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'get_slider' function in all versions up to, and including, 3.8.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Xo Liteslider. Severity: MEDIUM (CVSS 6.4), 2024-10-01. Entry updated 2024-10-04.
CVE-2024-8430 - Spice Starter Sites Plugin

The Spice Starter Sites plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the spice_starter_sites_importer_creater function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to import demo content.

Plugin: Spice Starter Sites. Severity: MEDIUM (CVSS 5.3), 2024-10-01. Entry updated 2024-10-04.
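The missing-capability-check class in this entry, as an added example that is not the plugin's code: an importer exposed to logged-out callers with no authorization, beside one that checks a nonce (against CSRF) and a capability (for authorization), which are two different questions. The action, function and helper names are hypothetical.

```php
<?php
// Added illustration of the CVE-2024-8430 bug class; not the plugin's code.
// Action, function and helper names are hypothetical.

// Hypothetical helpers standing in for the real importer.
function hyp_available_demo_sites() { return array( 'starter-one', 'starter-two' ); }
function hyp_run_import( $site ) { /* creates posts, menus, widgets, options */ }

// VULNERABLE: registered for logged-out callers (wp_ajax_nopriv_) and the
// callback never asks who is calling or whether the request was intended.
add_action( 'wp_ajax_nopriv_hyp_import_demo', 'vuln_import_demo' );
add_action( 'wp_ajax_hyp_import_demo', 'vuln_import_demo' );
function vuln_import_demo() {
    $site = isset( $_POST['site'] ) ? sanitize_key( $_POST['site'] ) : '';
    hyp_run_import( $site );
    wp_send_json_success();
}

// HARDENED: no nopriv registration, a nonce against CSRF, and a capability
// check for authorization. A nonce alone is not authorization: any logged-in
// subscriber can obtain one from a page that prints it.
add_action( 'wp_ajax_hyp_import_demo_fixed', 'fixed_import_demo' );
function fixed_import_demo() {
    check_ajax_referer( 'hyp_import_demo', 'nonce' ); // dies with 403 on failure
    if ( ! current_user_can( 'import' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $site = isset( $_POST['site'] ) ? sanitize_key( wp_unslash( $_POST['site'] ) ) : '';
    if ( ! in_array( $site, hyp_available_demo_sites(), true ) ) {
        wp_send_json_error( 'unknown demo site', 400 );
    }
    hyp_run_import( $site );
    wp_send_json_success();
}

// Where the importer UI is rendered, emit the nonce the JavaScript must send.
function fixed_import_button( $site ) {
    printf(
        '<button class="hyp-import" data-action="hyp_import_demo_fixed" data-nonce="%s" data-site="%s">Import</button>',
        esc_attr( wp_create_nonce( 'hyp_import_demo' ) ),
        esc_attr( $site )
    );
}
```

The same three questions apply to any admin-ajax, REST (permission_callback) or admin_post handler: who may call it, did they mean to, and is the argument one of the values the feature supports.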
CVE-2024-8288 - Guten Post Layout Plugin

The Guten Post Layout – An Advanced Post Grid Collection for WordPress Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' attribute within the 'wp:guten-post-layout/post-grid' Gutenberg block in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Guten Post Layout. Severity: MEDIUM (CVSS 6.4), 2024-10-01. Entry updated 2024-10-04.
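The stored XSS class shared by this entry and CVE-2024-8324 above, as an added example that is not either plugin's code: a server-rendered block whose saved attribute reaches an HTML attribute unescaped, beside the validated and escaped form, with the attribute schema declared so core rejects bad values first. The block name, attribute handling and helper are hypothetical.

```php
<?php
// Added illustration of the stored XSS class in CVE-2024-8288 and
// CVE-2024-8324; not the plugins' code. Block, attribute handling and helper
// names are hypothetical.

// Hypothetical helper that renders the grid body.
function hyp_grid_items() { return '<ul class="hyp-grid-items"></ul>'; }

// VULNERABLE: a saved attribute goes into a class attribute unescaped. A
// contributor cannot publish, but the attribute is saved with the draft and
// rendered for every viewer once an editor publishes (or previews) it.
function vuln_render_post_grid( $attributes ) {
    $align = isset( $attributes['align'] ) ? $attributes['align'] : 'left';
    return '<div class="hyp-grid align-' . $align . '">' . hyp_grid_items() . '</div>';
}

// HARDENED: validate against the finite set the block supports, and escape at
// output anyway. Validation without escaping breaks the moment someone widens
// the set; escaping without validation leaves garbage class names.
function fixed_render_post_grid( $attributes ) {
    $allowed = array( 'left', 'center', 'right', 'wide', 'full' );
    $align   = isset( $attributes['align'] ) ? sanitize_key( $attributes['align'] ) : 'left';
    if ( ! in_array( $align, $allowed, true ) ) {
        $align = 'left';
    }
    return '<div class="' . esc_attr( 'hyp-grid align-' . $align ) . '">' . hyp_grid_items() . '</div>';
}

// Declaring the attribute schema moves the first line of defence into core:
// WP_Block_Type validates saved attributes against it before the render
// callback runs and discards values that fail, falling back to the default.
add_action( 'init', function () {
    register_block_type( 'hyp/post-grid', array(
        'attributes'      => array(
            'align' => array(
                'type'    => 'string',
                'enum'    => array( 'left', 'center', 'right', 'wide', 'full' ),
                'default' => 'left',
            ),
        ),
        'render_callback' => 'fixed_render_post_grid',
    ) );
} );
```

The escaping function must match the sink: esc_attr() for attribute values, esc_url() for href/src, esc_html() for text nodes, and wp_kses() when limited markup is expected. The same rule covers shortcode handlers such as the 'get_slider' sink in CVE-2024-8324, where shortcode attributes are the input.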
CVE-2024-9304 - Locateandfilter Plugin

The LocateAndFilter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Plugin: Locateandfilter. Severity: MEDIUM (CVSS 6.4), 2024-10-01. Entry updated 2024-10-04.
CVE-2024-9274 - Elastik Page Builder Plugin

The Elastik Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 0.27.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Plugin: Elastik Page Builder. Severity: MEDIUM (CVSS 6.4), 2024-10-01. Entry updated 2024-10-04.
CVE-2024-9272 - R Animated Icon Plugin

The R Animated Icon Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Plugin: R Animated Icon. Severity: MEDIUM (CVSS 6.4), 2024-10-01. Entry updated 2024-10-04.
CVE-2024-9269 - Relogo Plugin

The Relogo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 0.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Plugin: Relogo. Severity: MEDIUM (CVSS 6.4), 2024-10-01. Entry updated 2024-10-04.
CVE-2024-9267 - Opt In Hound Plugin

The Easy WordPress Subscribe – Optin Hound plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.4.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that execute if they can trick a user into performing an action such as clicking a link.

Plugin: Opt In Hound. Severity: MEDIUM (CVSS 6.1), 2024-10-01. Entry updated 2024-10-04.
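The add_query_arg() pattern behind this entry and the other reflected XSS entries on this page (CVE-2024-9241, -9228, -9220, -9209, -8799, -8793, -8786), as one added example that is not any of those plugins' code. With no URL argument, add_query_arg() builds on $_SERVER['REQUEST_URI'], which the visitor controls, and it does not escape what it returns; the WordPress documentation says the result must be escaped with esc_url() before output. The notice, function and parameter names below are hypothetical.

```php
<?php
// Added illustration of the add_query_arg() reflected XSS pattern; not any
// listed plugin's code. Names are hypothetical.
//
// With no URL argument, add_query_arg() starts from $_SERVER['REQUEST_URI']
// and returns it unescaped. A request path carrying a quote and an event
// handler therefore lands inside the href attribute of the link built from it.

// VULNERABLE: raw URL into an attribute.
function vuln_dismiss_notice_link() {
    $url = add_query_arg( 'hyp_dismiss', '1' );
    echo '<a href="' . $url . '">Dismiss</a>';
}

// HARDENED: escape at output. esc_url() strips characters that are not valid
// in a URL (double quotes and angle brackets among them), encodes single
// quotes, and drops dangerous schemes, so the attribute cannot be broken out of.
function fixed_dismiss_notice_link() {
    $url = add_query_arg( 'hyp_dismiss', '1' );
    echo '<a href="' . esc_url( $url ) . '">Dismiss</a>';
}

// Better: start from a URL you own so REQUEST_URI never enters the link, and
// nonce the action so a crafted link cannot dismiss the notice for someone else.
function fixed_dismiss_notice_link_owned_base() {
    $url = wp_nonce_url(
        add_query_arg( 'hyp_dismiss', '1', admin_url( 'options-general.php?page=hyp' ) ),
        'hyp_dismiss'
    );
    echo '<a href="' . esc_url( $url ) . '">Dismiss</a>';
}

// Handling the click: verify the nonce before acting on the parameter.
add_action( 'admin_init', function () {
    if ( ! isset( $_GET['hyp_dismiss'] ) ) {
        return;
    }
    check_admin_referer( 'hyp_dismiss' );
    update_user_meta( get_current_user_id(), 'hyp_notice_dismissed', 1 );
    wp_safe_redirect( admin_url( 'options-general.php?page=hyp' ) );
    exit;
} );
```

This is why CVE-2024-9228 is only exploitable while the review notice is displayed: the unescaped link is part of the notice markup, so the sink exists only when the notice renders. For triage of a plugin tree, `grep -rn "add_query_arg(" --include=*.php wp-content/plugins` followed by a look at each call site's output context (href, src, or a redirect) is a reasonable first pass; a call whose result is echoed without esc_url() is the finding.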
CVE-2024-9108 - Wechat Social Login Plugin

The Wechat Social login plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'convert_remoteimage_to_local' function in versions up to, and including, 1.3.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Plugin: Wechat Social Login. Severity: CRITICAL (CVSS 9.8), 2024-10-01. Entry updated 2024-10-04.
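Two upload bug classes from this page in one added example that is not any listed plugin's code: a fetch-remote-image helper that trusts the remote file name and type (the class of this entry), and SVG accepted as an ordinary image even though it is XML that can carry script (the class of CVE-2024-9304, -9274, -9272 and -9269 above). The function and filter-callback names are hypothetical; the WordPress APIs used (download_url, wp_check_filetype_and_ext, media_handle_sideload, the wp_handle_upload_prefilter filter) are real.

```php
<?php
// Added illustration, not any listed plugin's code. Function and callback
// names are hypothetical.

// VULNERABLE: whatever the remote server returns is written under uploads/
// with the remote file name, so a ".php" name gives a web-reachable script.
function vuln_convert_remoteimage_to_local( $url ) {
    $body = wp_remote_retrieve_body( wp_remote_get( $url ) );
    $dir  = wp_upload_dir();
    $dest = $dir['path'] . '/' . basename( parse_url( $url, PHP_URL_PATH ) );
    file_put_contents( $dest, $body );
    return $dir['url'] . '/' . basename( $dest );
}

// HARDENED: download to a temp file, let core sniff the real content type
// against an image-only allow list, and let media_handle_sideload() choose a
// safe name and register the attachment.
function fixed_convert_remoteimage_to_local( $url, $post_id = 0 ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';

    $tmp = download_url( esc_url_raw( $url ) );
    if ( is_wp_error( $tmp ) ) {
        return $tmp;
    }
    $allowed = array( 'jpg|jpeg|jpe' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif', 'webp' => 'image/webp' );
    $name    = sanitize_file_name( basename( parse_url( $url, PHP_URL_PATH ) ) );
    $check   = wp_check_filetype_and_ext( $tmp, $name, $allowed ); // inspects bytes, not just the name
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        @unlink( $tmp );
        return new WP_Error( 'bad_type', 'Not an allowed image type' );
    }
    $file = array( 'name' => $check['proper_filename'] ? $check['proper_filename'] : $name, 'tmp_name' => $tmp );
    $id   = media_handle_sideload( $file, $post_id );
    if ( is_wp_error( $id ) ) {
        @unlink( $tmp );
        return $id;
    }
    return wp_get_attachment_url( $id );
}

// SVG is XML that can carry script, so treat it as text. This denylist check
// rejects the obvious active content; a maintained allow-list sanitizer is the
// better choice if SVG uploads are a product requirement.
function hyp_svg_is_safe( $svg ) {
    if ( preg_match( '/<!(DOCTYPE|ENTITY)/i', $svg ) ) {
        return false; // no DTDs or entity declarations in uploads
    }
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors( true );
    $ok   = $doc->loadXML( $svg, LIBXML_NONET );
    libxml_use_internal_errors( $prev );
    if ( ! $ok ) {
        return false;
    }
    $xpath = new DOMXPath( $doc );
    $bad   = $xpath->query(
        '//*[local-name()="script" or local-name()="foreignObject"]'
        . ' | //@*[starts-with(translate(local-name(), "ON", "on"), "on")]'
        . ' | //@*[local-name()="href" and starts-with(normalize-space(translate(., "JAVASCRIPT", "javascript")), "javascript:")]'
    );
    return $bad->length === 0;
}

// Reject unsafe SVGs at the point every core upload path passes through.
add_filter( 'wp_handle_upload_prefilter', function ( $file ) {
    if ( preg_match( '/\.svg$/i', $file['name'] )
        && ! hyp_svg_is_safe( (string) file_get_contents( $file['tmp_name'] ) ) ) {
        $file['error'] = 'SVG contains active content and was rejected.';
    }
    return $file;
} );
```

Two operational caveats. First, the prefilter only catches uploads that go through core's handlers; a plugin that writes files itself (as the vulnerable function above does) bypasses it, which is why the fix for that class is in the plugin, not the filter. Second, even a sanitized SVG executes script if a later plugin inlines it into a page; serving it from uploads with a Content-Disposition or a separate origin is the belt to this check's braces.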