Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-10-04

CVE-2024-9106 - Wechat Social Login Plugin

The Wechat Social login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.3.0. This is due to insufficient verification on the user being supplied during the social login. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. This is only exploitable if the app secret is not set, so it has a default empty value.

PLUGIN Wechat Social Login

CVE-2024-9106

CRITICAL CVSS 9.8 2024-10-01
Threat Entry Updated 2024-10-04

CVE-2024-9119 - Svg Complete Plugin

The SVG Complete plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Svg Complete

CVE-2024-9119

MEDIUM CVSS 6.4 2024-10-01
Threat Entry Updated 2024-10-04

CVE-2024-8990 - Geo Mashup Plugin

The Geo Mashup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's geo_mashup_visible_posts_list shortcode in all versions up to, and including, 1.13.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Geo Mashup

CVE-2024-8990

MEDIUM CVSS 6.4 2024-10-01
Threat Entry Updated 2024-10-04

CVE-2024-8989 - Stars Testimonials Plugin

The Free Responsive Testimonials, Social Proof Reviews, and Customer Reviews – Stars Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's stars_testimonials shortcode in all versions up to, and including, 3.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Stars Testimonials

CVE-2024-8989

MEDIUM CVSS 6.4 2024-10-01
Threat Entry Updated 2024-10-04

CVE-2024-8720 - Rumbletalk Chat A Chat With Themes Plugin

The RumbleTalk Live Group Chat – HTML5 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rumbletalk-admin-button' shortcode in all versions up to, and including, 6.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Rumbletalk Chat A Chat With Themes

CVE-2024-8720

MEDIUM CVSS 6.4 2024-10-01
Threat Entry Updated 2024-10-04

CVE-2024-8728 - Easy Load More Plugin

The Easy Load More plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Easy Load More

CVE-2024-8728

MEDIUM CVSS 6.1 2024-10-01
Threat Entry Updated 2024-10-04

CVE-2024-8727 - Dk Pdf Plugin

The DK PDF plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.9.6. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Dk Pdf

CVE-2024-8727

MEDIUM CVSS 6.1 2024-10-01
Threat Entry Updated 2024-10-04

CVE-2024-8718 - Gravity Forms Toolbar Plugin

The Gravity Forms Toolbar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Gravity Forms Toolbar

CVE-2024-8718

MEDIUM CVSS 6.1 2024-10-01
Threat Entry Updated 2025-02-10

CVE-2024-8548 - Kb Support Plugin

The KB Support – WordPress Help Desk and Knowledge Base plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on several functions in all versions up to, and including, 1.6.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform multiple administrative actions, such as replying to arbitrary tickets, updating the status of any post, deleting any post, adding notes to tickets, flagging or unflagging tickets, and adding or removing ticket participants.

PLUGIN Kb Support

CVE-2024-8548

HIGH CVSS 8.1 2024-10-01
Threat Entry Updated 2024-10-04

CVE-2024-7869 - 123 Chat Videochat Plugin

The 123.chat - Video Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN 123 Chat Videochat

CVE-2024-7869

HIGH CVSS 7.2 2024-10-01
Threat Entry Updated 2025-02-10

CVE-2024-8632 - Kb Support Plugin

The KB Support – WordPress Help Desk and Knowledge Base plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'kbs_ajax_load_front_end_replies' and 'kbs_ajax_mark_reply_as_read' functions in all versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to read replies of any ticket, and mark any reply as read.

PLUGIN Kb Support

CVE-2024-8632

MEDIUM CVSS 6.5 2024-10-01
Threat Entry Updated 2024-10-04

CVE-2024-8675 - Soumettre Fr Plugin

The Soumettre.fr plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the soumettre_disconnect_gateway function in all versions up to, and including, 2.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect the gateway and delete the API key.

PLUGIN Soumettre Fr

CVE-2024-8675

MEDIUM CVSS 4.3 2024-10-01
Threat Entry Updated 2024-11-13

CVE-2024-7434 - Ultrapress Plugin

The UltraPress theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.1 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

PLUGIN Ultrapress

CVE-2024-7434

HIGH CVSS 8.8 2024-10-01
Threat Entry Updated 2024-11-13

CVE-2024-7433 - Empowerment Plugin

The Empowerment theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.2 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

PLUGIN Empowerment

CVE-2024-7433

HIGH CVSS 8.8 2024-10-01
Threat Entry Updated 2024-11-13

CVE-2024-7432 - Unseen Blog Plugin

The Unseen Blog theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.0 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

PLUGIN Unseen Blog

CVE-2024-7432

HIGH CVSS 8.8 2024-10-01
Threat Entry Updated 2024-11-13

CVE-2024-8107 - Slider Revolution Plugin

The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.7.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. By default, this can only be exploited by administrators, but the ability to use and configure Slider Revolution can be extended to authors.

PLUGIN Slider Revolution

CVE-2024-8107

MEDIUM CVSS 6.4 2024-10-01
Threat Entry Updated 2024-10-04

CVE-2024-8981 - Broken Link Checker Plugin

The Broken Link Checker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg in /app/admin-notices/features/class-view.php without appropriate escaping on the URL in all versions up to, and including, 2.4.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Broken Link Checker

CVE-2024-8981

HIGH CVSS 7.1 2024-10-01
Threat Entry Updated 2024-10-07

CVE-2024-8379 - Cost Calculator Builder Plugin

The Cost Calculator Builder WordPress plugin before 3.2.29 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin.

PLUGIN Cost Calculator Builder

CVE-2024-8379

HIGH CVSS 7.2 2024-09-30
Threat Entry Updated 2024-10-03

CVE-2024-8536 - Ultimate Blocks Plugin

The Ultimate Blocks WordPress plugin before 3.2.2 does not validate and escape some of its block attributes before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Ultimate Blocks

CVE-2024-8536

MEDIUM CVSS 5.4 2024-09-30
Threat Entry Updated 2024-10-07

CVE-2024-8239 - Before 3 Plugin

The Starbox WordPress plugin before 3.5.3 does not properly render social media profile URLs in certain contexts, such as the malicious user's profile or pages where the starbox shortcode is used, which may be abused by users with at least the contributor role to conduct Stored XSS attacks.

PLUGIN Before 3

CVE-2024-8239

MEDIUM CVSS 5.4 2024-09-30