Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-09-26
CVE-2024-43237 - WordPress Core
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in TaxoPress WordPress Tag Cloud Plugin – Tag Groups.This issue affects WordPress Tag Cloud Plugin – Tag Groups: from n/a through 2.0.3.
CORE
WordPress Core
CVE-2024-43237
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-8546 - Elementskit Elementor Addons Plugin
The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Video widget in all versions up to, and including, 3.2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Elementskit Elementor Addons
CVE-2024-8546
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-8858 - Addons For Elementor Plugin
The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘piechart_settings’ parameter in all versions up to, and including, 8.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Addons For Elementor
CVE-2024-8858
Risk Score
Threat Entry
Updated 2025-03-07
CVE-2024-9169 - Litespeed Cache Plugin
The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin debug settings in all versions up to, and including, 6.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Litespeed Cache
CVE-2024-9169
Risk Score
Threat Entry
Updated 2024-10-03
CVE-2024-8910 - Ht Mega Plugin
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.5 via the render function in includes/widgets/htmega_accordion.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.
PLUGIN
Ht Mega
CVE-2024-8910
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-8290 - Frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible Plugin
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.12 via the WCFM_Customers_Manage_Controller::processing function due to missing validation on the ID user controlled key. This makes it possible for authenticated attackers, with subscriber/customer-level access and above, to change the email address of administrator user accounts which allows them to reset the password and access the administrator account.
PLUGIN
Frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible
CVE-2024-8290
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-8678 - Revolut Gateway For Woocommerce Plugin
The Revolut Gateway for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wc/v3/revolut REST API endpoint in all versions up to, and including, 4.17.3. This makes it possible for unauthenticated attackers to mark orders as completed.
PLUGIN
Revolut Gateway For Woocommerce
CVE-2024-8678
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-3866 - Ninja Forms Plugin
The Ninja Forms Contact Form plugin for WordPress is vulnerable to Reflected Self-Based Cross-Site Scripting via the 'Referer' header in all versions up to, and including, 3.8.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Successful exploitation of this vulnerability requires "maintenance mode" for a targeted form to be enabled. However, there is no setting available to…
PLUGIN
Ninja Forms
CVE-2024-3866
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-8658 - Mycred Plugin
The myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the mycred_update_database() function in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to upgrade an out of date database.
PLUGIN
Mycred
CVE-2024-8658
Risk Score
Threat Entry
Updated 2026-01-20
CVE-2024-6845 - Chatbot With Chatgpt Plugin
The Chatbot with ChatGPT WordPress plugin before 2.4.6 does not have proper authorization in one of its REST endpoint, allowing unauthenticated users to retrieve the encoded key and then decode it, thereby leaking the OpenAI API key
PLUGIN
Chatbot With Chatgpt
CVE-2024-6845
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-7878 - Before 4 Plugin
The WP ULike WordPress plugin before 4.7.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 4
CVE-2024-7878
Risk Score
Threat Entry
Updated 2024-10-07
CVE-2024-7892 - Adstxt Plugin
The adstxt Plugin WordPress plugin through 1.0.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Adstxt
CVE-2024-7892
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-8275 - The Events Calendar Plugin
The The Events Calendar plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'tribe_has_next_event' function in all versions up to, and including, 6.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Only sites that have manually added tribe_has_next_event() will be vulnerable to this SQL injection.
PLUGIN
The Events Calendar
CVE-2024-8275
Risk Score
Threat Entry
Updated 2024-10-07
CVE-2024-8668 - Woolentor Woocommerce Elementor Addons Builder Plugin
The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the tooltip and countdown functionality in all versions up to, and including, 2.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Woolentor Woocommerce Elementor Addons Builder
CVE-2024-8668
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-8516 - Themesflat Addons For Elementor
The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.1 via the render() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract limited post information from draft and future scheduled posts.
THEME
Themesflat Addons For Elementor
CVE-2024-8516
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-8514 - Google Website Translator Plugin
The Prisna GWT – Google Website Translator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.11 via deserialization of untrusted input from the 'prisna_import' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or…
PLUGIN
Google Website Translator
CVE-2024-8514
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-7385 - Wordpress Simple Html Sitemap Plugin
The WordPress Simple HTML Sitemap plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Wordpress Simple Html Sitemap
CVE-2024-7385
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-8515 - Themesflat Addons For Elementor
The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets like 'TF E Slider Widget', 'TF Video Widget', 'TF Team Widget' and more in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on URL attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
THEME
Themesflat Addons For Elementor
CVE-2024-8515
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-9073 - Free Gutenberg Blocks Plugin
The GutenGeek Free Gutenberg Blocks for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Free Gutenberg Blocks
CVE-2024-9073
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-9069 - Graphicsly Plugin
The Graphicsly – The ultimate graphics plugin for WordPress website builder ( Gutenberg, Elementor, Beaver Builder, WPBakery ) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Graphicsly
CVE-2024-9069
Risk Score