Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-10-02
CVE-2024-9068 - Oneelements Plugin
The OneElements – Best Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Oneelements
CVE-2024-9068
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-9028 - Wp Gpx Maps Plugin
The WP GPX Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sgpx' shortcode in all versions up to, and including, 1.7.08 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Gpx Maps
CVE-2024-9028
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-9027 - Wpzoom Shortcodes Plugin
The WPZOOM Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'box' shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wpzoom Shortcodes
CVE-2024-9027
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-9024 - Material Design Icons Plugin
The Material Design Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mdi-icon shortcode in all versions up to, and including, 0.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Material Design Icons
CVE-2024-9024
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-8741 - Beam Me Up Scotty Plugin
The Beam me up Scotty – Back to Top Button plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.0.21. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Beam Me Up Scotty
CVE-2024-8741
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-8621 - Daily Prayer Time Plugin
The Daily Prayer Time plugin for WordPress is vulnerable to SQL Injection via the 'max_word' attribute of the 'quran_verse' shortcode in all versions up to, and including, 2024.08.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Daily Prayer Time
CVE-2024-8621
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-8485 - Rest Api To Miniprogram Plugin
The REST API TO MiniProgram plugin for WordPress is vulnerable to privilege escalation via account takeovr in all versions up to, and including, 4.7.1 via the updateUserInfo() due to missing validation on the 'openid' user controlled key that determines what user will be updated. This makes it possible for unauthenticated attackers to update arbitrary user's accounts, including their email to a @weixin.com email, which can the be leveraged to reset the password of the user's account, including administrators.
PLUGIN
Rest Api To Miniprogram
CVE-2024-8485
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-8713 - Kodex Posts Likes Plugin
The Kodex Posts likes plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.5.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Kodex Posts Likes
CVE-2024-8713
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-8549 - Simple Calendar Plugin
The Simple Calendar – Google Calendar Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.4.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Simple Calendar
CVE-2024-8549
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-8484 - Rest Api To Miniprogram Plugin
The REST API TO MiniProgram plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/watch-life-net/v1/comment/getcomments REST API endpoint in all versions up to, and including, 4.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Rest Api To Miniprogram
CVE-2024-8484
Risk Score
Threat Entry
Updated 2024-12-26
CVE-2024-8481 - The Special Text Boxes Plugin
The The Special Text Boxes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 6.2.2. This is due to the plugin adding the filter add_filter('comment_text', 'do_shortcode'); which will run all shortcodes in comments. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
PLUGIN
The Special Text Boxes
CVE-2024-8481
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-8483 - Mas Static Content Plugin
The MAS Static Content plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.8 via the static_content() function. This makes it possible for authenticated attackers, with contributor-level access and above, to extract potentially sensitive information from private static content pages.
PLUGIN
Mas Static Content
CVE-2024-8483
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-8476 - Easy Paypal Events Plugin
The Easy PayPal Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on the wpeevent_plugin_buttons() function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Easy Paypal Events
CVE-2024-8476
Risk Score
Threat Entry
Updated 2024-12-17
CVE-2024-8434 - Mega Menu Plugin
The Easy Mega Menu Plugin for WordPress – ThemeHunk plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions hooked via AJAX in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform actions like updating plugin settings.
PLUGIN
Mega Menu
CVE-2024-8434
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-8350 - Uncanny Groups For Learndash Plugin
The Uncanny Groups for LearnDash plugin for WordPress is vulnerable to user group add due to a missing capability check on the /wp-json/ulgm_management/v1/add_user/ REST API endpoint in all versions up to, and including, 6.1.0.1. This makes it possible for authenticated attackers, with group leader-level access and above, to add users to their group which ultimately allows them to leverage CVE-2024-8349 and gain admin access to the site.
PLUGIN
Uncanny Groups For Learndash
CVE-2024-8350
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-8349 - Uncanny Groups For Learndash Plugin
The Uncanny Groups for LearnDash plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 6.1.0.1. This is due to the plugin not properly restricting what users a group leader can edit. This makes it possible for authenticated attackers, with group leader-level access and above, to change admin account email addresses which can subsequently lead to admin account access.
PLUGIN
Uncanny Groups For Learndash
CVE-2024-8349
Risk Score
Threat Entry
Updated 2024-10-02
CVE-2024-7617 - Contact Form To Any Api Plugin
The Contact Form to Any API plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Contact Form 7 form fields in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Contact Form To Any Api
CVE-2024-7617
Risk Score
Threat Entry
Updated 2025-03-12
CVE-2024-7491 - Husky Products Filter Professional For Woocommerce Plugin
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.6.1 via the woof_messenger_remove_subscr AJAX action due to missing validation on the 'key' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to unsubscribe users from a product notification sign-ups, if they can successfully obtain or brute force the key value for users who signed up to receive notifications. This vulnerability requires the plugin's Products Messenger extension to be…
PLUGIN
Husky Products Filter Professional For Woocommerce
CVE-2024-7491
Risk Score
Threat Entry
Updated 2024-09-30
CVE-2024-7426 - Peepso Plugin
The Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 6.4.6.0. This is due to the plugin displaying errors and allowing direct access to the sse.php file. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
PLUGIN
Peepso
CVE-2024-7426
Risk Score
Threat Entry
Updated 2025-07-10
CVE-2024-7386 - Premium Packages Sell Digital Products Securely Plugin
The Premium Packages – Sell Digital Products Securely plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.1. This is due to missing nonce validation on the addRefund() function. This makes it possible for unauthenticated attackers to perform actions such as initiating refunds via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link.
PLUGIN
Premium Packages Sell Digital Products Securely
CVE-2024-7386
Risk Score