Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-09-30
CVE-2024-6590 - Spreadsheet Integration Plugin
The Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display Google sheet as a Table. plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 3.7.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit post status, edit Google sheet integrations, and create Google sheet integrations.
PLUGIN
Spreadsheet Integration
CVE-2024-6590
Risk Score
Threat Entry
Updated 2025-12-31
CVE-2024-8914 - Thanh Toan Quet Ma Qr Code Tu Dong Plugin
The Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.1 due to incorrect use of the wp_kses_allowed_html function, which allows the 'onclick' attribute for certain HTML elements without sufficient restriction or context validation. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Thanh Toan Quet Ma Qr Code Tu Dong
CVE-2024-8914
Risk Score
Threat Entry
Updated 2024-09-30
CVE-2024-8919 - Confetti Fall Animation Plugin
The Confetti Fall Animation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'confetti-fall-animation' shortcode in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Confetti Fall Animation
CVE-2024-8919
Risk Score
Threat Entry
Updated 2024-09-30
CVE-2024-8917 - Football Leagues Plugin
The AnWP Football Leagues plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 0.16.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Football Leagues
CVE-2024-8917
Risk Score
Threat Entry
Updated 2024-09-30
CVE-2024-8801 - Happy Addons For Elementor Plugin
The Happy Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.2 via the Content Switcher widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including private, draft, and pending Elementor templates.
PLUGIN
Happy Addons For Elementor
CVE-2024-8801
Risk Score
Threat Entry
Updated 2025-09-26
CVE-2024-8436 - Wp Easy Gallery Plugin
The WP Easy Gallery – WordPress Gallery Plugin plugin for WordPress is vulnerable to SQL Injection via the 'edit_imageId' and 'edit_imageDelete' parameters in all versions up to, and including, 4.8.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Wp Easy Gallery
CVE-2024-8436
Risk Score
Threat Entry
Updated 2025-05-29
CVE-2024-8437 - Wp Easy Gallery Plugin
The WP Easy Gallery – WordPress Gallery Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions hooked via AJAX like wpeg_settings and wpeg_add_gallery in all versions up to, and including, 4.8.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify galleries.
PLUGIN
Wp Easy Gallery
CVE-2024-8437
Risk Score
Threat Entry
Updated 2025-08-26
CVE-2024-8267 - Radio Player Plugin
The Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' attribute within the 'wp:radio-player' Gutenberg block in all versions up to, and including, 2.0.78 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Radio Player
CVE-2024-8267
Risk Score
Threat Entry
Updated 2024-09-30
CVE-2024-8103 - Wp Category Dropdown Plugin
The WP Category Dropdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' parameter in all versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Category Dropdown
CVE-2024-8103
Risk Score
Threat Entry
Updated 2024-09-30
CVE-2023-5359 - W3 Total Cache Plugin
The W3 Total Cache plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.7.5 via Google OAuth API secrets stored in plaintext in the publicly visible plugin source. This can allow unauthenticated attackers to impersonate W3 Total Cache and gain access to user account information in successful conditions. This would not impact the WordPress users site in any way.
PLUGIN
W3 Total Cache
CVE-2023-5359
Risk Score
Threat Entry
Updated 2024-09-26
CVE-2024-8791 - Charitable Plugin
The Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.8.1.14. This is due to the plugin not properly verifying a user's identity when the ID parameter is supplied through the update_core_user() function. This makes it possible for unauthenticated attackers to update the email address and password of arbitrary user accounts, including administrators, which can then be used to log in to those user accounts.
PLUGIN
Charitable
CVE-2024-8791
Risk Score
Threat Entry
Updated 2024-09-26
CVE-2024-8671 - Wooevents Plugin
The WooEvents - Calendar and Event Booking plugin for WordPress is vulnerable to arbitrary file overwrite due to insufficient file path validation in the inc/barcode.php file in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to overwrite arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
PLUGIN
Wooevents
CVE-2024-8671
Risk Score
Threat Entry
Updated 2024-09-26
CVE-2024-8794 - Ba Book Everything Plugin
The BA Book Everything plugin for WordPress is vulnerable to arbitrary password reset in all versions up to, and including, 1.6.20. This is due to the reset_user_password() function not verifying a user's identity prior to setting a password. This makes it possible for unauthenticated attackers to reset any user's passwords, including administrators. It's important to note that the attacker will not have access to the generated password, therefore, privilege escalation is not possible.
PLUGIN
Ba Book Everything
CVE-2024-8794
Risk Score
Threat Entry
Updated 2024-09-26
CVE-2024-8624 - Wordpress Meta Data And Taxonomies Filter Plugin
The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to SQL Injection via the 'meta_key' attribute of the 'mdf_select_title' shortcode in all versions up to, and including, 1.3.3.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Wordpress Meta Data And Taxonomies Filter
CVE-2024-8624
Risk Score
Threat Entry
Updated 2024-09-26
CVE-2024-8623 - Wordpress Meta Data And Taxonomies Filter Plugin
The The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.3.3.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
PLUGIN
Wordpress Meta Data And Taxonomies Filter
CVE-2024-8623
Risk Score
Threat Entry
Updated 2024-09-26
CVE-2024-8628 - Mailoptin Plugin
The Popup, Optin Form & Email Newsletters for Mailchimp, HubSpot, AWeber – MailOptin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'post-meta' shortcode in all versions up to, and including, 1.2.70.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Mailoptin
CVE-2024-8628
Risk Score
Threat Entry
Updated 2024-09-26
CVE-2024-8795 - Ba Book Everything Plugin
The BA Book Everything plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.20. This is due to missing or incorrect nonce validation on the my_account_update() function. This makes it possible for unauthenticated attackers to update a user's account details via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This can be leveraged to reset a user's password and gain access to their account.
PLUGIN
Ba Book Everything
CVE-2024-8795
Risk Score
Threat Entry
Updated 2024-09-26
CVE-2024-8738 - Seriously Simple Stats Plugin
The Seriously Simple Stats plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.6.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Seriously Simple Stats
CVE-2024-8738
Risk Score
Threat Entry
Updated 2024-09-26
CVE-2024-8716 - Xt Ajax Add To Cart For Woocommerce Plugin
The XT Ajax Add To Cart for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Xt Ajax Add To Cart For Woocommerce
CVE-2024-8716
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-8662 - Koko Analytics Plugin
The Koko Analytics plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.3.12. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Koko Analytics
CVE-2024-8662
Risk Score