Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-09-27
CVE-2024-8657 - Garden Gnome Package Plugin
The Garden Gnome Package plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ggpkg shortcode in all versions up to, and including, 2.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Garden Gnome Package
CVE-2024-8657
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-8544 - Pixel Cat Plugin
The Pixel Cat – Conversion Pixel Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.0.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Pixel Cat
CVE-2024-8544
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-8432 - Webba Booking Plugin
The Appointment & Event Booking Calendar Plugin – Webba Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_appearance() function in all versions up to, and including, 5.0.48. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the booking form's CSS.
PLUGIN
Webba Booking
CVE-2024-8432
Risk Score
Threat Entry
Updated 2024-10-07
CVE-2024-8758 - Before 9 Plugin
The Quiz and Survey Master (QSM) WordPress plugin before 9.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 9
CVE-2024-8758
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-8680 - Mailchimp Plugin
The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.9.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Mailchimp
CVE-2024-8680
Risk Score
Threat Entry
Updated 2024-09-25
CVE-2024-8853 - Webo Facto Plugin
The Webo-facto plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.40 due to insufficient restriction on the 'doSsoAuthentification' function. This makes it possible for unauthenticated attackers to make themselves administrators by registering with a username that contains '-wfuser'.
PLUGIN
Webo Facto
CVE-2024-8853
Risk Score
Threat Entry
Updated 2024-09-25
CVE-2024-8364 - Wp Custom Fields Search Plugin
The WP Custom Fields Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpcfs-preset shortcode in all versions up to, and including, 1.2.35 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Custom Fields Search
CVE-2024-8364
Risk Score
Threat Entry
Updated 2024-09-25
CVE-2024-8850 - Mailchimp Plugin
The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email' parameter when a placeholder such as {email} is used for the field in versions 4.9.9 to 4.9.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Mailchimp
CVE-2024-8850
Risk Score
Threat Entry
Updated 2024-09-25
CVE-2024-6641 - Wp Hardening Plugin
The WP Hardening – Fix Your WordPress Security plugin for WordPress is vulnerable to Security Feature Bypass in all versions up to, and including, 1.2.6. This is due to use of an incorrect regular expression within the "Stop User Enumeration" feature. This makes it possible for unauthenticated attackers to bypass intended security restrictions and expose site usernames.
PLUGIN
Wp Hardening
CVE-2024-6641
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-8761 - Share This Image Plugin
The Share This Image plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 2.03. This is due to insufficient validation on the redirect url supplied via the link parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
PLUGIN
Share This Image
CVE-2024-8761
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-8490 - Propertyhive Plugin
The PropertyHive plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.19. This is due to missing or incorrect nonce validation on the 'save_account_details' function. This makes it possible for unauthenticated attackers to edit the name, email address, and password of an administrator account via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Propertyhive
CVE-2024-8490
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-8093 - Posts Reminder Plugin
The Posts reminder WordPress plugin through 0.20 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Posts Reminder
CVE-2024-8093
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-8091 - Enhanced Search Box Plugin
The Enhanced Search Box WordPress plugin through 0.6.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Enhanced Search Box
CVE-2024-8091
Risk Score
Threat Entry
Updated 2026-01-23
CVE-2024-8047 - Visual Sound Plugin
The Visual Sound (old) WordPress plugin through 1.06 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Visual Sound
CVE-2024-8047
Risk Score
Threat Entry
Updated 2024-09-30
CVE-2024-8044 - Infolinks Ad Wrap Plugin
The infolinks Ad Wrap WordPress plugin through 1.0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Infolinks Ad Wrap
CVE-2024-8044
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-8052 - Review Ratings Plugin
The Review Ratings WordPress plugin through 1.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
PLUGIN
Review Ratings
CVE-2024-8052
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-8092 - Accordion Image Menu Plugin
The Accordion Image Menu WordPress plugin through 3.1.3 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
PLUGIN
Accordion Image Menu
CVE-2024-8092
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-8051 - Special Feed Items Plugin
The Special Feed Items WordPress plugin through 1.0.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
PLUGIN
Special Feed Items
CVE-2024-8051
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-8043 - Vikinghammer Tweet Plugin
The Vikinghammer Tweet WordPress plugin through 0.2.4 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
PLUGIN
Vikinghammer Tweet
CVE-2024-8043
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-5170 - Logo Manager For Enamad Plugin
The Logo Manager For Enamad WordPress plugin through 0.7.1 does not sanitise and escape in its widgets settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Logo Manager For Enamad
CVE-2024-5170
Risk Score