Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-09-26
CVE-2024-5870 - Tweaker5 Plugin
The Tweaker5 theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Button shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Tweaker5
CVE-2024-5870
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-5869 - Neighborly Plugin
The Neighborly theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Button shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Neighborly
CVE-2024-5869
Risk Score
Threat Entry
Updated 2024-09-26
CVE-2024-5867 - Delicate Plugin
The Delicate theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter within the theme's Button shortcode in all versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Delicate
CVE-2024-5867
Risk Score
Threat Entry
Updated 2024-09-26
CVE-2024-5789 - Triton Lite Plugin
The Triton Lite theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' attribute within the theme's Button shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Triton Lite
CVE-2024-5789
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-8742 - Essential Addons For Elementor Plugin
The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Filterable Gallery widget in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Essential Addons For Elementor
CVE-2024-8742
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-8665 - Yith Custom Login Plugin
The YITH Custom Login plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Yith Custom Login
CVE-2024-8665
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-8664 - Wp Test Email Plugin
The WP Test Email plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Wp Test Email
CVE-2024-8664
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-8663 - Wp Simple Booking Calendar Plugin
The WP Simple Booking Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.10. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Wp Simple Booking Calendar
CVE-2024-8663
Risk Score
Threat Entry
Updated 2024-09-26
CVE-2024-5567 - Betheme
The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 27.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
THEME
Betheme
CVE-2024-5567
Risk Score
Threat Entry
Updated 2025-11-06
CVE-2024-7888 - Classified Listing Plugin
The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions like export_forms(), import_forms(), update_fb_options(), and many more in all versions up to, and including, 3.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify forms and various other settings.
PLUGIN
Classified Listing
CVE-2024-7888
Risk Score
Threat Entry
Updated 2025-09-15
CVE-2024-7129 - Appointment Booking Calendar Plugin
The Appointment Booking Calendar WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig Template Injection which further exploited can result to remote code Execution by high privilege such as admins
PLUGIN
Appointment Booking Calendar
CVE-2024-7129
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-7863 - Before 2 Plugin
The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not validate files to be uploaded and does not have CSRF checks, which could allow attackers to make logged in admin upload arbitrary files such as PHP on the server
PLUGIN
Before 2
CVE-2024-7863
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-7864 - Before 2 Plugin
The Favicon Generator (CLOSED) WordPress plugin before 2.1 does not have CSRF and path validation in the output_sub_admin_page_0() function, allowing attackers to make logged in admins delete arbitrary files on the server
PLUGIN
Before 2
CVE-2024-7864
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-7133 - And Sticky Header For Any Plugin
The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any WordPress plugin before 2.7.3 does not validate and escape some of its settings before outputting them back in the page, which could allow users with a high role to perform Stored Cross-Site Scripting attacks.
PLUGIN
And Sticky Header For Any
CVE-2024-7133
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-6850 - Carousel Slider Plugin
The Carousel Slider WordPress plugin before 2.2.4 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
PLUGIN
Carousel Slider
CVE-2024-6850
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-6617 - Ninjateam Header Footer Custom Code Plugin
The NinjaTeam Header Footer Custom Code WordPress plugin before 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Ninjateam Header Footer Custom Code
CVE-2024-6617
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-6493 - Ninjateam Header Footer Custom Code Plugin
The NinjaTeam Header Footer Custom Code WordPress plugin before 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Ninjateam Header Footer Custom Code
CVE-2024-6493
Risk Score
Threat Entry
Updated 2024-09-27
CVE-2024-6723 - Ai Engine Plugin
The AI Engine WordPress plugin before 2.4.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin users when viewing chatbot discussions.
PLUGIN
Ai Engine
CVE-2024-6723
Risk Score
Threat Entry
Updated 2024-09-26
CVE-2024-5628 - Avada Plugin
The Avada | Website Builder For WordPress & eCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fusion_button shortcode in all versions up to, and including, 3.11.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in 3.11.9. Additional hardening for alternate attack vectors was added to version…
PLUGIN
Avada
CVE-2024-5628
Risk Score
Threat Entry
Updated 2024-09-26
CVE-2024-8656 - Wpfactory Helper Plugin
The WPFactory Helper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.7.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Wpfactory Helper
CVE-2024-8656
Risk Score