
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-09-26

CVE-2024-3163 - Easy Property Listings Plugin

The Easy Property Listings WordPress plugin before 3.5.4 does not have a CSRF check when deleting contacts in bulk, which could allow attackers to make a logged-in admin delete them via a CSRF attack.

PLUGIN Easy Property Listings

CVE-2024-3163

MEDIUM CVSS 4.3 2024-09-12
Threat Entry Updated 2024-09-26

CVE-2024-5416 - Website Builder Plugin

The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the url parameter of multiple widgets in all versions up to, and including, 3.23.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in Elementor Editor pages. This was partially patched in version 3.23.2.

PLUGIN Website Builder

CVE-2024-5416

MEDIUM CVSS 5.4 2024-09-11
Threat Entry Updated 2024-09-26

CVE-2024-8277 - Woocommerce Photo Reviews Plugin

The WooCommerce Photo Reviews Premium plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.3.13.2. This is due to the plugin not properly validating what user transient is being used in the login() function and not properly verifying the user's identity. This makes it possible for unauthenticated attackers to log in as a user that has dismissed an admin notice in the past 30 days, which is often an administrator. Alternatively, a user can log in as any user with any transient that has a…

PLUGIN Woocommerce Photo Reviews

CVE-2024-8277

CRITICAL CVSS 9.8 2024-09-11
Threat Entry Updated 2024-09-25

CVE-2024-8045 - Advanced Wordpress Backgrounds Plugin

The Advanced WordPress Backgrounds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'imageTag' parameter in all versions up to, and including, 1.12.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Advanced Wordpress Backgrounds

CVE-2024-8045

MEDIUM CVSS 6.4 2024-09-11
Threat Entry Updated 2024-09-25

CVE-2024-7626 - Wp Delicious Plugin

The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file movement and reading due to insufficient file path validation in the save_edit_profile_details() function in all versions up to, and including, 1.6.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). This can also lead to the reading of arbitrary files that may contain…

PLUGIN Wp Delicious

CVE-2024-7626

HIGH CVSS 8.1 2024-09-11
Threat Entry Updated 2024-09-25

CVE-2024-8440 - Essential Addons For Elementor Plugin

The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Fancy Text widget in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Essential Addons For Elementor

CVE-2024-8440

MEDIUM CVSS 6.4 2024-09-11
Threat Entry Updated 2024-09-25

CVE-2024-7716 - Logo Slider Plugin

The Logo Slider WordPress plugin before 3.6.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Logo Slider

CVE-2024-7716

MEDIUM CVSS 4.8 2024-09-11
Threat Entry Updated 2024-09-25

CVE-2024-3899 - Gallery Plugin For Wordpress

The Gallery Plugin for WordPress WordPress plugin before 1.8.15 does not sanitise and escape some of its image settings, which could allow users with post-writing privilege such as Author to perform Cross-Site Scripting attacks.

PLUGIN Gallery Plugin For Wordpress

CVE-2024-3899

MEDIUM CVSS 4.8 2024-09-11
Threat Entry Updated 2024-09-18

CVE-2024-7727 - Html5 Video Player Plugin

The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions called via the 'h5vp_ajax_handler' ajax action in all versions up to, and including, 2.5.32. This makes it possible for unauthenticated attackers to call these functions to manipulate data.

PLUGIN Html5 Video Player

CVE-2024-7727

MEDIUM CVSS 5.3 2024-09-11
Threat Entry Updated 2024-09-18

CVE-2024-7721 - Html5 Video Player Plugin

The HTML5 Video Player – mp4 Video Player Plugin and Block plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_password' function in all versions up to, and including, 2.5.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to set any options that are not explicitly checked as false to an array, including enabling user registration if it has been disabled.

PLUGIN Html5 Video Player

CVE-2024-7721

MEDIUM CVSS 4.3 2024-09-11
Threat Entry Updated 2024-09-25

CVE-2024-8253 - Post Grid Plugin

The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable to privilege escalation in all versions 2.2.87 to 2.2.90. This is due to the plugin not properly restricting what user meta values can be updated and ensuring a form is active. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their user meta to become an administrator.

PLUGIN Post Grid

CVE-2024-8253

HIGH CVSS 8.8 2024-09-11
Threat Entry Updated 2024-09-26

CVE-2024-6282 - Master Addons Plugin

The Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-jltma-wrapper-link element in all versions up to, and including, 2.0.6.4 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks on the injected link.

PLUGIN Master Addons

CVE-2024-6282

MEDIUM CVSS 5.4 2024-09-10
Threat Entry Updated 2024-09-26

CVE-2024-8369 - Eventprime Plugin

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access to Private or Password-protected events due to missing authorization checks in all versions up to, and including, 4.0.4.3. This makes it possible for unauthenticated attackers to view private or password-protected events.

PLUGIN Eventprime

CVE-2024-8369

MEDIUM CVSS 5.3 2024-09-10
Threat Entry Updated 2024-09-26

CVE-2024-7770 - File Manager Plugin

The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload' function in all versions up to, and including, 6.5.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted upload permissions by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN File Manager

CVE-2024-7770

HIGH CVSS 8.8 2024-09-10
Threat Entry Updated 2024-09-27

CVE-2024-8543 - Slider Comparison Image Before And After Plugin

The Slider comparison image before and after plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [sciba] shortcode in all versions up to, and including, 0.8.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Slider Comparison Image Before And After

CVE-2024-8543

MEDIUM CVSS 6.4 2024-09-10
Threat Entry Updated 2024-09-26

CVE-2024-8241 - Nova Blocks Plugin

The Nova Blocks by Pixelgrade plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' attribute of the 'wp:separator' Gutenberg block in all versions up to, and including, 2.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Nova Blocks

CVE-2024-8241

MEDIUM CVSS 6.4 2024-09-10
Threat Entry Updated 2024-09-26

CVE-2023-2919 - Tutor Plugin

The Tutor LMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.4. This is due to missing or incorrect nonce validation on the 'addon_enable_disable' function. This makes it possible for unauthenticated attackers to enable or disable addons via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Tutor

CVE-2023-2919

MEDIUM CVSS 4.3 2024-09-10
Threat Entry Updated 2024-09-19

CVE-2024-7655 - Peepso Plugin

The Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 6.4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Peepso

CVE-2024-7655

MEDIUM CVSS 4.4 2024-09-10
Threat Entry Updated 2024-09-19

CVE-2024-7618 - Peepso Plugin

The Community by PeepSo – Social Network, Membership, Registration, User Profiles plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'content' parameter in all versions up to, and including, 6.4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Peepso

CVE-2024-7618

MEDIUM CVSS 4.4 2024-09-10
Threat Entry Updated 2025-05-16

CVE-2024-7955 - Starbox Plugin

The Starbox WordPress plugin before 3.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Starbox

CVE-2024-7955

MEDIUM CVSS 4.8 2024-09-10