
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036
Critical: 923
High: 3,047
Medium: 10,866
Showing 8281-8300 of 15036 records
Threat Entry Updated 2024-09-11

CVE-2024-6894 - Rd Station Plugin

The RD Station plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.3.2 due to insufficient input sanitization and output escaping of post metaboxes added by the plugin. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Rd Station

CVE-2024-6894

MEDIUM CVSS 6.4 2024-09-05
Threat Entry Updated 2024-09-12

CVE-2024-6332 - Amelia Plugin

The Booking for Appointments and Events Calendar – Amelia Premium and Lite plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the 'ameliaButtonCommand' function in all versions up to, and including, Premium 7.7 and Lite 1.2.3. This makes it possible for unauthenticated attackers to access employee calendar details, including Google Calendar OAuth tokens in the premium version.

PLUGIN Amelia

CVE-2024-6332

MEDIUM CVSS 6.5 2024-09-05
Threat Entry Updated 2024-09-11

CVE-2024-8363 - Share This Image Plugin

The Share This Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's STI Buttons shortcode in all versions up to, and including, 2.02 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Share This Image

CVE-2024-8363

MEDIUM CVSS 6.4 2024-09-05
Threat Entry Updated 2024-09-11

CVE-2024-5309 - Form Vibes Plugin

The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the fv_export_csv, reset_settings, save_settings, save_columns_settings, get_analytics_data, get_event_logs_data, delete_submissions, and get_submissions functions in all versions up to, and including, 1.4.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform multiple unauthorized actions. NOTE: This vulnerability is partially fixed in version 1.4.12.

PLUGIN Form Vibes

CVE-2024-5309

MEDIUM CVSS 5.4 2024-09-05
Threat Entry Updated 2024-09-11

CVE-2024-6835 - Ivory Search Plugin

The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.5.6 via the ajax_load_posts function. This makes it possible for unauthenticated attackers to extract text data from password-protected posts using a boolean-based attack on the AJAX search form.

PLUGIN Ivory Search

CVE-2024-6835

MEDIUM CVSS 5.3 2024-09-05
Threat Entry Updated 2024-09-11

CVE-2024-7627 - File Manager Plugin

The Bit File Manager plugin for WordPress is vulnerable to Remote Code Execution in versions 6.0 to 6.5.5 via the 'checkSyntax' function. This is due to writing a temporary file to a publicly accessible directory before performing file validation. This makes it possible for unauthenticated attackers to execute code on the server if an administrator has allowed Guest User read permissions.

PLUGIN File Manager

CVE-2024-7627

HIGH CVSS 8.1 2024-09-05
Threat Entry Updated 2024-09-05

CVE-2024-8289 - Multivendorx Plugin

The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to privilege escalation/de-escalation and account takeover due to an insufficient capability check on the update_item_permissions_check and create_item_permissions_check functions in all versions up to, and including, 4.2.0. This makes it possible for unauthenticated attackers to change the password of any user with the vendor role, create new users with the vendor role, and demote other users like administrators to the vendor role.

PLUGIN Multivendorx

CVE-2024-8289

CRITICAL CVSS 9.8 2024-09-04
Threat Entry Updated 2024-10-07

CVE-2024-7870 - Pixelyoursite Plugin

The PixelYourSite – Your smart PIXEL (TAG) & API Manager and the PixelYourSite PRO plugins for WordPress are vulnerable to Sensitive Information Exposure in all versions up to, and including, 9.7.1 and 10.4.2, respectively, through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files, and to delete log files.

PLUGIN Pixelyoursite

CVE-2024-7870

MEDIUM CVSS 6.5 2024-09-04
Threat Entry Updated 2024-10-05

CVE-2024-8318 - Attributes For Blocks Plugin

The Attributes for Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘attributesForBlocks’ parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Attributes For Blocks

CVE-2024-8318

MEDIUM CVSS 6.4 2024-09-04
Threat Entry Updated 2024-09-06

CVE-2024-8123 - Wp Extended Plugin

The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.0.8 via the duplicate_post function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate posts written by other authors including admins. This includes the ability to duplicate password-protected posts, which reveals their contents.

PLUGIN Wp Extended

CVE-2024-8123

MEDIUM CVSS 5.4 2024-09-04
Threat Entry Updated 2024-09-05

CVE-2024-8106 - Wp Extended Plugin

The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.8 via the download_user_ajax function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including usernames, hashed passwords, and emails.

PLUGIN Wp Extended

CVE-2024-8106

MEDIUM CVSS 6.5 2024-09-04
Threat Entry Updated 2024-09-06

CVE-2024-8119 - Wp Extended Plugin

The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the page parameter in all versions up to, and including, 3.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Wp Extended

CVE-2024-8119

MEDIUM CVSS 6.1 2024-09-04
Threat Entry Updated 2024-09-06

CVE-2024-8117 - Wp Extended Plugin

The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘selected_option’ parameter in all versions up to, and including, 3.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Wp Extended

CVE-2024-8117

MEDIUM CVSS 6.1 2024-09-04
Threat Entry Updated 2024-09-06

CVE-2024-8121 - Wp Extended Plugin

The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to unauthorized modification of user names due to a missing capability check on the wpext_change_admin_name() function in all versions up to, and including, 3.0.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change an admin's username to a username of their liking as long as the default 'admin' was used.

PLUGIN Wp Extended

CVE-2024-8121

MEDIUM CVSS 5.4 2024-09-04
Threat Entry Updated 2024-09-05

CVE-2024-8104 - Wp Extended Plugin

The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.0.8 via the download_file_ajax function. This makes it possible for authenticated attackers, with subscriber access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Wp Extended

CVE-2024-8104

HIGH CVSS 8.8 2024-09-04
Threat Entry Updated 2024-09-05

CVE-2024-8102 - Wp Extended Plugin

The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the module_all_toggle_ajax() function in all versions up to, and including, 3.0.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

PLUGIN Wp Extended

CVE-2024-8102

HIGH CVSS 8.8 2024-09-04
Threat Entry Updated 2024-10-07

CVE-2024-6926 - Viral Signup Plugin

The Viral Signup WordPress plugin through 2.1 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

PLUGIN Viral Signup

CVE-2024-6926

CRITICAL CVSS 9.8 2024-09-04
Threat Entry Updated 2024-10-07

CVE-2024-8325 - Blockspare Plugin

The Blockspare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites – Post Grids, Sliders, Carousels, Counters, Page Builder & Starter Site Imports, No Coding Needed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in the ‘blockspare_render_social_sharing_block’ function in all versions up to, and including, 3.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Blockspare

CVE-2024-8325

MEDIUM CVSS 6.4 2024-09-04
Threat Entry Updated 2024-10-07

CVE-2024-6020 - Sign Up Sheets Plugin

The Sign-up Sheets WordPress plugin before 2.2.13 does not escape some generated URLs, as well as the $_SERVER['REQUEST_URI'] parameter before outputting them back in attributes, which could lead to Reflected Cross-Site Scripting.

PLUGIN Sign Up Sheets

CVE-2024-6020

MEDIUM CVSS 6.1 2024-09-04