Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 15,036
Critical 923
High 3,047
Medium 10,866
Showing 8441-8460 of 15036 records
Threat Entry Updated 2024-09-13

CVE-2024-7144 - Jetelements Plugin

The JetElements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' and 'slide_id' parameters in all versions up to, and including, 2.6.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Jetelements

CVE-2024-7144

MEDIUM CVSS 6.4 2024-08-16
Threat Entry Updated 2024-08-19

CVE-2024-7146 - Jettabs For Elementor Plugin

The JetTabs for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.3 via the 'switcher_preset' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

PLUGIN Jettabs For Elementor

CVE-2024-7146

HIGH CVSS 8.8 2024-08-16
Threat Entry Updated 2024-08-19

CVE-2024-7147 - Jetblocks For Elementor Plugin

The JetBlocks for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple placeholder parameters in all versions up to, and including, 1.3.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Jetblocks For Elementor

CVE-2024-7147

MEDIUM CVSS 6.4 2024-08-16
Threat Entry Updated 2024-08-19

CVE-2024-7136 - Jetsearch Plugin

The JetSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Jetsearch

CVE-2024-7136

MEDIUM CVSS 6.4 2024-08-16
Threat Entry Updated 2024-08-19

CVE-2024-7501 - Download Plugins And Themes In Zip From Dashboard

The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.7. This is due to missing or incorrect nonce validation on the download_theme() function. This makes it possible for unauthenticated attackers to download arbitrary themes from the website via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. In versions prior to 1.8.6 it was possible to download the entire site's files.

PLUGIN Download Plugins And Themes In Zip From Dashboard

CVE-2024-7501

MEDIUM CVSS 4.2 2024-08-16
Threat Entry Updated 2025-05-27

CVE-2024-6460 - Grow Plugin

The Grow by Tradedoubler WordPress plugin through 2.0.21 is vulnerable to Local File Inclusion via the component parameter. This makes it possible for attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files.

PLUGIN Grow

CVE-2024-6460

CRITICAL CVSS 9.8 2024-08-16
Threat Entry Updated 2025-03-12

CVE-2024-7301 - Wordpress File Upload Plugin

The WordPress File Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.24.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Wordpress File Upload

CVE-2024-7301

HIGH CVSS 7.2 2024-08-16
Threat Entry Updated 2024-08-19

CVE-2024-7422 - Theme My Login Plugin

The Theme My Login plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.1.7. This is due to missing or incorrect nonce validation on the tml_admin_save_ms_settings() function. This makes it possible for unauthenticated attackers to update the theme's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Please note that this only affects multi-site instances.

PLUGIN Theme My Login

CVE-2024-7422

MEDIUM CVSS 4.3 2024-08-16
Threat Entry Updated 2025-01-29

CVE-2024-7630 - Relevanssi Plugin

The Relevanssi – A Better Search plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.22.2 via the relevanssi_do_query() function due to insufficient limitations on the posts that are returned when searching. This makes it possible for unauthenticated attackers to extract potentially sensitive information from password-protected posts.

PLUGIN Relevanssi

CVE-2024-7630

MEDIUM CVSS 5.3 2024-08-16
Threat Entry Updated 2024-08-19

CVE-2023-7049 - Custom Field For Wp Job Manager Plugin

The Custom Field For WP Job Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2 via the 'cm_fieldshow' shortcode due to missing validation on the 'job_id' user-controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to expose potentially sensitive post metadata.

PLUGIN Custom Field For Wp Job Manager

CVE-2023-7049

MEDIUM CVSS 4.3 2024-08-16
Threat Entry Updated 2024-08-15

CVE-2024-7411 - Newsletters Lite Plugin

The Newsletters plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 4.9.9. This is due to the plugin not preventing direct access to /vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information disclosed is not useful on its own and requires another vulnerability to be present to cause damage to an affected website.

PLUGIN Newsletters Lite

CVE-2024-7411

MEDIUM CVSS 5.3 2024-08-15
Threat Entry Updated 2025-01-08

CVE-2024-7064 - Elementskit Plugin

The ElementsKit Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 3.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elementskit

CVE-2024-7064

MEDIUM CVSS 6.4 2024-08-15
Threat Entry Updated 2025-01-08

CVE-2024-7063 - Elementskit Plugin

The ElementsKit Pro plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.6 via the 'render_raw' function. This can allow authenticated attackers, with Contributor-level permissions and above, to extract sensitive data including private, future, and draft posts.

PLUGIN Elementskit

CVE-2024-7063

MEDIUM CVSS 4.3 2024-08-15
Threat Entry Updated 2025-05-21

CVE-2024-7628 - Mstore Api Plugin

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 4.15.2. This is due to the use of loose comparison in the 'verify_id_token' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to an @flutter.io email address or phone number. This also requires Firebase to be configured on the website and the user to have set…

PLUGIN Mstore Api

CVE-2024-7628

HIGH CVSS 8.1 2024-08-15
Threat Entry Updated 2025-02-11

CVE-2024-7624 - Zephyr Project Manager Plugin

The Zephyr Project Manager plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 3.3.101. This is due to the plugin not properly checking a user's capabilities before allowing them to enable access to the plugin's settings through the update_user_access() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to grant themselves full access to the plugin's settings.

PLUGIN Zephyr Project Manager

CVE-2024-7624

HIGH CVSS 8.1 2024-08-15
Threat Entry Updated 2024-09-13

CVE-2024-7420 - Insert Php Code Snippet Plugin

The Insert PHP Code Snippet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.6. This is due to missing or incorrect nonce validation in the /admin/snippets.php file. This makes it possible for unauthenticated attackers to activate/deactivate and delete code snippets via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Insert Php Code Snippet

CVE-2024-7420

MEDIUM CVSS 5.8 2024-08-15
Threat Entry Updated 2024-08-14

CVE-2024-6532 - Sheet To Table Live Sync For Google Sheet Plugin

The Sheet to Table Live Sync for Google Sheet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's STWT_Sheet_Table shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Sheet To Table Live Sync For Google Sheet

CVE-2024-6532

MEDIUM CVSS 6.4 2024-08-14
Threat Entry Updated 2024-08-14

CVE-2024-4389 - Slider And Carousel Slider By Depicter Plugin

The Slider and Carousel slider by Depicter plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadFile function in all versions up to, and including, 3.1.1. This makes it possible for authenticated attackers, with contributor access or higher, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Slider And Carousel Slider By Depicter

CVE-2024-4389

HIGH CVSS 8.8 2024-08-14
Threat Entry Updated 2024-08-14

CVE-2024-7588 - Comboblocks Plugin

The Gutenberg Blocks, Page Builder – ComboBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Accordion block in all versions up to, and including, 2.2.87 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Comboblocks

CVE-2024-7588

MEDIUM CVSS 6.4 2024-08-14
Threat Entry Updated 2025-02-07

CVE-2024-6823 - Media Library Assistant Plugin

The Media Library Assistant plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation involving the mla-inline-edit-upload-scripts AJAX action in all versions up to, and including, 3.18. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Media Library Assistant

CVE-2024-6823

HIGH CVSS 8.8 2024-08-13