Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-02-07
CVE-2024-6691 - Easy Digital Downloads Plugin
The Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the currency value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Easy Digital Downloads
CVE-2024-6691
Risk Score
Threat Entry
Updated 2025-02-07
CVE-2024-6692 - Easy Digital Downloads Plugin
The Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Agreement Text value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Easy Digital Downloads
CVE-2024-6692
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-6133 - Wp Cart For Digital Products Plugin
The wp-cart-for-digital-products WordPress plugin before 8.5.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
Wp Cart For Digital Products
CVE-2024-6133
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-6136 - Wp Cart For Digital Products Plugin
The wp-cart-for-digital-products WordPress plugin before 8.5.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
PLUGIN
Wp Cart For Digital Products
CVE-2024-6136
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-6134 - Wp Cart For Digital Products Plugin
The wp-cart-for-digital-products WordPress plugin before 8.5.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
Wp Cart For Digital Products
CVE-2024-6134
Risk Score
Threat Entry
Updated 2025-05-27
CVE-2024-6158 - Category Posts Widget Plugin
The Category Posts Widget WordPress plugin before 4.9.17, term-and-category-based-posts-widget WordPress plugin before 4.9.13 does not validate and escape some of its "Category Posts" widget settings before outputting them back in a page/post where the Widget is embed, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Category Posts Widget
CVE-2024-6158
Risk Score
Threat Entry
Updated 2025-01-29
CVE-2024-4359 - Element Pack Plugin
The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 5.7.2 via the SVG widget and a lack of sufficient file validation in the render_svg function. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Element Pack
CVE-2024-4359
Risk Score
Threat Entry
Updated 2025-01-29
CVE-2024-4360 - Element Pack Plugin
The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 5.7.2 due to insufficient input sanitization and output escaping on user supplied attributes like 'title_tag'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Element Pack
CVE-2024-4360
Risk Score
Threat Entry
Updated 2025-01-08
CVE-2024-7548 - Learnpress Plugin
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the 'order' parameter in all versions up to, and including, 4.2.6.9.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Learnpress
CVE-2024-7548
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2024-7150 - Slider Plugin
The Slider by 10Web – Responsive Image Slider plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' parameter in all versions up to, and including, 1.2.57 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Slider
CVE-2024-7150
Risk Score
Threat Entry
Updated 2025-05-27
CVE-2024-6884 - Gutenberg Blocks With Ai By Kadence Wp Plugin
The Gutenberg Blocks with AI by Kadence WP WordPress plugin before 3.2.39 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
PLUGIN
Gutenberg Blocks With Ai By Kadence Wp
CVE-2024-6884
Risk Score
Threat Entry
Updated 2025-01-08
CVE-2024-6824 - Premium Addons For Elementor Plugin
The Premium Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'check_temp_validity' and 'update_template_title' functions in all versions up to, and including, 4.10.38. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary content and update post and page titles.
PLUGIN
Premium Addons For Elementor
CVE-2024-6824
Risk Score
Threat Entry
Updated 2025-03-01
CVE-2024-5226 - Fuse Social Floating Sidebar Plugin
The Fuse Social Floating Sidebar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the file upload functionality in all versions up to, and including, 5.4.10 due to insufficient validation of SVG files. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Fuse Social Floating Sidebar
CVE-2024-5226
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2024-6481 - Before 2 Plugin
The Search & Filter Pro WordPress plugin before 2.5.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Before 2
CVE-2024-6481
Risk Score
Threat Entry
Updated 2025-03-01
CVE-2024-5668 - Foobox Plugin
The Lightbox & Modal Popup WordPress Plugin – FooBox plugin for WordPress is vulnerable to DOM-based Stored Cross-Site Scripting via HTML data attributes in all versions up to, and including, 2.7.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Foobox
CVE-2024-5668
Risk Score
Threat Entry
Updated 2025-03-01
CVE-2024-6869 - Falang Plugin
The Falang multilanguage for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.3.52. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update and delete translations and expose the administrator email address.
PLUGIN
Falang
CVE-2024-6869
Risk Score
Threat Entry
Updated 2025-03-01
CVE-2024-6987 - Orchid Store Plugin
The Orchid Store theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'orchid_store_activate_plugin' function in all versions up to, and including, 1.5.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate the Addonify Floating Cart For WooCommerce plugin if it is installed.
PLUGIN
Orchid Store
CVE-2024-6987
Risk Score
Threat Entry
Updated 2024-08-08
CVE-2024-6552 - Ameliabooking Plugin
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.2. This is due to the plugin utilizing Symfony and leaving display_errors on within test files. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
PLUGIN
Ameliabooking
CVE-2024-6552
Risk Score
Threat Entry
Updated 2025-03-01
CVE-2024-6254 - Brizy Plugin
The Brizy – Page Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.1. This is due to missing or incorrect nonce validation on form submissions. This makes it possible for unauthenticated attackers to submit forms intended for public use as another user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. On sites where unfiltered_html is enabled, this can lead to the admin unknowingly adding a Stored Cross-Site Scripting…
PLUGIN
Brizy
CVE-2024-6254
Risk Score
Threat Entry
Updated 2025-03-01
CVE-2024-7492 - Mainwp Child Plugin
The MainWP Child Reports plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the network_options_action() function. This makes it possible for unauthenticated attackers to update arbitrary options that can be leveraged for privilege escalation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This is only exploitable on multisite instances.
PLUGIN
Mainwp Child
CVE-2024-7492
Risk Score