Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-02-07
CVE-2024-7484 - Crm Perks Forms Plugin
The CRM Perks Forms plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation on the 'handle_uploaded_files' function in versions up to, and including, 1.1.3. This makes it possible for authenticated attackers with administrator-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Crm Perks Forms
CVE-2024-7484
Risk Score
Threat Entry
Updated 2025-02-07
CVE-2024-41816 - Cooked Plugin
Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the ‘[cooked-timer]’ shortcode in versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. This issue has been addressed in release version 1.8.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.
PLUGIN
Cooked
CVE-2024-41816
Risk Score
Threat Entry
Updated 2025-06-09
CVE-2024-5081 - Wp Emember Plugin
The wp-eMember WordPress plugin before v10.7.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack
PLUGIN
Wp Emember
CVE-2024-5081
Risk Score
Threat Entry
Updated 2024-09-05
CVE-2024-6710 - Before 3 Plugin
The Ditty WordPress plugin before 3.1.45 does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.
PLUGIN
Before 3
CVE-2024-6710
Risk Score
Threat Entry
Updated 2025-06-06
CVE-2024-3636 - Pinpoint Booking System Plugin
The Pinpoint Booking System WordPress plugin before 2.9.9.4.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Pinpoint Booking System
CVE-2024-3636
Risk Score
Threat Entry
Updated 2024-09-06
CVE-2024-6498 - Before 2 Plugin
The Chatbot for WordPress by Collect.chat ⚡️ WordPress plugin before 2.4.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
PLUGIN
Before 2
CVE-2024-6498
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2024-6270 - Community Events Plugin
The Community Events WordPress plugin before 1.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Community Events
CVE-2024-6270
Risk Score
Threat Entry
Updated 2025-03-01
CVE-2024-6872 - Templatespare Plugin
The Build Your Dream Website Fast with 400+ Starter Templates and Landing Pages, No Coding Needed, One-Click Import for Elementor & Gutenberg Blocks! – TemplateSpare plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'templatespare_activate_required_theme' and 'templatespare_get_theme_status' functions in all versions up to, and including, 2.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate any installed theme and read any theme status. If the attacker attempts to activate a theme that is not installed, a…
PLUGIN
Templatespare
CVE-2024-6872
Risk Score
Threat Entry
Updated 2025-03-01
CVE-2024-6709 - Sync Post With Other Site Plugin
The Sync Post With Other Site plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'sps_add_update_post' function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new draft posts and update existing posts.
PLUGIN
Sync Post With Other Site
CVE-2024-6709
Risk Score
Threat Entry
Updated 2025-02-11
CVE-2024-7356 - Zephyr Project Manager Plugin
The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘filename’ parameter in all versions up to, and including, 3.3.100 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Zephyr Project Manager
CVE-2024-7356
Risk Score
Threat Entry
Updated 2024-08-05
CVE-2024-7257 - Woocommerce Extra Product Options Plugin
The YayExtra – WooCommerce Extra Product Options plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_upload_file function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Woocommerce Extra Product Options
CVE-2024-7257
Risk Score
Threat Entry
Updated 2025-04-10
CVE-2024-7031 - Filester Plugin
The File Manager Pro – Filester plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'njt_fs_saveSettingRestrictions' function in all versions up to, and including, 1.8.2. This makes it possible for authenticated attackers, with a role that has been granted permissions by an Administrator, to update the plugin settings for user role restrictions, including allowing file types such as .php to be uploaded.
PLUGIN
Filester
CVE-2024-7031
Risk Score
Threat Entry
Updated 2024-08-05
CVE-2024-7291 - Jetformbuilder Plugin
The JetFormBuilder plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3.4.1. This is due to improper restriction on user meta fields. This makes it possible for authenticated attackers, with administrator-level and above permissions, to register as super-admins on the sites configured as multi-sites.
PLUGIN
Jetformbuilder
CVE-2024-7291
Risk Score
Threat Entry
Updated 2025-08-22
CVE-2024-6477 - Before 1 Plugin
The UsersWP WordPress plugin before 1.2.12 uses predictable filenames when an admin generates an export, which could allow unauthenticated attackers to download them and retrieve sensitive information such as IP, username, and email address
PLUGIN
Before 1
CVE-2024-6477
Risk Score
Threat Entry
Updated 2025-06-06
CVE-2024-6390 - Before 9 Plugin
The Quiz and Survey Master (QSM) WordPress plugin before 9.1.0 does not properly sanitise and escape some of its Quizz settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks
PLUGIN
Before 9
CVE-2024-6390
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2024-6704 - Wpdiscuz Plugin
The Comments – wpDiscuz plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 7.6.21. This is due to a lack of filtering of HTML tags in comments. This makes it possible for unauthenticated attackers to add HTML such as hyperlinks to comments when rich editing is disabled.
PLUGIN
Wpdiscuz
CVE-2024-6704
Risk Score
Threat Entry
Updated 2025-01-29
CVE-2024-4643 - Element Pack Plugin
The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘end_redirect_link’ parameter in versions up to, and including, 5.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Element Pack
CVE-2024-4643
Risk Score
Threat Entry
Updated 2024-08-02
CVE-2024-3238 - Superfly Responsive Menu Plugin
The WordPress Menu Plugin — Superfly Responsive Menu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0.29. This is due to missing or incorrect nonce validation on the ajax_handle_delete_icons() function. This makes it possible for unauthenticated attackers to delete arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Please not the CSRF was patched in 5.0.28, however, adequate directory traversal protection wasn't introduced until 5.0.30.
PLUGIN
Superfly Responsive Menu
CVE-2024-3238
Risk Score
Threat Entry
Updated 2025-04-11
CVE-2024-5595 - Essential Blocks Plugin
The Essential Blocks WordPress plugin before 4.7.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
PLUGIN
Essential Blocks
CVE-2024-5595
Risk Score
Threat Entry
Updated 2025-03-01
CVE-2024-3827 - Spectra Plugin
The Spectra Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via block ids in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Spectra
CVE-2024-3827
Risk Score