
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 8541-8560 of 15036 records
Threat Entry Updated 2025-02-05

CVE-2024-7389 - Forminator Plugin

The Forminator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.29.1 via class-forminator-addon-hubspot-wp-api.php. This makes it possible for unauthenticated attackers to extract the HubSpot integration developer API key and make unauthorized changes to the plugin's HubSpot integration or expose personally identifiable information from plugin users using the HubSpot integration.

PLUGIN Forminator

CVE-2024-7389

HIGH CVSS 7.5 2024-08-02
Threat Entry Updated 2025-03-01

CVE-2024-6567 - Ebook Store Plugin

The Ebook Store plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 5.8001. This is due to the plugin utilizing fpdi-protection and not preventing direct access to test files that have display_errors set to true. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

PLUGIN Ebook Store

CVE-2024-6567

MEDIUM CVSS 5.3 2024-08-02
Threat Entry Updated 2025-02-06

CVE-2024-2455 - Element Pack Plugin

The Element Pack - Addon for Elementor Page Builder WordPress Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget wrapper link URL in all versions up to, and including, 7.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Element Pack

CVE-2024-2455

MEDIUM CVSS 6.4 2024-08-01
Threat Entry Updated 2025-03-01

CVE-2024-6346 - Comboblocks Plugin

The Gutenberg Blocks, Page Builder – ComboBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the redirectURL parameter of the Date Countdown widget, in all versions up to, and including, 2.2.85a due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Comboblocks

CVE-2024-6346

MEDIUM CVSS 6.4 2024-08-01
Threat Entry Updated 2025-03-01

CVE-2024-7302 - Blog2social Plugin

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 3gp2 file uploads in all versions up to, and including, 7.5.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the 3gp2 file.

PLUGIN Blog2social

CVE-2024-7302

MEDIUM CVSS 6.4 2024-08-01
Threat Entry Updated 2024-11-21

CVE-2024-5330 - Breakdance Plugin

The Breakdance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the breakdance_css_file_paths_cache parameter in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Breakdance

CVE-2024-5330

MEDIUM CVSS 6.4 2024-08-01
Threat Entry Updated 2024-11-21

CVE-2024-5331 - Breakdance Plugin

The Breakdance plugin for WordPress is vulnerable to unauthorized access of data in all versions up to, and including, 1.7.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to export form submissions.

PLUGIN Breakdance

CVE-2024-5331

MEDIUM CVSS 4.3 2024-08-01
Threat Entry Updated 2025-05-29

CVE-2024-3983 - Woocommerce Customers Manager Plugin

The WooCommerce Customers Manager WordPress plugin before 30.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged-in admins perform unwanted actions, such as deleting customers, via CSRF attacks.

PLUGIN Woocommerce Customers Manager

CVE-2024-3983

HIGH CVSS 8.1 2024-08-01
Threat Entry Updated 2025-04-10

CVE-2024-6529 - Ultimate Classified Listings Plugin

The Ultimate Classified Listings WordPress plugin before 1.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins.

PLUGIN Ultimate Classified Listings

CVE-2024-6529

HIGH CVSS 7.1 2024-08-01
Threat Entry Updated 2025-06-09

CVE-2024-6496 - Light Poll Plugin

The Light Poll WordPress plugin through 1.0.0 does not have CSRF checks when deleting polls, which could allow attackers to make logged-in users perform such an action via a CSRF attack.

PLUGIN Light Poll

CVE-2024-6496

MEDIUM CVSS 6.5 2024-08-01
Threat Entry Updated 2025-06-10

CVE-2024-4090 - Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any WordPress Plugin

The Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any WordPress plugin before 2.7.2 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN Floating Notification Bar, Sticky Menu on Scroll, Announcement Banner, and Sticky Header for Any WordPress

CVE-2024-4090

MEDIUM CVSS 4.8 2024-08-01
Threat Entry Updated 2025-07-16

CVE-2024-2872 - Socialdriver Framework Plugin

The socialdriver-framework WordPress plugin before 2024.04.30 does not sanitise and escape some of its settings, which could allow high-privilege users such as contributors to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).

PLUGIN Socialdriver Framework

CVE-2024-2872

MEDIUM CVSS 4.8 2024-08-01
Threat Entry Updated 2025-05-29

CVE-2024-1747 - Woocommerce Customers Manager Plugin

The WooCommerce Customers Manager WordPress plugin before 30.2 does not have authorisation and CSRF checks in various AJAX actions, allowing any authenticated user, such as a subscriber, to call them and update/delete/create customer metadata, also leading to Stored Cross-Site Scripting due to the lack of escaping of said metadata values.

PLUGIN Woocommerce Customers Manager

CVE-2024-1747

MEDIUM CVSS 6.5 2024-08-01
Threat Entry Updated 2024-11-21

CVE-2024-2090 - Remote Content Shortcode Plugin

The Remote Content Shortcode plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5 via the remote_content shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Remote Content Shortcode

CVE-2024-2090

MEDIUM CVSS 6.4 2024-08-01
Threat Entry Updated 2024-11-23

CVE-2024-6698 - Fundengine Plugin

The FundEngine plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.7.0. This is due to the plugin not properly verifying user meta updated through the update_user_meta function. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their user meta which can be leveraged to update their capabilities to gain administrator access.

PLUGIN Fundengine

CVE-2024-6698

HIGH CVSS 8.8 2024-08-01
Threat Entry Updated 2024-11-23

CVE-2024-6687 - Ctt Expresso Para Woocommerce Plugin

The CTT Expresso para WooCommerce plugin for WordPress is vulnerable to sensitive information exposure in all versions up to and including 3.2.12 via the /wp-content/uploads/cepw directory. The generated .pdf and log files are publicly accessible and contain sensitive information such as sender and receiver names, phone numbers, physical addresses, and email addresses.

PLUGIN Ctt Expresso Para Woocommerce

CVE-2024-6687

MEDIUM CVSS 5.3 2024-08-01
Threat Entry Updated 2025-03-21

CVE-2024-6208 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdm_all_packages' shortcode in all versions up to, and including, 3.2.97 due to insufficient input sanitization and output escaping on the 'cols' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Download Manager

CVE-2024-6208

MEDIUM CVSS 6.4 2024-07-31
Threat Entry Updated 2025-03-07

CVE-2024-7135 - Tainacan Plugin

The Tainacan plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_file' function in all versions up to, and including, 0.21.7. The function is also vulnerable to directory traversal. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Tainacan

CVE-2024-7135

MEDIUM CVSS 6.5 2024-07-31
Threat Entry Updated 2025-02-05

CVE-2024-6725 - Formidable Forms Plugin

The Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'html' parameter in all versions up to, and including, 6.11.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with form editing permissions and Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Formidable Forms

CVE-2024-6725

MEDIUM CVSS 4.9 2024-07-31