Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 | Critical: 923 | High: 3,047 | Medium: 10,866

Showing records 8561-8580 of 15,036
CVE-2024-2508 - WP Mobile Menu Plugin

Plugin: WP Mobile Menu | Severity: MEDIUM (CVSS 5.3) | 2024-07-31 | Threat entry updated 2024-07-31

The WP Mobile Menu plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_menu_item_icon function in all versions up to, and including, 2.8.4.4. This makes it possible for unauthenticated attackers to add the '_mobmenu_icon' post meta to arbitrary posts with an arbitrary (but sanitized) value. NOTE: Version 2.8.4.4 contains a partial fix for this vulnerability.
CVE-2024-6770 - VForm Plugin

Plugin: VForm | Severity: HIGH (CVSS 7.2) | 2024-07-31 | Threat entry updated 2024-07-31

The Lifetime free Drag & Drop Contact Form Builder for WordPress VForm plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-6412 - HTML Forms Plugin

Plugin: HTML Forms | Severity: MEDIUM (CVSS 6.5) | 2024-07-31 | Threat entry updated 2026-01-30

The HTML Forms WordPress plugin before 1.3.34 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks.
CVE-2024-6272 - SpiderContacts Plugin

Plugin: SpiderContacts | Severity: MEDIUM (CVSS 6.1) | 2024-07-31 | Threat entry updated 2025-06-10

The SpiderContacts WordPress plugin through 1.1.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVE-2024-6408 - Slider by 10Web Plugin

Plugin: Slider by 10Web | Severity: MEDIUM (CVSS 5.4) | 2024-07-31 | Threat entry updated 2025-05-06

The Slider by 10Web WordPress plugin before 1.2.57 does not sanitise and escape its Slider Title, which could allow high privilege users such as editors and above to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
CVE-2024-6165 - WANotifier Plugin

Plugin: WANotifier | Severity: MEDIUM (CVSS 4.8) | 2024-07-31 | Threat entry updated 2025-07-07

The WANotifier WordPress plugin before 2.6.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2024-5901 - SiteOrigin Widgets Bundle Plugin

Plugin: SiteOrigin Widgets Bundle | Severity: MEDIUM (CVSS 6.4) | 2024-07-30 | Threat entry updated 2025-03-13

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Grid widget in all versions up to, and including, 1.62.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-7100 - Bold Page Builder Plugin

Plugin: Bold Page Builder | Severity: MEDIUM (CVSS 6.4) | 2024-07-30 | Threat entry updated 2025-02-06

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_button shortcode in all versions up to, and including, 5.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-6536 - Zephyr Project Manager Plugin

Plugin: Zephyr Project Manager | Severity: MEDIUM (CVSS 5.4) | 2024-07-30 | Threat entry updated 2025-06-10

The Zephyr Project Manager WordPress plugin before 3.3.99 does not sanitise and escape some of its settings, which could allow high privilege users such as editors and admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2024-5975 - CZ Loan Management Plugin

Plugin: CZ Loan Management | Severity: CRITICAL (CVSS 9.1) | 2024-07-30 | Threat entry updated 2025-05-28

The CZ Loan Management WordPress plugin through 1.1 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
CVE-2024-6230 - Pardakht Delkhah Plugin

Plugin: Pardakht Delkhah | Severity: MEDIUM (CVSS 6.5) | 2024-07-30 | Threat entry updated 2026-01-02

The Pardakht Delkhah (پلاگین پرداخت دلخواه) WordPress plugin through 2.9.8 does not have a CSRF check in place when resetting its form fields, which could allow attackers to make a logged-in admin perform such an action via a CSRF attack.
CVE-2024-6226 - WpStickyBar Plugin

Plugin: WpStickyBar | Severity: MEDIUM (CVSS 6.1) | 2024-07-30 | Threat entry updated 2025-08-20

The WpStickyBar WordPress plugin through 2.1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVE-2024-6223 - Send Email Only On Reply To My Comment Plugin

Plugin: Send Email Only On Reply To My Comment | Severity: MEDIUM (CVSS 6.1) | 2024-07-30 | Threat entry updated 2025-05-29

The Send email only on Reply to My Comment WordPress plugin through 1.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVE-2024-5809 - WP Ajax Contact Form Plugin

Plugin: WP Ajax Contact Form | Severity: MEDIUM (CVSS 6.1) | 2024-07-30 | Threat entry updated 2025-05-28

The WP Ajax Contact Form WordPress plugin through 2.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against admin users.
CVE-2024-6224 - Send Email Only On Reply To My Comment Plugin

Plugin: Send Email Only On Reply To My Comment | Severity: MEDIUM (CVSS 5.9) | 2024-07-30 | Threat entry updated 2025-05-29

The Send email only on Reply to My Comment WordPress plugin through 1.0.6 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.
CVE-2024-5808 - WP Ajax Contact Form Plugin

Plugin: WP Ajax Contact Form | Severity: MEDIUM (CVSS 4.3) | 2024-07-30 | Threat entry updated 2025-05-28

The WP Ajax Contact Form WordPress plugin through 2.2.2 does not have a CSRF check in place when deleting emails from the email list, which could allow attackers to make a logged-in admin perform such an action via a CSRF attack.
CVE-2024-5765 - WpStickyBar Plugin

Plugin: WpStickyBar | Severity: CRITICAL (CVSS 9.8) | 2024-07-30 | Threat entry updated 2025-08-20

The WpStickyBar WordPress plugin through 2.1.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
CVE-2024-5807 - Business Card Plugin

Plugin: Business Card | Severity: HIGH (CVSS 7.2) | 2024-07-30 | Threat entry updated 2025-05-28

The Business Card WordPress plugin through 1.0.0 does not prevent high privilege users like administrators from uploading malicious PHP files, which could allow them to run arbitrary code on servers hosting their site, even in MultiSite configurations.
CVE-2024-3669 - Web Directory Free Plugin

Plugin: Web Directory Free | Severity: MEDIUM (CVSS 6.8) | 2024-07-30 | Threat entry updated 2025-05-28

The Web Directory Free WordPress plugin before 1.7.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.