
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 (Critical: 923, High: 3,047, Medium: 10,866)
Showing 8701-8720 of 15036 records
Threat Entry Updated 2024-11-21

CVE-2024-5254 - Ultimate Addons For Wpbakery Page Builder Plugin

The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ultimate_info_banner shortcode in all versions up to, and including, 3.19.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ultimate Addons For Wpbakery Page Builder

CVE-2024-5254

MEDIUM CVSS 6.4 2024-07-17
Threat Entry Updated 2024-11-21

CVE-2024-5253 - Ultimate Addons For Wpbakery Page Builder Plugin

The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ult_team shortcode in all versions up to, and including, 3.19.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ultimate Addons For Wpbakery Page Builder

CVE-2024-5253

MEDIUM CVSS 6.4 2024-07-17
Threat Entry Updated 2024-11-21

CVE-2024-5252 - Ultimate Addons For Wpbakery Page Builder Plugin

The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ultimate_info_table shortcode in all versions up to, and including, 3.19.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ultimate Addons For Wpbakery Page Builder

CVE-2024-5252

MEDIUM CVSS 6.4 2024-07-17
Threat Entry Updated 2024-11-21

CVE-2024-5251 - Ultimate Addons For Wpbakery Page Builder Plugin

The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ultimate_pricing shortcode in all versions up to, and including, 3.19.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ultimate Addons For Wpbakery Page Builder

CVE-2024-5251

MEDIUM CVSS 6.4 2024-07-17
Threat Entry Updated 2025-03-13

CVE-2024-6457 - Husky Products Filter Professional For Woocommerce Plugin

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the ‘woof_author’ parameter in all versions up to, and including, 1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Husky Products Filter Professional For Woocommerce

CVE-2024-6457

CRITICAL CVSS 9.8 2024-07-16
Threat Entry Updated 2024-11-21

CVE-2024-6621 - Rss Aggregator Plugin

The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wprss_activate_feed_source' and 'wprss_pause_feed_source' functions in all versions up to, and including, 4.23.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or pause existing RSS feeds.

PLUGIN Rss Aggregator

CVE-2024-6621

MEDIUM CVSS 4.3 2024-07-16
Threat Entry Updated 2024-11-21

CVE-2024-6579 - Vc Addons By Bit14 Plugin

The Web and WooCommerce Addons for WPBakery Builder plugin for WordPress is vulnerable to unauthorized plugin settings modification due to a missing capability check on several plugin functions in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change some of the plugin settings.

PLUGIN Vc Addons By Bit14

CVE-2024-6579

MEDIUM CVSS 4.3 2024-07-16
Threat Entry Updated 2024-11-21

CVE-2024-6570 - Glossary Plugin

The Glossary plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.2.26. This is due to the plugin utilizing wpdesk and not preventing direct access to the test files along with display_errors being enabled. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

PLUGIN Glossary

CVE-2024-6570

MEDIUM CVSS 5.3 2024-07-16
Threat Entry Updated 2024-11-21

CVE-2024-6565 - Aforms Form Builder For Price Calculator Cost Estimation Plugin

The AForms — Form Builder for Price Calculator & Cost Estimation plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.2.6. This is due to the plugin utilizing the aura library and allowing direct access to the phpunit test files. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to…

PLUGIN Aforms Form Builder For Price Calculator Cost Estimation

CVE-2024-6565

MEDIUM CVSS 5.3 2024-07-16
Threat Entry Updated 2024-11-21

CVE-2024-5852 - Wordpress File Upload Plugin

The WordPress File Upload plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 4.24.7 via the 'uploadpath' parameter of the wordpress_file_upload shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload limited files to arbitrary locations on the web server.

PLUGIN Wordpress File Upload

CVE-2024-5852

MEDIUM CVSS 4.3 2024-07-16
Threat Entry Updated 2025-01-16

CVE-2024-1937 - Brizy Plugin

The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_item' function in all versions up to, and including, 2.4.44. This makes it possible for authenticated attackers, with contributor access and above, to modify the content of arbitrary published posts, which includes the ability to insert malicious JavaScript.

PLUGIN Brizy

CVE-2024-1937

HIGH CVSS 7.1 2024-07-16
Threat Entry Updated 2024-11-21

CVE-2024-3587 - Auxinportfolio Plugin

The Premium Portfolio Features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Grid Portfolios Widget in all versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Auxinportfolio

CVE-2024-3587

MEDIUM CVSS 6.4 2024-07-16
Threat Entry Updated 2024-11-21

CVE-2024-2691 - Wp Event Manager Plugin

The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'events' shortcode in all versions up to, and including, 3.1.43 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Event Manager

CVE-2024-2691

MEDIUM CVSS 6.4 2024-07-16
Threat Entry Updated 2024-11-21

CVE-2024-6559 - Restore And Migrate Wordpress Sites With The Xcloner Plugin

The Backup, Restore and Migrate WordPress Sites With the XCloner Plugin plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 4.7.3. This is due to the plugin utilizing sabre without preventing direct access to the files. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

PLUGIN Restore And Migrate Wordpress Sites With The Xcloner

CVE-2024-6559

MEDIUM CVSS 5.3 2024-07-16
Threat Entry Updated 2024-11-21

CVE-2024-4780 - Elementor Addon Plugin

The Image Hover Effects – Elementor Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘eihe_link’ parameter in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elementor Addon

CVE-2024-4780

MEDIUM CVSS 6.4 2024-07-16
Threat Entry Updated 2024-11-21

CVE-2024-6557 - Wp Scheduled Posts Plugin

The SchedulePress – Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 5.1.3. This is due to the plugin utilizing the wpdeveloper library and leaving the demo files in place with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and…

PLUGIN Wp Scheduled Posts

CVE-2024-6557

MEDIUM CVSS 5.3 2024-07-16
Threat Entry Updated 2024-11-21

CVE-2024-6075 - Wp Cart For Digital Products Plugin

The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks.

PLUGIN Wp Cart For Digital Products

CVE-2024-6075

HIGH CVSS 8.8 2024-07-15
Threat Entry Updated 2025-03-17

CVE-2024-6289 - Wps Hide Login Plugin

The WPS Hide Login WordPress plugin before 1.9.16.4 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the hidden login page.

PLUGIN Wps Hide Login

CVE-2024-6289

MEDIUM CVSS 6.1 2024-07-15
Threat Entry Updated 2024-11-21

CVE-2024-6076 - Wp Cart For Digital Products Plugin

The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

PLUGIN Wp Cart For Digital Products

CVE-2024-6076

MEDIUM CVSS 6.1 2024-07-15
Threat Entry Updated 2024-11-21

CVE-2024-6074 - Wp Cart For Digital Products Plugin

The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

PLUGIN Wp Cart For Digital Products

CVE-2024-6074

MEDIUM CVSS 6.1 2024-07-15