Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-05-02
CVE-2024-5032 - Before 4 Plugin
The SULly WordPress plugin before 4.3.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
Before 4
CVE-2024-5032
Risk Score
Threat Entry
Updated 2025-06-10
CVE-2024-4217 - Shortcodes Ultimate Pro Plugin
The shortcodes-ultimate-pro WordPress plugin before 7.1.5 does not properly escape some of its shortcodes' settings, making it possible for attackers with a Contributor account to conduct Stored XSS attacks.
PLUGIN
Shortcodes Ultimate Pro
CVE-2024-4217
Risk Score
Threat Entry
Updated 2025-05-13
CVE-2024-3710 - Image Photo Gallery Final Tiles Grid Plugin
The Image Photo Gallery Final Tiles Grid WordPress plugin before 3.6.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin
PLUGIN
Image Photo Gallery Final Tiles Grid
CVE-2024-3710
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-3632 - Smart Image Gallery Plugin
The Smart Image Gallery WordPress plugin before 1.0.19 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Smart Image Gallery
CVE-2024-3632
Risk Score
Threat Entry
Updated 2025-06-09
CVE-2024-3963 - Giveaways And Contests By Rafflepress Plugin
The Giveaways and Contests by RafflePress WordPress plugin before 1.12.14 does not sanitise and escape some parameters, which could allow users with a role as low as editor to perform Cross-Site Scripting attacks
PLUGIN
Giveaways And Contests By Rafflepress
CVE-2024-3963
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2024-2870 - Socialdriver Framework Plugin
The socialdriver-framework WordPress plugin before 2024.04.30 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
Socialdriver Framework
CVE-2024-2870
Risk Score
Threat Entry
Updated 2025-05-13
CVE-2024-3753 - Before 1 Plugin
The Hostel WordPress plugin before 1.1.5.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
Before 1
CVE-2024-3753
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-3026 - Wordpress Button Plugin Maxbuttons
The WordPress Button Plugin MaxButtons WordPress plugin before 9.7.8 does not sanitise and escape some parameters, which could allow users with a role as low as editor to perform Cross-Site Scripting attacks
PLUGIN
Wordpress Button Plugin Maxbuttons
CVE-2024-3026
Risk Score
Threat Entry
Updated 2025-05-13
CVE-2024-3751 - Seriously Simple Podcasting Plugin
The Seriously Simple Podcasting WordPress plugin before 3.3.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Seriously Simple Podcasting
CVE-2024-3751
Risk Score
Threat Entry
Updated 2025-05-13
CVE-2024-3919 - Openpgp Form Encryption For Plugin
The OpenPGP Form Encryption for WordPress plugin before 1.5.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
Openpgp Form Encryption For
CVE-2024-3919
Risk Score
Threat Entry
Updated 2025-07-10
CVE-2024-5902 - Userfeedback Plugin
The User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the name parameter in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in feedback form responses that will execute whenever a high-privileged user tries to view them.
PLUGIN
Userfeedback
CVE-2024-5902
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-38704 - WordPress Core
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in DynamicWebLab WordPress Team Manager allows PHP Local File Inclusion.This issue affects WordPress Team Manager: from n/a through 2.1.12.
CORE
WordPress Core
CVE-2024-38704
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-37941 - WordPress Core
Cross-Site Request Forgery (CSRF) vulnerability in Internal Link Juicer Internal Link Juicer: SEO Auto Linker for WordPress.This issue affects Internal Link Juicer: SEO Auto Linker for WordPress: from n/a through 2.24.3.
CORE
WordPress Core
CVE-2024-37941
Risk Score
Threat Entry
Updated 2025-07-10
CVE-2024-5325 - Form Vibes Plugin
The Form Vibes plugin for WordPress is vulnerable to SQL Injection via the ‘fv_export_data’ parameter in all versions up to, and including, 1.4.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Form Vibes
CVE-2024-5325
Risk Score
Threat Entry
Updated 2025-01-15
CVE-2024-6495 - Premium Addons For Elementor Plugin
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Animated Text widget in all versions up to, and including, 4.10.36 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Premium Addons For Elementor
CVE-2024-6495
Risk Score
Threat Entry
Updated 2025-05-21
CVE-2024-6328 - Mstore Api Plugin
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.14.7. This is due to insufficient verification on the 'phone' parameter of the 'firebase_sms_login' and 'firebase_sms_login_v2' functions. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email address or phone number. Additionally, if a new email address is supplied, a new user account is…
PLUGIN
Mstore Api
CVE-2024-6328
Risk Score
Threat Entry
Updated 2025-07-10
CVE-2024-6353 - Terawallet Plugin
The Wallet for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'search[value]' parameter in all versions up to, and including, 1.5.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Terawallet
CVE-2024-6353
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6625 - Complete Branding Solution For Wordpress Plugin
The WP Total Branding – Complete branding solution for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Complete Branding Solution For Wordpress
CVE-2024-6625
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6588 - Powerpress Podcasting Plugin By Blubrry
The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘media_url’ parameter in all versions up to, and including, 11.9.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Powerpress Podcasting Plugin By Blubrry
CVE-2024-6588
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2024-6024 - Contentlock Plugin
The ContentLock WordPress plugin through 1.0.3 does not have CSRF check in place when deleting groups or emails, which could allow attackers to make a logged in admin remove them via a CSRF attack
PLUGIN
Contentlock
CVE-2024-6024
Risk Score