
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 | Critical: 923 | High: 3,047 | Medium: 10,866

Showing 8821-8840 of 15036 records
Threat Entry Updated 2024-11-21

CVE-2024-5946 - Squelch Tabs And Accordions Shortcodes Plugin

The Squelch Tabs and Accordions Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tab’ shortcode in all versions up to, and including, 0.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Squelch Tabs And Accordions Shortcodes

CVE-2024-5946

MEDIUM CVSS 6.4 2024-07-09
Threat Entry Updated 2025-03-06

CVE-2024-4862 - Wpbits Addons For Elementor Page Builder Plugin

The WPBITS Addons For Elementor Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wpbits Addons For Elementor Page Builder

CVE-2024-4862

MEDIUM CVSS 6.4 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-37430 - WordPress Core

Authentication Bypass by Spoofing vulnerability in Patreon Patreon WordPress allows Functionality Misuse. This issue affects Patreon WordPress: from n/a through 1.9.0.

CORE WordPress Core

CVE-2024-37430

MEDIUM CVSS 5.3 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-6069 - Pie Register Plugin

The Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation/deactivation due to missing capability checks on the pieregister_install_addon, pieregister_activate_addon and pieregister_deactivate_addon functions in all versions up to, and including, 3.8.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install, activate and deactivate arbitrary plugins. As a result, attackers might achieve code execution on the targeted server.

PLUGIN Pie Register

CVE-2024-6069

HIGH CVSS 8.8 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-6168 - Just Custom Fields Plugin

The Just Custom Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.2. This is due to missing or incorrect nonce validation on several AJAX functions. This makes it possible for unauthenticated attackers to invoke this functionality intended for admin users via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. This enables subscribers to manage field groups, change visibility of items, among other things.

PLUGIN Just Custom Fields

CVE-2024-6168

MEDIUM CVSS 4.3 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-6167 - Just Custom Fields Plugin

The Just Custom Fields plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several AJAX functions in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke this functionality intended for admin users. This enables subscribers to manage field groups, change visibility of items, among other things.

PLUGIN Just Custom Fields

CVE-2024-6167

MEDIUM CVSS 4.3 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-5992 - Cliengo Plugin

The Cliengo – Chatbot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_chatbot_token' and 'update_chatbot_position' functions in all versions up to, and including, 3.0.1. This makes it possible for unauthenticated attackers to change chatbot settings, which can lead to unavailability or other changes to the chatbot.

PLUGIN Cliengo

CVE-2024-5992

MEDIUM CVSS 6.5 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-5937 - Simple Alert Boxes Plugin

The Simple Alert Boxes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Alert shortcode in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Simple Alert Boxes

CVE-2024-5937

MEDIUM CVSS 6.4 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-5993 - Cliengo Plugin

The Cliengo – Chatbot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_session' function in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the session token of the chatbot.

PLUGIN Cliengo

CVE-2024-5993

MEDIUM CVSS 5.4 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-5856 - Comment Images Reloaded Plugin

The Comment Images Reloaded plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the cir_delete_image AJAX action in all versions up to, and including, 2.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary media attachments.

PLUGIN Comment Images Reloaded

CVE-2024-5856

MEDIUM CVSS 4.3 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-5669 - Faq For Woocommerce Plugin

The XPlainer – WooCommerce Product FAQ [WooCommerce Accordion FAQ Plugin] plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ffw_activate_template' function in all versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to store cross-site scripting that will trigger when viewing the dashboard templates or accessing FAQs.

PLUGIN Faq For Woocommerce

CVE-2024-5669

MEDIUM CVSS 6.4 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-5648 - Wisdm Reports For Learndash Plugin

The LearnDash LMS – Reports plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.8.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update various plugin settings.

PLUGIN Wisdm Reports For Learndash

CVE-2024-5648

MEDIUM CVSS 5.4 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-5810 - Optimize Pagespeed Insights Score 90 100 Plugin

The WP2Speed Faster – Optimize PageSpeed Insights Score 90-100 plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.1. This is due to the use of hardcoded credentials to authenticate all the incoming API requests. This makes it possible for unauthenticated attackers to overwrite CSS, update the trial settings, purge the cache, and find attachments.

PLUGIN Optimize Pagespeed Insights Score 90 100

CVE-2024-5810

MEDIUM CVSS 5.3 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-5704 - Faq For Woocommerce Plugin

The XPlainer – WooCommerce Product FAQ [WooCommerce Accordion FAQ Plugin] plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add new and update existing FAQs, FAQ lists, and modify FAQ associations with products.

PLUGIN Faq For Woocommerce

CVE-2024-5704

MEDIUM CVSS 4.3 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-5456 - Panda Video Plugin

The Panda Video plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.0 via the 'selected_button' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

PLUGIN Panda Video

CVE-2024-5456

HIGH CVSS 8.8 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-5479 - Easy Pixels By Jevnet Plugin

The Easy Pixels plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 2.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Easy Pixels By Jevnet

CVE-2024-5479

HIGH CVSS 7.2 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-5457 - Panda Video Plugin

The Panda Video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Panda Video

CVE-2024-5457

MEDIUM CVSS 6.4 2024-07-09
Threat Entry Updated 2025-02-05

CVE-2024-4868 - Extensions For Elementor Plugin

The Extensions for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's EE Events and EE Flipbox widgets in all versions up to, and including, 2.0.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Extensions For Elementor

CVE-2024-4868

MEDIUM CVSS 6.4 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-5600 - Happy Scss Compiler Plugin

The SCSS Happy Compiler – Compile SCSS to CSS & Automatic Enqueue plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check and insufficient sanitization on the import_settings() function in all versions up to, and including, 1.3.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject malicious web scripts.

PLUGIN Happy Scss Compiler

CVE-2024-5600

MEDIUM CVSS 5.4 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-3604 - Openstreetmap Plugin

The OSM – OpenStreetMap plugin for WordPress is vulnerable to SQL Injection via the 'tagged_filter' attribute of the 'osm_map_v3' shortcode in all versions up to, and including, 6.0.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Openstreetmap

CVE-2024-3604

CRITICAL CVSS 9.9 2024-07-09