Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-11-21
CVE-2024-4102 - Elfsight Pricing Table Plugin
The Pricing Table plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 2.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actions like editing pricing tables.
PLUGIN
Elfsight Pricing Table
CVE-2024-4102
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4100 - Elfsight Pricing Table Plugin
The Pricing Table plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the ajax() function. This makes it possible for unauthenticated attackers to perform a variety of actions related to managing pricing tables via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Elfsight Pricing Table
CVE-2024-4100
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3608 - Product Designer Plugin
The Product Designer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the product_designer_ajax_delete_attach_id() function in all versions up to, and including, 1.0.33. This makes it possible for unauthenticated attackers to delete arbitrary attachments.
PLUGIN
Product Designer
CVE-2024-3608
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3603 - Openstreetmap Plugin
The OSM – OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'osm_map' shortcode in all versions up to, and including, 6.0.2 due to insufficient input sanitization and output escaping on user supplied attributes such as 'theme'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Openstreetmap
CVE-2024-3603
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3563 - Genesis Blocks Plugin
The Genesis Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Sharing block in all versions up to, and including, 3.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Genesis Blocks
CVE-2024-3563
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3228 - Kiwi Plugin
The Social Sharing Plugin – Kiwi plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.1.7 via the 'kiwi-nw-pinterest' class. This makes it possible for unauthenticated attackers to view limited content from password protected posts.
PLUGIN
Kiwi
CVE-2024-3228
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6314 - Iq Testimonials Plugin
The IQ Testimonials plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'process_image_upload' function in versions up to, and including, 2.2.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can only be exploited if the 'gd' php extension is not loaded on the server.
PLUGIN
Iq Testimonials
CVE-2024-6314
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6321 - Scrollto Bottom Plugin
The ScrollTo Bottom plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 1.1.1. This is due to missing nonce validation and missing file type validation in the 'options_page' function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Scrollto Bottom
CVE-2024-6321
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6320 - Scrollto Top Plugin
The ScrollTo Top plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 1.2.2. This is due to missing nonce validation and missing file type validation in the 'options_page' function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Scrollto Top
CVE-2024-6320
Risk Score
Threat Entry
Updated 2025-03-07
CVE-2024-6317 - Generate Pdf Using Contact Form 7 Plugin
The Generate PDF using Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 4.0.6. This is due to missing nonce validation and the plugin not properly validating a file or its path prior to deleting it in the 'wp_cf7_pdf_dashboard_html_page' function. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible via a forged request granted they can trick a site administrator into…
PLUGIN
Generate Pdf Using Contact Form 7
CVE-2024-6317
Risk Score
Threat Entry
Updated 2025-03-07
CVE-2024-6316 - Generate Pdf Using Contact Form 7 Plugin
The Generate PDF using Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 4.0.6. This is due to missing nonce validation and missing file type validation in the 'wp_cf7_pdf_dashboard_html_page' function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Generate Pdf Using Contact Form 7
CVE-2024-6316
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6313 - Forms Gutenberg Plugin
The Gutenberg Forms plugin for WordPress is vulnerable to arbitrary file uploads due to the users can specify the allowed file types in the 'upload' function in versions up to, and including, 2.2.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Forms Gutenberg
CVE-2024-6313
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6310 - Advanced Ajax Page Loader Plugin
The Advanced AJAX Page Loader plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 2.7.7. This is due to missing nonce validation in the 'admin_init_AAPL' function and missing file type validation in the 'AAPL_options_validate' function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Advanced Ajax Page Loader
CVE-2024-6310
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6309 - Attachment File Icons Plugin
The Attachment File Icons (AF Icons) plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 1.3. This is due to missing nonce validation in the 'afi_overview' function and missing file type validation in the 'upload_icons' function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Attachment File Icons
CVE-2024-6309
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6161 - Default Thumbnail Plus Plugin
The Default Thumbnail Plus plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'get_cache_image' function in all versions up to, and including, 1.0.2.3. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Default Thumbnail Plus
CVE-2024-6161
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6180 - Eventon Lite Plugin
The EventON plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eventon_import_settings' ajax action in all versions up to, and including, 2.2.15. This makes it possible for unauthenticated attackers to update plugin settings, including adding stored cross-site scripting to settings options displayed on event calendar pages.
PLUGIN
Eventon Lite
CVE-2024-6180
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6123 - Bit Form Plugin
The Bit Form plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'iconUpload' function in all versions up to, and including, 2.13.3. This makes it possible for authenticated attackers, with administrator-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Bit Form
CVE-2024-6123
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5881 - Webico Slider Flatsome Addons Plugin
The Webico Slider Flatsome Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wbc_image shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Webico Slider Flatsome Addons
CVE-2024-5881
Risk Score
Threat Entry
Updated 2025-05-21
CVE-2024-5488 - Before 7 Plugin
The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to unserialize malicious gadget chains, compromising the site if a suitable chain is present.
PLUGIN
Before 7
CVE-2024-5488
Risk Score
Threat Entry
Updated 2025-05-21
CVE-2024-6334 - Easy Table Of Contents Plugin
The Easy Table of Contents WordPress plugin before 2.0.67.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
PLUGIN
Easy Table Of Contents
CVE-2024-6334
Risk Score