Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-03-13
CVE-2024-5802 - Url Shortener Plugin
The URL Shortener by Myhop WordPress plugin through 1.0.17 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
PLUGIN
Url Shortener
CVE-2024-5802
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5441 - Modern Events Calendar Lite Plugin
The Modern Events Calendar plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image function in all versions up to, and including, 7.11.0. This makes it possible for authenticated attackers, with subscriber access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The plugin allows administrators (via its settings) to extend the ability to submit events to unauthenticated users, which would allow unauthenticated attackers to exploit this vulnerability.
PLUGIN
Modern Events Calendar Lite
CVE-2024-5441
Risk Score
Threat Entry
Updated 2025-05-21
CVE-2024-3410 - Dn Footer Contacts Plugin
The DN Footer Contacts WordPress plugin before 1.6.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Dn Footer Contacts
CVE-2024-3410
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6171 - Unlimited Elements For Elementor Free Widgets Addons Templates Plugin
The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 1.5.112 due to insufficient IP address validation and/or use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers to bypass antispam functionality in the Form Builder widgets.
PLUGIN
Unlimited Elements For Elementor Free Widgets Addons Templates
CVE-2024-6171
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6166 - Unlimited Elements For Elementor Free Widgets Addons Templates Plugin
The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to time-based SQL Injection via the ‘addons_order’ parameter in all versions up to, and including, 1.5.112 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above and granted plugin setting edit permissions by an administrator, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Unlimited Elements For Elementor Free Widgets Addons Templates
CVE-2024-6166
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6170 - Unlimited Elements For Elementor Free Widgets Addons Templates Plugin
The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘email’ parameter in all versions up to, and including, 1.5.112 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Unlimited Elements For Elementor Free Widgets Addons Templates
CVE-2024-6170
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6169 - Unlimited Elements For Elementor Free Widgets Addons Templates Plugin
The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘username’ parameter in all versions up to, and including, 1.5.112 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above and granted plugin setting edit permissions by an administrator, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Unlimited Elements For Elementor Free Widgets Addons Templates
CVE-2024-6169
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4667 - Blog Posts And Category For Elementor Plugin
The Blog, Posts and Category Filter for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post and Category Filter widget in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied 'post_types' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Blog Posts And Category For Elementor
CVE-2024-4667
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6365 - Product Table By Wbw Plugin
The Product Table by WBW plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.1 via the 'saveCustomTitle' function. This is due to missing authorization and lack of sanitization of appended data in the languages/customTitle.php file. This makes it possible for unauthenticated attackers to execute code on the server.
PLUGIN
Product Table By Wbw
CVE-2024-6365
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5793 - Houzez Theme Functionality Plugin
The Houzez Theme - Functionality plugin for WordPress is vulnerable to SQL Injection via the ‘currency_code’ parameter in all versions up to, and including, 3.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Custom-level (seller) access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Houzez Theme Functionality
CVE-2024-5793
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5855 - WordPress Core
The Media Hygiene: Remove or Delete Unused Images and More! plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the bulk_action_delete and delete_single_image_call AJAX actions in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary attachments. A nonce check was added in version 3.0.1, however, it wasn't until version 3.0.2 that a capability check was added.
CORE
WordPress Core
CVE-2024-5855
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5943 - Nested Pages Plugin
The Nested Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.7. This is due to missing or incorrect nonce validation on the 'settingsPage' function and missing santization of the 'tab' parameter. This makes it possible for unauthenticated attackers to call local php files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Nested Pages
CVE-2024-5943
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6319 - Imgspider Plugin
The IMGspider plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload' function in all versions up to, and including, 2.3.10. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Imgspider
CVE-2024-6319
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6434 - Premium Addons For Elementor Plugin
The Premium Addons for Elementor plugin for WordPress is vulnerable to Regular Expression Denial of Service (ReDoS) in all versions up to, and including, 4.10.35. This is due to processing user-supplied input as a regular expression. This makes it possible for authenticated attackers, with Author-level access and above, to create and query a malicious post title, resulting in slowing server resources.
PLUGIN
Premium Addons For Elementor
CVE-2024-6434
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6318 - Imgspider Plugin
The IMGspider plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_img_file' function in all versions up to, and including, 2.3.10. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Imgspider
CVE-2024-6318
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5641 - One Click Order Re Order Plugin
The One Click Order Re-Order plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ced_ocor_save_general_setting' function in all versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the plugin settings, including adding stored cross-site scripting.
PLUGIN
One Click Order Re Order
CVE-2024-5641
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3639 - Addons For Elementor Plugin
The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Posts Grid widget in all versions up to, and including, 8.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Addons For Elementor
CVE-2024-3639
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3638 - Addons For Elementor Plugin
The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Marquee Text Widget, Testimonials Widget, and Testimonial Slider widgets in all versions up to, and including, 8.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Addons For Elementor
CVE-2024-3638
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-2385 - Addons For Elementor Plugin
The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.3.7 via several of the plugin's widgets through the 'style' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded…
PLUGIN
Addons For Elementor
CVE-2024-2385
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-2926 - Addons For Elementor Plugin
The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 8.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Addons For Elementor
CVE-2024-2926
Risk Score