
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036
Critical: 923
High: 3,047
Medium: 10,866
Showing 8961-8980 of 15036 records
Threat Entry Updated 2025-05-19

CVE-2024-5071 - Bookster Plugin

The Bookster WordPress plugin through 1.1.0 accepts additional sensitive parameters when validating appointments, allowing attackers to manipulate the request body sent when booking an appointment and change its status from pending to approved.

PLUGIN Bookster

CVE-2024-5071

MEDIUM CVSS 6.5 2024-06-26
Threat Entry Updated 2024-11-21

CVE-2024-5332 - Exclusive Addons For Elementor Plugin

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Card widget in all versions up to, and including, 2.6.9.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Exclusive Addons For Elementor

CVE-2024-5332

MEDIUM CVSS 6.4 2024-06-26
Threat Entry Updated 2024-11-21

CVE-2024-5199 - Spotify Play Button Plugin

The Spotify Play Button WordPress plugin through 1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Spotify Play Button

CVE-2024-5199

MEDIUM CVSS 5.4 2024-06-26
Threat Entry Updated 2024-11-21

CVE-2024-5169 - Video Widget Plugin

The Video Widget WordPress plugin through 1.2.3 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).

PLUGIN Video Widget

CVE-2024-5169

MEDIUM CVSS 4.8 2024-06-26
Threat Entry Updated 2025-04-30

CVE-2024-4959 - Frontend Checklist Plugin

The Frontend Checklist WordPress plugin through 2.3.2 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).

PLUGIN Frontend Checklist

CVE-2024-4959

MEDIUM CVSS 4.8 2024-06-26
Threat Entry Updated 2025-04-30

CVE-2024-4957 - Frontend Checklist Plugin

The Frontend Checklist WordPress plugin through 2.3.2 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).

PLUGIN Frontend Checklist

CVE-2024-4957

MEDIUM CVSS 4.3 2024-06-26
Threat Entry Updated 2025-05-19

CVE-2024-3633 - Webp Svg Support Plugin

The WebP & SVG Support WordPress plugin through 1.4.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

PLUGIN Webp Svg Support

CVE-2024-3633

MEDIUM CVSS 5.4 2024-06-26
Threat Entry Updated 2025-01-28

CVE-2024-5173 - Ht Mega Plugin

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Video player widget settings in all versions up to, and including, 2.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ht Mega

CVE-2024-5173

MEDIUM CVSS 6.4 2024-06-26
Threat Entry Updated 2025-07-09

CVE-2024-4869 - Wp Cookie Consent Plugin

The WP Cookie Consent (for GDPR, CCPA & ePrivacy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Client-IP' header in all versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Cookie Consent

CVE-2024-4869

HIGH CVSS 7.2 2024-06-26
Threat Entry Updated 2024-11-21

CVE-2024-5451 - Website And Ecommerce Builder For Wordpress Theme

The The7 — Website and eCommerce Builder for WordPress theme is vulnerable to Stored Cross-Site Scripting via the 'url' attribute within the theme's Icon and Heading widgets in all versions up to, and including, 11.13.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Website And Ecommerce Builder For Wordpress

CVE-2024-5451

MEDIUM CVSS 6.4 2024-06-25
Threat Entry Updated 2024-11-21

CVE-2024-32111 - WordPress Core

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal. This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9, from 5.8 through 5.8.9, from 5.7 through 5.7.11, from 5.6 through 5.6.13, from 5.5 through 5.5.14, from 5.4 through 5.4.15, from 5.3 through 5.3.17, from 5.2 through 5.2.20, from 5.1 through 5.1.18, from 5.0 through 5.0.21, from 4.9 through 4.9.25,…

CORE WordPress Core

CVE-2024-32111

MEDIUM CVSS 5.0 2024-06-25
Threat Entry Updated 2024-11-21

CVE-2024-31111 - WordPress Core

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS. This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9.

CORE WordPress Core

CVE-2024-31111

MEDIUM CVSS 6.5 2024-06-25
Threat Entry Updated 2024-11-21

CVE-2024-6307 - WordPress Core

WordPress Core is vulnerable to Stored Cross-Site Scripting via the HTML API in various versions prior to 6.5.5 due to insufficient input sanitization and output escaping on URLs. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CORE WordPress Core

CVE-2024-6307

MEDIUM CVSS 6.4 2024-06-25
Threat Entry Updated 2025-12-15

CVE-2024-6028 - Quiz Maker Plugin

The Quiz Maker plugin for WordPress is vulnerable to time-based SQL Injection via the 'ays_questions' parameter in all versions up to, and including, 6.5.8.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Quiz Maker

CVE-2024-6028

CRITICAL CVSS 9.8 2024-06-25
Threat Entry Updated 2024-11-21

CVE-2024-3249 - Zita Elementor Site Library Plugin

The Zita Elementor Site Library plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the import_xml_data, xml_data_import, import_option_data, import_widgets, and import_customizer_settings functions in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to create pages, update certain options, including WooCommerce page titles and Elementor settings, import widgets, and update the plugin's customizer settings and the WordPress custom CSS. NOTE: This vulnerability was partially fixed in version 1.6.2.

PLUGIN Zita Elementor Site Library

CVE-2024-3249

MEDIUM CVSS 4.3 2024-06-25
Threat Entry Updated 2025-03-06

CVE-2024-5431 - Wpcafe Plugin

The WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.25 via the reservation_extra_field shortcode parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include remote files on the server, potentially resulting in code execution.

PLUGIN Wpcafe

CVE-2024-5431

HIGH CVSS 8.8 2024-06-25
Threat Entry Updated 2025-05-19

CVE-2024-4757 - Logo Manager For Enamad Plugin

The Logo Manager For Enamad WordPress plugin through 0.7.0 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

PLUGIN Logo Manager For Enamad

CVE-2024-4757

HIGH CVSS 8.1 2024-06-25
Threat Entry Updated 2025-05-19

CVE-2024-4759 - Mime Types Extended Plugin

The Mime Types Extended WordPress plugin through 0.11 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

PLUGIN Mime Types Extended

CVE-2024-4759

MEDIUM CVSS 5.5 2024-06-25
Threat Entry Updated 2024-11-21

CVE-2024-6297 - Blaze Widget Plugin

Several plugins for WordPress hosted on WordPress.org have been compromised and injected with malicious PHP scripts. A malicious threat actor compromised the source code of various plugins and injected code that exfiltrates database credentials and is used to create new, malicious, administrator users and send that data back to a server. Currently, not all plugins have been patched and we strongly recommend uninstalling the plugins for the time being and running a complete malware scan.

PLUGIN Blaze Widget

CVE-2024-6297

CRITICAL CVSS 10.0 2024-06-25
Threat Entry Updated 2025-05-19

CVE-2024-4900 - SEOPress Plugin

The SEOPress WordPress plugin before 7.8 does not validate and escape one of its Post settings, which could allow users with the contributor role and above to perform Open Redirect attacks against any user viewing a malicious post.

PLUGIN SEOPress

CVE-2024-4900

MEDIUM CVSS 6.1 2024-06-24