Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-05-19
CVE-2024-4899 - Before 7 Plugin
The SEOPress WordPress plugin before 7.8 does not sanitise and escape some of its Post settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks.
PLUGIN
Before 7
CVE-2024-4899
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5596 - Armember Premium Plugin
The ARMember Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.7. This is due to incorrectly implemented nonce validation function on multiple functions. This makes it possible for unauthenticated attackers to modify, or delete user meta and plugin options which can lead to limited privilege escalation.
PLUGIN
Armember Premium
CVE-2024-5596
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3593 - Ubermenu Plugin
The UberMenu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.3. This is due to missing or incorrect nonce validation on the ubermenu_delete_all_item_settings and ubermenu_reset_settings functions. This makes it possible for unauthenticated attackers to delete and reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Ubermenu
CVE-2024-3593
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4874 - Bricks Plugin
The Bricks Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.8 via the postId parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify posts and pages created by other users including admins. As a requirement for this, an admin would have to enable access to the editor specifically for such a user or enable it for all users with a certain user account type.
PLUGIN
Bricks
CVE-2024-4874
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5966 - Grey Opaque Plugin
The Grey Opaque theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Download-Button shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Grey Opaque
CVE-2024-5966
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5965 - Mosaic Plugin
The Mosaic theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter within the theme's Button shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Mosaic
CVE-2024-5965
Risk Score
Threat Entry
Updated 2025-06-10
CVE-2024-5791 - Online Booking Scheduling Calendar Plugin
The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wp_id' parameter in all versions up to, and including, 4.4.2 due to missing authorization checks on processAction function, as well as insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a wp-admin dashboard.
PLUGIN
Online Booking Scheduling Calendar
CVE-2024-5791
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5346 - Flatsome Plugin
The Flatsome theme for WordPress is vulnerable to Stored Cross-Site Scripting via the UX Countdown, Video Button, UX Video, UX Slider, UX Sidebar, and UX Payment Icons shortcodes in all versions up to, and including, 3.18.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Flatsome
CVE-2024-5346
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4313 - Table Addons For Elementor Plugin
The Table Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_id’ parameter in all versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Table Addons For Elementor
CVE-2024-4313
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-2484 - Orbit Fox Plugin
The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Services and Post Type Grid widgets in all versions up to, and including, 2.10.34 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Orbit Fox
CVE-2024-2484
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6120 - Sparkle Demo Importer Plugin
The Sparkle Demo Importer plugin for WordPress is vulnerable to unauthorized database reset and demo data import due to a missing capability check on the multiple functions in all versions up to and including 1.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all posts, pages, and uploaded files, as well as download and install a limited set of demo plugins.
PLUGIN
Sparkle Demo Importer
CVE-2024-6120
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-35770 - Vimeography Plugin
Cross-Site Request Forgery (CSRF) vulnerability in Dave Kiss Vimeography: Vimeo Video Gallery WordPress Plugin.This issue affects Vimeography: Vimeo Video Gallery WordPress Plugin: from n/a through 2.4.1.
PLUGIN
Vimeography
CVE-2024-35770
Risk Score
Threat Entry
Updated 2026-02-20
CVE-2024-35761 - Online Booking Scheduling Calendar Plugin
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in vCita Online Booking & Scheduling Calendar for WordPress by vcita allows Stored XSS.This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through 4.4.0.
PLUGIN
Online Booking Scheduling Calendar
CVE-2024-35761
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6027 - Product Filter Plugin
The Themify – WooCommerce Product Filter plugin for WordPress is vulnerable to time-based SQL Injection via the ‘conditions’ parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Product Filter
CVE-2024-6027
Risk Score
Threat Entry
Updated 2025-06-10
CVE-2024-5859 - Online Booking Scheduling Calendar Plugin
The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘d’ parameter in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Online Booking Scheduling Calendar
CVE-2024-5859
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-6225 - Amelia Plugin
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.5 (and 7.5.1 for the Pro version) due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Amelia
CVE-2024-6225
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5945 - Wp Svg Images Plugin
The WP SVG Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘type’ parameter in all versions up to, and including, 4.2 due to insufficient input sanitization. This makes it possible for authenticated attackers, with Author-level access and above, who have permissions to upload sanitized files, to bypass SVG sanitization and inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Svg Images
CVE-2024-5945
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5191 - Branda Plugin
The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mime_types’ parameter in all versions up to, and including, 3.4.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Branda
CVE-2024-5191
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5639 - User Profile Picture Plugin
The User Profile Picture plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.1 via the 'rest_api_change_profile_image' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to update the profile picture of any user.
PLUGIN
User Profile Picture
CVE-2024-5639
Risk Score
Threat Entry
Updated 2025-03-26
CVE-2024-4382 - Commonsbooking Plugin
The CB (legacy) WordPress plugin through 0.9.4.18 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting codes, timeframes, and bookings via CSRF attacks
PLUGIN
Commonsbooking
CVE-2024-4382
Risk Score