
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036
Critical: 923
High: 3,047
Medium: 10,866
Showing 9001-9020 of 15036 records
Threat Entry Updated 2024-11-21

CVE-2024-4616 - Widget Bundle Plugin

The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users

PLUGIN Widget Bundle

CVE-2024-4616

MEDIUM CVSS 6.1 2024-06-21
Threat Entry Updated 2024-11-21

CVE-2024-5448 - Paypal Pay Now Buy Now Donation And Cart Buttons Shortcode Plugin

The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

PLUGIN Paypal Pay Now Buy Now Donation And Cart Buttons Shortcode

CVE-2024-5448

MEDIUM CVSS 5.4 2024-06-21
Threat Entry Updated 2024-11-21

CVE-2024-4477 - Wp Logs Book Plugin

The WP Logs Book WordPress plugin through 1.0.1 does not sanitise and escape some of its log data before outputting them back in an admin dashboard, leading to an Unauthenticated Stored Cross-Site Scripting

PLUGIN Wp Logs Book

CVE-2024-4477

MEDIUM CVSS 5.4 2024-06-21
Threat Entry Updated 2024-11-21

CVE-2024-5447 - Paypal Pay Now Buy Now Donation And Cart Buttons Shortcode Plugin

The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Paypal Pay Now Buy Now Donation And Cart Buttons Shortcode

CVE-2024-5447

MEDIUM CVSS 4.8 2024-06-21
Threat Entry Updated 2025-03-18

CVE-2024-4970 - Widget Bundle Plugin

The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Widget Bundle

CVE-2024-4970

MEDIUM CVSS 4.8 2024-06-21
Threat Entry Updated 2024-11-21

CVE-2024-4755 - Google Cse Plugin

The Google CSE WordPress plugin through 1.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Google Cse

CVE-2024-4755

MEDIUM CVSS 4.8 2024-06-21
Threat Entry Updated 2024-11-21

CVE-2024-4384 - Cssable Countdown Plugin

The CSSable Countdown WordPress plugin through 1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Cssable Countdown

CVE-2024-4384

MEDIUM CVSS 4.8 2024-06-21
Threat Entry Updated 2024-11-21

CVE-2024-4969 - Widget Bundle Plugin

The Widget Bundle WordPress plugin through 2.0.0 does not have CSRF checks when logging Widgets, which could allow attackers to make logged in admin enable/disable widgets via a CSRF attack

PLUGIN Widget Bundle

CVE-2024-4969

MEDIUM CVSS 4.3 2024-06-21
Threat Entry Updated 2024-11-21

CVE-2024-4475 - Wp Logs Book Plugin

The WP Logs Book WordPress plugin through 1.0.1 does not have a CSRF check when clearing logs, which could allow attackers to make a logged in admin clear the logs via a CSRF attack

PLUGIN Wp Logs Book

CVE-2024-4475

MEDIUM CVSS 4.3 2024-06-21
Threat Entry Updated 2024-11-21

CVE-2024-4474 - Wp Logs Book Plugin

The WP Logs Book WordPress plugin through 1.0.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

PLUGIN Wp Logs Book

CVE-2024-4474

MEDIUM CVSS 4.3 2024-06-21
Threat Entry Updated 2024-11-21

CVE-2024-4377 - Dot On Paper Shortcodes Plugin

The DOP Shortcodes WordPress plugin through 1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

PLUGIN Dot On Paper Shortcodes

CVE-2024-4377

MEDIUM CVSS 5.4 2024-06-21
Threat Entry Updated 2025-03-13

CVE-2024-4381 - Commonsbooking Plugin

The CB (legacy) WordPress plugin through 0.9.4.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Commonsbooking

CVE-2024-4381

MEDIUM CVSS 4.8 2024-06-21
Threat Entry Updated 2024-11-21

CVE-2024-5756 - Icegram Express Plugin

The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the db parameter in all versions up to, and including, 5.7.23 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Icegram Express

CVE-2024-5756

CRITICAL CVSS 9.8 2024-06-21
Threat Entry Updated 2024-11-21

CVE-2024-5455 - Plus Addons For Elementor Plugin

The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.5.4 via the 'magazine_style' parameter within the Dynamic Smart Showcase widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can…

PLUGIN Plus Addons For Elementor

CVE-2024-5455

HIGH CVSS 8.8 2024-06-21
Threat Entry Updated 2024-11-21

CVE-2024-3961 - Convertkit Email Marketing Email Newsletter And Landing Pages Plugin

The ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tag_subscriber function in all versions up to, and including, 2.4.9. This makes it possible for unauthenticated attackers to subscribe users to tags. Financial damages may occur to site owners if their API quota is exceeded.

PLUGIN Convertkit Email Marketing Email Newsletter And Landing Pages

CVE-2024-3961

MEDIUM CVSS 5.3 2024-06-21
Threat Entry Updated 2024-11-21

CVE-2024-5503 - Wp Blog Post Layouts Plugin

The WP Blog Post Layouts plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.3. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

PLUGIN Wp Blog Post Layouts

CVE-2024-5503

HIGH CVSS 8.8 2024-06-21
Threat Entry Updated 2024-11-21

CVE-2024-5344 - Plus Addons For Elementor Plugin

The The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘forgoturl’ attribute within the plugin's WP Login & Register widget in all versions up to, and including, 5.5.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Plus Addons For Elementor

CVE-2024-5344

MEDIUM CVSS 6.1 2024-06-21
Threat Entry Updated 2024-11-21

CVE-2024-1639 - License Manager For Woocommerce Plugin

The License Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the showLicenseKey() and showAllLicenseKeys() functions in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with admin dashboard access (contributors by default due to WooCommerce) to view arbitrary decrypted license keys. The functions contain a referrer nonce check. However, these can be retrieved via the dashboard through the "license" JS variable.

PLUGIN License Manager For Woocommerce

CVE-2024-1639

MEDIUM CVSS 6.5 2024-06-21
Threat Entry Updated 2024-11-21

CVE-2024-3610 - Wp Child Theme Generator

The WP Child Theme Generator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wctg_easy_child_theme() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to create a blank child theme and activate it, causing the site to whitescreen.

THEME Wp Child Theme Generator

CVE-2024-3610

MEDIUM CVSS 5.3 2024-06-21
Threat Entry Updated 2024-11-21

CVE-2024-1955 - Hide Dashboard Notifications Plugin

The Hide Dashboard Notifications plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'warning_notices_settings' function in all versions up to, and including, 1.3. This makes it possible for authenticated attackers, with contributor access and above, to modify the plugin's settings.

PLUGIN Hide Dashboard Notifications

CVE-2024-1955

MEDIUM CVSS 4.3 2024-06-21