Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 15,036
Critical 923
High 3,047
Medium 10,866
Showing 9121-9140 of 15036 records
Threat Entry Updated 2024-11-21

CVE-2024-2122 - Foogallery Plugin

The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via album gallery custom URLs in all versions up to, and including, 2.4.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Foogallery

CVE-2024-2122

MEDIUM CVSS 6.4 2024-06-14
Threat Entry Updated 2025-07-03

CVE-2024-3754 - Alemha Watermark Plugin

The Alemha watermarker WordPress plugin through 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Alemha Watermark

CVE-2024-3754

MEDIUM CVSS 4.7 2024-06-14
Threat Entry Updated 2025-05-13

CVE-2024-2218 - Luckywp Table Of Contents Plugin

The LuckyWP Table of Contents WordPress plugin through 2.1.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Luckywp Table Of Contents

CVE-2024-2218

MEDIUM CVSS 4.6 2024-06-14
Threat Entry Updated 2024-11-21

CVE-2024-1295 - Events Calendar Plugin

The events-calendar-pro WordPress plugin before 6.4.0.1 and The Events Calendar WordPress plugin before 6.4.0.1 do not prevent users with at least the contributor role from leaking details about events they shouldn't have access to (e.g. password-protected events, drafts, etc.).

PLUGIN Events Calendar

CVE-2024-1295

MEDIUM CVSS 6.5 2024-06-14
Threat Entry Updated 2024-11-21

CVE-2024-4936 - Canto Plugin

The Canto plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 3.0.8 via the abspath parameter. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. Exploitation requires allow_url_include to be enabled on the target site.

PLUGIN Canto

CVE-2024-4936

CRITICAL CVSS 9.8 2024-06-14
Threat Entry Updated 2024-11-21

CVE-2024-1094 - Timetics AI-Powered Appointment Booking With Visual Seat Plan And Ultimate Calendar Scheduling Plugin

The Timetics - AI-powered Appointment Booking with Visual Seat Plan and ultimate Calendar Scheduling plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the make_staff() function in all versions up to, and including, 1.0.21. This makes it possible for unauthenticated attackers to grant users staff permissions.

PLUGIN Timetics AI-Powered Appointment Booking With Visual Seat Plan And Ultimate Calendar Scheduling

CVE-2024-1094

HIGH CVSS 7.3 2024-06-14
Threat Entry Updated 2024-11-21

CVE-2024-0892 - Schema App Structured Data For Schemaorg Plugin

The Schema App Structured Data plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing or incorrect nonce validation on the MarkUpdate function. This makes it possible for unauthenticated attackers to update and delete post metadata via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Schema App Structured Data For Schemaorg

CVE-2024-0892

MEDIUM CVSS 4.3 2024-06-14
Threat Entry Updated 2024-11-21

CVE-2023-6492 - Create A Responsive Html Sitemap Plugin

The Simple Sitemap – Create a Responsive HTML Sitemap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.13. This is due to missing or incorrect nonce validation in the 'admin_notices' hook found in class-settings.php. This makes it possible for unauthenticated attackers to reset the plugin options to a default state via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Create A Responsive Html Sitemap

CVE-2023-6492

MEDIUM CVSS 4.3 2024-06-14
Threat Entry Updated 2025-02-11

CVE-2024-37308 - Cooked Plugin

The Cooked Pro recipe plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the `_recipe_settings[post_title]` parameter in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. A patch is available at commit 8cf88f334ccbf11134080bbb655c66f1cfe77026 and will be part of version 1.8.0.

PLUGIN Cooked

CVE-2024-37308

MEDIUM CVSS 5.4 2024-06-13
Threat Entry Updated 2024-11-21

CVE-2024-4371 - Codesigner Plugin

The CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.1 via deserialization of untrusted input from the recently_viewed_products cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive…

PLUGIN Codesigner

CVE-2024-4371

CRITICAL CVSS 9.0 2024-06-13
Threat Entry Updated 2024-11-21

CVE-2024-3073 - Easy Wp Smtp Plugin

The Easy WP SMTP by SendLayer – WordPress SMTP and Email Log Plugin plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 2.3.0. This is due to the plugin providing the SMTP password in the SMTP Password field when viewing the settings. This makes it possible for authenticated attackers, with administrative-level access and above, to view the SMTP password for the supplied server. Although this would not be useful for attackers in most cases, if an administrator account becomes compromised this could be useful information…

PLUGIN Easy Wp Smtp

CVE-2024-3073

LOW CVSS 2.7 2024-06-13
Threat Entry Updated 2024-11-21

CVE-2024-1565 - Embedpress Plugin

The EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the PDF Widget URL in all versions up to, and including, 3.9.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Embedpress

CVE-2024-1565

MEDIUM CVSS 6.4 2024-06-13
Threat Entry Updated 2024-11-21

CVE-2024-0979 - Dashboard Widgets Suite Plugin

The Dashboard Widgets Suite plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 3.4.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Dashboard Widgets Suite

CVE-2024-0979

MEDIUM CVSS 6.1 2024-06-13
Threat Entry Updated 2024-11-21

CVE-2024-4615 - Elespare Plugin

The Elespare – Blog, Magazine and Newspaper Addons for Elementor with Templates, Widgets, Kits, and Header/Footer Builder. One Click Import: No Coding Required! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Horizontal Nav Menu' widget in all versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elespare

CVE-2024-4615

MEDIUM CVSS 6.4 2024-06-13
Threat Entry Updated 2024-11-21

CVE-2024-5265 - Wpbakery Page Builder Clipboard Plugin

The WPBakery Visual Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the link attribute within the vc_single_image shortcode in all versions up to, and including, 7.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wpbakery Page Builder Clipboard

CVE-2024-5265

MEDIUM CVSS 6.4 2024-06-13
Threat Entry Updated 2024-11-21

CVE-2024-5787 - Powerpack Addons For Elementor Plugin

The PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' attribute within the plugin's Link Effects widget in all versions up to, and including, 2.7.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Powerpack Addons For Elementor

CVE-2024-5787

MEDIUM CVSS 6.4 2024-06-13
Threat Entry Updated 2024-11-21

CVE-2024-5757 - Elementor Header Footer Blocks Template Plugin

The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the url attribute within the plugin's Site Title widget in all versions up to, and including, 1.6.35 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elementor Header Footer Blocks Template

CVE-2024-5757

MEDIUM CVSS 6.4 2024-06-13
Threat Entry Updated 2025-03-26

CVE-2024-4149 - Floating Chat Widget Plugin

The Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button WordPress plugin before 3.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Floating Chat Widget

CVE-2024-4149

MEDIUM CVSS 4.8 2024-06-13
Threat Entry Updated 2025-03-25

CVE-2024-3552 - Web Directory Free Plugin

The Web Directory Free WordPress plugin before 1.7.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to SQL injection exploitable with several techniques, such as UNION-based, time-based and error-based injection.

PLUGIN Web Directory Free

CVE-2024-3552

CRITICAL CVSS 9.8 2024-06-13
Threat Entry Updated 2024-11-21

CVE-2024-4145 - Search & Replace Plugin

The Search & Replace WordPress plugin before 3.2.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks (such as within a multi-site network).

PLUGIN Search & Replace

CVE-2024-4145

HIGH CVSS 7.2 2024-06-13