Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 | Critical: 923 | High: 3,047 | Medium: 10,866
Showing 9181-9200 of 15036 records
Threat Entry Updated 2025-01-29

CVE-2023-6748 - Custom Field Template Plugin

The Custom Field Template plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.1 via the 'cft' shortcode. This makes it possible for authenticated attackers with contributor access and above, to extract sensitive data including arbitrary post metadata.

PLUGIN Custom Field Template

CVE-2023-6748

MEDIUM CVSS 4.3 2024-06-11
Threat Entry Updated 2024-11-21

CVE-2024-35720 - Album Gallery Plugin

Missing Authorization vulnerability in A WP Life Album Gallery – WordPress Gallery. This issue affects Album Gallery – WordPress Gallery: from n/a through 1.5.7.

PLUGIN Album Gallery

CVE-2024-35720

MEDIUM CVSS 4.3 2024-06-10
Threat Entry Updated 2024-11-21

CVE-2024-35738 - Kognetiks Chatbot Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kognetiks Kognetiks Chatbot for WordPress allows Stored XSS. This issue affects Kognetiks Chatbot for WordPress: from n/a through 1.9.8.

PLUGIN Kognetiks Chatbot

CVE-2024-35738

MEDIUM CVSS 6.5 2024-06-08
Threat Entry Updated 2024-11-21

CVE-2024-5654 - Cf7 Google Sheets Connector Plugin

The CF7 Google Sheets Connector plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'execute_post_data_cg7_free' function in all versions up to, and including, 5.0.9. This makes it possible for unauthenticated attackers to toggle site configuration settings, including WP_DEBUG, WP_DEBUG_LOG, SCRIPT_DEBUG, and SAVEQUERIES.

PLUGIN Cf7 Google Sheets Connector

CVE-2024-5654

MEDIUM CVSS 6.5 2024-06-08
Threat Entry Updated 2024-11-21

CVE-2024-4468 - Salon Booking System Plugin

The Salon booking system plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on several functions hooked into admin_init in all versions up to, and including, 9.9. This makes it possible for authenticated attackers with subscriber access or higher to modify plugin settings and view discount codes intended for other users.

PLUGIN Salon Booking System

CVE-2024-4468

MEDIUM CVSS 4.3 2024-06-08
Threat Entry Updated 2025-03-21

CVE-2024-5091 - Skt Addons For Elementor Plugin

The SKT Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Age Gate and Creative Slider widgets in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Skt Addons For Elementor

CVE-2024-5091

HIGH CVSS 7.4 2024-06-08
Threat Entry Updated 2024-11-21

CVE-2024-5638 - Formula Plugin

The Formula theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'id' parameter in the 'ti_customizer_notify_dismiss_recommended_plugins' AJAX action in all versions up to, and including, 0.5.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Formula

CVE-2024-5638

MEDIUM CVSS 6.1 2024-06-08
Threat Entry Updated 2024-11-21

CVE-2024-5613 - Formula Plugin

The Formula theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'id' parameter in the 'quality_customizer_notify_dismiss_action' AJAX action in all versions up to, and including, 0.5.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Formula

CVE-2024-5613

MEDIUM CVSS 6.1 2024-06-08
Threat Entry Updated 2024-11-21

CVE-2024-5087 - Minimal Coming Soon Maintenance Mode Plugin

The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the validate_ajax, deactivate_ajax, and save_ajax functions in all versions up to, and including, 2.38. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the license key, which could disable features of the plugin.

PLUGIN Minimal Coming Soon Maintenance Mode

CVE-2024-5087

MEDIUM CVSS 6.3 2024-06-08
Threat Entry Updated 2024-11-21

CVE-2024-4661 - Wp Reset Plugin

The WP Reset plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_ajax function in all versions up to, and including, 2.02. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the value of the 'License Key' field for the 'Activate Pro License' setting.

PLUGIN Wp Reset

CVE-2024-4661

MEDIUM CVSS 4.3 2024-06-08
Threat Entry Updated 2025-04-08

CVE-2024-3668 - Powerpack Addons For Elementor Plugin

The PowerPack Pro for Elementor plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.10.17. This is due to the plugin not restricting low privileged users from setting a default role for a registration form. This makes it possible for authenticated attackers, with contributor-level access and above, to create a registration form with administrator set as the default role and then register as an administrator.

PLUGIN Powerpack Addons For Elementor

CVE-2024-3668

HIGH CVSS 8.8 2024-06-08
Threat Entry Updated 2024-11-21

CVE-2024-5770 - Wp Force Ssl Plugin

The WP Force SSL & HTTPS SSL Redirect plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_setting' function in versions up to, and including, 1.66. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to update the plugin settings.

PLUGIN Wp Force Ssl

CVE-2024-5770

MEDIUM CVSS 4.2 2024-06-08
Threat Entry Updated 2024-11-21

CVE-2024-5663 - Cards For Beaver Builder Plugin

The Cards for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Cards widget in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Cards For Beaver Builder

CVE-2024-5663

MEDIUM CVSS 6.4 2024-06-08
Threat Entry Updated 2024-11-21

CVE-2024-5599 - Fileorganizer Plugin

The FileOrganizer – Manage WordPress and Website Files plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.7 via the 'fileorganizer_ajax_handler' function. This makes it possible for unauthenticated attackers to extract sensitive data including backups or other sensitive information if the files have been moved to the built-in Trash folder.

PLUGIN Fileorganizer

CVE-2024-5599

HIGH CVSS 7.5 2024-06-07
Threat Entry Updated 2024-11-21

CVE-2024-5542 - Master Addons Plugin

The Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Navigation Menu widget of the plugin's Mega Menu extension in all versions up to, and including, 2.0.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Master Addons

CVE-2024-5542

HIGH CVSS 7.2 2024-06-07
Threat Entry Updated 2024-11-21

CVE-2024-5382 - Master Addons Plugin

The Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ma-template' REST API route in all versions up to, and including, 2.0.6.1. This makes it possible for unauthenticated attackers to create or modify existing Master Addons templates or make settings modifications related to these templates.

PLUGIN Master Addons

CVE-2024-5382

MEDIUM CVSS 6.5 2024-06-07
Threat Entry Updated 2024-11-21

CVE-2024-5438 - Tutor Lms Plugin

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.7.1 via the 'attempt_delete' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Instructor-level access and above, to delete arbitrary quiz attempts.

PLUGIN Tutor Lms

CVE-2024-5438

MEDIUM CVSS 4.3 2024-06-07
Threat Entry Updated 2024-11-21

CVE-2024-5637 - Market Exporter Plugin

The Market Exporter plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'remove_files' function in all versions up to, and including, 2.0.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to use path traversal to delete arbitrary files on the server.

PLUGIN Market Exporter

CVE-2024-5637

HIGH CVSS 7.5 2024-06-07
Threat Entry Updated 2024-11-21

CVE-2024-5645 - Envo Extra Plugin

The Envo Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_css_id' parameter within the Button widget in all versions up to, and including, 1.8.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Envo Extra

CVE-2024-5645

MEDIUM CVSS 6.4 2024-06-07