Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 9301-9320 of 15036 records
Threat Entry Updated 2025-06-30

CVE-2024-4750 - Buddyboss Platform Plugin

The buddyboss-platform WordPress plugin before 2.6.0 contains an IDOR vulnerability that allows a user to like a private post by manipulating the post ID included in the request.

PLUGIN Buddyboss Platform

CVE-2024-4750

MEDIUM CVSS 5.3 2024-06-04
Threat Entry Updated 2024-11-21

CVE-2024-4462 - Nafeza Prayer Time Plugin

The Nafeza Prayer Time plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Nafeza Prayer Time

CVE-2024-4462

MEDIUM CVSS 4.4 2024-06-04
Threat Entry Updated 2025-05-29

CVE-2024-4274 - Essential Real Estate Plugin

The Essential Real Estate plugin for WordPress is vulnerable to unauthorized loss of data due to insufficient validation on the remove_property_attachment_ajax() function in all versions up to, and including, 4.4.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachments.

PLUGIN Essential Real Estate

CVE-2024-4274

MEDIUM CVSS 4.3 2024-06-04
Threat Entry Updated 2024-11-21

CVE-2024-3555 - Social Link Pages Plugin

The Social Link Pages: link-in-bio landing pages for your social media profiles plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the import_link_pages() function in all versions up to, and including, 1.6.9. This makes it possible for unauthenticated attackers to inject arbitrary pages and malicious web scripts.

PLUGIN Social Link Pages

CVE-2024-3555

HIGH CVSS 7.2 2024-06-04
Threat Entry Updated 2025-05-29

CVE-2024-4273 - Essential Real Estate Plugin

The Essential Real Estate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ere_property_map' shortcode in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Essential Real Estate

CVE-2024-4273

MEDIUM CVSS 6.4 2024-06-04
Threat Entry Updated 2024-11-21

CVE-2024-3230 - Download Attachments Plugin

The Download Attachments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'download-attachments' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Download Attachments

CVE-2024-3230

MEDIUM CVSS 6.4 2024-06-04
Threat Entry Updated 2025-05-21

CVE-2024-4057 - Gutenberg Blocks With Ai By Kadence Wp Plugin

The Gutenberg Blocks with AI by Kadence WP WordPress plugin before 3.2.37 does not validate and escape some of its block attributes before outputting them back in the page or post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Gutenberg Blocks With Ai By Kadence Wp

CVE-2024-4057

MEDIUM CVSS 6.1 2024-06-04
Threat Entry Updated 2024-11-21

CVE-2024-3031 - Fluid Notification Bar Plugin

The Fluid Notification Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Fluid Notification Bar

CVE-2024-3031

MEDIUM CVSS 4.4 2024-06-04
Threat Entry Updated 2024-11-21

CVE-2024-2019 - Wp Db Table Editor Plugin

The WP-DB-Table-Editor plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to the lack of a default capability requirement on the 'dbte_render' function in all versions up to, and including, 1.8.4. This makes it possible for authenticated attackers, with contributor access and above, to modify any database table that the theme has been configured to expose through the plugin's editor.

PLUGIN Wp Db Table Editor

CVE-2024-2019

HIGH CVSS 7.5 2024-06-04
Threat Entry Updated 2026-01-09

CVE-2024-2470 - Simple Ajax Chat Plugin

The Simple Ajax Chat WordPress plugin before 20240412 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Simple Ajax Chat

CVE-2024-2470

MEDIUM CVSS 5.4 2024-06-04
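The three entries above (Nafeza Prayer Time, Fluid Notification Bar, Simple Ajax Chat) describe the same defect: a plugin stores an admin setting verbatim and echoes it raw, so on multisite, or wherever the unfiltered_html capability has been removed, an administrator regains the ability to publish script that WordPress core would otherwise strip. The following is an added illustration, not the code of any plugin listed here; the option names 'demo_notice_text' and 'demo_notice_title' and the settings group 'demo_notice' are hypothetical. It shows the vulnerable pattern next to a settings registration that applies the same rule core applies to post content.

```php
<?php
// Added example, not code from any plugin on this page. Hypothetical option names
// 'demo_notice_text' (HTML allowed) and 'demo_notice_title' (plain text).

// VULNERABLE: the option is stored verbatim and echoed raw. Where unfiltered_html is
// absent (multisite non-super-admins, or DISALLOW_UNFILTERED_HTML), an administrator is
// not supposed to be able to publish <script>; this code silently restores that ability.
function demo_notice_render_vulnerable() {
    echo '<div class="demo-notice"><h4>' . get_option( 'demo_notice_title' ) . '</h4>'
       . get_option( 'demo_notice_text' ) . '</div>';
}

// HARDENED, save side: mirror what core does for post content. Callers who hold
// unfiltered_html keep their markup; everyone else is reduced to the wp_kses_post()
// allowlist, which removes <script>, on* handlers and javascript: URLs.
function demo_sanitize_notice_text( $value ) {
    $value = (string) $value;
    return current_user_can( 'unfiltered_html' ) ? $value : wp_kses_post( $value );
}

function demo_register_notice_settings() {
    // register_setting() hooks the callback into sanitize_option_{name}, so it runs on
    // every update_option() path (options.php, REST, WP-CLI), not only on the plugin's form.
    register_setting( 'demo_notice', 'demo_notice_text', array(
        'type'              => 'string',
        'sanitize_callback' => 'demo_sanitize_notice_text',
        'default'           => '',
    ) );
    // A title never needs markup: sanitize it as plain text.
    register_setting( 'demo_notice', 'demo_notice_title', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ) );
}
add_action( 'admin_init', 'demo_register_notice_settings' );

// HARDENED, output side: plain-text values are escaped for the context they land in
// (esc_html() for a text node, esc_attr() for an attribute). The HTML field is echoed
// as stored because its trust was decided at save time by the saver's capabilities,
// exactly as post_content is. If the feature does not actually need raw markup, drop
// the unfiltered_html branch above and run wp_kses_post() unconditionally.
function demo_notice_render_hardened() {
    echo '<div class="demo-notice"><h4>' . esc_html( get_option( 'demo_notice_title', '' ) ) . '</h4>'
       . get_option( 'demo_notice_text', '' ) . '</div>';
}

function demo_notice_title_field() {
    printf(
        '<input type="text" name="demo_notice_title" value="%s" />',
        esc_attr( get_option( 'demo_notice_title', '' ) )
    );
}
```

The check that matters when reviewing a plugin for this class is whether the sanitize path consults current_user_can( 'unfiltered_html' ) at all; a plugin that only escapes on its own settings page, or that trusts the administrator role unconditionally, reproduces the defect.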
Threat Entry Updated 2024-11-21

CVE-2024-2382 - Authorizenet Payment Gateway For Woocommerce Plugin

The Authorize.net Payment Gateway For WooCommerce plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 8.0. This is due to the plugin not properly verifying the authenticity of the request that updates an order's payment status. This makes it possible for unauthenticated attackers to set order payment statuses to paid, bypassing payment entirely.

PLUGIN Authorizenet Payment Gateway For Woocommerce

CVE-2024-2382

MEDIUM CVSS 5.3 2024-06-04
Threat Entry Updated 2024-11-21

CVE-2024-1718 - Woocommerce Checkout Cielo Plugin

The Claudio Sanches – Checkout Cielo for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient payment validation in the update_order_status() function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to update the status of orders to paid, bypassing payment.

PLUGIN Woocommerce Checkout Cielo

CVE-2024-1718

MEDIUM CVSS 5.3 2024-06-04
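Both payment entries above (Authorize.net Payment Gateway For WooCommerce, Checkout Cielo) share one root cause: the callback that moves an order to paid trusts the incoming request instead of authenticating it against the gateway. The following is an added, generic illustration, not the code of either plugin; the WC-API endpoint name 'demo_gateway', the header 'X-Demo-Signature' and the option 'demo_gateway_webhook_secret' are hypothetical, and real gateways differ in how they sign callbacks (some require a server-to-server status query instead of a signature).

```php
<?php
// Added example, not code from any plugin on this page. Hypothetical endpoint
// ?wc-api=demo_gateway, header X-Demo-Signature, option demo_gateway_webhook_secret.

// VULNERABLE: the order is marked paid on the strength of a POST anyone can send.
function demo_gateway_callback_vulnerable() {
    $order = wc_get_order( absint( $_POST['order_id'] ) );
    if ( $order && 'paid' === $_POST['status'] ) {
        $order->payment_complete( sanitize_text_field( $_POST['transaction_id'] ) );
    }
    exit;
}
// add_action( 'woocommerce_api_demo_gateway', 'demo_gateway_callback_vulnerable' );

// HARDENED: authenticate the callback, then cross-check its claims against the order.
function demo_gateway_callback_hardened() {
    $raw    = file_get_contents( 'php://input' );
    $secret = (string) get_option( 'demo_gateway_webhook_secret', '' );
    $given  = isset( $_SERVER['HTTP_X_DEMO_SIGNATURE'] ) ? (string) $_SERVER['HTTP_X_DEMO_SIGNATURE'] : '';

    // 1. Authenticity: the gateway signs the raw body with a shared secret; compare in
    //    constant time. An empty secret means "not configured", which must fail closed.
    if ( '' === $secret || ! hash_equals( hash_hmac( 'sha256', $raw, $secret ), $given ) ) {
        status_header( 401 );
        exit;
    }

    $event = json_decode( $raw, true );
    if ( ! is_array( $event ) ) {
        status_header( 400 );
        exit;
    }

    $order = wc_get_order( absint( $event['order_id'] ?? 0 ) );
    if ( ! $order ) {
        status_header( 404 );
        exit;
    }

    // 2. Idempotency: a replayed (but validly signed) callback must not re-run the
    //    completion side effects (stock, emails, fulfilment hooks).
    if ( $order->is_paid() ) {
        status_header( 200 );
        exit;
    }

    // 3. Integrity: status, amount and currency all come from the signed payload and
    //    must match the order; a valid signature over a $0.01 payment is still a bypass.
    $amount_ok = isset( $event['amount'] )
        && number_format( (float) $event['amount'], 2, '.', '' )
           === number_format( (float) $order->get_total(), 2, '.', '' );
    $currency_ok = isset( $event['currency'] ) && $event['currency'] === $order->get_currency();
    if ( 'paid' !== ( $event['status'] ?? '' ) || ! $amount_ok || ! $currency_ok ) {
        $order->add_order_note( 'Gateway callback rejected: status, amount or currency mismatch.' );
        status_header( 400 );
        exit;
    }

    $order->payment_complete( sanitize_text_field( (string) ( $event['transaction_id'] ?? '' ) ) );
    status_header( 200 );
    exit;
}
add_action( 'woocommerce_api_demo_gateway', 'demo_gateway_callback_hardened' );
```

When auditing a gateway plugin, look for the function that calls payment_complete() or update_status( 'processing' ) and walk backwards: if nothing on that path compares a signature, re-queries the gateway, or at least checks the amount against the order, the endpoint is a free checkout.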
Threat Entry Updated 2025-05-21

CVE-2024-0757 - Insert Or Embed Articulate Content Plugin

The Insert or Embed Articulate Content into WordPress plugin through 4.3000000023 does not properly filter which file extensions are allowed to be imported onto the server, allowing malicious code to be uploaded inside zip files.

PLUGIN Insert Or Embed Articulate Content

CVE-2024-0757

MEDIUM CVSS 5.4 2024-06-04
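The entry above is a zip-import bug: the archive is accepted, and its contents land in a web-served directory, without the file names inside the archive being checked. The following is an added illustration of the check such an importer needs, not the plugin's code; the helper names are hypothetical, and it assumes the caller has already restricted the upload to administrators and verified a nonce. It goes a little beyond the single extension check the entry implies, because a denylist on the final extension alone misses double extensions, dotfiles and path traversal.

```php
<?php
// Added example, not the listed plugin's code. Hypothetical helpers; assumes the upload is
// already limited to administrators and nonce-protected.

// Validate every entry of an uploaded zip BEFORE extracting anything from it.
// Returns true, or a string describing the first rejected entry.
function demo_zip_import_check( $zip_path ) {
    // Extensions a static content package may contain. Note what is absent: no php/phtml/
    // phar, no .htaccess, and no svg (SVG can carry script and is served inline).
    $allowed_final = array( 'html', 'htm', 'css', 'js', 'json', 'xml', 'txt', 'png', 'jpg',
                            'jpeg', 'gif', 'webp', 'mp3', 'mp4', 'woff', 'woff2' );
    // Segments that must not appear anywhere in the name: Apache's AddHandler evaluates
    // every extension, so "shell.php.png" can still execute as PHP.
    $exec_segments = array( 'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar',
                            'phps', 'pht', 'shtml', 'cgi', 'pl', 'py' );

    $zip = new ZipArchive();
    if ( true !== $zip->open( $zip_path, ZipArchive::CHECKCONS ) ) {
        return 'archive cannot be opened';
    }
    $problem = true;
    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $name = (string) $zip->getNameIndex( $i );
        $norm = str_replace( '\\', '/', $name );

        // Zip slip: absolute paths or ".." segments escape the extraction directory.
        if ( '' === $norm || '/' === $norm[0] || preg_match( '#(^|/)\.\.(/|$)#', $norm ) ) {
            $problem = "unsafe path: $name";
            break;
        }
        if ( '/' === substr( $norm, -1 ) ) {
            continue; // directory entry
        }
        $base = strtolower( basename( $norm ) );
        // Dotfiles (.htaccess, .user.ini) reconfigure the server; never import them.
        if ( '.' === $base[0] ) {
            $problem = "dotfile: $name";
            break;
        }
        $segments = explode( '.', $base );
        $final    = array_pop( $segments );   // a name without a dot yields itself here
        if ( ! in_array( $final, $allowed_final, true ) ) {
            $problem = "extension not allowed: $name";
            break;
        }
        foreach ( $segments as $seg ) {
            if ( in_array( $seg, $exec_segments, true ) ) {
                $problem = "executable segment in name: $name";
                break 2;
            }
        }
    }
    $zip->close();
    return $problem;
}

// Usage inside an import handler: validate first, then extract into a directory the web
// server is configured not to execute scripts from.
function demo_handle_package_upload( $tmp_path, $dest_dir ) {
    $check = demo_zip_import_check( $tmp_path );
    if ( true !== $check ) {
        return new WP_Error( 'unsafe_package', $check );
    }
    $zip = new ZipArchive();
    $zip->open( $tmp_path );
    $ok = $zip->extractTo( $dest_dir );
    $zip->close();
    return $ok ? $dest_dir : new WP_Error( 'extract_failed', 'extraction failed' );
}
```

The order matters: all entries are checked before any is written, so a malicious archive never gets a partial extraction, and the allowlist applies to the final extension while the executable-segment denylist applies to every other segment, which keeps legitimate names such as jquery.min.js while rejecting shell.php.png.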
Threat Entry Updated 2024-11-21

CVE-2024-1717 - Admin Notices Manager Plugin

The Admin Notices Manager plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handle_ajax_call() function in all versions up to, and including, 1.4.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve a list of registered user emails.

PLUGIN Admin Notices Manager

CVE-2024-1717

MEDIUM CVSS 4.3 2024-06-04
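Four entries on this page (Buddyboss Platform's IDOR on private posts, Essential Real Estate's remove_property_attachment_ajax(), Social Link Pages' import_link_pages(), and Admin Notices Manager's handle_ajax_call()) are all AJAX handlers missing one or more of the same checks: a nonce, an authentication requirement, a capability, and an object-level authorization decision. The following is an added illustration, not the code of any of those plugins; the action names 'demo_remove_attachment' and 'demo_like_post', the nonce action 'demo_ajax', and the meta key '_demo_likes' are hypothetical. It shows the vulnerable shape next to a hardened handler with the checks in the order they should run.

```php
<?php
// Added example, not code from any plugin on this page. Hypothetical AJAX actions
// 'demo_remove_attachment' and 'demo_like_post', nonce action 'demo_ajax'.

// VULNERABLE: reachable without login (wp_ajax_nopriv_), no nonce, no capability check,
// and the ID is taken from the request as-is, so any attachment on the site can be deleted.
function demo_remove_attachment_vulnerable() {
    wp_delete_attachment( (int) $_POST['attachment_id'], true );
    wp_send_json_success();
}
// add_action( 'wp_ajax_demo_remove_attachment', 'demo_remove_attachment_vulnerable' );
// add_action( 'wp_ajax_nopriv_demo_remove_attachment', 'demo_remove_attachment_vulnerable' );

// HARDENED: four checks, in this order. wp_send_json_error() exits, so each failure stops here.
function demo_remove_attachment_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action (dies with 403 if not).
    check_ajax_referer( 'demo_ajax', 'nonce' );

    // 2. Authentication: destructive handlers are registered on wp_ajax_ only, never on
    //    wp_ajax_nopriv_; the explicit check documents that and survives a copy-paste.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'unauthenticated', 401 );
    }

    // 3. Input validation: a positive integer that resolves to an attachment.
    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    $attachment    = $attachment_id ? get_post( $attachment_id ) : null;
    if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
        wp_send_json_error( 'not_found', 404 );
    }

    // 4. Object-level authorization, the check an IDOR is missing: may THIS user act on
    //    THIS object? delete_post is a meta capability that maps to delete_posts for the
    //    owner and delete_others_posts for everyone else, so a subscriber fails here.
    if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_attachment( $attachment_id, true );
    wp_send_json_success( array( 'deleted' => $attachment_id ) );
}
add_action( 'wp_ajax_demo_remove_attachment', 'demo_remove_attachment_hardened' );

// The same shape for a read-side IDOR: "liking" a post must be gated on whether the
// caller may see it, or private posts leak through the side channel. read_post resolves
// to read_private_posts for private posts the caller does not own.
function demo_like_post_hardened() {
    check_ajax_referer( 'demo_ajax', 'nonce' );
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'read_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $likes = (int) get_post_meta( $post_id, '_demo_likes', true );
    update_post_meta( $post_id, '_demo_likes', $likes + 1 );
    wp_send_json_success( array( 'likes' => $likes + 1 ) );
}
add_action( 'wp_ajax_demo_like_post', 'demo_like_post_hardened' );

// Browser side: the nonce is minted server-side and handed to the script.
function demo_enqueue_ajax() {
    wp_enqueue_script( 'demo-ajax', plugins_url( 'demo.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-ajax', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_ajax' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'demo_enqueue_ajax' );
```

A handler that returns data rather than changing it needs the matching read capability at step 4: returning registered users' e-mail addresses, as in the Admin Notices Manager entry, should be gated on current_user_can( 'list_users' ), which subscribers do not hold. Note also that a nonce is not an authorization check: it proves intent, not permission, and steps 2 and 4 are still required.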
Threat Entry Updated 2024-11-21

CVE-2024-3888 - Tagdiv Composer Plugin

The tagDiv Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's button shortcode in all versions up to, and including, 4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: The vulnerable code in this plugin is specifically tied to the tagDiv Newspaper theme. If another theme is installed (e.g., NewsMag), this code…

PLUGIN Tagdiv Composer

CVE-2024-3888

MEDIUM CVSS 6.4 2024-06-04
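The shortcode and block entries above (Essential Real Estate's 'ere_property_map', Download Attachments' 'download-attachments', the Kadence block attributes, and tagDiv Composer's button shortcode) are one bug class: attribute values supplied by a contributor are written into HTML without escaping, and the resulting script runs for every reader, including the administrator who reviews the post. The following is an added illustration, not the code of any of those plugins; the shortcode tag 'demo_map' and its attributes are hypothetical. A block render_callback needs the same treatment for its attributes array.

```php
<?php
// Added example, not code from any plugin on this page. Hypothetical shortcode 'demo_map'.

// VULNERABLE: attributes are interpolated into HTML unescaped. A contributor can write
//   [demo_map title='" onmouseover="alert(document.cookie)' url='javascript:alert(1)']
// and the payload fires for every visitor once the post is published by an editor.
function demo_map_shortcode_vulnerable( $atts ) {
    return '<a class="' . $atts['class'] . '" href="' . $atts['url'] . '" title="'
         . $atts['title'] . '">' . $atts['label'] . '</a>';
}

// HARDENED: declare the attribute set, then escape each value for the context it lands in.
function demo_map_shortcode_hardened( $atts ) {
    $atts = shortcode_atts(
        array(
            'title' => '',
            'url'   => '',
            'label' => 'Open map',
            'class' => 'demo-map',
        ),
        $atts,
        'demo_map'
    );

    // esc_url() returns '' for schemes outside wp_allowed_protocols() (javascript:, data:
    // and friends) and escapes the survivor for use in an attribute.
    $url = esc_url( $atts['url'] );
    if ( '' === $url ) {
        return '';
    }

    // One escaper per output context: esc_attr() inside attribute values, esc_html() for
    // text nodes, sanitize_html_class() for class tokens. Escaping once "at the top" with
    // the wrong function is the usual way these fixes are incomplete.
    return sprintf(
        '<a class="%s" href="%s" title="%s">%s</a>',
        esc_attr( sanitize_html_class( $atts['class'], 'demo-map' ) ),
        $url,
        esc_attr( $atts['title'] ),
        esc_html( $atts['label'] )
    );
}
add_shortcode( 'demo_map', 'demo_map_shortcode_hardened' );
```

When a shortcode is meant to accept limited markup in an attribute (a caption with <em>, say), wp_kses() with an explicit allowlist replaces esc_html() for that one value; the other values keep their context-specific escaper.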
Threat Entry Updated 2024-11-21

CVE-2024-4552 - Social Login Lite For Woocommerce Plugin

The Social Login Lite For WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.6.0. This is due to insufficient verification of the user identity supplied during social login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know that user's email address.

PLUGIN Social Login Lite For Woocommerce

CVE-2024-4552

CRITICAL CVSS 9.8 2024-06-04
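The entry above is the textbook social-login failure: the site accepts the identity the browser claims instead of verifying a token the identity provider actually signed. The following is an added illustration, not the listed plugin's code; the issuer 'https://idp.example', the options 'demo_idp_public_key_pem' and 'demo_idp_client_id', the form field 'id_token' and the user-meta key 'demo_idp_sub' are hypothetical, and it assumes the provider issues RS256 ID tokens with a single audience and a boolean email_verified claim. Real providers publish rotating keys via JWKS; fetching and caching them is omitted.

```php
<?php
// Added example, not the listed plugin's code. Hypothetical provider configuration.

// VULNERABLE: whoever the request says logged in is logged in.
function demo_social_login_vulnerable() {
    $user = get_user_by( 'email', sanitize_email( $_POST['email'] ) );
    if ( $user ) {
        wp_set_auth_cookie( $user->ID );
    }
}

function demo_b64url_decode( $s ) {
    return base64_decode( strtr( $s, '-_', '+/' ), true );
}

// Verify an RS256 ID token; returns the claims on success, null on any failure.
function demo_verify_id_token( $jwt, $public_key_pem, $issuer, $audience ) {
    $parts = explode( '.', $jwt );
    if ( 3 !== count( $parts ) ) {
        return null;
    }
    list( $h, $p, $s ) = $parts;
    $header = json_decode( demo_b64url_decode( $h ), true );
    $claims = json_decode( demo_b64url_decode( $p ), true );
    $sig    = demo_b64url_decode( $s );
    // Pin the algorithm: never let the token choose ("alg":"none", HS256 key confusion).
    if ( ! is_array( $header ) || ! is_array( $claims ) || false === $sig
        || 'RS256' !== ( $header['alg'] ?? '' ) ) {
        return null;
    }
    $key = openssl_pkey_get_public( $public_key_pem );
    if ( false === $key || 1 !== openssl_verify( "$h.$p", $sig, $key, OPENSSL_ALGO_SHA256 ) ) {
        return null;
    }
    // A valid signature only proves the provider issued it; the claims still have to be
    // for this site, unexpired, and carry a verified e-mail and a subject.
    if ( ( $claims['iss'] ?? '' ) !== $issuer
        || ( $claims['aud'] ?? '' ) !== $audience
        || ( $claims['exp'] ?? 0 ) <= time()
        || empty( $claims['sub'] )
        || empty( $claims['email'] )
        || true !== ( $claims['email_verified'] ?? false ) ) {
        return null;
    }
    return $claims;
}

// HARDENED: identity comes from a token the provider signed, not from a form field.
function demo_social_login_hardened() {
    $token  = isset( $_POST['id_token'] ) ? (string) $_POST['id_token'] : '';
    $claims = demo_verify_id_token(
        $token,
        (string) get_option( 'demo_idp_public_key_pem', '' ),
        'https://idp.example',
        (string) get_option( 'demo_idp_client_id', '' )
    );
    if ( null === $claims ) {
        wp_die( 'Social login failed', '', array( 'response' => 401 ) );
    }
    // Bind accounts on the provider's stable subject ID where one has been linked; fall
    // back to e-mail only for first-time linking, since addresses can change hands.
    $linked = get_users( array( 'meta_key' => 'demo_idp_sub', 'meta_value' => $claims['sub'], 'number' => 1 ) );
    $user   = $linked ? $linked[0] : get_user_by( 'email', $claims['email'] );
    if ( ! $user ) {
        wp_die( 'No account linked to this identity', '', array( 'response' => 403 ) );
    }
    if ( ! $linked ) {
        update_user_meta( $user->ID, 'demo_idp_sub', $claims['sub'] );
    }
    wp_set_auth_cookie( $user->ID, false );
    wp_safe_redirect( home_url( '/' ) );
    exit;
}
```

The two properties to check in any social-login plugin are that the server, not the browser, verifies the provider's signature, and that the claim used to select the local account (sub, or email with email_verified) comes out of that verified token rather than out of the request body beside it.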
Threat Entry Updated 2024-11-21

CVE-2024-4870 - Frontend Registration Contact Form 7 Plugin

The Frontend Registration – Contact Form 7 plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1 due to insufficient restriction on the '_cf7frr_' post meta. This makes it possible for authenticated attackers, with editor-level access and above, to modify the default user role in the registration form settings.

PLUGIN Frontend Registration Contact Form 7

CVE-2024-4870

HIGH CVSS 7.2 2024-06-04
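The entry above is a privilege escalation through configuration: a form setting decides which role new registrants get, and a user who may edit the form (editor) may not assign roles (administrator). The following is an added illustration, not the listed plugin's code; the post type 'demo_form', the meta key '_demo_default_role' and the helper names are hypothetical. It constrains the stored value to roles the form is allowed to hand out and re-validates at the moment a user is created.

```php
<?php
// Added example, not the listed plugin's code. Hypothetical post type 'demo_form' and
// meta key '_demo_default_role'.

// Roles a registration form may hand out: anything that can manage options, edit or
// promote users, or edit others' content is excluded, regardless of who edits the form.
function demo_assignable_roles() {
    $out = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        $caps = isset( $role['capabilities'] ) ? $role['capabilities'] : array();
        if ( empty( $caps['manage_options'] ) && empty( $caps['edit_users'] )
            && empty( $caps['promote_users'] ) && empty( $caps['edit_others_posts'] ) ) {
            $out[] = $slug;
        }
    }
    return $out;
}

// Unknown or disallowed values collapse to the site's own default role, never to a
// privileged one.
function demo_sanitize_default_role( $value ) {
    $value = sanitize_key( (string) $value );
    return in_array( $value, demo_assignable_roles(), true )
        ? $value
        : get_option( 'default_role', 'subscriber' );
}

function demo_register_form_meta() {
    // Registering the meta routes every write (editor, REST, plugin save handler) through
    // the sanitizer, and auth_callback stops users without promote_users changing it at all.
    register_post_meta( 'demo_form', '_demo_default_role', array(
        'type'              => 'string',
        'single'            => true,
        'show_in_rest'      => true,
        'sanitize_callback' => 'demo_sanitize_default_role',
        'auth_callback'     => function () {
            return current_user_can( 'promote_users' );
        },
    ) );
}
add_action( 'init', 'demo_register_form_meta' );

// At registration time, re-validate the stored value: configuration written by a
// lower-privileged user before the fix, or through a path that bypassed the sanitizer,
// must not be trusted just because it sits in the database.
function demo_create_user_from_form( $form_id, $login, $email, $password ) {
    $role = demo_sanitize_default_role( get_post_meta( $form_id, '_demo_default_role', true ) );
    return wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role,
    ) );
}
```

The plugin's own form save handler is the third write path to audit: if it calls update_post_meta() directly with a value from the request, the sanitizer registered here still runs, but a missing promote_users check there would be the bug the entry describes.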
Threat Entry Updated 2024-11-21

CVE-2024-34801 - Praison SEO WordPress Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Mervin Praison Praison SEO WordPress allows Stored XSS. This issue affects Praison SEO WordPress: from n/a through 4.0.15.

PLUGIN Praison SEO WordPress

CVE-2024-34801

MEDIUM CVSS 6.5 2024-06-03
Threat Entry Updated 2024-11-21

CVE-2024-4344 - Wp Simple Firewall Plugin

The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 19.1.13. This is due to missing or incorrect nonce validation on the exec function. This makes it possible for unauthenticated attackers to disable PIN protection for the plugin's admin interface via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Wp Simple Firewall

CVE-2024-4344

MEDIUM CVSS 4.3 2024-06-02
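The last entry is a CSRF: a capability check alone cannot stop it, because the victim is an administrator; what is missing is proof that the administrator intended the request. The following is an added illustration, not the listed plugin's code; the admin-post action 'demo_disable_pin', the option 'demo_admin_pin_enabled' and the menu slug 'demo' are hypothetical. It shows both halves of the nonce round trip and the "incorrect validation" pattern the entry alludes to, which passes when the nonce is simply omitted.

```php
<?php
// Added example, not the listed plugin's code. Hypothetical action 'demo_disable_pin'.

// VULNERABLE: a request to admin-post.php?action=demo_disable_pin, triggered by any page
// the administrator visits, turns the protection off. The capability check is satisfied
// because the victim's own session carries the request.
function demo_disable_pin_vulnerable() {
    if ( current_user_can( 'manage_options' ) ) {
        update_option( 'demo_admin_pin_enabled', 0 );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=demo' ) );
    exit;
}

// ALSO VULNERABLE ("incorrect nonce validation"): only verifies the nonce when one was
// sent, so an attacker just leaves the field out.
function demo_disable_pin_incorrect() {
    if ( isset( $_REQUEST['_wpnonce'] ) && ! wp_verify_nonce( $_REQUEST['_wpnonce'], 'demo_disable_pin' ) ) {
        wp_die( 'Bad nonce' );
    }
    update_option( 'demo_admin_pin_enabled', 0 );
}

// HARDENED, form side: the nonce is tied to this action and to the current user, and
// expires; wp_nonce_field() emits the _wpnonce and _wp_http_referer fields.
function demo_disable_pin_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'demo_disable_pin' );
    echo '<input type="hidden" name="action" value="demo_disable_pin" />';
    submit_button( 'Disable PIN protection' );
    echo '</form>';
}

// HARDENED, handler side: intent (nonce) AND permission (capability), unconditionally.
function demo_disable_pin_hardened() {
    // Dies with 403 if the nonce is absent, expired, or minted for another action or user.
    check_admin_referer( 'demo_disable_pin' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // State changes are POST-only: a nonce carried in a GET link leaks through Referer.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_die( 'Method not allowed', '', array( 'response' => 405 ) );
    }
    update_option( 'demo_admin_pin_enabled', 0 );
    wp_safe_redirect( admin_url( 'admin.php?page=demo&pin=disabled' ) );
    exit;
}
add_action( 'admin_post_demo_disable_pin', 'demo_disable_pin_hardened' );
```

The review question for any security-sensitive admin action is whether the nonce check runs unconditionally before the side effect; a check guarded by isset(), or one that verifies a nonce for a different action name, is the "incorrect" case and is as exploitable as no check at all.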