Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 records (Critical 923, High 3,047, Medium 10,866). Showing 9381-9400 of 15036 records.
CVE-2024-4419 - Fetch Jft Plugin

The Fetch JFT plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Plugin: Fetch Jft | CVE-2024-4419 | MEDIUM, CVSS 4.4 | 2024-05-29 | Threat entry updated 2025-06-04

CVE-2023-6743 - Unlimited Elements For Elementor Plugin

The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.5.89 via the template import functionality. This makes it possible for authenticated attackers, with contributor access and above, to execute code on the server.

Plugin: Unlimited Elements For Elementor | CVE-2023-6743 | HIGH, CVSS 8.8 | 2024-05-29 | Threat entry updated 2025-01-30

CVE-2024-4611 - Apppresser Plugin

The AppPresser plugin for WordPress is vulnerable to improper missing encryption exception handling on the 'decrypt_value' and on the 'doCookieAuth' functions in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they previously used the login via the plugin API. This can only be exploited if the 'openssl' php extension is not loaded on the server.

Plugin: Apppresser | CVE-2024-4611 | HIGH, CVSS 8.1 | 2024-05-29 | Threat entry updated 2025-06-05

CVE-2024-0434 - Tour Booking Manager Plugin

The WordPress Tour & Travel Booking Plugin for WooCommerce – WpTravelly plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ttbm_new_place_save' function in all versions up to, and including, 1.7.1. This makes it possible for unauthenticated attackers to create and publish new place posts. This function is also vulnerable to CSRF.

Plugin: Tour Booking Manager | CVE-2024-0434 | MEDIUM, CVSS 5.3 | 2024-05-29 | Threat entry updated 2024-11-21

CVE-2024-5150 - Login With Phone Number Plugin

The Login with phone number plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.26. This is because the 'activation_code' default value is empty and the non-empty check is missing in the 'lwp_ajax_register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user email. The vulnerability is patched in version 1.7.26, but there is an issue in the patch that causes the entire function…

Plugin: Login With Phone Number | CVE-2024-5150 | CRITICAL, CVSS 9.8 | 2024-05-29 | Threat entry updated 2024-11-21

CVE-2024-5204 - Swiss Toolkit For Wp Plugin

The Swiss Toolkit For WP plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.0.7. This is due to the plugin storing custom data in post metadata without an underscore prefix. This makes it possible for authenticated attackers with contributor-level and above permissions to log in as any existing user on the site, such as an administrator.

Plugin: Swiss Toolkit For Wp | CVE-2024-5204 | HIGH, CVSS 8.8 | 2024-05-29 | Threat entry updated 2024-11-21

CVE-2024-4535 - Kkprogressbar2 Plugin

The KKProgressbar2 Free WordPress plugin through 1.1.4.2 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks.

Plugin: Kkprogressbar2 | CVE-2024-4535 | HIGH, CVSS 8.8 | 2024-05-27 | Threat entry updated 2025-05-19

CVE-2024-4531 - Business Card Plugin

The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions, such as editing cards, via CSRF attacks.

Plugin: Business Card | CVE-2024-4531 | HIGH, CVSS 7.1 | 2024-05-27 | Threat entry updated 2025-05-01

CVE-2024-4533 - Kkprogressbar2 Plugin

The KKProgressbar2 Free WordPress plugin through 1.1.4.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admin users to perform SQL injection attacks.

Plugin: Kkprogressbar2 | CVE-2024-4533 | MEDIUM, CVSS 6.5 | 2024-05-27 | Threat entry updated 2025-05-19

CVE-2024-4532 - Business Card Plugin

The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions, such as deleting cards, via CSRF attacks.

Plugin: Business Card | CVE-2024-4532 | MEDIUM, CVSS 6.4 | 2024-05-27 | Threat entry updated 2025-05-01

CVE-2024-4534 - Kkprogressbar2 Plugin

The KKProgressbar2 Free WordPress plugin through 1.1.4.2 does not have CSRF checks in some places and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

Plugin: Kkprogressbar2 | CVE-2024-4534 | MEDIUM, CVSS 6.1 | 2024-05-27 | Threat entry updated 2025-05-19

CVE-2024-4530 - Business Card Plugin

The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions, such as editing card categories, via CSRF attacks.

Plugin: Business Card | CVE-2024-4530 | MEDIUM, CVSS 6.3 | 2024-05-27 | Threat entry updated 2025-05-01

CVE-2024-3939 - Before 3 Plugin

The Ditty WordPress plugin before 3.1.36 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Plugin: Before 3 | CVE-2024-3939 | MEDIUM, CVSS 5.4 | 2024-05-27 | Threat entry updated 2025-05-21

CVE-2024-4529 - Business Card Plugin

The Business Card WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions, such as deleting card categories, via CSRF attacks.

Plugin: Business Card | CVE-2024-4529 | MEDIUM, CVSS 5.0 | 2024-05-27 | Threat entry updated 2025-05-01

CVE-2024-4045 - Optinmonster Plugin

The Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'campaign_id' parameter in versions up to, and including, 2.16.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Optinmonster | CVE-2024-4045 | MEDIUM, CVSS 6.4 | 2024-05-25 | Threat entry updated 2025-07-16

CVE-2024-5218 - G Business Reviews Rating Plugin

The Reviews and Rating – Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file upload feature in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: G Business Reviews Rating | CVE-2024-5218 | MEDIUM, CVSS 6.4 | 2024-05-25 | Threat entry updated 2024-11-21

CVE-2024-5229 - Primary Addon For Elementor Plugin

The Primary Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Pricing Table widget in all versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Primary Addon For Elementor | CVE-2024-5229 | MEDIUM, CVSS 6.4 | 2024-05-25 | Threat entry updated 2025-04-04

CVE-2024-4858 - Testimonial Carousel For Elementor Plugin

The Testimonial Carousel For Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_testimonials_option_callback' function in versions up to, and including, 10.2.0. This makes it possible for unauthenticated attackers to update the OpenAI API key, disabling the feature.

Plugin: Testimonial Carousel For Elementor | CVE-2024-4858 | MEDIUM, CVSS 5.3 | 2024-05-25 | Threat entry updated 2025-04-04

CVE-2024-5220 - Nd Shortcodes Plugin

The ND Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's upload feature in all versions up to, and including, 7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Nd Shortcodes | CVE-2024-5220 | MEDIUM, CVSS 6.4 | 2024-05-25 | Threat entry updated 2025-04-04

CVE-2024-4455 - Yith Woocommerce Ajax Search Plugin

The YITH WooCommerce Ajax Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'item' parameter in versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Yith Woocommerce Ajax Search | CVE-2024-4455 | HIGH, CVSS 7.2 | 2024-05-24 | Threat entry updated 2025-04-04