Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036
Critical: 923
High: 3,047
Medium: 10,866
Showing 9521-9540 of 15036 records
Threat Entry Updated 2025-01-30

CVE-2024-4891 - Essential Blocks Plugin

The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tagName’ parameter in versions up to, and including, 4.5.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Essential Blocks

CVE-2024-4891

MEDIUM CVSS 6.4 2024-05-18
Threat Entry Updated 2025-03-21

CVE-2024-4374 - Dethemekit For Elementor

The DethemeKit For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 2.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Dethemekit For Elementor

CVE-2024-4374

MEDIUM CVSS 6.4 2024-05-18
Threat Entry Updated 2025-03-05

CVE-2024-3714 - Givewp Plugin

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'give_form' shortcode when used with a legacy form in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Givewp

CVE-2024-3714

MEDIUM CVSS 6.4 2024-05-18
Threat Entry Updated 2025-01-07

CVE-2024-4865 - Happy Addons For Elementor Plugin

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_id’ parameter in all versions up to, and including, 3.10.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Happy Addons For Elementor

CVE-2024-4865

MEDIUM CVSS 6.4 2024-05-18
Threat Entry Updated 2024-11-21

CVE-2024-32692 - WordPress Core

Missing Authorization vulnerability in QuanticaLabs Chauffeur Taxi Booking System for WordPress allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Chauffeur Taxi Booking System for WordPress: from n/a through 6.9.

CORE WordPress Core

CVE-2024-32692

HIGH CVSS 8.2 2024-05-17
Threat Entry Updated 2024-11-21

CVE-2024-4789 - Cost Calculator Builder Pro Plugin

Cost Calculator Builder Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to 3.1.72, via the send_demo_webhook() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Cost Calculator Builder Pro

CVE-2024-4789

MEDIUM CVSS 6.4 2024-05-17
Threat Entry Updated 2025-04-10

CVE-2024-34434 - Wordpress Meta Data And Taxonomies Filter Plugin

Incorrect Authorization vulnerability in realmag777 WordPress Meta Data and Taxonomies Filter (MDTF) allows Code Inclusion, Functionality Misuse. This issue affects WordPress Meta Data and Taxonomies Filter (MDTF): from n/a through 1.3.3.2.

PLUGIN Wordpress Meta Data And Taxonomies Filter

CVE-2024-34434

MEDIUM CVSS 6.5 2024-05-17
Threat Entry Updated 2024-11-21

CVE-2024-31290 - WordPress Core

Improper Privilege Management vulnerability in CodeRevolution Demo My WordPress allows Privilege Escalation. This issue affects Demo My WordPress: from n/a through 1.0.9.1.

CORE WordPress Core

CVE-2024-31290

CRITICAL CVSS 9.8 2024-05-17
Threat Entry Updated 2024-11-21

CVE-2024-22139 - WordPress Core

Authentication Bypass by Spoofing vulnerability in Filipe Seabra WordPress Manutenção allows Functionality Bypass. This issue affects WordPress Manutenção: from n/a through 1.0.6.

CORE WordPress Core

CVE-2024-22139

LOW CVSS 3.7 2024-05-17
Threat Entry Updated 2024-11-21

CVE-2023-47683 - WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) Plugin

Improper Privilege Management vulnerability in miniOrange WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) allows Privilege Escalation. This issue affects WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn): from n/a through 7.6.6.

PLUGIN WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn)

CVE-2023-47683

HIGH CVSS 8.0 2024-05-17
Threat Entry Updated 2025-05-30

CVE-2024-3580 - Popup4phone Plugin

The Popup4Phone WordPress plugin through 1.3.2 does not sanitise and escape some of its settings, which could allow high privilege users such as Editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Popup4phone

CVE-2024-3580

MEDIUM CVSS 6.1 2024-05-17
Threat Entry Updated 2025-05-30

CVE-2024-3231 - Popup4phone Plugin

The Popup4Phone WordPress plugin through 1.3.2 does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks against admins.

PLUGIN Popup4phone

CVE-2024-3231

MEDIUM CVSS 6.1 2024-05-17
Threat Entry Updated 2025-06-30

CVE-2024-2697 - Socialdriver Framework Plugin

The socialdriver-framework WordPress plugin before 2024.0.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

PLUGIN Socialdriver Framework

CVE-2024-2697

MEDIUM CVSS 6.5 2024-05-17
Threat Entry Updated 2025-05-21

CVE-2024-2744 - Nextgen Gallery Plugin

The NextGEN Gallery WordPress plugin before 3.59.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN Nextgen Gallery

CVE-2024-2744

MEDIUM CVSS 4.3 2024-05-17
Threat Entry Updated 2024-11-21

CVE-2024-3551 - Penci Soledad Data Migrator Plugin

The Penci Soledad Data Migrator plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.0 via the 'data' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. This is limited to just PHP files.

PLUGIN Penci Soledad Data Migrator

CVE-2024-3551

CRITICAL CVSS 9.8 2024-05-17
Threat Entry Updated 2025-01-29

CVE-2024-3134 - Master Addons Plugin

The Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the title_html_tag attribute in all versions up to, and including, 2.0.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Master Addons

CVE-2024-3134

MEDIUM CVSS 6.4 2024-05-16
Threat Entry Updated 2024-11-21

CVE-2024-4204 - Bulk Posts Editing For Wordpress Plugin

The Bulk Posts Editing For WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.3. This is due to missing or incorrect nonce validation on the plugin's AJAX actions. This makes it possible for unauthenticated attackers to create and duplicate posts, retrieve post content, and modify post taxonomy among other things via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Bulk Posts Editing For Wordpress

CVE-2024-4204

MEDIUM CVSS 4.3 2024-05-16
Threat Entry Updated 2025-06-27

CVE-2024-3609 - Reviewx Plugin

The ReviewX – Multi-criteria Rating & Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the reviewx_remove_guest_image function in all versions up to, and including, 1.6.27. This makes it possible for authenticated attackers, with subscriber access and above, to delete attachments.

PLUGIN Reviewx

CVE-2024-3609

MEDIUM CVSS 4.3 2024-05-16
Threat Entry Updated 2025-01-29

CVE-2024-2619 - Elementor Header Footer Builder Plugin

The Elementor Header & Footer Builder for WordPress is vulnerable to HTML Injection in all versions up to, and including, 1.6.26 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level permissions and above, to inject arbitrary HTML in pages that will be shown whenever a user accesses an injected page.

PLUGIN Elementor Header Footer Builder

CVE-2024-2619

MEDIUM CVSS 5.0 2024-05-16
Threat Entry Updated 2025-01-30

CVE-2024-4580 - Master Addons Plugin

The Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 2.0.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Master Addons

CVE-2024-4580

MEDIUM CVSS 6.4 2024-05-16