Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-11-21
CVE-2024-4413 - Motopress Hotel Booking Lite Plugin
The Hotel Booking Lite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.11.1 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
PLUGIN
Motopress Hotel Booking Lite
CVE-2024-4413
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4411 - Yandex Turbo Feed Plugin
The Mihdan: Yandex Turbo Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.6.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Yandex Turbo Feed
CVE-2024-4411
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4398 - Html5 Audio Player Plugin
The HTML5 Audio Player- Best WordPress Audio Player Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 2.2.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Html5 Audio Player
CVE-2024-4398
Risk Score
Threat Entry
Updated 2025-01-15
CVE-2024-4397 - Learnpress Plugin
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_post_materials' function in versions up to, and including, 4.2.6.5. This makes it possible for authenticated attackers, with Instructor-level permissions and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Learnpress
CVE-2024-4397
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4386 - Meow Gallery Plugin
The Gallery Block (Meow Gallery) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data_atts’ parameter in versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Meow Gallery
CVE-2024-4386
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-4383 - Simple Membership Plugin
The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'swpm_paypal_subscription_cancel_link' shortcode in all versions up to, and including, 4.4.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Simple Membership
CVE-2024-4383
Risk Score
Threat Entry
Updated 2025-02-03
CVE-2024-4339 - Prime Slider Plugin
The Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the General widget in all versions up to, and including, 3.14.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Prime Slider
CVE-2024-4339
Risk Score
Threat Entry
Updated 2025-10-15
CVE-2024-4335 - Seo Plugin
The Rank Math SEO with AI Best SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘textAlign’ parameter in versions up to, and including, 1.0.217 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Seo
CVE-2024-4335
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4329 - Thim Elementor Kit Plugin
The Thim Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Thim Elementor Kit
CVE-2024-4329
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-4316 - Embedpress Plugin
The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 3.9.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Embedpress
CVE-2024-4316
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4314 - Hostel Plugin
The Hostel plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5.3. This is due to missing or incorrect nonce validation when managing rooms. This makes it possible for unauthenticated attackers to create and delete rooms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Hostel
CVE-2024-4314
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4312 - For Wordpress Is Vulnerable To Cross Site Request Forgery In All Versions Up To Plugin
The Soccer Engine – Soccer Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12. This is due to missing or incorrect nonce validation when saving match and team settings. This makes it possible for unauthenticated attackers to change plugin settings as well as teams, players, etc. via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
For Wordpress Is Vulnerable To Cross Site Request Forgery In All Versions Up To
CVE-2024-4312
Risk Score
Threat Entry
Updated 2025-01-15
CVE-2024-4277 - Learnpress Plugin
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘layout_html’ parameter in all versions up to, and including, 4.2.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Learnpress
CVE-2024-4277
Risk Score
Threat Entry
Updated 2025-01-15
CVE-2024-4275 - Essential Addons For Elementor Plugin
The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Interactive Circle widget in all versions up to, and including, 5.9.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Essential Addons For Elementor
CVE-2024-4275
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4280 - White Label Cms Plugin
The White Label CMS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_plugin function in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to reset plugin settings.
PLUGIN
White Label Cms
CVE-2024-4280
Risk Score
Threat Entry
Updated 2025-02-07
CVE-2024-4209 - Gutenberg Blocks With Ai Plugin
The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown timer in all versions up to, and including, 3.2.36 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Gutenberg Blocks With Ai
CVE-2024-4209
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4213 - Ecommerce Store Plugin
The Shopping Cart & eCommerce Store plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.6.4 via the order report functionality. This makes it possible for unauthenticated attackers to extract sensitive data including order details such as payment details, addresses and other PII.
PLUGIN
Ecommerce Store
CVE-2024-4213
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4193 - Testimonial Slider Plugin
The Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'testimonialcategory' shortcode in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Testimonial Slider
CVE-2024-4193
Risk Score
Threat Entry
Updated 2025-01-28
CVE-2024-4158 - Blocksy Plugin
The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tagName’ parameter in versions up to, and including, 2.0.42 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Blocksy
CVE-2024-4158
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4150 - Simple Basic Contact Form Plugin
The Simple Basic Contact Form plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘scf_email’ parameter in versions up to, and including, 20221201 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Simple Basic Contact Form
CVE-2024-4150
Risk Score