Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-02-03
CVE-2024-3883 - 3d Flipbook Plugin
The 3D FlipBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Bookmark URL field in all versions up to, and including, 1.15.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
3d Flipbook
CVE-2024-3883
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3280 - Follow Us Badges Plugin
The Follow Us Badges plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpsite_follow_us_badges shortcode in all versions up to, and including, 3.1.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Follow Us Badges
CVE-2024-3280
Risk Score
Threat Entry
Updated 2025-02-27
CVE-2024-3490 - Wp Recipe Maker Plugin
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wprm-recipe-roundup-item shortcode in all versions up to, and including, 9.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Recipe Maker
CVE-2024-3490
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-3478 - Herd Effects Plugin
The Herd Effects WordPress plugin before 5.2.7 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting effects via CSRF attacks
PLUGIN
Herd Effects
CVE-2024-3478
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-3481 - Before 1 Plugin
The Counter Box WordPress plugin before 1.2.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such deleting counters via CSRF attacks
PLUGIN
Before 1
CVE-2024-3481
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-3476 - Side Menu Lite Plugin
The Side Menu Lite WordPress plugin before 4.2.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting buttons via CSRF attacks
PLUGIN
Side Menu Lite
CVE-2024-3476
Risk Score
Threat Entry
Updated 2025-03-25
CVE-2024-3474 - Wow Skype Buttons Plugin
The Wow Skype Buttons WordPress plugin before 4.0.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting buttons via CSRF attacks
PLUGIN
Wow Skype Buttons
CVE-2024-3474
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-3475 - Sticky Buttons Plugin
The Sticky Buttons WordPress plugin before 3.2.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting buttons via CSRF attacks
PLUGIN
Sticky Buttons
CVE-2024-3475
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-3472 - Modal Window Plugin
The Modal Window WordPress plugin before 5.3.10 does not have CSRF check in place when bulk deleting modals, which could allow attackers to make a logged in admin delete them via a CSRF attack
PLUGIN
Modal Window
CVE-2024-3472
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-3477 - Before 2 Plugin
The Popup Box WordPress plugin before 2.2.7 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting popups via CSRF attacks
PLUGIN
Before 2
CVE-2024-3477
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-3471 - Button Generator Plugin
The Button Generator WordPress plugin before 3.0 does not have CSRF check in place when bulk deleting, which could allow attackers to make a logged in admin delete buttons via a CSRF attack
PLUGIN
Button Generator
CVE-2024-3471
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-2405 - Before 6 Plugin
The Float menu WordPress plugin before 6.0.1 does not have CSRF check in its bulk actions, which could allow attackers to make logged in admin delete arbitrary menu via a CSRF attack.
PLUGIN
Before 6
CVE-2024-2405
Risk Score
Threat Entry
Updated 2025-01-15
CVE-2024-0334 - Jeg Elementor Kit Plugin
The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom attribute of a link in several Elementor widgets in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Jeg Elementor Kit
CVE-2024-0334
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-3591 - Geo Controller Plugin
The Geo Controller WordPress plugin before 8.6.5 unserializes user input via some of its AJAX actions and REST API routes, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.
PLUGIN
Geo Controller
CVE-2024-3591
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-2663 - Zd Youtube Flv Player Plugin
The ZD YouTube FLV Player plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.6 via the $_GET['image'] parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Zd Youtube Flv Player
CVE-2024-2663
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4185 - Customer Email Verification For Woocommerce Plugin
The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Email Verification and Authentication Bypass in all versions up to, and including, 2.7.4 via the use of insufficiently random activation code. This makes it possible for unauthenticated attackers to bypass the email verification, and if both the "Login the user automatically after the account is verified" and "Verify account for current users" options are checked, then it potentially makes it possible for attackers to bypass authentication for other users.
PLUGIN
Customer Email Verification For Woocommerce
CVE-2024-4185
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3072 - Acf Front End Editor Plugin
The ACF Front End Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_texts() function in all versions up to, and including, 2.0.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary post title, content, and ACF data.
PLUGIN
Acf Front End Editor
CVE-2024-3072
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2024-1895 - Event Monster Plugin
The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.4 via deserialization via shortcode of untrusted input from a custom meta value. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary…
PLUGIN
Event Monster
CVE-2024-1895
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-1371 - Leadconnector Plugin
The LeadConnector plugin for WordPress is vulnerable to unauthorized modification & loss of data due to a missing capability check on the lc_public_api_proxy() function in all versions up to, and including, 1.7. This makes it possible for unauthenticated attackers to delete arbitrary posts.
PLUGIN
Leadconnector
CVE-2024-1371
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-0216 - Google Doc Embedder Plugin
The Google Doc Embedder plugin for WordPress is vulnerable to Server Side Request Forgery via the 'gview' shortcode in versions up to, and including, 2.6.4. This can allow authenticated attackers with contributor-level permissions or above to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Google Doc Embedder
CVE-2024-0216
Risk Score