Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-05-07
CVE-2024-1756 - Woocommerce Customers Manager Plugin
The WooCommerce Customers Manager WordPress plugin before 29.8 does not have authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber, to call it and retrieve the list of customer email addresses along with their id, first name and last name
PLUGIN
Woocommerce Customers Manager
CVE-2024-1756
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-2404 - Better Comments Plugin
The Better Comments WordPress plugin before 1.5.6 does not sanitise and escape some of its settings, which could allow low privilege users such as Subscribers to perform Stored Cross-Site Scripting attacks.
PLUGIN
Better Comments
CVE-2024-2404
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-2402 - Better Comments Plugin
The Better Comments WordPress plugin before 1.5.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Better Comments
CVE-2024-2402
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-3261 - Strong Testimonials Plugin
The Strong Testimonials WordPress plugin before 3.1.12 does not validate and escape some of its Testimonial fields before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The attack requires a specific view to be performed
PLUGIN
Strong Testimonials
CVE-2024-3261
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2024-2972 - Before 3 Plugin
The Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button WordPress plugin before 3.1.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Before 3
CVE-2024-2972
Risk Score
Threat Entry
Updated 2025-05-08
CVE-2023-7253 - Before 2 Plugin
The Import WP WordPress plugin before 2.13.1 does not prevent users with the administrator role from pinging conducting SSRF attacks, which may be a problem in multisite configurations.
PLUGIN
Before 2
CVE-2023-7253
Risk Score
Threat Entry
Updated 2025-05-07
CVE-2024-1743 - Woocommerce Customers Manager Plugin
The WooCommerce Customers Manager WordPress plugin before 29.8 does not sanitise and escape various parameters before outputting them back in pages and attributes, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
Woocommerce Customers Manager
CVE-2024-1743
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2024-2477 - Wpdiscuz Plugin
The wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of an uploaded image in all versions up to, and including, 7.6.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wpdiscuz
CVE-2024-2477
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3491 - Schema & Structured Data for WP & AMP Plugin
The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's "How To" and "FAQ" Blocks in all versions up to, and including, 1.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Schema & Structured Data for WP & AMP
CVE-2024-3491
Risk Score
Threat Entry
Updated 2025-03-24
CVE-2024-3732 - Geodirectory Plugin
The GeoDirectory – WordPress Business Directory Plugin, or Classified Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gd_single_tabs' shortcode in all versions up to, and including, 2.3.48 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Geodirectory
CVE-2024-3732
Risk Score
Threat Entry
Updated 2025-10-15
CVE-2024-3665 - Seo Plugin
The Rank Math SEO with AI SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's HowTo and FAQ widgets in all versions up to, and including, 1.0.216 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Seo
CVE-2024-3665
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-0900 - Elespare – Blog, Magazine and Newspaper Addons for Elementor with Templates, Widgets, Kits, and Header/Footer Builder. One Click Import: No Coding Required! Plugin
The Elespare – Build Your Blog, News & Magazine Websites with Expert-Designed Template Kits. One Click Import: No Coding Skills Required! plugin for WordPress is vulnerable to unauthorized post creation due to a missing capability check on the elespare_create_post() function hooked via AJAX in all versions up to, and including, 2.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary posts.
PLUGIN
Elespare – Blog, Magazine and Newspaper Addons for Elementor with Templates, Widgets, Kits, and Header/Footer Builder. One Click Import: No Coding Required!
CVE-2024-0900
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3664 - Quick Featured Images Plugin
The Quick Featured Images plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the set_thumbnail and delete_thumbnail functions in all versions up to, and including, 13.7.0. This makes it possible for authenticated attackers, with contributor-level access and above, to delete thumbnails and add thumbnails to posts they did not author.
PLUGIN
Quick Featured Images
CVE-2024-3664
Risk Score
Threat Entry
Updated 2025-01-10
CVE-2024-2798 - Royal Elementor Addons Plugin
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widget containers in all versions up to, and including, 1.3.971 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Royal Elementor Addons
CVE-2024-2798
Risk Score
Threat Entry
Updated 2025-01-10
CVE-2024-3889 - Royal Elementor Addons Plugin
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Advanced Accordion widget in all versions up to, and including, 1.3.971 due to insufficient input sanitization and output escaping on user supplied attributes like 'accordion_title_tag'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Royal Elementor Addons
CVE-2024-3889
Risk Score
Threat Entry
Updated 2025-01-10
CVE-2024-2799 - Royal Elementor Addons Plugin
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Grid & Advanced Text widget HTML tags in all versions up to, and including, 1.3.96 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Royal Elementor Addons
CVE-2024-2799
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-3293 - rtMedia for WordPress, BuddyPress and bbPress Plugin
The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to blind SQL Injection via the rtmedia_gallery shortcode in all versions up to, and including, 4.6.18 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
rtMedia for WordPress, BuddyPress and bbPress
CVE-2024-3293
Risk Score
Threat Entry
Updated 2025-01-10
CVE-2024-3645 - Essential Addons For Elementor Plugin
The Essential Addons for Elementor Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Counter widget in all versions up to, and including, 5.8.11 due to insufficient input sanitization and output escaping on user supplied attributes such as 'title_html_tag'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Essential Addons For Elementor
CVE-2024-3645
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-32694 - Allows Reflected Xss Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Creative interactive media 3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin allows Reflected XSS.This issue affects 3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin: from n/a through 3.62.
PLUGIN
Allows Reflected Xss
CVE-2024-32694
Risk Score
Threat Entry
Updated 2025-05-30
CVE-2023-7252 - Before 3 Plugin
The Tickera WordPress plugin before 3.5.2.5 does not prevent users from leaking other users' tickets.
PLUGIN
Before 3
CVE-2023-7252
Risk Score