Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-01-07
CVE-2024-2786 - Happy Addons For Elementor Plugin
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 3.10.4 due to insufficient input sanitization and output escaping on the title_tag attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Happy Addons For Elementor
CVE-2024-2786
Risk Score
Threat Entry
Updated 2025-09-29
CVE-2024-2654 - File Manager Plugin
The File Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 7.2.5 via the fm_download_backup function. This makes it possible for authenticated attackers, with administrator access and above, to read the contents of arbitrary zip files on the server, which can contain sensitive information.
PLUGIN
File Manager
CVE-2024-2654
Risk Score
Threat Entry
Updated 2025-01-08
CVE-2024-2650 - Essential Addons For Elementor Plugin
The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the alignment parameter in the Woo Product Carousel widget in all versions up to, and including, 5.9.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Essential Addons For Elementor
CVE-2024-2650
Risk Score
Threat Entry
Updated 2025-01-08
CVE-2024-2623 - Essential Addons For Elementor Plugin
The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the countdown widget's message parameter in all versions up to, and including, 5.9.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Essential Addons For Elementor
CVE-2024-2623
Risk Score
Threat Entry
Updated 2025-10-10
CVE-2024-2536 - Seo Plugin
The Rank Math SEO with AI SEO Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HowTo block attributes in all versions up to, and including, 1.0.214 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Seo
CVE-2024-2536
Risk Score
Threat Entry
Updated 2025-02-27
CVE-2024-2513 - Wp Chat App Plugin
The WP Chat App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'imageAlt' block attribute in all versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Chat App
CVE-2024-2513
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-2543 - Permalink Manager Lite Plugin
The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_uri_editor' function in all versions up to, and including, 2.4.3.1. This makes it possible for unauthenticated attackers to view the permalinks of all posts.
PLUGIN
Permalink Manager Lite
CVE-2024-2543
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-2501 - Hubbub Lite – Fast, Reliable Social Sharing Buttons Plugin
The Hubbub Lite – Fast, Reliable Social Sharing Buttons plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.33.1 via deserialization of untrusted input via the 'dpsp_maybe_unserialize' function. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data,…
PLUGIN
Hubbub Lite – Fast, Reliable Social Sharing Buttons
CVE-2024-2501
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-2507 - Jetwidgets For Elementor Plugin
The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget button URL in all versions up to, and including, 1.0.16 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Jetwidgets For Elementor
CVE-2024-2507
Risk Score
Threat Entry
Updated 2025-02-27
CVE-2024-2504 - Pagelayer Plugin
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'attr' parameter in all versions up to, and including, 1.8.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Pagelayer
CVE-2024-2504
Risk Score
Threat Entry
Updated 2025-01-09
CVE-2024-2492 - Powerpack Addons For Elementor Plugin
The PowerPack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Twitter Tweet widget in all versions up to, and including, 2.7.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Powerpack Addons For Elementor
CVE-2024-2492
Risk Score
Threat Entry
Updated 2025-07-09
CVE-2024-2457 - Modal Window Plugin
The Modal Window – create popup modal window plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 5.3.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Modal Window
CVE-2024-2457
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-2456 - Ecwid Ecommerce Shopping Cart Plugin
The Ecwid Ecommerce Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 6.12.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ecwid Ecommerce Shopping Cart
CVE-2024-2456
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-2344 - Avada Plugin
The Avada theme for WordPress is vulnerable to SQL Injection via the 'entry' parameter in all versions up to, and including, 7.11.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticted attackers, with editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Avada
CVE-2024-2344
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-2436 - Lightweight Accordion Plugin
The Lightweight Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.5.16 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Lightweight Accordion
CVE-2024-2436
Risk Score
Threat Entry
Updated 2025-09-29
CVE-2024-2423 - Userswp Plugin
The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Userswp
CVE-2024-2423
Risk Score
Threat Entry
Updated 2025-09-29
CVE-2024-2348 - Gum Elementor Addon Plugin
The Gum Elementor Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Meta widget in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Gum Elementor Addon
CVE-2024-2348
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-2347 - Astra Plugin
The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via a user's display name in all versions up to, and including, 4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Astra
CVE-2024-2347
Risk Score
Threat Entry
Updated 2025-01-31
CVE-2024-2343 - Avada Plugin
The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.11.6 via the form_to_url_action function. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Avada
CVE-2024-2343
Risk Score
Threat Entry
Updated 2025-01-31
CVE-2024-2342 - Simply Schedule Appointments Plugin
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the customer_id parameter in all versions up to, and including, 1.6.7.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Simply Schedule Appointments
CVE-2024-2342
Risk Score