Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-09-29
CVE-2024-2200 - Contact Form Plugin
The Contact Form by BestWebSoft plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘cntctfrm_contact_subject’ parameter in all versions up to, and including, 4.2.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Contact Form
CVE-2024-2200
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-2198 - Contact Form by BestWebSoft – Advanced Contact Us Form Builder for WordPress Plugin
The Contact Form by BestWebSoft plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘cntctfrm_contact_address’ parameter in all versions up to, and including, 4.2.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Contact Form by BestWebSoft – Advanced Contact Us Form Builder for WordPress
CVE-2024-2198
Risk Score
Threat Entry
Updated 2025-09-30
CVE-2024-2125 - Envialosimple Plugin
The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the gallery_add function. This makes it possible for unauthenticated attackers to upload malicious files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Envialosimple
CVE-2024-2125
Risk Score
Threat Entry
Updated 2025-01-09
CVE-2024-2181 - Beaver Builder Addons Plugin
The Beaver Builder Addons by WPZOOM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Button widget in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Beaver Builder Addons
CVE-2024-2181
Risk Score
Threat Entry
Updated 2025-09-30
CVE-2024-2165 - Seopress Plugin
The SEOPress – On-site SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image alt parameter in all versions up to, and including, 7.5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Seopress
CVE-2024-2165
Risk Score
Threat Entry
Updated 2025-01-31
CVE-2024-2138 - Jetwidgets For Elementor Plugin
The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Animated Box widget in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Jetwidgets For Elementor
CVE-2024-2138
Risk Score
Threat Entry
Updated 2025-01-31
CVE-2024-2117 - Website Builder Plugin
The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Path Widget in all versions up to, and including, 3.20.2 due to insufficient output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Website Builder
CVE-2024-2117
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2024-2112 - Form Maker Plugin
The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.15.22 via the signature functionality. This makes it possible for unauthenticated attackers to extract sensitive data including user signatures.
PLUGIN
Form Maker
CVE-2024-2112
Risk Score
Threat Entry
Updated 2025-04-11
CVE-2024-2093 - Vk All In One Expansion Unit Plugin
The VK All in One Expansion Unit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 9.95.0.1 via social meta tags. This makes it possible for unauthenticated attackers to view limited password protected content.
PLUGIN
Vk All In One Expansion Unit
CVE-2024-2093
Risk Score
Threat Entry
Updated 2025-02-24
CVE-2024-2081 - Foogallery Plugin
The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the foogallery_attachment_modal_save action in all versions up to, and including, 2.4.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Foogallery
CVE-2024-2081
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-2039 - Stackable – Page Builder Gutenberg Blocks Plugin
The Stackable – Page Builder Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post(v2) block title tag in all versions up to, and including, 3.12.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Stackable – Page Builder Gutenberg Blocks
CVE-2024-2039
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-2033 - Video Conferencing With Zoom Plugin
The Video Conferencing with Zoom plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.5 via the get_assign_host_id AJAX action. This makes it possible for authenticated attackers, with subscriber access or higher, to enumerate usernames, emails and IDs of all users on a site.
PLUGIN
Video Conferencing With Zoom
CVE-2024-2033
Risk Score
Threat Entry
Updated 2025-05-06
CVE-2024-2027 - Real Media Library Plugin
The Real Media Library: Media Library Folder & File Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its style attributes in all versions up to, and including, 4.22.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Real Media Library
CVE-2024-2027
Risk Score
Threat Entry
Updated 2025-05-06
CVE-2024-2018 - Wp Activity Log Plugin
The WP Activity Log Premium plugin for WordPress is vulnerable to SQL Injection via the entry->roles parameter in all versions up to, and including, 4.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. One demonstrated attack included the injection of a PHP Object.
PLUGIN
Wp Activity Log
CVE-2024-2018
Risk Score
Threat Entry
Updated 2025-05-06
CVE-2024-2026 - Passster Plugin
The Passster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's content_protector shortcode in all versions up to, and including, 4.2.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Passster
CVE-2024-2026
Risk Score
Threat Entry
Updated 2025-02-07
CVE-2024-1999 - Gutenberg Blocks With Ai Plugin
The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Testimonial Widget's anchor style parameter in all versions up to, and including, 3.2.25 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Gutenberg Blocks With Ai
CVE-2024-1999
Risk Score
Threat Entry
Updated 2025-01-31
CVE-2024-1991 - Registrationmagic Plugin
The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the update_users_role() function in all versions up to, and including, 5.3.0.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an administrator
PLUGIN
Registrationmagic
CVE-2024-1991
Risk Score
Threat Entry
Updated 2025-01-17
CVE-2024-1990 - Registrationmagic Plugin
The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to blind SQL Injection via the ‘id’ parameter of the RM_Form shortcode in all versions up to, and including, 5.3.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Registrationmagic
CVE-2024-1990
Risk Score
Threat Entry
Updated 2025-01-22
CVE-2024-1974 - Ht Mega Plugin
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.4.6 via the render function. This makes it possible for authenticated attackers, with contributor access or higher, to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Ht Mega
CVE-2024-1974
Risk Score
Threat Entry
Updated 2025-05-06
CVE-2024-1960 - Shoplentor Plugin
The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Special Offer Day Widget Banner Link in all versions up to, and including, 2.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Shoplentor
CVE-2024-1960
Risk Score