Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-02-04
CVE-2024-1948 - Getwid Plugin
The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the block content in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Getwid
CVE-2024-1948
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-1984 - Graphene Plugin
The Graphene theme for WordPress is vulnerable to unauthorized access of data via meta tag in all versions up to, and including, 2.9.2. This makes it possible for unauthenticated individuals to obtain post contents of password protected posts via the generated source.
PLUGIN
Graphene
CVE-2024-1984
Risk Score
Threat Entry
Updated 2025-02-05
CVE-2024-1893 - Easy Property Listings Plugin
The Easy Property Listings plugin for WordPress is vulnerable to time-based SQL Injection via the ‘property_status’ shortcode attribute in all versions up to, and including, 3.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Easy Property Listings
CVE-2024-1893
Risk Score
Threat Entry
Updated 2025-08-09
CVE-2024-1934 - Wp Compress Plugin
The WP Compress – Image Optimizer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wps_local_compress::__construct' function in all versions up to, and including, 6.11.10. This makes it possible for unauthenticated attackers to reset the CDN region and set a malicious URL to deliver images.
PLUGIN
Wp Compress
CVE-2024-1934
Risk Score
Threat Entry
Updated 2025-05-06
CVE-2024-1852 - Wp Members Plugin
The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the X-Forwarded-For header in all versions up to, and including, 3.4.9.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page which is the edit users page. This vulnerability was partially patched in version 3.4.9.2, and was fully patched in 3.4.9.3.
PLUGIN
Wp Members
CVE-2024-1852
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-1850 - AI Post Generator | AutoWriter Plugin
The AI Post Generator | AutoWriter plugin for WordPress is vulnerable to unauthorized access, modification or deletion of posts due to a missing capability check on functions hooked by AJAX actions in all versions up to, and including, 3.3. This makes it possible for authenticated attackers, with subscriber access or higher, to view all posts generated with this plugin (even in non-published status), create new posts (and publish them), publish unpublished post or perform post deletions.
PLUGIN
AI Post Generator | AutoWriter
CVE-2024-1850
Risk Score
Threat Entry
Updated 2025-01-17
CVE-2024-1904 - Masterstudy Lms Plugin
The MasterStudy LMS plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the search_posts function in all versions up to, and including, 3.2.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to expose draft post titles and excerpts.
PLUGIN
Masterstudy Lms
CVE-2024-1904
Risk Score
Threat Entry
Updated 2025-01-31
CVE-2024-1813 - Simple Job Board Plugin
The Simple Job Board plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.11.0 via deserialization of untrusted input in the job_board_applicant_list_columns_value function. This makes it possible for unauthenticated attackers to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code when a submitted job application is viewed.
PLUGIN
Simple Job Board
CVE-2024-1813
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-1792 - Cmb2 Plugin
The CMB2 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.10.1 via deserialization of untrusted input from the text_datetime_timestamp_timezone field. This makes it possible for authenticated attackers, with contributor access or higher, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. Please note that the…
PLUGIN
Cmb2
CVE-2024-1792
Risk Score
Threat Entry
Updated 2025-05-06
CVE-2024-1812 - Everest Forms Plugin
The Everest Forms plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.0.7 via the 'font_url' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Everest Forms
CVE-2024-1812
Risk Score
Threat Entry
Updated 2025-01-28
CVE-2024-1794 - Forminator Plugin
The Forminator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded file (e.g. 3gpp file) in all versions up to, and including, 1.29.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Forminator
CVE-2024-1794
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-1774 - Customily Product Personalizer Plugin
The Customily Product Personalizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via user cookies in all versions up to, and including, 1.23.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. We unfortunately could not get in touch with the vendor through various means to disclose this issue.
PLUGIN
Customily Product Personalizer
CVE-2024-1774
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-1790 - WordPress Infinite Scroll – Ajax Load More Plugin
The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 7.0.1 via the 'type' parameter. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. This is limited to Windows instances.
PLUGIN
WordPress Infinite Scroll – Ajax Load More
CVE-2024-1790
Risk Score
Threat Entry
Updated 2025-01-07
CVE-2024-1498 - Happy Addons For Elementor Plugin
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Photo Stack Widget in all versions up to, and including, 3.10.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Happy Addons For Elementor
CVE-2024-1498
Risk Score
Threat Entry
Updated 2025-01-17
CVE-2024-1466 - Addons For Elementor Plugin
The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slider_style’ attribute of the Posts Multislider widget in all versions up to, and including, 8.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-27986 may be a duplicate of this issue.
PLUGIN
Addons For Elementor
CVE-2024-1466
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-1641 - Accordion Plugin
The Accordion plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'accordions_duplicate_post_as_draft' function in all versions up to, and including, 2.2.96. This makes it possible for authenticated attackers, with contributor access and above, to duplicate arbitrary posts, allowing access to the contents of password-protected posts.
PLUGIN
Accordion
CVE-2024-1641
Risk Score
Threat Entry
Updated 2025-09-30
CVE-2024-1587 - Newsmatic Plugin
The Newsmatic theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.0 via the 'newsmatic_filter_posts_load_tab_content'. This makes it possible for unauthenticated attackers to view draft posts and post content.
PLUGIN
Newsmatic
CVE-2024-1587
Risk Score
Threat Entry
Updated 2025-02-27
CVE-2024-1571 - Wp Recipe Maker Plugin
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Video Embed parameter in all versions up to, and including, 9.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with access to the recipe dashboard (which is administrator-only by default but can be assigned to arbitrary capabilities), to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Recipe Maker
CVE-2024-1571
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-1637 - 360 Javascript Viewer Plugin
The 360 Javascript Viewer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and nonce exposure on several AJAX actions in all versions up to, and including, 1.7.12. This makes it possible for authenticated attackers, with subscriber access or higher, to update plugin settings.
PLUGIN
360 Javascript Viewer
CVE-2024-1637
Risk Score
Threat Entry
Updated 2025-01-17
CVE-2024-1465 - Addons For Elementor Plugin
The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘carousel_skin’ attribute of the Posts Carousel widget in all versions up to, and including, 8.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Addons For Elementor
CVE-2024-1465
Risk Score