Threat and Vulnerability Intelligence Database

Example Searches:

CVE-2024-13101	WP MediaTagger <= 4.1.1 - Contributor+ Stored XSS Description: The WP MediaTagger WordPress plugin through 4.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. EPSS Score: 0.04% Source: CVE February 1st, 2025 (3 months ago)
CVE-2024-13100	Woo UPS Pickup <= 2.6.3 - Reflected XSS Description: The OPSI Israel Domestic Shipments WordPress plugin through 2.6.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. EPSS Score: 0.04% Source: CVE February 1st, 2025 (3 months ago)
CVE-2024-12872	Zalomení <= 1.5 - Admin+ Stored XSS Description: The Zalomení WordPress plugin through 1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). EPSS Score: 0.04% Source: CVE February 1st, 2025 (3 months ago)
CVE-2024-12772	Ninja Tables < 5.0.17 - Admin+ Stored XSS Description: The Ninja Tables WordPress plugin before 5.0.17 does not sanitize and escape a parameter before outputting it back in the page when importing a CSV, leading to a Cross Site Scripting vulnerability. EPSS Score: 0.04% Source: CVE February 1st, 2025 (3 months ago)
CVE-2024-12275	CanvasFlow <= 1.5.5 - Reflected XSS Description: The Canvasflow for WordPress plugin through 1.5.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. EPSS Score: 0.04% Source: CVE February 1st, 2025 (3 months ago)
CVE-2024-12709	Bulk Me Now <= 2.0 - Message Deletion via CSRF Description: The Bulk Me Now! WordPress plugin through 2.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. EPSS Score: 0.04% Source: CVE January 31st, 2025 (3 months ago)
CVE-2024-12708	Bulk Me Now <= 2.0 - Stored XSS via Shortcode Description: The Bulk Me Now! WordPress plugin through 2.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. EPSS Score: 0.04% Source: CVE January 31st, 2025 (3 months ago)
CVE-2024-12638	Bulk Me Now <= 2.0 - Reflected XSS Description: The Bulk Me Now! WordPress plugin through 2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. EPSS Score: 0.04% Source: CVE January 31st, 2025 (3 months ago)
CVE-2024-12400	Tourmaster < 5.3.5 - Reflected XSS Description: The tourmaster WordPress plugin before 5.3.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting. EPSS Score: 0.04% Source: CVE January 31st, 2025 (3 months ago)
CVE-2024-12163	GoodLayers Core < 2.1.3 - Subscriber+ Stored XSS via SVG Upload Description: The goodlayers-core WordPress plugin before 2.1.3 allows users with a subscriber role and above to upload SVGs containing malicious payloads. EPSS Score: 0.04% Source: CVE January 31st, 2025 (3 months ago)