Threat and Vulnerability Intelligence Database

Example Searches:

CVE-2024-10562	Form Maker by 10Web < 1.15.31 - Admin+ Stored XSS Description: The Form Maker by 10Web WordPress plugin before 1.15.31 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). EPSS Score: 0.04% Source: CVE January 8th, 2025 (3 months ago)
CVE-2024-10102	Photo Gallery, Images, Slider in Rbs Image Gallery < 3.2.22 - Contributor+ Stored XSS Description: The Photo Gallery, Images, Slider in Rbs Image Gallery WordPress plugin before 3.2.22 does not sanitise and escape some of its Gallery settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks EPSS Score: 0.04% Source: CVE January 8th, 2025 (3 months ago)
	A Threat Actor Claims to be Selling a WordPress Exploit Tool Description: A Threat Actor Claims to be Selling a WordPress Exploit Tool Source: DarkWebInformer January 7th, 2025 (3 months ago)
	PhishWP Plug-in Hijacks WordPress E-Commerce Checkouts Description: The malware, found on a Russian cybercriminal site, impersonates e-commerce payment-processing services such as Stripe to steal user payment data from legitimate websites. Source: Dark Reading January 7th, 2025 (3 months ago)
CVE-2024-12311	Email Subscribers < 5.7.44 - Admin+ SQL Injection Description: The Email Subscribers by Icegram Express WordPress plugin before 5.7.44 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks EPSS Score: 0.04% Source: CVE January 7th, 2025 (3 months ago)
CVE-2024-12302	Icegram Engage < 3.1.32 - Author+ Stored XSS Description: The Icegram Engage WordPress plugin before 3.1.32 does not sanitise and escape some of its Campaign settings, which could allow authors and above to perform Stored Cross-Site Scripting attacks EPSS Score: 0.04% Source: CVE January 7th, 2025 (3 months ago)
CVE-2024-11849	Pods – Custom Content Types and Fields < 3.2.8.1 - Admin+ Stored XSS Description: The Pods WordPress plugin before 3.2.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). EPSS Score: 0.04% Source: CVE January 7th, 2025 (3 months ago)
CVE-2024-11356	Tourmaster < 5.3.4 - Unauthenticated Stored XSS via Room Booking Description: The tourmaster WordPress plugin before 5.3.4 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated users to perform Cross-Site Scripting attacks. EPSS Score: 0.04% Source: CVE January 7th, 2025 (3 months ago)
CVE-2024-12595	AHAthat Plugin <= 1.6 - Reflected XSS via REQUEST_URI Description: The AHAthat Plugin WordPress plugin through 1.6 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers EPSS Score: 0.04% Source: CVE January 3rd, 2025 (4 months ago)
CVE-2024-11357	Goodlayers Core < 2.0.10 - Contributor+ Stored XSS Description: The goodlayers-core WordPress plugin before 2.0.10 does not sanitise and escape some of its settings, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. EPSS Score: 0.04% Source: CVE January 3rd, 2025 (4 months ago)