Threat and Vulnerability Intelligence Database

CVE-2024-11184

Description: The wp-enable-svg WordPress plugin through 0.7 does not sanitize SVG files when uploaded, allowing authors and above to upload SVGs containing malicious scripts.

EPSS Score: 0.04%

Source: CVE
January 3rd, 2025 (4 months ago)

CVE-2024-11972

Description: The Hunk Companion WordPress plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repo, including vulnerable plugins that have been closed.

EPSS Score: 0.04%

Source: CVE
January 1st, 2025 (4 months ago)

CVE-2024-11921

Description: The GiveWP WordPress plugin before 3.19.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

EPSS Score: 0.05%

Source: CVE
December 28th, 2024 (4 months ago)

CVE-2024-11842

Description: The DN Shipping by Weight for WooCommerce WordPress plugin before 1.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

EPSS Score: 0.04%

Source: CVE
December 28th, 2024 (4 months ago)

CVE-2024-11645

Description: The float block WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

EPSS Score: 0.04%

Source: CVE
December 28th, 2024 (4 months ago)

CVE-2024-11644

Description: The WP-SVG WordPress plugin through 0.9 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

EPSS Score: 0.04%

Source: CVE
December 28th, 2024 (4 months ago)

CVE-2024-11605

Description: The wp-publications WordPress plugin through 1.2 does not escape filenames before outputting them back in the page, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

EPSS Score: 0.04%

Source: CVE
December 28th, 2024 (4 months ago)

CVE-2024-11223

Description: The WPForms WordPress plugin before 1.9.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

EPSS Score: 0.04%

Source: CVE
December 27th, 2024 (4 months ago)

CVE-2024-10903

Description: The Broken Link Checker WordPress plugin before 2.4.2 does not validate the link URLs before making a request to them, which could allow admin users to perform SSRF attacks, for example on a multisite installation.

EPSS Score: 0.04%

Source: CVE
December 27th, 2024 (4 months ago)

CVE-2024-10858

Description: The Jetpack WordPress plugin before 14.1 does not properly check the postMessage origin in its 13.x versions, allowing it to be bypassed and leading to DOM-XSS. The issue only affects websites hosted on WordPress.com.

EPSS Score: 0.04%

Source: CVE
December 27th, 2024 (4 months ago)