Search Results

337,123 CVEs tracked 53,219 with exploits 4,686 exploited in wild 1,539 CISA KEV 3,912 Nuclei templates 37,757 vendors 42,422 researchers
16,593 results for "wordpress plugin"
CVE-2024-3228 5.3 MEDIUM EPSS 0.01
Social Sharing Plugin - Kiwi plugin for WordPress <2.1.7 - Info Dis...
The Social Sharing Plugin – Kiwi plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.1.7 via the 'kiwi-nw-pinterest' class. This makes it possible for unauthenticated attackers to view limited content from password protected posts.
Jul 09, 2024
EIP-2026-114243 1 PoC Analysis PRE-CVE
WordPress Plugin WP Symposium Pro Social Network Plugin 15.12 - Multiple Vulnerabilities
EIP-2026-113834 1 PoC Analysis PRE-CVE
WordPress Plugin Insert or Embed Articulate Content into WordPress - Remote Code Execution
CVE-2024-11336 6.1 MEDIUM EPSS 0.00
Clickbank WordPress Plugin - CSRF
The Clickbank WordPress Plugin (Storefront) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing or incorrect nonce validation via the cs_menu page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
CWE-352 Dec 06, 2024
CVE-2024-12506 6.4 MEDIUM EPSS 0.00
NACC WordPress Plugin <4.1.0 - XSS
The NACC WordPress Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'nacc' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE-79 Dec 20, 2024
CVE-2024-6497 8.8 HIGH EPSS 0.28
SEO Plugin by Squirrly SEO plugin for WordPress <12.3.19 - XSS
The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 12.3.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE-79 Jul 20, 2024
CVE-2025-13958 5.9 MEDIUM EPSS 0.00
YaMaps for WordPress Plugin <0.6.40 - XSS
The YaMaps for WordPress Plugin WordPress plugin before 0.6.40 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Dec 29, 2025
CVE-2024-7862 6.5 MEDIUM EPSS 0.00
Kimhuebel Blogintroduction-wordpress-plugin < 0.3.0 - CSRF
The blogintroduction-wordpress-plugin WordPress plugin through 0.3.0 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
CWE-352 Sep 12, 2024
CVE-2022-4946 5.4 MEDIUM EPSS 0.00
Accesspressthemes Frontend Post Wordpress Plugin - Open Redirect
The Frontend Post WordPress Plugin WordPress plugin through 2.8.4 does not validate an attribute of one of its shortcodes, which could allow users with a role as low as contributor to add a malicious shortcode to a page/post, which will redirect users to an arbitrary domain.
CWE-601 Jun 05, 2023
CVE-2023-0270 5.4 MEDIUM EPSS 0.00
YaMaps for WordPress Plugin <0.6.26 - XSS
The YaMaps for WordPress Plugin WordPress plugin before 0.6.26 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Feb 13, 2023
EIP-2026-113558 1 PoC Analysis PRE-CVE
WordPress Plugin All-in-One Video Gallery plugin 2.4.9 - Local File Inclusion (LFI)
CVE-2024-14015 7.1 HIGH NUCLEI EPSS 0.01
WordPress eCommerce Plugin <2.9.0 - XSS
The WordPress eCommerce Plugin WordPress plugin through 2.9.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.
Nov 24, 2025
CVE-2024-8714 6.1 MEDIUM EPSS 0.01
WordPress Affiliates Plugin - XSS
The WordPress Affiliates Plugin — SliceWP Affiliates plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.20. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CWE-79 Sep 13, 2024
CVE-2025-6247 4.7 MEDIUM EPSS 0.00
WordPress Automatic Plugin <3.118.0 - CSRF
The WordPress Automatic Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.118.0. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to update campaigns and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
CWE-80 Aug 26, 2025
CVE-2024-4849 6.4 MEDIUM EPSS 0.00
WordPress Automatic Plugin <3.94.0 - XSS
The WordPress Automatic Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘autoplay’ parameter in all versions up to, and including, 3.94.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
May 18, 2024
CVE-2023-6005 4.8 MEDIUM EPSS 0.00
EventON WordPress plugin <4.5.5-2.2.7 - XSS
The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CWE-79 Jan 16, 2024
CVE-2025-12577 4.3 MEDIUM EPSS 0.00
Listar - Directory Listing & Classifieds WordPress Plugin <3.0.0 - ...
The Listar – Directory Listing & Classifieds WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/listar/v1/place/save' REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update listing details.
CWE-862 Dec 06, 2025
CVE-2024-12616 4.3 MEDIUM EPSS 0.00
Bitly's WordPress Plugin <2.7.3 - Info Disclosure
The Bitly's WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX actions in all versions up to, and including, 2.7.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update and retrieve plugin settings.
CWE-862 Jan 09, 2025
CVE-2024-8323 6.4 MEDIUM EPSS 0.00
Pricing Tables WordPress Plugin <3.2.6 - XSS
The Pricing Tables WordPress Plugin – Easy Pricing Tables plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘fontFamily’ attribute in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE-79 Nov 06, 2024
CVE-2026-0974 8.8 HIGH EPSS 0.00
Orderable WordPress Plugin <=1.20.0 - Authenticated RCE
The Orderable – WordPress Restaurant Online Ordering System and Food Ordering Plugin plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the 'install_plugin' function in all versions up to, and including, 1.20.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins, which can lead to Remote Code Execution.
CWE-862 Feb 19, 2026