"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 37 (Critical: 1, High: 12, Medium: 23)
Showing 1-20 of 37 records
Threat Entry Updated 2026-04-13

CVE-2026-1900 - Link Whisper Free WordPress plugin before 0.9.1

The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates.

MEDIUM CVSS 6.5 2026-04-07
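
The bug class in the entry above is a REST route whose permission callback lets anyone through. The following is an added example, not Link Whisper Free's code: a hypothetical settings route shown first with the permissive callback that makes it public, then gated on a capability with per-argument validation. The namespace, option name and `max_links` parameter are assumptions.

```php
<?php
// Added example, not Link Whisper Free's code. The route, option and
// parameter names are assumptions.

add_action( 'rest_api_init', 'example_plugin_register_routes' );

function example_plugin_register_routes() {
    // WEAK (the bug class): '__return_true' declares the route public, so an
    // unauthenticated POST to /wp-json/example-plugin/v1/settings reaches the
    // callback and overwrites the plugin's options.
    //
    // register_rest_route( 'example-plugin/v1', '/settings', array(
    //     'methods'             => WP_REST_Server::EDITABLE,
    //     'callback'            => 'example_plugin_update_settings',
    //     'permission_callback' => '__return_true',
    // ) );

    // HARDENED: the permission callback runs before the handler. When it
    // returns false WordPress answers with code "rest_forbidden", status 401
    // for a logged-out caller and 403 for a logged-in one without the capability.
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_plugin_update_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'max_links' => array(
                'type'              => 'integer',
                'required'          => true,
                'sanitize_callback' => 'absint',
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value >= 0 && (int) $value <= 100;
                },
            ),
        ),
    ) );
}

function example_plugin_update_settings( WP_REST_Request $request ) {
    // Validation and sanitization of max_links already ran via 'args';
    // only a clean integer reaches this point.
    update_option( 'example_plugin_max_links', $request->get_param( 'max_links' ) );

    return rest_ensure_response( array(
        'max_links' => (int) get_option( 'example_plugin_max_links' ),
    ) );
}
```

To check a site, send the settings request without any cookie or Authorization header: a correctly gated route returns `{"code":"rest_forbidden", ...}` with HTTP 401, while the vulnerable shape accepts the write. Note that WordPress warns about a missing `permission_callback` since 5.5, and `__return_true` is the documented way to declare a route intentionally public, so its presence on a write endpoint is the thing to grep for.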
Threat Entry Updated 2025-09-22

CVE-2025-5305 - Password Reset with Code for WordPress REST API plugin before 0.0.17

The Password Reset with Code for WordPress REST API WordPress plugin before 0.0.17 does not use cryptographically sound algorithms to generate OTP codes, potentially leading to account takeovers.

CRITICAL CVSS 9.8 2025-09-18
Threat Entry Updated 2025-06-09

CVE-2024-11719 - tarteaucitron-wp WordPress plugin before 0.3.0

The tarteaucitron-wp WordPress plugin before 0.3.0 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

MEDIUM CVSS 6.1 2025-05-15
Threat Entry Updated 2025-06-09

CVE-2024-11718 - tarteaucitron-wp WordPress plugin before 0.3.0

The tarteaucitron-wp WordPress plugin before 0.3.0 allows author level and above users to add HTML into a post/page, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2025-05-15
Threat Entry Updated 2025-05-13

CVE-2024-9020 - List category posts WordPress plugin before 0.90.3

The List category posts WordPress plugin before 0.90.3 does not validate and escape some of its shortcode attributes before outputting them back in the page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2025-01-18
Threat Entry Updated 2025-05-16

CVE-2024-7315 - Migration, Backup, Staging WordPress plugin before 0.9.106

The Migration, Backup, Staging WordPress plugin before 0.9.106 does not use sufficient randomness in the filename that is created when generating a backup, which could be bruteforced by attackers to leak sensitive information about said backups.

HIGH CVSS 7.5 2024-10-02
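
Two entries above, CVE-2025-5305 (OTP codes) and CVE-2024-7315 (backup filenames), are the same root cause: a value that must be unguessable is produced from a predictable source. The following added example is not code from either plugin; it contrasts a predictable generator with one built on the OS CSPRNG for both cases, and shows the storage rules that make even a six-digit OTP hold up. The user-meta keys, the ten-minute lifetime and the attempt limit are assumptions.

```php
<?php
// Added example; not the code of either plugin listed above. Function names,
// meta keys and limits are assumptions.

// WEAK: mt_rand() is a Mersenne Twister, not a CSPRNG. Its 32-bit seed can
// be recovered from a few outputs, after which every later OTP is known.
function weak_otp( int $digits = 6 ): string {
    return str_pad( (string) mt_rand( 0, ( 10 ** $digits ) - 1 ), $digits, '0', STR_PAD_LEFT );
}

// WEAK: a timestamp carries almost no entropy. If the backup sits under the
// web-reachable uploads directory, an attacker iterates seconds around the
// scheduled run and downloads the archive.
function weak_backup_name(): string {
    return 'backup-' . date( 'Ymd-His' ) . '.zip';
}

// SOUND: random_int() reads the OS CSPRNG and is uniform on [0, 9] per digit
// (it throws instead of falling back to something weaker).
function sound_otp( int $digits = 6 ): string {
    $code = '';
    for ( $i = 0; $i < $digits; $i++ ) {
        $code .= (string) random_int( 0, 9 );
    }
    return $code;
}

// SOUND: 128 random bits in the name. The timestamp stays for the operator's
// benefit; the hex token is what makes enumeration infeasible.
function sound_backup_name(): string {
    return 'backup-' . gmdate( 'Ymd-His' ) . '-' . bin2hex( random_bytes( 16 ) ) . '.zip';
}

// A 6-digit OTP has only 10^6 values, so randomness alone is not enough:
// store a hash, expire it, cap attempts, and make it single use.
function store_otp( int $user_id, string $code ): void {
    update_user_meta( $user_id, 'example_otp_hash', wp_hash_password( $code ) );
    update_user_meta( $user_id, 'example_otp_expires', time() + 10 * MINUTE_IN_SECONDS );
    update_user_meta( $user_id, 'example_otp_attempts', 0 );
}

function verify_otp( int $user_id, string $submitted ): bool {
    $expires  = (int) get_user_meta( $user_id, 'example_otp_expires', true );
    $attempts = (int) get_user_meta( $user_id, 'example_otp_attempts', true );
    if ( time() > $expires || $attempts >= 5 ) {
        return false;
    }
    // Count the attempt before comparing so a failed compare still burns it.
    update_user_meta( $user_id, 'example_otp_attempts', $attempts + 1 );

    $hash = (string) get_user_meta( $user_id, 'example_otp_hash', true );
    if ( '' === $hash || ! wp_check_password( $submitted, $hash ) ) {
        return false;
    }
    delete_user_meta( $user_id, 'example_otp_hash' ); // single use
    return true;
}
```

When reviewing a plugin, grep for `rand(`, `mt_rand(`, `uniqid(`, `md5( time()` and `date(` feeding anything that acts as a secret or an unlisted path; `random_int()`, `random_bytes()` and WordPress's `wp_generate_password()` are the acceptable sources. For the backup case also check that the directory denies listing and that the archive is deleted or moved out of the web root once downloaded.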
Threat Entry Updated 2025-10-02

CVE-2024-1286 - pmpro-membership-maps WordPress plugin before 0.7

The pmpro-membership-maps WordPress plugin before 0.7 does not prevent users with at least the contributor role from leaking sensitive information about users with a membership on the site.

MEDIUM CVSS 4.9 2024-07-30
Threat Entry Updated 2025-06-17

CVE-2024-5475 - Responsive video embed WordPress plugin before 0.5.1

The Responsive video embed WordPress plugin before 0.5.1 does not validate and escape some of its shortcode attributes before outputting them back in the page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2024-06-20
Threat Entry Updated 2025-06-17

CVE-2023-5041 - Track The Click WordPress plugin before 0.3.12

The Track The Click WordPress plugin before 0.3.12 does not properly sanitize query parameters to the stats REST endpoint before using them in a database query, allowing a logged-in user with an author role or higher to perform time-based blind SQLi attacks on the database.

HIGH CVSS 8.8 2024-01-17
Threat Entry Updated 2025-06-02

CVE-2021-24869 - WP Fastest Cache WordPress plugin before 0.9.5

The WP Fastest Cache WordPress plugin before 0.9.5 does not escape user input in the set_urls_with_terms method before using it in a SQL statement, leading to an SQL injection exploitable by low-privilege users such as subscribers.

HIGH CVSS 8.8 2024-01-16
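
CVE-2023-5041 and CVE-2021-24869 above are both SQL built by string concatenation from request data. The added example below is not code from Track The Click or WP Fastest Cache; it is a hypothetical click-statistics query that shows the vulnerable shape, the time-based probe that proves it blind, and the `$wpdb->prepare()` form with an allow-list for the parts placeholders cannot bind. The table and column names are assumptions.

```php
<?php
// Added example; hypothetical stats query, not the code of either plugin
// listed above. Table and column names are assumptions.

// VULNERABLE: request values are interpolated into the statement. There is
// nothing to "escape" after the fact; the query text is already attacker text.
//   ?post_id=1 AND SLEEP(5)        -> response delayed 5s: time-based blind SQLi
//   ?order=ASC,(SELECT SLEEP(5))   -> same, through the ORDER BY clause
function vulnerable_click_stats() {
    global $wpdb;
    $post_id = $_GET['post_id'];
    $order   = $_GET['order'];
    return $wpdb->get_results(
        "SELECT link, COUNT(*) AS clicks FROM {$wpdb->prefix}example_clicks
         WHERE post_id = $post_id GROUP BY link ORDER BY clicks $order"
    );
}

// HARDENED: values are bound with prepare() (%d / %s / %f). Identifiers and
// keywords such as ASC/DESC cannot be bound as values, so they are reduced
// to an allow-list before they are interpolated.
function hardened_click_stats( int $post_id, string $order ) {
    global $wpdb;
    $order = ( 'ASC' === strtoupper( $order ) ) ? 'ASC' : 'DESC';
    $table = $wpdb->prefix . 'example_clicks'; // fixed string, not user input
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT link, COUNT(*) AS clicks FROM {$table}
             WHERE post_id = %d GROUP BY link ORDER BY clicks {$order}",
            $post_id
        )
    );
}

// LIKE patterns need their own wildcards escaped before binding, otherwise
// a "%" in the needle widens the match even though injection is prevented.
function hardened_link_search( string $needle ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_clicks';
    $like  = '%' . $wpdb->esc_like( $needle ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT link FROM {$table} WHERE link LIKE %s", $like )
    );
}
```

On WordPress 6.2 and later `prepare()` also accepts `%i` for identifiers, which replaces the manual allow-list when a column or table name must come from input. Note that the REST endpoint in CVE-2023-5041 being reachable only by authors does not lower the fix bar: an author account is a routine foothold, and blind SQLi from it reads the `wp_users` hashes like any other injection.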
Threat Entry Updated 2025-05-12

CVE-2021-24870 - WP Fastest Cache WordPress plugin before 0.9.5

The WP Fastest Cache WordPress plugin before 0.9.5 is lacking a CSRF check in its wpfc_save_cdn_integration AJAX action, and does not sanitise and escape some of the options available via the action, which could allow attackers to make logged-in high-privilege users call it and set a Cross-Site Scripting payload.

MEDIUM CVSS 6.1 2024-01-16
Threat Entry Updated 2025-06-20

CVE-2021-24559 - Qyrr WordPress plugin before 0.7

The Qyrr WordPress plugin before 0.7 does not escape the data-uri of the QR Code when outputting it in a src attribute, allowing for Cross-Site Scripting attacks. Furthermore, the data_uri_to_meta AJAX action, available to all authenticated users, only had a CSRF check in place, with the nonce available to users with a role as low as Contributor, allowing any user with such role (and above) to set a malicious data-uri in arbitrary QR Code posts, leading to a Stored Cross-Site Scripting issue.

MEDIUM CVSS 5.4 2024-01-16
Threat Entry Updated 2025-04-23

CVE-2023-4209 - POEditor WordPress plugin before 0.9.8

The POEditor WordPress plugin before 0.9.8 does not have CSRF checks in various places, which could allow attackers to make logged-in admins perform unwanted actions, such as reset the plugin's settings and update its API key via CSRF attacks.

MEDIUM CVSS 4.3 2023-08-30
Threat Entry Updated 2024-11-21

CVE-2023-2795 - CodeColorer WordPress plugin before 0.10.1

The CodeColorer WordPress plugin before 0.10.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM CVSS 4.8 2023-06-27
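
Several entries above (CVE-2024-11719, CVE-2021-24870, CVE-2021-24559, CVE-2023-4209 and CVE-2023-2795) are variations on one admin-side handler that skips a check: no nonce (CSRF), a nonce but no capability check (the Qyrr case), or no sanitisation of what gets stored (the CodeColorer case). The added example below is not code from any of these plugins; it is a hypothetical admin-ajax handler that saves a CDN URL, shown vulnerable and then with the four controls in order. Action, nonce, option and script handle names are assumptions.

```php
<?php
// Added example; hypothetical admin-ajax handler, not the code of any plugin
// listed on this page. Action, nonce, option and handle names are assumptions.

// VULNERABLE: no nonce, no capability check, raw input stored and echoed.
// A page an admin visits can POST here through the admin's own session (CSRF),
// and the stored value later renders unescaped in wp-admin (stored XSS).
add_action( 'wp_ajax_example_save_cdn_vuln', function () {
    update_option( 'example_cdn_url', $_POST['cdn_url'] );
    echo '<p>Saved: ' . get_option( 'example_cdn_url' ) . '</p>';
    wp_die();
} );

// HARDENED
add_action( 'wp_ajax_example_save_cdn', 'example_save_cdn' );

function example_save_cdn() {
    // 1. CSRF: the request must carry a nonce issued to this user for this
    //    action. check_ajax_referer() dies with -1 if it is missing or stale.
    check_ajax_referer( 'example_save_cdn', '_ajax_nonce' );

    // 2. Authorization: a nonce proves intent, not privilege. Every logged-in
    //    user can reach wp_ajax_* and may be able to obtain the nonce, so the
    //    capability check is what keeps a contributor out.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Sanitize on input: only an http(s) URL survives; anything else is
    //    rejected rather than stored.
    $raw = isset( $_POST['cdn_url'] ) ? wp_unslash( $_POST['cdn_url'] ) : '';
    $url = esc_url_raw( $raw, array( 'http', 'https' ) );
    if ( '' === $url ) {
        wp_send_json_error( 'invalid url', 400 );
    }
    update_option( 'example_cdn_url', $url );

    // 4. Escape on output, for the context it lands in (here a URL in JSON
    //    that the admin page will put into an attribute).
    wp_send_json_success( array( 'cdn_url' => esc_url( $url ) ) );
}

// Rich-text settings an admin is allowed to edit: filter them like post
// content so <script> is dropped even for admins. This is what a multisite
// with unfiltered_html disallowed expects (the CVE-2023-2795 class).
function example_sanitize_footer_html( $raw ) {
    return wp_kses_post( wp_unslash( $raw ) );
}

// Client side: the nonce is generated into the admin page and sent back as
// _ajax_nonce with the request.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_save_cdn' ),
    ) );
} );
```

Two points the entries above turn on: the order of 1 and 2 does not matter for security, but both must be present, since the nonce alone is exactly what failed in CVE-2021-24559; and sanitising on save does not excuse escaping on output, because `esc_url_raw()` accepts strings that are still unsafe in a different context (for example when the same option is later echoed into inline JavaScript).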
Threat Entry Updated 2025-02-04

CVE-2023-1347 - Customizer Export/Import WordPress plugin before 0.9.6

The Customizer Export/Import WordPress plugin before 0.9.6 unserializes user input provided via the settings, which could allow high-privilege users such as admins to perform PHP Object Injection when a suitable gadget is present.

HIGH CVSS 7.2 2023-05-08
Threat Entry Updated 2025-03-14

CVE-2023-0372 - EmbedStories WordPress plugin before 0.7.5

The EmbedStories WordPress plugin before 0.7.5 does not validate and escape some of its shortcode attributes before outputting them back in the page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2023-02-21
Threat Entry Updated 2025-03-20

CVE-2023-0177 - Social Like Box and Page by WpDevArt WordPress plugin before 0.8.41

The Social Like Box and Page by WpDevArt WordPress plugin before 0.8.41 does not validate and escape some of its shortcode attributes before outputting them back in the page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2023-02-13
Threat Entry Updated 2025-03-25

CVE-2023-0149 - WordPrezi WordPress plugin before 0.9

The WordPrezi WordPress plugin before 0.9 does not validate and escape some of its shortcode attributes before outputting them back in the page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2023-02-06
Threat Entry Updated 2025-03-25

CVE-2023-0143 - Send PDF for Contact Form 7 WordPress plugin before 0.9.9.2

The Send PDF for Contact Form 7 WordPress plugin before 0.9.9.2 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

MEDIUM CVSS 5.4 2023-02-06
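
Six entries on this page (CVE-2024-9020, CVE-2024-5475, CVE-2023-0372, CVE-2023-0177, CVE-2023-0149 and CVE-2023-0143) carry the same text: shortcode attributes echoed back without validation or escaping. The point that makes this a contributor-level issue is that WordPress strips `<script>` from a contributor's post content, but shortcode attributes are opaque strings that the plugin turns into HTML itself, so the plugin is the only filter. The added example below is not code from any of these plugins; it is a hypothetical video-embed shortcode, vulnerable and then hardened. The shortcode tag, attribute names and allowed hosts are assumptions.

```php
<?php
// Added example; hypothetical shortcode, not the code of any plugin listed on
// this page. Tag, attribute names and allowed hosts are assumptions.

// VULNERABLE: attributes are interpolated into markup unchanged. A contributor
// has no unfiltered_html, but the post body may contain
//   [example_video_vuln url="x" width='1" onmouseover="alert(1)']
// which is stored and rendered as-is, firing when an admin previews the post.
add_shortcode( 'example_video_vuln', function ( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'width' => '560', 'class' => '' ), $atts );
    return '<iframe class="' . $atts['class'] . '" width="' . $atts['width']
        . '" src="' . $atts['url'] . '"></iframe>';
} );

// HARDENED: validate each attribute against what it is supposed to be, then
// escape for the exact context (URL vs ordinary attribute) on output.
add_shortcode( 'example_video', 'example_video_shortcode' );

function example_video_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '', 'width' => '560', 'class' => '' ),
        $atts,
        'example_video'
    );

    // Validate: only an embed host we expect. A rejected value is not echoed
    // back into the page at all, not even escaped.
    $allowed_hosts = array( 'www.youtube.com', 'player.vimeo.com' );
    $host          = wp_parse_url( $atts['url'], PHP_URL_HOST );
    if ( ! in_array( $host, $allowed_hosts, true ) ) {
        return '';
    }

    // Validate: width is an integer in a sane range; anything else falls back.
    $width = absint( $atts['width'] );
    if ( $width < 1 || $width > 1920 ) {
        $width = 560;
    }

    // Validate: a CSS class is [A-Za-z0-9_-]; sanitize_html_class() enforces that.
    $class = sanitize_html_class( $atts['class'] );

    // Escape: esc_url() for src (it also rejects javascript: and data: here
    // because only http/https are allowed), esc_attr() for the class, %d for
    // the already-integer width.
    return sprintf(
        '<iframe class="%s" width="%d" src="%s" allowfullscreen></iframe>',
        esc_attr( $class ),
        $width,
        esc_url( $atts['url'], array( 'http', 'https' ) )
    );
}
```

`esc_attr()` only stops a value from breaking out of the attribute it is in; it does not make a `javascript:` URL safe in `src` or `href` (that is `esc_url()`'s job), and no escaping function makes an attacker-chosen event-handler attribute safe, which is why the hardened version never lets an attribute name come from the shortcode. When triaging the entries above, a quick local check is to save a post with a quote-breaking attribute as a contributor and view the rendered source as an admin.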
Threat Entry Updated 2025-05-06

CVE-2022-3380 - Customizer Export/Import WordPress plugin before 0.9.5

The Customizer Export/Import WordPress plugin before 0.9.5 unserializes the content of an imported file, which could lead to PHP object injection issues when an admin imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.

HIGH CVSS 7.2 2022-10-31
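
CVE-2023-1347 and CVE-2022-3380 above are the same plugin calling `unserialize()` on data an admin supplies, once via a setting and once via an uploaded file. The added example below is not Customizer Export/Import's code; it is a hypothetical import routine showing why `unserialize()` on external data is object injection, an illustrative gadget-shaped class (not one that exists in the plugin) to make the mechanism concrete, and two fixes: forbidding object instantiation, or moving the format to JSON. Function, class and theme-mod names are assumptions.

```php
<?php
// Added example; hypothetical import routine, not Customizer Export/Import's
// code. The class below is illustrative only; no such gadget is claimed to
// exist in the plugin. Names are assumptions.

// VULNERABLE: unserialize() instantiates whatever classes the file names and
// later runs their __wakeup()/__destruct(). The admin never has to be
// malicious: a file from a "theme demo" download, or a CSRF-driven import,
// is enough. "Intentionally or not" in the advisory text is this.
function vulnerable_import( string $path ): void {
    $data = unserialize( file_get_contents( $path ) );
    foreach ( (array) $data['mods'] as $key => $value ) {
        set_theme_mod( $key, $value );
    }
}

// What a gadget looks like: any loaded class whose magic method does I/O with
// properties the attacker sets in the serialized payload. Shown for
// illustration; it is not part of the plugin.
class ExampleCacheWriter {
    public $file    = '';
    public $content = '';
    public function __destruct() {
        file_put_contents( $this->file, $this->content ); // attacker controls both
    }
}

// HARDENED 1: if the serialized format must stay, forbid objects outright.
// allowed_classes => false turns every object into __PHP_Incomplete_Class, so
// no __wakeup/__destruct of a real class ever runs.
function import_serialized_no_objects( string $path ): array {
    $data = unserialize( (string) file_get_contents( $path ), array( 'allowed_classes' => false ) );
    if ( ! is_array( $data ) || ! isset( $data['mods'] ) || ! is_array( $data['mods'] ) ) {
        return array();
    }
    return sanitize_mods( $data['mods'] );
}

// HARDENED 2 (preferred for new exports): JSON has no object instantiation at
// all, and a depth limit bounds the parser's work on hostile input.
function import_from_json( string $path ): array {
    $data = json_decode( (string) file_get_contents( $path ), true, 8 );
    if ( JSON_ERROR_NONE !== json_last_error() || ! is_array( $data ) || ! isset( $data['mods'] ) ) {
        return array();
    }
    return sanitize_mods( (array) $data['mods'] );
}

// Regardless of format, allow-list the keys and keep only scalar values:
// theme mods never need to carry objects.
function sanitize_mods( array $mods ): array {
    $allowed = array( 'header_textcolor', 'background_color', 'custom_logo' );
    $clean   = array();
    foreach ( $mods as $key => $value ) {
        if ( in_array( $key, $allowed, true ) && is_scalar( $value ) ) {
            $clean[ $key ] = sanitize_text_field( (string) $value );
        }
    }
    return $clean;
}
```

The `allowed_classes` option needs PHP 7.0 or later, which every supported WordPress release already requires. Note that the "admin only" qualifier in both entries is why they score 7.2 rather than higher, not a reason to defer the fix: the payload runs as the web server, so it is a path from a compromised or tricked admin session to code execution on the host, which plain admin privileges on a hardened multisite do not otherwise grant.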