Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-03-27
CVE-2023-7115 - Before 1 Plugin
The Page Builder: Pagelayer WordPress plugin before 1.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Before 1
CVE-2023-7115
Risk Score
Threat Entry
Updated 2025-05-01
CVE-2023-7198 - Before 1 Plugin
The WP Dashboard Notes WordPress plugin before 1.0.11 is vulnerable to Insecure Direct Object References (IDOR) in post_id= parameter. Authenticated users are able to delete private notes associated with different user accounts. This poses a significant security risk as it violates the principle of least privilege and compromises the integrity and privacy of user data.
PLUGIN
Before 1
CVE-2023-7198
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2021-4436 - Before 1 Plugin
The 3DPrint Lite WordPress plugin before 1.9.1.5 does not have any authorisation and does not check the uploaded file in its p3dlite_handle_upload AJAX action , allowing unauthenticated users to upload arbitrary file to the web server. However, there is a .htaccess, preventing the file to be accessed on Web servers such as Apache.
PLUGIN
Before 1
CVE-2021-4436
Risk Score
Threat Entry
Updated 2026-02-20
CVE-2023-6279 - Before 1 Plugin
The Woostify Sites Library WordPress plugin before 1.4.8 does not have authorisation in an AJAX action, allowing any authenticated users, such as subscriber to update arbitrary blog options and set them to 'activated' which could lead to DoS when using a specific option name
PLUGIN
Before 1
CVE-2023-6279
Risk Score
Threat Entry
Updated 2025-06-11
CVE-2023-5943 - Before 1 Plugin
The Wp-Adv-Quiz WordPress plugin before 1.0.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
PLUGIN
Before 1
CVE-2023-5943
Risk Score
Threat Entry
Updated 2025-05-22
CVE-2023-5124 - Before 1 Plugin
The Page Builder: Pagelayer WordPress plugin before 1.8.0 doesn't prevent attackers with administrator privileges from inserting malicious JavaScript inside a post's header or footer code, even when unfiltered_html is disallowed, such as in multi-site WordPress configurations.
PLUGIN
Before 1
CVE-2023-5124
Risk Score
Threat Entry
Updated 2025-06-11
CVE-2023-6384 - Before 1 Plugin
The WP User Profile Avatar WordPress plugin before 1.0.1 does not properly check for authorisation, allowing authors to delete and update arbitrary avatar
PLUGIN
Before 1
CVE-2023-6384
Risk Score
Threat Entry
Updated 2025-05-09
CVE-2024-0239 - Before 1 Plugin
The Contact Form 7 Connector WordPress plugin before 1.2.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against administrators.
PLUGIN
Before 1
CVE-2024-0239
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-7154 - Before 1 Plugin
The Hubbub Lite (formerly Grow Social) WordPress plugin before 1.32.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Before 1
CVE-2023-7154
Risk Score
Threat Entry
Updated 2025-06-20
CVE-2023-4536 - Before 1 Plugin
The My Account Page Editor WordPress plugin before 1.3.2 does not validate the profile picture to be uploaded, allowing any authenticated users, such as subscriber to upload arbitrary files to the server, leading to RCE
PLUGIN
Before 1
CVE-2023-4536
Risk Score
Threat Entry
Updated 2025-06-02
CVE-2023-5922 - Before 1 Plugin
The Royal Elementor Addons and Templates WordPress plugin before 1.3.81 does not ensure that users accessing posts via an AJAX action (and REST endpoint, currently disabled in the plugin) have the right to do so, allowing unauthenticated users to access arbitrary draft, private and password protected posts/pages content
PLUGIN
Before 1
CVE-2023-5922
Risk Score
Threat Entry
Updated 2025-06-20
CVE-2023-4757 - Before 1 Plugin
The Staff / Employee Business Directory for Active Directory WordPress plugin before 1.2.3 does not sanitize and escape data returned from the LDAP server before rendering it in the page, allowing users who can control their entries in the LDAP directory to inject malicious javascript which could be used against high-privilege users such as a site admin.
PLUGIN
Before 1
CVE-2023-4757
Risk Score
Threat Entry
Updated 2025-06-02
CVE-2023-6732 - Before 1 Plugin
The Ultimate Maps by Supsystic WordPress plugin before 1.2.16 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
PLUGIN
Before 1
CVE-2023-6732
Risk Score
Threat Entry
Updated 2025-06-20
CVE-2023-3372 - Before 1 Plugin
The Lana Shortcodes WordPress plugin before 1.2.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which allows users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
Before 1
CVE-2023-3372
Risk Score
Threat Entry
Updated 2025-06-02
CVE-2023-0376 - Before 1 Plugin
The Qubely WordPress plugin before 1.8.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
Before 1
CVE-2023-0376
Risk Score
Threat Entry
Updated 2025-06-11
CVE-2023-0389 - Before 1 Plugin
The Calculated Fields Form WordPress plugin before 1.1.151 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Before 1
CVE-2023-0389
Risk Score
Threat Entry
Updated 2025-06-11
CVE-2021-24566 - Before 1 Plugin
The WooCommerce Currency Switcher FOX WordPress plugin before 1.3.7 was vulnerable to LFI attacks via the "woocs" shortcode.
PLUGIN
Before 1
CVE-2021-24566
Risk Score
Threat Entry
Updated 2025-06-17
CVE-2021-25117 - Before 1 Plugin
The WP-PostRatings WordPress plugin before 1.86.1 does not sanitise the postratings_image parameter from its options page (wp-admin/admin.php?page=wp-postratings/postratings-options.php). Even though the page is only accessible to administrators, and protected against CSRF attacks, the issue is still exploitable when the unfiltered_html capability is disabled.
PLUGIN
Before 1
CVE-2021-25117
Risk Score
Threat Entry
Updated 2025-06-20
CVE-2021-24151 - Before 1 Plugin
The WP Editor WordPress plugin before 1.2.7 did not sanitise or validate its setting fields leading to an authenticated (admin+) blind SQL injection issue via an arbitrary parameter when making a request to save the settings.
PLUGIN
Before 1
CVE-2021-24151
Risk Score
Threat Entry
Updated 2025-06-18
CVE-2023-6505 - Before 1 Plugin
The Migrate WordPress Website & Backups WordPress plugin before 1.9.3 does not prevent directory listing in sensitive directories containing export files.
PLUGIN
Before 1
CVE-2023-6505
Risk Score