Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 808 records (Critical 39, High 132, Medium 616)
Showing 201-220 of 808 records
CVE-2023-6555 - Email Subscription Popup plugin before 1.2.20
MEDIUM CVSS 6.1 2024-01-08 (entry updated 2025-06-18)

The Email Subscription Popup WordPress plugin before 1.2.20 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVE-2023-5235 - Ovic Responsive WPBakery plugin before 1.2.9
HIGH CVSS 8.8 2024-01-08 (entry updated 2025-06-11)

The Ovic Responsive WPBakery WordPress plugin before 1.2.9 does not limit which options can be updated via some of its AJAX actions, which may allow attackers with a subscriber+ account to update blog options, such as 'users_can_register' and 'default_role'. It also unserializes user input in the process, which may lead to Object Injection attacks.

CVE-2023-6271 - Backup Migration plugin before 1.3.6
HIGH CVSS 7.5 2024-01-01 (entry updated 2025-06-11)

The Backup Migration WordPress plugin before 1.3.6 stores in-progress backup information in easy-to-find, publicly accessible files, which may allow attackers monitoring those files to leak sensitive information from the site's backups.

CVE-2023-5674 - WP Mail Log plugin before 1.1.3
HIGH CVSS 8.8 2023-12-26 (entry updated 2024-11-21)

The WP Mail Log WordPress plugin before 1.1.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Contributor.

CVE-2023-6114 - Duplicator plugin before 1.5.7.1 / Duplicator Pro before 4.5.14.2
HIGH CVSS 7.5 2023-12-26 (entry updated 2024-11-21)

The Duplicator WordPress plugin before 1.5.7.1 and Duplicator Pro WordPress plugin before 4.5.14.2 do not disallow listing of the `backups-dup-lite/tmp` directory (or the `backups-dup-pro/tmp` directory in the Pro version), which temporarily stores files containing sensitive data. When directory listing is enabled in the web server, this allows unauthenticated attackers to discover and access these sensitive files, which include a full database dump and a zip archive of the site.

CVE-2023-6268 - JSON Content Importer plugin before 1.5.4
MEDIUM CVSS 6.1 2023-12-26 (entry updated 2024-11-21)

The JSON Content Importer WordPress plugin before 1.5.4 does not sanitise and escape the tab parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVE-2023-5673 - WP Mail Log plugin before 1.1.3
HIGH CVSS 8.8 2023-12-26 (entry updated 2024-11-21)

The WP Mail Log WordPress plugin before 1.1.3 does not properly validate file extensions when uploading files to attach to emails, allowing attackers to upload PHP files, leading to remote code execution.

CVE-2023-5645 - WP Mail Log plugin before 1.1.3
HIGH CVSS 8.8 2023-12-26 (entry updated 2024-11-21)

The WP Mail Log WordPress plugin before 1.1.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Contributor.

CVE-2023-5644 - WP Mail Log plugin before 1.1.3
HIGH CVSS 7.6 2023-12-26 (entry updated 2024-11-21)

The WP Mail Log WordPress plugin before 1.1.3 does not correctly authorize its REST API endpoints, allowing users with the Contributor role to view and delete data that should only be accessible to Admin users.

CVE-2023-5203 - WP Sessions Time Monitoring Full Automatic plugin before 1.0.9
HIGH CVSS 7.5 2023-12-26 (entry updated 2024-11-21)

The WP Sessions Time Monitoring Full Automatic WordPress plugin before 1.0.9 does not sanitize the request URL or query parameters before using them in an SQL query, allowing unauthenticated attackers to extract sensitive data from the database via blind time-based SQL injection techniques, or in some cases an error/union-based technique.

CVE-2023-5672 - WP Mail Log plugin before 1.1.3
MEDIUM CVSS 6.5 2023-12-26 (entry updated 2024-11-21)

The WP Mail Log WordPress plugin before 1.1.3 does not properly validate file path parameters when attaching files to emails, leading to local file inclusion and allowing an attacker to leak the contents of arbitrary files.

CVE-2023-6295 - SiteOrigin Widgets Bundle plugin before 1.51.0
HIGH CVSS 7.2 2023-12-18 (entry updated 2024-11-21)

The SiteOrigin Widgets Bundle WordPress plugin before 1.51.0 does not validate user input before using it to generate paths passed to include function/s, allowing users with the administrator role to perform LFI attacks in the context of Multisite WordPress sites.

CVE-2023-6272 - Theme My Login 2FA plugin before 1.2
CRITICAL CVSS 9.8 2023-12-18 (entry updated 2024-11-21)

The Theme My Login 2FA WordPress plugin before 1.2 does not rate limit 2FA validation attempts, which may allow an attacker to brute-force all possibilities, which shouldn't take too long, as the 2FA codes are 6 digits.

CVE-2023-5886 - Export any WordPress data to XML/CSV plugin before 1.4.0 / WP All Export Pro before 1.8.6
HIGH CVSS 8.8 2023-12-18 (entry updated 2024-11-21)

The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0 and WP All Export Pro WordPress plugin before 1.8.6 do not check nonce tokens early enough in the request lifecycle, allowing attackers with the ability to upload files to make logged-in users perform unwanted actions leading to PHAR deserialization, which may lead to remote code execution.

CVE-2023-5882 - Export any WordPress data to XML/CSV plugin before 1.4.0 / WP All Export Pro before 1.8.6
HIGH CVSS 8.8 2023-12-18 (entry updated 2024-11-21)

The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0 and WP All Export Pro WordPress plugin before 1.8.6 do not check nonce tokens early enough in the request lifecycle, allowing attackers to make logged-in users perform unwanted actions leading to remote code execution.

CVE-2023-4724 - Export any WordPress data to XML/CSV plugin before 1.4.0 / WP All Export Pro before 1.8.6
HIGH CVSS 7.2 2023-12-18 (entry updated 2025-05-20)

The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0 and WP All Export Pro WordPress plugin before 1.8.6 do not validate and sanitise the `wp_query` parameter, which allows an attacker to run arbitrary commands on the remote server.

CVE-2023-5955 - Contact Form Email plugin before 1.3.44
MEDIUM CVSS 4.8 2023-12-11 (entry updated 2024-11-21)

The Contact Form Email WordPress plugin before 1.3.44 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2023-6063 - WP Fastest Cache plugin before 1.2.2
HIGH CVSS 7.5 2023-12-04 (entry updated 2024-11-21)

The WP Fastest Cache WordPress plugin before 1.2.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.

CVE-2023-5762 - Filr plugin before 1.2.3.6
HIGH CVSS 8.8 2023-12-04 (entry updated 2024-11-21)

The Filr WordPress plugin before 1.2.3.6 contains a Remote Code Execution (RCE) vulnerability, which allows a user with Author-level privileges to execute operating system commands and fully compromise the server.

CVE-2023-5906 - Job Manager & Career plugin before 1.4.4
HIGH CVSS 7.5 2023-11-27 (entry updated 2024-11-21)

The Job Manager & Career WordPress plugin before 1.4.4 contains a vulnerability in the Directory Listings system, which allows an unauthorized user to view and download private files of other users. This vulnerability poses a serious security threat because it allows an attacker to gain access to confidential data and files of other users without their permission.