Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 808 records (Critical: 39, High: 132, Medium: 616)

Showing 261-280 of 808 records
CVE-2023-3356 - Subscribers Text Counter (WordPress plugin) - MEDIUM (CVSS 4.3), 2023-08-30 - Threat entry updated 2024-11-21

The Subscribers Text Counter WordPress plugin before 1.7.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack, which also leads to Stored Cross-Site Scripting due to the lack of sanitisation and escaping.

CVE-2023-3954 - MultiParcels Shipping For WooCommerce (WordPress plugin) - MEDIUM (CVSS 6.1), 2023-08-21 - Threat entry updated 2025-05-05

The MultiParcels Shipping For WooCommerce WordPress plugin before 1.15.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVE-2023-3604 - Change WP Admin Login (WordPress plugin) - HIGH (CVSS 7.5), 2023-08-21 - Threat entry updated 2026-01-16

The Change WP Admin Login WordPress plugin before 1.1.4 discloses the URL of the hidden login page when accessing a crafted URL, bypassing the protection offered.

CVE-2023-3667 - Bit Assist (WordPress plugin) - MEDIUM (CVSS 4.8), 2023-08-21 - Threat entry updated 2025-05-05

The Bit Assist WordPress plugin before 1.1.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2023-3366 - MultiParcels Shipping For WooCommerce (WordPress plugin) - MEDIUM (CVSS 4.3), 2023-08-21 - Threat entry updated 2024-11-21

The MultiParcels Shipping For WooCommerce WordPress plugin before 1.15.2 does not have a CSRF check when deleting a shipment, allowing attackers to make any logged-in user delete arbitrary shipments via a CSRF attack.

CVE-2023-2122 - Image Optimizer by 10web (WordPress plugin) - MEDIUM (CVSS 6.1), 2023-08-16 - Threat entry updated 2024-11-21

The Image Optimizer by 10web WordPress plugin before 1.0.27 does not sanitise and escape the iowd_tabs_active parameter before rendering it in the plugin admin panel, leading to a reflected Cross-Site Scripting vulnerability, allowing an attacker to trick a logged-in admin into executing arbitrary JavaScript by clicking a link.

CVE-2023-2254 - Ko-fi Button (WordPress plugin) - MEDIUM (CVSS 4.8), 2023-08-16 - Threat entry updated 2024-11-21

The Ko-fi Button WordPress plugin before 1.3.3 does not properly sanitise some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed (for example in multisite setup), and we consider it a low risk.

CVE-2023-3435 - User Activity Log (WordPress plugin) - CRITICAL (CVSS 9.8), 2023-08-14 - Threat entry updated 2024-11-21

The User Activity Log WordPress plugin before 1.6.5 does not correctly sanitise and escape several parameters before using them in a SQL statement as part of its export feature, allowing unauthenticated attackers to conduct SQL injection attacks.

CVE-2023-3328 - Custom Field For WP Job Manager (WordPress plugin) - MEDIUM (CVSS 4.8), 2023-08-14 - Threat entry updated 2024-11-21

The Custom Field For WP Job Manager WordPress plugin before 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2023-3365 - MultiParcels Shipping For WooCommerce (WordPress plugin) - HIGH (CVSS 8.1), 2023-08-07 - Threat entry updated 2024-11-21

The MultiParcels Shipping For WooCommerce WordPress plugin before 1.14.14 does not have an authorisation check when deleting a shipment, allowing any authenticated user, such as a subscriber, to delete arbitrary shipments.

CVE-2023-3671 - MultiParcels Shipping For WooCommerce (WordPress plugin) - MEDIUM (CVSS 6.1), 2023-08-07 - Threat entry updated 2025-05-05

The MultiParcels Shipping For WooCommerce WordPress plugin before 1.15.4 does not sanitise and escape various parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVE-2023-2843 - MultiParcels Shipping For WooCommerce (WordPress plugin) - HIGH (CVSS 8.8), 2023-08-07 - Threat entry updated 2024-11-21

The MultiParcels Shipping For WooCommerce WordPress plugin before 1.14.15 does not properly sanitize and escape a parameter before using it in an SQL statement, which could allow any authenticated users, such as subscribers, to perform SQL Injection attacks.

CVE-2021-24916 - Qubely (WordPress plugin) - HIGH (CVSS 7.5), 2023-08-07 - Threat entry updated 2024-11-21

The Qubely WordPress plugin before 1.8.6 allows unauthenticated users to send arbitrary e-mails to arbitrary addresses via the qubely_send_form_data AJAX action.

CVE-2023-0604 - WP Food Manager (WordPress plugin) - MEDIUM (CVSS 5.4), 2023-08-07 - Threat entry updated 2024-11-21

The WP Food Manager WordPress plugin before 1.0.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2023-3345 - LMS by Masteriyo (WordPress plugin) - MEDIUM (CVSS 6.5), 2023-07-31 - Threat entry updated 2025-06-10

The LMS by Masteriyo WordPress plugin before 1.6.8 does not have proper authorization in some of its REST API endpoints, making it possible for any student to retrieve the email addresses of other students.

CVE-2023-3134 - Forminator (WordPress plugin) - MEDIUM (CVSS 6.1), 2023-07-31 - Threat entry updated 2024-11-21

The Forminator WordPress plugin before 1.24.4 does not properly escape values that are being reflected inside form fields that use pre-populated query parameters, which could lead to reflected XSS attacks.

CVE-2023-3130 - Short URL (WordPress plugin) - MEDIUM (CVSS 4.8), 2023-07-31 - Threat entry updated 2024-11-21

The Short URL WordPress plugin before 1.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2023-2761 - User Activity Log (WordPress plugin) - HIGH (CVSS 7.2), 2023-07-24 - Threat entry updated 2024-11-21

The User Activity Log WordPress plugin before 1.6.3 does not properly sanitise and escape the `txtsearch` parameter before using it in a SQL statement in some admin pages, leading to a SQL injection exploitable by high privilege users such as admin.

CVE-2023-3344 - Auto Location for WP Job Manager via Google (WordPress plugin) - MEDIUM (CVSS 4.8), 2023-07-24 - Threat entry updated 2025-05-05

The Auto Location for WP Job Manager via Google WordPress plugin before 1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2023-3186 - Popup by Supsystic (WordPress plugin) - CRITICAL (CVSS 9.8), 2023-07-17 - Threat entry updated 2024-11-21

The Popup by Supsystic WordPress plugin before 1.10.19 has a prototype pollution vulnerability that could allow an attacker to inject arbitrary properties into Object.prototype.
