
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 808 records (Critical: 39, High: 132, Medium: 616)

Showing 301-320 of 808 records
Threat Entry Updated 2024-12-12

CVE-2023-2401 - Before 1 Plugin

The QuBot WordPress plugin before 1.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 1

CVE-2023-2401

MEDIUM CVSS 4.8 2023-06-19
Threat Entry Updated 2024-11-21

CVE-2023-2718 - Before 1 Plugin

The Contact Form Email WordPress plugin before 1.3.38 does not escape submitted values before displaying them in the HTML, leading to a Stored XSS vulnerability.

PLUGIN Before 1

CVE-2023-2718

MEDIUM CVSS 5.4 2023-06-12
Threat Entry Updated 2025-05-05

CVE-2023-2362 - Before 1 Plugin

The Float menu WordPress plugin before 5.0.2, Bubble Menu WordPress plugin before 3.0.4, Button Generator WordPress plugin before 2.3.5, Calculator Builder WordPress plugin before 1.5.1, Counter Box WordPress plugin before 1.2.2, Floating Button WordPress plugin before 5.3.1, Herd Effects WordPress plugin before 5.2.2, Popup Box WordPress plugin before 2.2.2, Side Menu Lite WordPress plugin before 4.0.2, Sticky Buttons WordPress plugin before 3.1.1, Wow Skype Buttons WordPress plugin before 4.0.2, WP Coder WordPress plugin before 2.5.6 do not escape the page parameter before outputting it back in an attribute, leading to…

PLUGIN Before 1

CVE-2023-2362

MEDIUM CVSS 6.1 2023-06-12
Threat Entry Updated 2025-01-08

CVE-2023-2503 - Before 1 Plugin

The 10Web Social Post Feed WordPress plugin before 1.2.9 does not sanitise and escape a parameter before outputting it back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Before 1

CVE-2023-2503

MEDIUM CVSS 6.1 2023-06-05
Threat Entry Updated 2025-01-08

CVE-2023-2224 - Before 1 Plugin

The SEO by 10Web WordPress plugin before 1.2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 1

CVE-2023-2224

MEDIUM CVSS 4.8 2023-06-05
Threat Entry Updated 2025-01-08

CVE-2023-0545 - Before 1 Plugin

The Hostel WordPress plugin before 1.1.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 1

CVE-2023-0545

MEDIUM CVSS 4.8 2023-06-05
Threat Entry Updated 2025-01-10

CVE-2023-2296 - Before 1 Plugin

The Loginizer WordPress plugin before 1.7.9 does not escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Before 1

CVE-2023-2296

MEDIUM CVSS 6.1 2023-05-30
Threat Entry Updated 2025-01-10

CVE-2023-1938 - Before 1 Plugin

The WP Fastest Cache WordPress plugin before 1.1.5 does not have a CSRF check in an AJAX action, and does not validate user input before using it in the wp_remote_get() function, leading to a Blind SSRF issue.

PLUGIN Before 1

CVE-2023-1938

HIGH CVSS 8.8 2023-05-30
Threat Entry Updated 2025-01-10

CVE-2023-0443 - Before 1 Plugin

The AnyWhere Elementor WordPress plugin before 1.2.8 discloses a Freemius Secret Key which could be used by an attacker to purchase the pro subscription using test credit card numbers without actually paying the amount. The key has since been revoked.

PLUGIN Before 1

CVE-2023-0443

MEDIUM CVSS 5.3 2023-05-30
Threat Entry Updated 2025-01-10

CVE-2023-2117 - Before 1 Plugin

The Image Optimizer by 10web WordPress plugin before 1.0.27 does not sanitize the dir parameter when handling the get_subdirs ajax action, allowing high privileged users such as admins to inspect names of files and directories outside of the site's root.

PLUGIN Before 1

CVE-2023-2117

LOW CVSS 2.7 2023-05-30
Threat Entry Updated 2025-01-24

CVE-2023-1207 - Before 1 Plugin

This HTTP Headers WordPress plugin before 1.18.8 has an import functionality which executes arbitrary SQL on the server, leading to an SQL Injection vulnerability.

PLUGIN Before 1

CVE-2023-1207

HIGH CVSS 7.2 2023-05-15
Threat Entry Updated 2025-01-24

CVE-2023-1915 - Before 1 Plugin

The Thumbnail carousel slider WordPress plugin before 1.1.10 does not sanitise and escape some parameters before outputting them back in pages, leading to a Reflected Cross-Site Scripting vulnerability which could be used against high privilege users such as admin.

PLUGIN Before 1

CVE-2023-1915

MEDIUM CVSS 6.1 2023-05-15
Threat Entry Updated 2025-01-24

CVE-2023-1890 - Before 1 Plugin

The Tablesome WordPress plugin before 1.0.9 does not escape various generated URLs before outputting them in attributes when some notices are displayed, leading to Reflected Cross-Site Scripting.

PLUGIN Before 1

CVE-2023-1890

MEDIUM CVSS 6.1 2023-05-15
Threat Entry Updated 2025-01-30

CVE-2023-1614 - Before 1 Plugin

The WP Custom Author URL WordPress plugin before 1.0.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 1

CVE-2023-1614

MEDIUM CVSS 4.8 2023-05-02
Threat Entry Updated 2025-01-30

CVE-2023-1911 - Before 1 Plugin

The Blocksy Companion WordPress plugin before 1.8.82 does not ensure that posts to be accessed via a shortcode are already public and can be viewed, allowing any authenticated user, such as a subscriber, to access draft posts, for example.

PLUGIN Before 1

CVE-2023-1911

MEDIUM CVSS 4.3 2023-05-02
Threat Entry Updated 2025-01-30

CVE-2023-1125 - Before 1 Plugin

The Ruby Help Desk WordPress plugin before 1.3.4 does not ensure that the ticket being modified belongs to the user making the request, allowing an attacker to close and/or add files and replies to tickets other than their own.

PLUGIN Before 1

CVE-2023-1125

MEDIUM CVSS 6.5 2023-05-02
Threat Entry Updated 2025-02-04

CVE-2023-1623 - Before 1 Plugin

The Custom Post Type UI WordPress plugin before 1.13.5 does not properly check for CSRF when sending the debug information to a user supplied email, which could allow attackers to make a logged in admin send such information to an arbitrary email address via a CSRF attack.

PLUGIN Before 1

CVE-2023-1623

MEDIUM CVSS 6.5 2023-04-24
Threat Entry Updated 2025-02-06

CVE-2023-1331 - Before 1 Plugin

The Redirection WordPress plugin before 1.1.5 does not have CSRF checks in the uninstall action, which could allow attackers to make logged in admins delete all the redirections through a CSRF attack.

PLUGIN Before 1

CVE-2023-1331

MEDIUM CVSS 6.5 2023-04-17
Threat Entry Updated 2025-02-06

CVE-2023-1427 - Before 1 Plugin

The Photo Gallery by 10Web WordPress plugin before 1.8.15 did not ensure that uploaded files are kept inside its uploads folder, allowing high privilege users to put images anywhere in the filesystem via a path traversal vector.

PLUGIN Before 1

CVE-2023-1427

MEDIUM CVSS 4.9 2023-04-17
Threat Entry Updated 2025-02-11

CVE-2023-0363 - Before 1 Plugin

The Scheduled Announcements Widget WordPress plugin before 1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 1

CVE-2023-0363

MEDIUM CVSS 5.4 2023-04-10