"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 808
Critical: 39
High: 132
Medium: 616
Showing 361-380 of 808 records
Threat Entry Updated 2025-01-14

CVE-2023-0034 - Before 1 Plugin

The JetWidgets For Elementor WordPress plugin before 1.0.14 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 1

CVE-2023-0034

MEDIUM CVSS 5.4 2023-02-13
Threat Entry Updated 2025-03-25

CVE-2023-0234 - Before 1 Plugin

The SiteGround Security WordPress plugin before 1.3.1 does not properly sanitize user input before using it in an SQL query, leading to an authenticated SQL injection issue.

PLUGIN Before 1

CVE-2023-0234

HIGH CVSS 8.8 2023-02-06
Threat Entry Updated 2025-03-26

CVE-2023-0282 - Before 1 Plugin

The YourChannel WordPress plugin before 1.2.2 does not sanitize and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks.

PLUGIN Before 1

CVE-2023-0282

MEDIUM CVSS 5.4 2023-02-06
Threat Entry Updated 2025-03-26

CVE-2023-0178 - Before 1 Plugin

The Annual Archive WordPress plugin before 1.6.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 1

CVE-2023-0178

MEDIUM CVSS 5.4 2023-02-06
Threat Entry Updated 2025-03-25

CVE-2023-0176 - Before 1 Plugin

The Giveaways and Contests by RafflePress WordPress plugin before 1.11.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 1

CVE-2023-0176

MEDIUM CVSS 5.4 2023-02-06
Threat Entry Updated 2025-03-25

CVE-2023-0154 - Before 1 Plugin

The GamiPress WordPress plugin before 1.0.9 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 1

CVE-2023-0154

MEDIUM CVSS 5.4 2023-02-06
Threat Entry Updated 2025-03-25

CVE-2023-0150 - Before 1 Plugin

The Cloak Front End Email WordPress plugin before 1.9.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 1

CVE-2023-0150

MEDIUM CVSS 5.4 2023-02-06
Threat Entry Updated 2025-03-25

CVE-2023-0096 - Before 1 Plugin

The Happyforms WordPress plugin before 1.22.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 1

CVE-2023-0096

MEDIUM CVSS 5.4 2023-02-06
Threat Entry Updated 2025-03-25

CVE-2023-0070 - Before 1 Plugin

The ResponsiveVoice Text To Speech WordPress plugin before 1.7.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 1

CVE-2023-0070

MEDIUM CVSS 5.4 2023-02-06
Threat Entry Updated 2025-03-27

CVE-2023-0033 - Before 1 Plugin

The PDF Viewer WordPress plugin before 1.0.0 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 1

CVE-2023-0033

MEDIUM CVSS 5.4 2023-01-30
Threat Entry Updated 2025-05-06

CVE-2022-3334 - Before 1 Plugin

The Easy WP SMTP WordPress plugin before 1.5.0 unserialises the content of an imported file, which could lead to a PHP object injection issue when an admin imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.

PLUGIN Before 1

CVE-2022-3334

HIGH CVSS 7.2 2022-10-31
Threat Entry Updated 2025-05-06

CVE-2022-3419 - Before 1 Plugin

The Automatic User Roles Switcher WordPress plugin before 1.1.2 does not have authorisation and proper CSRF checks, allowing any authenticated user, such as a subscriber, to add any role to themselves, such as administrator.

PLUGIN Before 1

CVE-2022-3419

MEDIUM CVSS 6.5 2022-10-31
Threat Entry Updated 2025-05-07

CVE-2022-2190 - Before 1 Plugin

The Gallery Plugin for WordPress plugin before 1.8.4.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.

PLUGIN Before 1

CVE-2022-2190

MEDIUM CVSS 6.1 2022-10-31
Threat Entry Updated 2025-05-07

CVE-2022-3395 - Before 1 Plugin

The WP All Export Pro WordPress plugin before 1.7.9 uses the contents of the cc_sql POST parameter directly as a database query, allowing users who have been given permission to run exports to execute arbitrary SQL statements, leading to a SQL Injection vulnerability. By default only users with the Administrator role can perform exports, but this can be delegated to lower privileged users as well.

PLUGIN Before 1

CVE-2022-3395

HIGH CVSS 8.8 2022-10-25
Threat Entry Updated 2025-05-07

CVE-2022-3394 - Before 1 Plugin

The WP All Export Pro WordPress plugin before 1.7.9 does not limit some functionality during exports only to users with the Administrator role, allowing any logged-in user who has been given privileges to perform exports to execute arbitrary code on the site. By default only administrators can run exports, but the privilege can be delegated to lower privileged users.

PLUGIN Before 1

CVE-2022-3394

HIGH CVSS 7.2 2022-10-25
Threat Entry Updated 2025-05-09

CVE-2022-3335 - Before 1 Plugin

The Kadence WooCommerce Email Designer WordPress plugin before 1.5.7 unserialises the content of an imported file, which could lead to PHP object injection issues when an admin imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.

PLUGIN Before 1

CVE-2022-3335

HIGH CVSS 7.2 2022-10-25
Threat Entry Updated 2025-05-09

CVE-2022-3300 - Before 1 Plugin

The Form Maker by 10Web WordPress plugin before 1.15.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

PLUGIN Before 1

CVE-2022-3300

HIGH CVSS 7.2 2022-10-25
Threat Entry Updated 2025-05-07

CVE-2022-3097 - Before 1 Plugin

The Plugin LBstopattack WordPress plugin before 1.1.3 does not use nonces when saving its settings, making it possible for attackers to conduct CSRF attacks. This could allow attackers to disable the plugin's protections.

PLUGIN Before 1

CVE-2022-3097

MEDIUM CVSS 6.5 2022-10-25
Threat Entry Updated 2025-05-14

CVE-2022-3139 - Before 1 Plugin

The We’re Open! WordPress plugin before 1.42 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Before 1

CVE-2022-3139

MEDIUM CVSS 4.8 2022-10-17
Threat Entry Updated 2025-05-13

CVE-2022-3282 - Before 1 Plugin

The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.5 does not properly check for the upload size limit set in forms, taking the value from user input sent when submitting the form. As a result, attackers could control the file length limit and bypass the limit set by admins in the contact form.

PLUGIN Before 1

CVE-2022-3282

MEDIUM CVSS 4.3 2022-10-17