
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 632 | Critical: 40 | High: 107 | Medium: 472
Showing 201-220 of 632 records
Threat Entry Updated 2025-05-13

CVE-2023-6064 - PayHere Payment Gateway Plugin

The PayHere Payment Gateway WordPress plugin before 2.2.12 automatically creates publicly-accessible log files containing sensitive information when transactions occur.

PLUGIN

CVE-2023-6064

HIGH CVSS 7.5 2024-01-01
Threat Entry Updated 2025-06-18

CVE-2023-6485 - Html5 Video Player Plugin

The Html5 Video Player WordPress plugin before 2.5.19 does not sanitise and escape some of its player settings, which, combined with missing capability checks around the plugin, could allow any authenticated user with a role as low as subscriber to perform Stored Cross-Site Scripting attacks against high-privilege users such as admins.

PLUGIN

CVE-2023-6485

MEDIUM CVSS 5.4 2024-01-01
Threat Entry Updated 2024-11-21

CVE-2023-6250 - BestWebSoft Like & Share Plugin

The BestWebSoft Like & Share WordPress plugin before 2.74 discloses the content of password-protected posts to unauthenticated users via a meta tag.

PLUGIN

CVE-2023-6250

HIGH CVSS 7.5 2023-12-26
Threat Entry Updated 2025-05-07

CVE-2023-5005 - Autocomplete Location Field Contact Form 7 Plugin

The Autocomplete Location field Contact Form 7 WordPress plugin before 3.0 and the autocomplete-location-field-contact-form-7-pro WordPress plugin before 2.0 do not sanitise and escape some of their settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN

CVE-2023-5005

MEDIUM CVSS 4.8 2023-12-18
Threat Entry Updated 2025-05-07

CVE-2023-6289 - Swift Performance Lite Plugin

The Swift Performance Lite WordPress plugin before 2.3.6.15 does not prevent users from exporting the plugin's settings, which may include sensitive information such as Cloudflare API tokens.

PLUGIN

CVE-2023-6289

MEDIUM CVSS 4.3 2023-12-18
Threat Entry Updated 2024-11-21

CVE-2023-6035 - EazyDocs Plugin

The EazyDocs WordPress plugin before 2.3.4 does not properly sanitise and escape the "data" parameter before using it in an SQL statement via an AJAX action, which could allow any authenticated user, such as a subscriber, to perform SQL Injection attacks.

PLUGIN

CVE-2023-6035

HIGH CVSS 8.8 2023-12-11
Threat Entry Updated 2024-11-21

CVE-2023-5757 - WP Crowdfunding Plugin

The WP Crowdfunding WordPress plugin before 2.1.8 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN

CVE-2023-5757

MEDIUM CVSS 4.8 2023-12-11
Threat Entry Updated 2025-02-20

CVE-2023-5952 - Welcart e-Commerce Plugin

The Welcart e-Commerce WordPress plugin before 2.9.5 unserializes user input from cookies, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.

PLUGIN

CVE-2023-5952

CRITICAL CVSS 9.8 2023-12-04
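The object-injection sink described in CVE-2023-5952, shown in plain PHP as an added example (this is not Welcart's code). The gadget class, the cookie format and the signing key are hypothetical, and the "malicious cookie" is constructed for the demo; the point is that unserialize() on client data instantiates whatever class the payload names, and that the fix is either to refuse object instantiation or, better, to stop accepting serialized PHP from the client at all:

```php
<?php
// Added example, not Welcart's code: why unserialize() on a cookie is an
// object-injection sink, and two ways to close it. The gadget class, cookie
// format and key are hypothetical; the "malicious cookie" is constructed here.

declare(strict_types=1);

// A gadget: any class the site already loads whose magic methods have side
// effects. __destruct() runs when the object is garbage-collected, so merely
// deserialising it is enough; the attacker never calls a method.
class CacheEntry
{
    public string $path = '/tmp/cache.txt';
    public string $data = '';

    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable pattern: hand the cookie body straight to unserialize().
function load_cart_vulnerable(string $cookie): mixed
{
    return unserialize($cookie);
}

// Fix 1: forbid object instantiation. The payload still parses, but any
// object becomes __PHP_Incomplete_Class, whose magic methods never run.
function load_cart_no_objects(string $cookie): mixed
{
    return unserialize($cookie, ['allowed_classes' => false]);
}

// Fix 2 (preferred): never accept serialized PHP from the client. Store JSON
// and authenticate it with an HMAC so a tampered cookie is rejected unparsed.
const CART_KEY = 'replace-with-a-random-32-byte-secret'; // hypothetical

function seal_cart(array $cart): string
{
    $json = json_encode($cart, JSON_THROW_ON_ERROR);
    return base64_encode($json) . '.' . hash_hmac('sha256', $json, CART_KEY);
}

function open_cart(string $cookie): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $json = base64_decode($parts[0], true);
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, CART_KEY), $parts[1])) {
        return null; // forged or corrupted: never reaches a parser
    }
    $cart = json_decode($json, true); // associative arrays only, no objects
    return is_array($cart) ? $cart : null;
}

// Constructed attacker cookie targeting the gadget above (benign file for the demo).
$evilCookie = 'O:10:"CacheEntry":2:{s:4:"path";s:19:"/tmp/gadget-poc.txt";s:4:"data";s:5:"pwned";}';
@unlink('/tmp/gadget-poc.txt');

$obj = load_cart_vulnerable($evilCookie); // CacheEntry is instantiated ...
unset($obj);                               // ... and __destruct() writes the file
printf("vulnerable: file written = %s\n", var_export(file_exists('/tmp/gadget-poc.txt'), true));
@unlink('/tmp/gadget-poc.txt');

$safe = load_cart_no_objects($evilCookie); // __PHP_Incomplete_Class, no destructor
unset($safe);
printf("allowed_classes=false: file written = %s\n", var_export(file_exists('/tmp/gadget-poc.txt'), true));

$sealed = seal_cart(['items' => [['sku' => 'A1', 'qty' => 2]]]);
printf("signed cookie round-trips: %s\n", var_export(open_cart($sealed) !== null, true));
$tampered = substr($sealed, 0, -1) . (substr($sealed, -1) === 'a' ? 'b' : 'a');
printf("tampered cookie rejected: %s\n", var_export(open_cart($tampered) === null, true));
```

Run it with `php` on the command line. The vulnerable loader creates the file even though the script never touches CacheEntry directly; with `allowed_classes => false` the same payload produces an inert __PHP_Incomplete_Class; the signed-JSON variant rejects a single flipped byte before any parsing happens. Note that `allowed_classes` only stops gadgets that are PHP classes; if the plugin genuinely needs objects back, the signed format is the one that actually removes attacker control over what is deserialised.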
Threat Entry Updated 2025-05-29

CVE-2023-5953 - Welcart e-Commerce Plugin

The Welcart e-Commerce WordPress plugin before 2.9.5 does not validate files to be uploaded and lacks authorisation and CSRF checks in the AJAX action handling the upload. As a result, any authenticated user, such as a subscriber, could upload arbitrary files, such as PHP, to the server.

PLUGIN

CVE-2023-5953

HIGH CVSS 8.8 2023-12-04
Threat Entry Updated 2025-02-20

CVE-2023-5951 - Welcart e-Commerce Plugin

The Welcart e-Commerce WordPress plugin before 2.9.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins.

PLUGIN

CVE-2023-5951

MEDIUM CVSS 6.1 2023-12-04
Threat Entry Updated 2024-11-21

CVE-2023-5604 - Asgaros Forum Plugin

The Asgaros Forum WordPress plugin before 2.7.1 allows forum administrators, who may not be WordPress (super-)administrators, to set insecure configuration that allows unauthenticated users to upload dangerous files (e.g. .php, .phtml), potentially leading to remote code execution.

PLUGIN

CVE-2023-5604

CRITICAL CVSS 9.8 2023-11-27
Threat Entry Updated 2025-06-04

CVE-2023-5958 - POST SMTP Mailer Plugin

The POST SMTP Mailer WordPress plugin before 2.7.1 does not escape email message content before displaying it in the backend, allowing an unauthenticated attacker to perform XSS attacks against highly privileged users.

PLUGIN

CVE-2023-5958

MEDIUM CVSS 6.1 2023-11-27
Threat Entry Updated 2025-01-16

CVE-2023-5611 - Seraphinite Accelerator Plugin

The Seraphinite Accelerator WordPress plugin before 2.20.32 does not have authorisation and CSRF checks when resetting and importing its settings, allowing unauthenticated users to reset them.

PLUGIN

CVE-2023-5611

MEDIUM CVSS 5.3 2023-11-27
Threat Entry Updated 2024-11-21

CVE-2023-5559 - 10Web Booster Plugin

The 10Web Booster WordPress plugin before 2.24.18 does not validate the option name given to some AJAX actions, allowing unauthenticated users to delete arbitrary options from the database, leading to denial of service.

PLUGIN

CVE-2023-5559

CRITICAL CVSS 9.1 2023-11-27
Threat Entry Updated 2024-11-21

CVE-2023-5239 - Security & Malware scan by CleanTalk Plugin

The Security & Malware scan by CleanTalk WordPress plugin before 2.121 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to bypass bruteforce protection.

PLUGIN

CVE-2023-5239

HIGH CVSS 7.5 2023-11-27
Threat Entry Updated 2024-11-21

CVE-2023-5560 - WP-UserOnline Plugin

The WP-UserOnline WordPress plugin before 2.88.3 does not sanitise and escape the X-Forwarded-For header before outputting its content on the page, which allows unauthenticated users to perform Cross-Site Scripting attacks.

PLUGIN

CVE-2023-5560

MEDIUM CVSS 6.1 2023-11-27
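CVE-2023-5239 and CVE-2023-5560 are two faces of the same mistake: treating X-Forwarded-For (and its siblings) as data the server produced rather than as bytes the client chose. The added example below, which is not the CleanTalk or WP-UserOnline code, shows the "first header present wins" lookup beside a trusted-proxy-aware one, and escapes the header before rendering it. The `$trusted` proxy list is a hypothetical site setting and the request arrays are constructed for the demo:

```php
<?php
// Added example, not the CleanTalk or WP-UserOnline code: (1) derive the
// client IP without letting the client pick it, and (2) escape header values
// before rendering. $trusted is a hypothetical site setting; the request
// arrays below are constructed for the demo.

declare(strict_types=1);

// Vulnerable lookup common in plugins: the first header present wins, and the
// client controls every header except REMOTE_ADDR.
function client_ip_vulnerable(array $server): string
{
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP', 'REMOTE_ADDR'] as $key) {
        if (!empty($server[$key])) {
            return trim(explode(',', $server[$key])[0]);
        }
    }
    return '';
}

// Hardened lookup. X-Forwarded-For is honoured only when the TCP peer is one
// of our own reverse proxies. Even then we walk the chain from the right (the
// hop our proxy appended) and stop at the first address that is not a trusted
// proxy: everything left of it was written by the client.
function client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote; // direct connection: forwarding headers are meaningless
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: fall back to the proxy address
        }
        if (!in_array($hops[$i], $trustedProxies, true)) {
            return $hops[$i];
        }
    }
    return $remote;
}

// Output side: a header is attacker-controlled text. Escape for the context
// it lands in (HTML body here); inside WordPress esc_html() does the same job.
function render_ip_cell(string $ip): string
{
    return '<td>' . htmlspecialchars($ip, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

$trusted = ['10.0.0.2'];

// Request through our proxy; the attacker (203.0.113.7) prepended a fake hop
// to land in a fresh rate-limit bucket on every login attempt.
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.77, 203.0.113.7',
];
// Direct connection with a spoofed header (no proxy involved at all).
$direct = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1',
];
// A header that doubles as an XSS payload for a "who is online" page.
$xss = ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '<img src=x onerror=alert(1)>'];

foreach (['viaProxy' => $viaProxy, 'direct' => $direct] as $name => $server) {
    printf("%-9s vulnerable=%-15s hardened=%s\n", $name,
        client_ip_vulnerable($server), client_ip($server, $trusted));
}
printf("escaped header cell: %s\n", render_ip_cell($xss['HTTP_X_FORWARDED_FOR']));
printf("hardened ip for the xss request: %s\n", client_ip($xss, $trusted));
```

In the proxied case the vulnerable function keys the brute-force counter on whatever the attacker put first in the header, so each attempt starts a new counter; the hardened one returns the address the proxy actually saw. In the direct case the spoofed header is ignored entirely. The rendering side is separate from the IP logic: even a correctly chosen IP string came from the network, so it is escaped at output regardless.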
Threat Entry Updated 2024-11-21

CVE-2023-5325 - Woocommerce Vietnam Checkout Plugin

The Woocommerce Vietnam Checkout WordPress plugin before 2.0.6 does not escape the custom shipping phone field on the checkout form, leading to Cross-Site Scripting.

PLUGIN

CVE-2023-5325

MEDIUM CVSS 6.1 2023-11-27
Threat Entry Updated 2024-11-21

CVE-2023-5525 - Limit Login Attempts Reloaded Plugin

The Limit Login Attempts Reloaded WordPress plugin before 2.25.26 is missing authorization on the `toggle_auto_update` AJAX action, allowing any user with a valid nonce to toggle the auto-update status of the plugin.

PLUGIN

CVE-2023-5525

MEDIUM CVSS 4.3 2023-11-27
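CVE-2023-5525 ("any user with a valid nonce") and CVE-2023-5611 (no authorisation or CSRF check at all) both come down to the difference between a nonce and an authorization check. A nonce proves the request was generated from a page the same logged-in user loaded; it says nothing about whether that user may perform the action. The added example below, which is not either plugin's code, shows a handler gated only by a nonce beside one that checks the nonce and then the capability. The nonce scheme is a simplified stand-in that mirrors the shape of WordPress's (an HMAC over a time window, the action and the user); the secret, the role model and the option store are hypothetical:

```php
<?php
// Added example, not the plugin's code. A nonce proves the request came from
// a page the same logged-in user loaded (CSRF defence); it does not say the
// user may perform the action. A handler needs both checks. The nonce scheme
// mirrors the shape of WordPress's (HMAC over time window, action and user)
// but is a simplified stand-in; secret, roles and option store are hypothetical.

declare(strict_types=1);

const NONCE_SECRET = 'replace-with-a-random-secret'; // hypothetical
const NONCE_WINDOW = 12 * 3600;                       // seconds per tick

function create_nonce(string $action, int $userId, int $now): string
{
    $tick = intdiv($now, NONCE_WINDOW);
    return substr(hash_hmac('sha256', "$tick|$action|$userId", NONCE_SECRET), 0, 16);
}

function verify_nonce(string $nonce, string $action, int $userId, int $now): bool
{
    $tick = intdiv($now, NONCE_WINDOW);
    foreach ([$tick, $tick - 1] as $t) { // current and previous window
        $expected = substr(hash_hmac('sha256', "$t|$action|$userId", NONCE_SECRET), 0, 16);
        if (hash_equals($expected, $nonce)) {
            return true;
        }
    }
    return false;
}

// Stand-in for current_user_can(): capabilities come from the role.
function user_can(array $user, string $cap): bool
{
    return in_array($cap, $user['caps'], true);
}

// Vulnerable handler: a valid nonce is the only gate. Every logged-in user
// gets a nonce for their own session from any page that prints one, so a
// subscriber can flip the setting.
function toggle_auto_update_vulnerable(array $user, array $req, array &$options, int $now): string
{
    if (!verify_nonce($req['nonce'] ?? '', 'toggle_auto_update', $user['id'], $now)) {
        return 'bad nonce';
    }
    $options['plugin_auto_update'] = !$options['plugin_auto_update'];
    return 'toggled';
}

// Hardened handler: CSRF check, then authorisation. In WordPress this is
// check_ajax_referer() followed by current_user_can('manage_options'), and
// the action is registered on wp_ajax_ only, never wp_ajax_nopriv_.
function toggle_auto_update(array $user, array $req, array &$options, int $now): string
{
    if (!verify_nonce($req['nonce'] ?? '', 'toggle_auto_update', $user['id'], $now)) {
        return 'bad nonce';
    }
    if (!user_can($user, 'manage_options')) {
        return 'forbidden';
    }
    $options['plugin_auto_update'] = !$options['plugin_auto_update'];
    return 'toggled';
}

$now        = time();
$options    = ['plugin_auto_update' => false];
$subscriber = ['id' => 42, 'caps' => ['read']];
$admin      = ['id' => 1,  'caps' => ['read', 'manage_options']];

$subReq   = ['nonce' => create_nonce('toggle_auto_update', $subscriber['id'], $now)];
$adminReq = ['nonce' => create_nonce('toggle_auto_update', $admin['id'], $now)];
$csrfReq  = ['nonce' => 'deadbeefdeadbeef']; // forged cross-site request, no real nonce

printf("subscriber, vulnerable handler: %s\n", toggle_auto_update_vulnerable($subscriber, $subReq, $options, $now));
printf("subscriber, hardened handler:   %s\n", toggle_auto_update($subscriber, $subReq, $options, $now));
printf("admin, hardened handler:        %s\n", toggle_auto_update($admin, $adminReq, $options, $now));
printf("admin via CSRF, hardened:       %s\n", toggle_auto_update($admin, $csrfReq, $options, $now));
printf("auto_update now: %s\n", var_export($options['plugin_auto_update'], true));
```

The subscriber's request carries a perfectly valid nonce, so the vulnerable handler toggles the option; the hardened handler accepts the nonce and then refuses on the missing capability. The forged request fails the nonce check before the capability is even consulted, which is the CSRF case that CVE-2023-5611 describes as missing outright. Order matters for reporting but not for safety: both checks must pass.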
Threat Entry Updated 2024-11-21

CVE-2023-5652 - WP Hotel Booking Plugin

The WP Hotel Booking WordPress plugin before 2.0.8 lacks authorisation and CSRF checks and does not escape user input before using it in a SQL statement in a function hooked to admin_init, allowing unauthenticated users to perform SQL injection.

PLUGIN

CVE-2023-5652

CRITICAL CVSS 9.8 2023-11-20
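CVE-2023-6035 (a "data" parameter reaching an SQL statement from an AJAX action) and CVE-2023-5652 (the same in a function hooked to admin_init) share one query-layer defect. The added example below is not EazyDocs' or WP Hotel Booking's code: it shows request data interpolated into statement text beside the parameterised form, using an in-memory SQLite database through PDO (which needs the pdo_sqlite extension) so it runs outside WordPress. The table and rows are constructed. Inside a plugin the equivalent fix is `$wpdb->prepare()` with `%s`/`%d` placeholders, in addition to the capability and nonce checks the descriptions call out:

```php
<?php
// Added example, not EazyDocs' or WP Hotel Booking's code: the same
// unsanitised-parameter-into-SQL bug at the query layer, beside the
// parameterised form. Uses an in-memory SQLite database through PDO (needs
// the pdo_sqlite extension) so it runs outside WordPress; the table and rows
// are constructed. In a plugin the fix is $wpdb->prepare() with %s/%d
// placeholders, plus the capability and nonce checks the descriptions mention.

declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE docs (id INTEGER PRIMARY KEY, title TEXT, status TEXT)');
$db->exec("INSERT INTO docs (title, status) VALUES
    ('Getting started', 'publish'),
    ('Internal runbook', 'private'),
    ('Pricing draft',    'draft')");

// Vulnerable: request data interpolated into the statement text. The quotes
// around the value are the only "protection" and the attacker can close them.
function search_docs_vulnerable(PDO $db, string $data): array
{
    $sql = "SELECT title FROM docs WHERE status = 'publish' AND title = '$data'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the value travels as a bound parameter; it can never change the
// query's structure, only what the placeholder compares against.
function search_docs(PDO $db, string $data): array
{
    $stmt = $db->prepare("SELECT title FROM docs WHERE status = 'publish' AND title = :title");
    $stmt->execute([':title' => $data]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed payload: closes the string, ORs in a clause that is always true
// (AND binds tighter than OR, so the status filter no longer applies), and
// comments out the trailing quote.
$payload = "x' OR 1=1 --";

printf("vulnerable: %s\n", implode(', ', search_docs_vulnerable($db, $payload)));
printf("hardened:   %s\n", implode(', ', search_docs($db, $payload)) ?: '(no rows)');
printf("hardened with a real title: %s\n", implode(', ', search_docs($db, 'Getting started')));
```

With the payload, the vulnerable query returns every row including the private and draft entries that the `status = 'publish'` filter was meant to hide; the parameterised query looks for a document literally titled `x' OR 1=1 --` and finds none, while a genuine title still matches. Sanitising the value (sanitize_text_field and friends) is not a substitute: it removes tags and control characters, not quotes, so parameterisation is the control that actually fixes the class.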
Threat Entry Updated 2024-11-21

CVE-2023-5799 - WP Hotel Booking Plugin

The WP Hotel Booking WordPress plugin before 2.0.8 does not have proper authorisation when deleting a package, allowing Contributor and above roles to delete posts that do not belong to them.

PLUGIN

CVE-2023-5799

MEDIUM CVSS 5.4 2023-11-20