
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 632 records (Critical 40, High 107, Medium 472). Showing 221-240 of 632 records.
CVE-2023-5340 (CRITICAL, CVSS 9.8, 2023-11-20; threat entry updated 2024-11-21)

The Five Star Restaurant Menu and Food Ordering WordPress plugin before 2.4.11 unserializes user input via an AJAX action available to unauthenticated users, allowing them to perform PHP Object Injection when a suitable gadget is present on the blog.
CVE-2023-5609 (MEDIUM, CVSS 6.1, 2023-11-20; threat entry updated 2024-11-21)

The Seraphinite Accelerator WordPress plugin before 2.2.29 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue which could be used against high privilege users such as admins.
CVE-2023-5651 (MEDIUM, CVSS 5.4, 2023-11-20; threat entry updated 2024-11-21)

The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, and does not ensure that the package to be deleted is actually a package, allowing any authenticated user, such as a subscriber, to delete arbitrary posts.
CVE-2023-5610 (MEDIUM, CVSS 5.4, 2023-11-20; threat entry updated 2024-11-21)

The Seraphinite Accelerator WordPress plugin before 2.2.29 does not validate the URL it redirects authenticated users to, leading to an arbitrary redirect.
CVE-2023-5509 (MEDIUM, CVSS 5.4, 2023-11-20; threat entry updated 2024-11-21)

The myStickymenu WordPress plugin before 2.6.5 does not adequately authorize some ajax calls, allowing any logged-in user to perform the actions.
CVE-2023-5454 (HIGH, CVSS 7.5, 2023-11-06; threat entry updated 2025-02-26)

The Templately WordPress plugin before 2.2.6 does not properly authorize the `saved-templates/delete` REST API call, allowing unauthenticated users to delete arbitrary posts.
CVE-2023-5181 (MEDIUM, CVSS 4.8, 2023-11-06; threat entry updated 2025-02-26)

The WP Discord Invite WordPress plugin before 2.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2023-5098 (HIGH, CVSS 8.1, 2023-10-31; threat entry updated 2025-04-23)

The Campaign Monitor Forms by Optin Cat WordPress plugin before 2.5.6 does not prevent users with low privileges (like subscribers) from overwriting any options on a site with the string "true", which could lead to a variety of outcomes, including DoS.
CVE-2023-4823 (MEDIUM, CVSS 5.4, 2023-10-31; threat entry updated 2025-04-23)

The WP Meta and Date Remover WordPress plugin before 2.2.0 provides an AJAX endpoint for configuring the plugin settings. This endpoint has no capability checks and does not sanitize the user input, which is later output unescaped, allowing any authenticated user, such as a subscriber, to change the settings and perform Stored Cross-Site Scripting.
CVE-2023-4836 (MEDIUM, CVSS 4.3, 2023-10-31; threat entry updated 2025-04-03)

The WordPress File Sharing Plugin WordPress plugin before 2.0.5 does not check authorization before displaying files and folders, allowing users to gain access to those files by manipulating IDs which can easily be brute-forced.
CVE-2023-5133 (HIGH, CVSS 7.5, 2023-10-16; threat entry updated 2025-04-23)

The user-activity-log-pro WordPress plugin before 2.3.4 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic.
CVE-2023-5167 (MEDIUM, CVSS 5.4, 2023-10-16; threat entry updated 2025-04-23)

The User Activity Log Pro WordPress plugin before 2.3.4 does not properly escape recorded User-Agents in the user activity logs dashboard, which may allow visitors to conduct Stored Cross-Site Scripting attacks.
CVE-2023-4776 (HIGH, CVSS 8.8, 2023-10-16; threat entry updated 2025-04-23)

The School Management System WordPress plugin before 2.2.5 uses the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query, leading to a SQL injection exploitable by relatively low-privilege users like Teachers.
CVE-2023-4805 (MEDIUM, CVSS 5.4, 2023-10-16; threat entry updated 2025-04-23)

The Tutor LMS WordPress plugin before 2.3.0 does not sanitise and escape some of its settings, which could allow users such as subscribers to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2023-4290 (MEDIUM, CVSS 6.1, 2023-10-16; threat entry updated 2025-04-23)

The WP Matterport Shortcode WordPress plugin before 2.1.7 does not escape the PHP_SELF server variable when outputting it in attributes, leading to Reflected Cross-Site Scripting issues which could be used against high privilege users such as admins.
CVE-2023-4289 (MEDIUM, CVSS 5.4, 2023-10-16; threat entry updated 2025-04-23)

The WP Matterport Shortcode WordPress plugin before 2.1.8 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2023-4388 (MEDIUM, CVSS 4.8, 2023-10-16; threat entry updated 2025-04-23)

The EventON WordPress plugin before 2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2023-4521 (CRITICAL, CVSS 9.8, 2023-09-25; threat entry updated 2025-04-23)

The Import XML and RSS Feeds WordPress plugin before 2.1.5 contains a web shell, allowing unauthenticated attackers to perform RCE. The plugin/vendor was not compromised; the files are the result of running a PoC for a previously reported issue (https://wpscan.com/vulnerability/d4220025-2272-4d5f-9703-4b2ac4a51c42) and not deleting the created files when releasing the new version.
CVE-2023-4490 (CRITICAL, CVSS 9.8, 2023-09-25; threat entry updated 2025-04-23)

The WP Job Portal WordPress plugin before 2.0.6 does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.
CVE-2023-4300 (HIGH, CVSS 7.2, 2023-09-25; threat entry updated 2025-04-23)

The Import XML and RSS Feeds WordPress plugin before 2.1.4 does not filter file extensions for uploaded files, allowing an attacker to upload a malicious PHP file, leading to Remote Code Execution.