Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 632, Critical 40, High 107, Medium 472
Showing 241-260 of 632 records
Threat Entry Updated 2025-04-22

CVE-2023-4238 - Before 2 Plugin

The Prevent files / folders access WordPress plugin before 2.5.2 does not validate files to be uploaded, which could allow attackers to upload arbitrary files such as PHP on the server.

PLUGIN Before 2

CVE-2023-4238

HIGH CVSS 7.2 2023-09-25
Threat Entry Updated 2025-04-23

CVE-2023-4281 - Before 2 Plugin

This Activity Log WordPress plugin before 2.8.8 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic.

PLUGIN Before 2

CVE-2023-4281

MEDIUM CVSS 5.3 2023-09-25
Threat Entry Updated 2025-04-23

CVE-2023-4376 - Before 2 Plugin

The Serial Codes Generator and Validator with WooCommerce Support WordPress plugin before 2.4.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 2

CVE-2023-4376

MEDIUM CVSS 4.8 2023-09-19
Threat Entry Updated 2025-04-23

CVE-2023-4314 - Before 2 Plugin

The wpDataTables WordPress plugin before 2.1.66 does not validate the "Serialized PHP array" input data before deserializing the data. This allows admins to deserialize arbitrary data which may lead to remote code execution if a suitable gadget chain is present on the server. This is impactful in environments where admin users should not be allowed to execute arbitrary code, such as multisite.

PLUGIN Before 2

CVE-2023-4314

HIGH CVSS 7.2 2023-09-11
Threat Entry Updated 2025-03-06

CVE-2023-4284 - Before 2 Plugin

The Post Timeline WordPress plugin before 2.2.6 does not sanitise and escape an invalid nonce before outputting it back in an AJAX response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Before 2

CVE-2023-4284

MEDIUM CVSS 6.1 2023-09-04
Threat Entry Updated 2024-11-21

CVE-2023-2813 - Before 2 Theme

All of the above Aapna WordPress theme through 1.3, Anand WordPress theme through 1.2, Anfaust WordPress theme through 1.1, Arendelle WordPress theme before 1.1.13, Atlast Business WordPress theme through 1.5.8.5, Bazaar Lite WordPress theme before 1.8.6, Brain Power WordPress theme through 1.2, BunnyPressLite WordPress theme before 2.1, Cafe Bistro WordPress theme before 1.1.4, College WordPress theme before 1.5.1, Connections Reloaded WordPress theme through 3.1, Counterpoint WordPress theme through 1.8.1, Digitally WordPress theme through 1.0.8, Directory WordPress theme before 3.0.2, Drop WordPress theme before 1.22, Everse WordPress theme before 1.2.4, Fashionable…

THEME Before 2

CVE-2023-2813

MEDIUM CVSS 6.1 2023-09-04
Threat Entry Updated 2024-11-21

CVE-2023-1977 - Before 2 Plugin

The Booking Manager WordPress plugin before 2.0.29 does not validate URLs input in its admin panel or in shortcodes for showing events from a remote .ics file, allowing an attacker with privileges as low as Subscriber to perform SSRF attacks on the site's internal network.

PLUGIN Before 2

CVE-2023-1977

HIGH CVSS 8.8 2023-08-16
Threat Entry Updated 2024-11-21

CVE-2023-2123 - Before 2 Plugin

The WP Inventory Manager WordPress plugin before 2.1.0.13 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.

PLUGIN Before 2

CVE-2023-2123

MEDIUM CVSS 6.1 2023-08-16
Threat Entry Updated 2024-11-21

CVE-2023-1110 - Before 2 Plugin

The Yellow Yard Searchbar WordPress plugin before 2.8.12 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 2

CVE-2023-1110

MEDIUM CVSS 5.4 2023-08-16
Threat Entry Updated 2026-01-14

CVE-2023-0274 - Before 2 Plugin

The URL Params WordPress plugin before 2.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 2

CVE-2023-0274

MEDIUM CVSS 5.4 2023-08-16
Threat Entry Updated 2025-05-05

CVE-2023-3721 - Before 2 Plugin

The WP-EMail WordPress plugin before 2.69.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 2

CVE-2023-3721

MEDIUM CVSS 4.8 2023-08-14
Threat Entry Updated 2024-11-21

CVE-2023-3645 - Before 2 Plugin

The Contact Form Builder by Bit Form WordPress plugin before 2.2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 2

CVE-2023-3645

MEDIUM CVSS 4.8 2023-08-14
Threat Entry Updated 2024-11-21

CVE-2023-2606 - Before 2 Plugin

The WP Brutal AI WordPress plugin before 2.06 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 2

CVE-2023-2606

MEDIUM CVSS 4.8 2023-08-14
Threat Entry Updated 2025-05-05

CVE-2023-3601 - Before 2 Plugin

The Simple Author Box WordPress plugin before 2.52 does not verify a user ID before outputting information about that user, leading to arbitrary user information disclosure to users with a role as low as Contributor.

PLUGIN Before 2

CVE-2023-3601

MEDIUM CVSS 4.3 2023-08-14
Threat Entry Updated 2025-05-05

CVE-2023-3524 - Before 2 Plugin

The WPCode WordPress plugin before 2.0.13.1 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting.

PLUGIN Before 2

CVE-2023-3524

MEDIUM CVSS 6.1 2023-08-07
Threat Entry Updated 2025-04-23

CVE-2023-3508 - Before 2 Plugin

The WooCommerce Pre-Orders WordPress plugin before 2.0.3 has a flawed CSRF check when processing its tab actions, which could allow attackers to make logged-in admins email pre-order customers, change the released date, or mark all pre-orders of a specific product as complete or cancelled via CSRF attacks.

PLUGIN Before 2

CVE-2023-3508

MEDIUM CVSS 6.5 2023-07-31
Threat Entry Updated 2025-04-23

CVE-2023-3507 - Before 2 Plugin

The WooCommerce Pre-Orders WordPress plugin before 2.0.3 has a flawed CSRF check when canceling pre-orders, which could allow attackers to make logged-in admins cancel arbitrary pre-orders via a CSRF attack.

PLUGIN Before 2

CVE-2023-3507

MEDIUM CVSS 6.5 2023-07-31
Threat Entry Updated 2024-11-21

CVE-2023-3292 - Before 2 Plugin

The grid-kit-premium WordPress plugin before 2.2.0 does not escape some parameters as well as generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Before 2

CVE-2023-3292

MEDIUM CVSS 6.1 2023-07-31
Threat Entry Updated 2024-11-21

CVE-2023-2309 - Before 2 Plugin

The wpForo Forum WordPress plugin before 2.1.9 does not escape some request parameters while in debug mode, leading to a Reflected Cross-Site Scripting vulnerability.

PLUGIN Before 2

CVE-2023-2309

MEDIUM CVSS 6.1 2023-07-24
Threat Entry Updated 2025-04-23

CVE-2023-3248 - Before 2 Plugin

The All-in-one Floating Contact Form WordPress plugin before 2.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 2

CVE-2023-3248

MEDIUM CVSS 4.8 2023-07-24