Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 632 records: Critical 40, High 107, Medium 472.
Showing 261-280 of 632 records.
CVE-2023-3179 - Before 2 Plugin
HIGH | CVSS 8.8 | 2023-07-17 | entry updated 2025-06-04
The POST SMTP Mailer WordPress plugin before 2.5.7 does not have proper CSRF checks in some AJAX actions, which could allow attackers to make logged-in users with the manage_postman_smtp capability resend an email to an arbitrary address (for example, a password reset email could be resent to an attacker-controlled address, allowing them to take over an account).

CVE-2023-2701 - Before 2 Plugin
MEDIUM | CVSS 6.1 | 2023-07-17 | entry updated 2024-11-21
The Gravity Forms WordPress plugin before 2.7.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high-privileged users such as admin.

CVE-2023-3219 - Before 2 Plugin
MEDIUM | CVSS 5.3 | 2023-07-10 | entry updated 2024-11-21
The EventON WordPress plugin before 2.1.2 does not validate that the event_id parameter in its eventon_ics_download AJAX action is a valid Event, allowing unauthenticated visitors to access any Post (including unpublished or protected posts) content via the ICS export functionality by providing the numeric id of the post.

CVE-2023-2493 - Before 2 Plugin
HIGH | CVSS 7.2 | 2023-07-10 | entry updated 2024-11-21
The All In One Redirection WordPress plugin before 2.2.0 does not properly sanitise and escape multiple parameters before using them in an SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

CVE-2023-2796 - Before 2 Plugin
MEDIUM | CVSS 5.3 | 2023-07-10 | entry updated 2024-11-21
The EventON WordPress plugin before 2.1.2 lacks authentication and authorization in its eventon_ics_download AJAX action, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id.

CVE-2023-1597 - Before 2 Plugin
HIGH | CVSS 8.8 | 2023-07-10 | entry updated 2024-11-21
The tagDiv Cloud Library WordPress plugin before 2.7 does not have authorisation and CSRF checks in an AJAX action accessible to both unauthenticated and authenticated users, allowing unauthenticated users to change arbitrary user metadata, which could lead to privilege escalation by setting themselves as an admin of the blog.

CVE-2023-1119 - Before 2 Plugin
MEDIUM | CVSS 6.1 | 2023-07-10 | entry updated 2025-01-06
The WP-Optimize WordPress plugin before 3.2.13 and the SrbTransLatin WordPress plugin before 2.4.1 use a third-party library that removes the escaping on some HTML characters, leading to a cross-site scripting vulnerability.

CVE-2023-3460 - Before 2 Plugin
CRITICAL | CVSS 9.8 | 2023-07-04 | entry updated 2024-11-21
The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.

CVE-2023-3133 - Before 2 Plugin
HIGH | CVSS 7.5 | 2023-07-04 | entry updated 2024-11-21
The Tutor LMS WordPress plugin before 2.2.1 does not implement adequate permission checks for REST API endpoints, allowing unauthenticated attackers to access information from Lessons that should not be publicly available.

CVE-2023-2842 - Before 2 Plugin
HIGH | CVSS 8.1 | 2023-06-27 | entry updated 2024-11-21
The WP Inventory Manager WordPress plugin before 2.1.0.14 does not have CSRF checks, which could allow attackers to make logged-in admins delete Inventory Items via a CSRF attack.

CVE-2023-2601 - Before 2 Plugin
CRITICAL | CVSS 9.8 | 2023-06-27 | entry updated 2024-11-21
The wpbrutalai WordPress plugin before 2.0.0 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin via CSRF.

CVE-2023-2605 - Before 2 Plugin
MEDIUM | CVSS 6.1 | 2023-06-27 | entry updated 2024-11-21
The wpbrutalai WordPress plugin before 2.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against logged-in high-privilege users such as admin.

CVE-2023-0588 - Before 2 Plugin
MEDIUM | CVSS 6.1 | 2023-06-27 | entry updated 2024-11-21
The Catalyst Connect Zoho CRM Client Portal WordPress plugin before 2.1.0 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

CVE-2023-2178 - Before 2 Plugin
MEDIUM | CVSS 4.8 | 2023-06-27 | entry updated 2024-11-21
The Aajoda Testimonials WordPress plugin before 2.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2023-0873 - Before 2 Plugin
MEDIUM | CVSS 4.8 | 2023-06-27 | entry updated 2024-11-21
The Kanban Boards for WordPress plugin before 2.5.21 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2023-2684 - Before 2 Plugin
MEDIUM | CVSS 4.8 | 2023-06-19 | entry updated 2024-12-11
The File Renaming on Upload WordPress plugin before 2.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2023-2362 - Before 2 Plugin
MEDIUM | CVSS 6.1 | 2023-06-12 | entry updated 2025-05-05
The Float menu WordPress plugin before 5.0.2, Bubble Menu WordPress plugin before 3.0.4, Button Generator WordPress plugin before 2.3.5, Calculator Builder WordPress plugin before 1.5.1, Counter Box WordPress plugin before 1.2.2, Floating Button WordPress plugin before 5.3.1, Herd Effects WordPress plugin before 5.2.2, Popup Box WordPress plugin before 2.2.2, Side Menu Lite WordPress plugin before 4.0.2, Sticky Buttons WordPress plugin before 3.1.1, Wow Skype Buttons WordPress plugin before 4.0.2, WP Coder WordPress plugin before 2.5.6 do not escape the page parameter before outputting it back in an attribute, leading to…

CVE-2023-2337 - Before 2 Plugin
MEDIUM | CVSS 6.1 | 2023-06-05 | entry updated 2025-01-08
The ConvertKit WordPress plugin before 2.2.1 does not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVE-2023-2288 - Before 2 Plugin
HIGH | CVSS 8.8 | 2023-05-30 | entry updated 2025-01-10
The Otter WordPress plugin before 2.2.6 does not sanitize some user-controlled file paths before performing file operations on them. This leads to a PHAR deserialization vulnerability on PHP < 8.0 using the phar:// stream wrapper.

CVE-2023-2223 - Before 2 Plugin
MEDIUM | CVSS 4.8 | 2023-05-30 | entry updated 2025-01-10
The Login rebuilder WordPress plugin before 2.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).