Threat Database

Threat Entry Updated 2025-01-10

CVE-2023-2287 - Before 2 Plugin

The Orbit Fox by ThemeIsle WordPress plugin before 2.10.24 does not limit URLs which may be used for the stock photo import feature, allowing the user to specify arbitrary URLs. This leads to a server-side request forgery as the user may force the server to access any URL of their choosing.

MEDIUM CVSS 4.3 2023-05-30
Threat Entry Updated 2025-01-10

CVE-2023-2111 - Before 2 Plugin

The Fast & Effective Popups & Lead-Generation for WordPress plugin before 2.1.4 concatenates user input into an SQL query without escaping it first in the plugin's report API endpoint, which could allow administrators in multi-site configuration to leak sensitive information from the site's database.

MEDIUM CVSS 4.9 2023-05-30
Threat Entry Updated 2025-01-24

CVE-2023-1549 - Before 2 Plugin

The Ad Inserter WordPress plugin before 2.7.27 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.

HIGH CVSS 7.2 2023-05-15
Threat Entry Updated 2025-05-05

CVE-2023-1806 - Before 2 Plugin

The WP Inventory Manager WordPress plugin before 2.1.0.12 does not sanitise and escape the message parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as administrators.

MEDIUM CVSS 6.1 2023-05-08
Threat Entry Updated 2025-01-29

CVE-2023-1905 - Before 2 Plugin

The WP Popups WordPress plugin before 2.1.5.1 does not properly escape the href attribute of its spu-facebook-page shortcode before outputting it back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. This is due to an insufficient fix of CVE-2023-24003.

MEDIUM CVSS 5.4 2023-05-08
Threat Entry Updated 2025-02-04

CVE-2023-0948 - Before 2 Plugin

The Japanized For WooCommerce WordPress plugin before 2.5.8 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting.

MEDIUM CVSS 6.1 2023-05-08
Threat Entry Updated 2025-01-30

CVE-2023-1805 - Before 2 Plugin

The Product Catalog Feed by PixelYourSite WordPress plugin before 2.1.1 does not sanitise and escape the page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

MEDIUM CVSS 6.1 2023-05-02
Threat Entry Updated 2025-01-30

CVE-2023-1804 - Before 2 Plugin

The Product Catalog Feed by PixelYourSite WordPress plugin before 2.1.1 does not sanitise and escape the edit parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as administrators.

MEDIUM CVSS 6.1 2023-05-02
Threat Entry Updated 2025-01-30

CVE-2023-1546 - Before 2 Plugin

The MyCryptoCheckout WordPress plugin before 2.124 does not escape some URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting.

MEDIUM CVSS 6.1 2023-05-02
Threat Entry Updated 2025-01-30

CVE-2023-0891 - Before 2 Plugin

The StagTools WordPress plugin before 2.3.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2023-05-02
Threat Entry Updated 2025-01-30

CVE-2023-1090 - Before 2 Plugin

The SMTP Mailing Queue WordPress plugin before 2.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM CVSS 4.8 2023-05-02
Threat Entry Updated 2025-02-04

CVE-2023-1624 - Before 2 Plugin

The WPCode WordPress plugin before 2.0.9 has a flawed CSRF check when deleting logs, and does not ensure that the file to be deleted is inside the expected folder. This could allow attackers to make users with the wpcode_activate_snippets capability delete arbitrary log files on the server, including outside of the blog folders.

MEDIUM CVSS 6.5 2023-04-24
Threat Entry Updated 2025-02-06

CVE-2023-1371 - Before 2 Plugin

The W4 Post List WordPress plugin before 2.4.6 does not ensure that password protected posts can be accessed before displaying their content, which could allow any authenticated user to access them.

MEDIUM CVSS 6.5 2023-04-17
Threat Entry Updated 2025-02-06

CVE-2023-1373 - Before 2 Plugin

The W4 Post List WordPress plugin before 2.4.6 does not escape some URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting.

MEDIUM CVSS 6.1 2023-04-17
Threat Entry Updated 2025-02-06

CVE-2023-1282 - Before 2 Plugin

The Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard WordPress plugin before 2.11.1 and Drag and Drop Multiple File Upload PRO - Contact Form 7 with Remote Storage Integrations WordPress plugin before 5.0.6.4 do not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins.

MEDIUM CVSS 6.1 2023-04-17
Threat Entry Updated 2025-02-06

CVE-2023-0889 - Before 2 Plugin

The Themeflection Numbers WordPress plugin before 2.0.1 does not have authorisation and CSRF checks in an AJAX action, and does not ensure that the options to be updated belong to the plugin. As a result, it could allow any authenticated user, such as a subscriber, to update arbitrary blog options, such as enabling registration and setting the default role to administrator.

MEDIUM CVSS 6.5 2023-04-17
Threat Entry Updated 2025-02-06

CVE-2023-0374 - Before 2 Plugin

The W4 Post List WordPress plugin before 2.4.6 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2023-04-17
Threat Entry Updated 2025-02-11

CVE-2023-1425 - Before 2 Plugin

The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg WordPress plugin before 2.7.9.4 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admins.

HIGH CVSS 7.2 2023-04-10
Threat Entry Updated 2025-02-11

CVE-2023-1122 - Before 2 Plugin

The Simple Giveaways WordPress plugin before 2.45.1 does not sanitise and escape some of its Giveaways options, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM CVSS 4.8 2023-04-10
Threat Entry Updated 2025-02-11

CVE-2023-1121 - Before 2 Plugin

The Simple Giveaways WordPress plugin before 2.45.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM CVSS 4.8 2023-04-10