Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 632 entries (Critical 40, High 107, Medium 472)

Showing 301-320 of 632 records
CVE-2023-1120 - Simple Giveaways (WordPress plugin, before 2.45.1)

The Simple Giveaways WordPress plugin before 2.45.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM | CVSS 4.8 | Published 2023-04-10 | Entry updated 2025-02-11
CVE-2023-0823 - Cookie Notice & Compliance for GDPR / CCPA (WordPress plugin, before 2.4.7)

The Cookie Notice & Compliance for GDPR / CCPA WordPress plugin before 2.4.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM | CVSS 5.4 | Published 2023-03-27 | Entry updated 2025-02-19
CVE-2023-0504 - HT Politic (WordPress plugin, before 2.3.8)

The HT Politic WordPress plugin before 2.3.8 does not have a CSRF check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a CSRF attack.

MEDIUM | CVSS 4.3 | Published 2023-03-27 | Entry updated 2025-02-19
CVE-2023-0501 - WP Insurance (WordPress plugin, before 2.1.4)

The WP Insurance WordPress plugin before 2.1.4 does not have a CSRF check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a CSRF attack.

MEDIUM | CVSS 6.5 | Published 2023-03-27 | Entry updated 2025-02-19
CVE-2023-0336 - OoohBoi Steroids for Elementor (WordPress plugin, before 2.1.5)

The OoohBoi Steroids for Elementor WordPress plugin before 2.1.5 has CSRF and broken access control vulnerabilities which allow users with a role as low as subscriber to delete attachments.

MEDIUM | CVSS 6.5 | Published 2023-03-27 | Entry updated 2025-02-19
CVE-2023-0631 - Paid Memberships Pro (WordPress plugin, before 2.9.12)

The Paid Memberships Pro WordPress plugin before 2.9.12 does not prevent subscribers from rendering shortcodes that concatenate their attributes directly into an SQL query, leading to SQL injection.

HIGH | CVSS 8.8 | Published 2023-03-20 | Entry updated 2025-02-26
CVE-2023-0772 - Popup Builder by OptinMonster (WordPress plugin, before 2.12.2)

The Popup Builder by OptinMonster WordPress plugin before 2.12.2 does not ensure that the campaign to be loaded via some shortcodes is actually a campaign, allowing any authenticated user, such as a subscriber, to retrieve the content of arbitrary posts, including draft, private or even password-protected ones.

MEDIUM | CVSS 6.5 | Published 2023-03-13 | Entry updated 2025-02-27
CVE-2023-0749 - Ocean Extra (WordPress plugin, before 2.1.3)

The Ocean Extra WordPress plugin before 2.1.3 does not ensure that the template to be loaded via a shortcode is actually a template, allowing any authenticated user, such as a subscriber, to retrieve the content of arbitrary posts, including draft, private or even password-protected ones.

MEDIUM | CVSS 6.5 | Published 2023-03-13 | Entry updated 2025-02-27
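The two entries above (CVE-2023-0772 and CVE-2023-0749) share one root cause: a shortcode takes a post ID, fetches it with get_post(), and renders it without checking that the object is of the expected type or that the caller may read it. The following is an added example written for this page, not code from Popup Builder or Ocean Extra; it assumes a WordPress runtime, and the shortcode tag and post type `demo_template` are hypothetical.

```php
<?php
// Added example (not code from any plugin listed on this page). Assumes a WordPress runtime.
// The shortcode tag "demo_template" and the post type "demo_template" are hypothetical.

// VULNERABLE: any post ID is accepted. A subscriber who can get the shortcode rendered
// (on any site that lets low-privilege users preview content) reads drafts, private
// posts and password-protected posts of every post type.
function demo_template_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'demo_template' );
    $post = get_post( (int) $atts['id'] );
    return $post ? do_shortcode( $post->post_content ) : '';
}

// FIXED: the object must be of the expected type AND readable by the current user.
function demo_template_shortcode_fixed( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'demo_template' );
    $post = get_post( absint( $atts['id'] ) );

    // 1. Type check: a "template" has to be a template, not a page, post or order.
    if ( ! $post || 'demo_template' !== $post->post_type ) {
        return '';
    }
    // 2. Visibility check: for anything not published, defer to WordPress's own
    //    read_post meta capability instead of reimplementing status rules.
    if ( 'publish' !== $post->post_status && ! current_user_can( 'read_post', $post->ID ) ) {
        return '';
    }
    // 3. Password check: published but password-protected posts still need the password.
    if ( post_password_required( $post ) ) {
        return get_the_password_form( $post );
    }
    return do_shortcode( $post->post_content );
}
add_shortcode( 'demo_template', 'demo_template_shortcode_fixed' );
```

Both checks matter on their own: the type check alone still exposes unpublished templates, and the capability check alone still lets the shortcode act as a generic "read any published post of any type" primitive, which is a problem for post types that are not meant to be viewable on the front end.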
CVE-2023-0219 - FluentSMTP (WordPress plugin, before 2.2.3)

The FluentSMTP WordPress plugin before 2.2.3 does not sanitize or escape email content, making it vulnerable to stored cross-site scripting attacks (XSS) when an administrator views the email logs. This exploit requires other plugins to enable users to send emails with unfiltered HTML.

MEDIUM | CVSS 5.4 | Published 2023-03-13 | Entry updated 2024-11-21
CVE-2023-0844 - Namaste! LMS (WordPress plugin, before 2.6)

The Namaste! LMS WordPress plugin before 2.6 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM | CVSS 4.8 | Published 2023-03-13 | Entry updated 2025-02-27
CVE-2023-0328 - WPCode (WordPress plugin, before 2.0.7)

The WPCode WordPress plugin before 2.0.7 does not have adequate privilege checks in place for several AJAX actions, only checking the nonce. This may allow any authenticated user who can edit posts to call the endpoints related to WPCode Library authentication (such as updating and deleting the auth key).

MEDIUM | CVSS 4.3 | Published 2023-03-06 | Entry updated 2025-03-06
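Four entries on this page are the two halves of one mistake: CVE-2023-0504 and CVE-2023-0501 activate plugins with a capability check but no nonce (CSRF), CVE-2023-0336 has both a CSRF and an access-control gap, and CVE-2023-0328 checks a nonce but no capability (any user who can load the page that prints the nonce can call the endpoint). The following added example, written for this page and not code from any of those plugins, shows the vulnerable shape beside the fixed one. It assumes a WordPress runtime; the query key `demo_activate`, the nonce actions, the AJAX action `demo_delete_auth_key` and the option `demo_library_auth_key` are hypothetical.

```php
<?php
// Added example (not code from HT Politic, WP Insurance, OoohBoi Steroids or WPCode).
// Assumes a WordPress runtime. All "demo_*" names are hypothetical.

// VULNERABLE: whatever plugin path arrives is activated, with no nonce and no capability
// check. An admin lured to an attacker page containing
//   <img src="[site]/wp-admin/admin.php?demo_activate=some-plugin/some-plugin.php">
// activates any plugin already present on the site (the CVE-2023-0504 / 0501 pattern).
function demo_activate_plugin_vulnerable() {
    if ( isset( $_GET['demo_activate'] ) ) {
        activate_plugin( $_GET['demo_activate'] );
    }
}

// FIXED: capability check (may this user do it?) plus nonce check (did they intend to?).
// Both are required: a nonce alone is not authorisation (the CVE-2023-0328 mistake), and a
// capability check alone does not stop cross-site requests (the CVE-2023-0504 mistake).
function demo_activate_plugin_fixed() {
    if ( ! isset( $_GET['demo_activate'] ) ) {
        return;
    }
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $plugin = sanitize_text_field( wp_unslash( $_GET['demo_activate'] ) );
    check_admin_referer( 'demo_activate_plugin_' . $plugin ); // dies on a missing or bad _wpnonce

    // Only plugins that really exist in the install may be named.
    if ( ! array_key_exists( $plugin, get_plugins() ) ) {
        wp_die( 'Unknown plugin', '', array( 'response' => 400 ) );
    }
    $result = activate_plugin( $plugin );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ) );
    }
}
add_action( 'admin_init', 'demo_activate_plugin_fixed' );

// The admin screen must emit links carrying the matching nonce (same action string):
function demo_activate_link( $plugin ) {
    $url = add_query_arg( 'demo_activate', $plugin, admin_url( 'admin.php?page=demo' ) );
    return wp_nonce_url( $url, 'demo_activate_plugin_' . $plugin );
}

// Same rule for AJAX handlers: check_ajax_referer() proves intent, current_user_can()
// proves privilege. A nonce is available to anyone who can load the page that prints it,
// so on its own it does not restrict WHO may call the endpoint.
function demo_ajax_delete_auth_key() {
    check_ajax_referer( 'demo_auth_key_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_option( 'demo_library_auth_key' );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_delete_auth_key', 'demo_ajax_delete_auth_key' );
```

When reviewing a plugin for this class, grep every `wp_ajax_` and `admin_init`/`admin_post_` handler and confirm each one contains both a nonce verification and a `current_user_can()` call against a capability that matches the action, not merely `is_user_logged_in()`.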
CVE-2023-0487 - My Sticky Elements (WordPress plugin, before 2.0.9)

The My Sticky Elements WordPress plugin before 2.0.9 does not properly sanitise and escape a parameter before using it in a SQL statement when deleting messages, leading to a SQL injection exploitable by high-privilege users such as admin.

HIGH | CVSS 7.2 | Published 2023-02-27 | Entry updated 2025-03-10
CVE-2023-0535 - Donation Block For PayPal (WordPress plugin, before 2.1.0)

The Donation Block For PayPal WordPress plugin before 2.1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM | CVSS 5.4 | Published 2023-02-27 | Entry updated 2025-03-10
CVE-2023-0548 - Namaste! LMS (WordPress plugin, before 2.5.9.4)

The Namaste! LMS WordPress plugin before 2.5.9.4 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM | CVSS 4.8 | Published 2023-02-27 | Entry updated 2025-03-10
CVE-2023-0543 - Arigato Autoresponder and Newsletter (WordPress plugin, before 2.1.7.2)

The Arigato Autoresponder and Newsletter WordPress plugin before 2.1.7.2 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM | CVSS 4.8 | Published 2023-02-27 | Entry updated 2025-03-11
CVE-2023-0278 - GeoDirectory (WordPress plugin, before 2.2.24)

The GeoDirectory WordPress plugin before 2.2.24 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admin.

HIGH | CVSS 7.2 | Published 2023-02-27 | Entry updated 2025-03-10
CVE-2023-0232 - ShopLentor (WordPress plugin, before 2.5.4)

The ShopLentor WordPress plugin before 2.5.4 unserializes user input from cookies in order to track viewed products and user data, which could lead to PHP Object Injection.

CRITICAL | CVSS 9.8 | Published 2023-02-21 | Entry updated 2025-03-12
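CVE-2023-0232 is the only CRITICAL entry on this page, and the reason is the primitive: unserialize() on a cookie value instantiates any class the attacker names, from an unauthenticated request, and any gadget chain in the site's other plugins turns that into code execution. The following is an added example written for this page, not ShopLentor's code. It assumes a WordPress runtime for the cookie helpers and constants; the cookie name `demo_recently_viewed` is hypothetical.

```php
<?php
// Added example (not ShopLentor's code). Assumes a WordPress runtime.
// The cookie name "demo_recently_viewed" is hypothetical.

// VULNERABLE: attacker-controlled bytes reach unserialize(). Any class name in the payload
// is instantiated and its __wakeup()/__destruct() run; with a suitable gadget chain in
// another installed plugin this is unauthenticated remote code execution.
function demo_recently_viewed_vulnerable() {
    if ( empty( $_COOKIE['demo_recently_viewed'] ) ) {
        return array();
    }
    return unserialize( stripslashes( $_COOKIE['demo_recently_viewed'] ) );
}

// FIXED: the cookie only ever needed a list of product IDs, so it is stored as JSON
// (a data-only format) and the decoded shape is validated before use.
function demo_recently_viewed_fixed() {
    if ( empty( $_COOKIE['demo_recently_viewed'] ) ) {
        return array();
    }
    $raw = wp_unslash( $_COOKIE['demo_recently_viewed'] );
    if ( strlen( $raw ) > 1024 ) {
        return array(); // refuse oversized input before decoding it
    }
    $ids = json_decode( $raw, true );
    if ( ! is_array( $ids ) ) {
        return array();
    }
    // Keep only positive integers, deduplicated and bounded in count.
    $ids = array_filter( $ids, 'is_int' );
    $ids = array_values( array_unique( array_filter( array_map( 'absint', $ids ) ) ) );
    return array_slice( $ids, 0, 20 );
}

// Writing side: emit the same JSON shape; HttpOnly and Secure where the site is HTTPS.
function demo_recently_viewed_store( array $product_ids ) {
    $ids = array_filter( $product_ids, 'is_int' );
    $ids = array_slice( array_values( array_filter( array_map( 'absint', $ids ) ) ), 0, 20 );
    setcookie(
        'demo_recently_viewed',
        wp_json_encode( $ids ),
        time() + DAY_IN_SECONDS,
        COOKIEPATH,
        COOKIE_DOMAIN,
        is_ssl(),
        true
    );
}

// If serialize() genuinely cannot be dropped (legacy data already in cookies), the minimum
// is to forbid object instantiation so no magic method can run (PHP >= 7.0):
//   unserialize( $raw, array( 'allowed_classes' => false ) )
// A class name in the payload then decodes to __PHP_Incomplete_Class instead of a live object.
```

The `allowed_classes => false` fallback removes the object-injection primitive but still leaves the rest of the parsing surface exposed; migrating the cookie format to JSON and invalidating old cookies is the durable fix.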
CVE-2023-0231 - ShopLentor (WordPress plugin, before 2.5.4)

The ShopLentor WordPress plugin before 2.5.4 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM | CVSS 5.4 | Published 2023-02-21 | Entry updated 2025-03-12
CVE-2023-0067 - Timed Content (WordPress plugin, before 2.73)

The Timed Content WordPress plugin before 2.73 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM | CVSS 5.4 | Published 2023-02-21 | Entry updated 2024-11-21
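The stored XSS entries on this page fall into two groups with the same fix: shortcode or block attributes echoed back unescaped (CVE-2023-0823, CVE-2023-0535, CVE-2023-0231, CVE-2023-0067, reachable by contributors) and plugin settings echoed unescaped (CVE-2023-1120, CVE-2023-0844, CVE-2023-0548, CVE-2023-0543, which matter when unfiltered_html is disallowed, as on multisite). The following added example, written for this page and not taken from any of those plugins, shows the vulnerable pattern beside the escape-on-output fix for both. It assumes a WordPress runtime; the shortcode tag `demo_notice`, the option `demo_notice_title` and the settings group are hypothetical.

```php
<?php
// Added example (not code from any plugin listed on this page). Assumes a WordPress runtime.
// The shortcode "demo_notice", option "demo_notice_title" and group "demo_notice_group"
// are hypothetical.

// VULNERABLE: attribute values are concatenated into HTML as-is. A contributor writes
//   [demo_notice text='<img src=x onerror=alert(document.cookie)>']
// and the payload fires for every visitor and for the editor who reviews the post.
function demo_notice_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'color' => 'red', 'text' => '' ), $atts, 'demo_notice' );
    return '<div style="color:' . $atts['color'] . '">' . $atts['text'] . '</div>';
}

// FIXED: escape for the exact output context, at the moment of output.
function demo_notice_shortcode_fixed( $atts ) {
    $atts = shortcode_atts( array( 'color' => 'red', 'text' => '' ), $atts, 'demo_notice' );
    // A value inside style="" is CSS, and esc_attr() does not make CSS safe (it would still
    // pass "red;background:url(...)"). Restrict it to a colour token instead of escaping it.
    $color = preg_match( '/^(#[0-9a-fA-F]{3,6}|[a-zA-Z]+)$/', $atts['color'] ) ? $atts['color'] : 'red';
    return '<div style="color:' . esc_attr( $color ) . '">' . esc_html( $atts['text'] ) . '</div>';
}
add_shortcode( 'demo_notice', 'demo_notice_shortcode_fixed' );

// Settings: sanitise on save AND escape on output. Sanitising alone is not enough because the
// option can also be written through other paths (WP-CLI, importers, other plugins), and
// trusting "only admins can set it" is exactly what fails when unfiltered_html is disallowed.
function demo_notice_register_settings() {
    register_setting(
        'demo_notice_group',
        'demo_notice_title',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'demo_notice_register_settings' );

function demo_notice_render_title() {
    // esc_html() for plain text; use wp_kses_post() instead when a limited HTML subset is intended.
    echo '<h2>' . esc_html( get_option( 'demo_notice_title', '' ) ) . '</h2>';
}
```

The rule of thumb that catches all eight entries: every variable that reaches output goes through the escaper for its context (esc_html, esc_attr, esc_url, wp_kses_post), regardless of who is believed to have written the value.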
CVE-2023-0220 - Pinpoint Booking System (WordPress plugin, before 2.9.9.2.9)

The Pinpoint Booking System WordPress plugin before 2.9.9.2.9 does not validate and escape one of its shortcode attributes before using it in a SQL statement, which could allow any authenticated user, such as a subscriber, to perform SQL Injection attacks.

HIGH | CVSS 8.8 | Published 2023-02-13 | Entry updated 2025-03-21
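The SQL injection entries on this page split by who controls the input: shortcode attributes reachable by subscribers (CVE-2023-0631, CVE-2023-0220, scored 8.8) and admin-side request parameters (CVE-2023-0487, CVE-2023-0278, scored 7.2). The following added example, written for this page and not code from any of those plugins, shows both shapes and their fixes with $wpdb->prepare(). It assumes a WordPress runtime; the table `{$wpdb->prefix}demo_bookings`, the shortcode `demo_bookings` and the AJAX action `demo_delete_message` are hypothetical.

```php
<?php
// Added example (not code from any plugin listed on this page). Assumes a WordPress runtime.
// The table, shortcode and AJAX action names are hypothetical.

// VULNERABLE: shortcode attributes (subscriber/contributor-controlled) are concatenated
// straight into the query. [demo_bookings calendar="1 UNION SELECT user_login,user_pass FROM wp_users"]
// is enough.
function demo_bookings_shortcode_vulnerable( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'calendar' => 1, 'orderby' => 'start' ), $atts, 'demo_bookings' );
    $sql  = "SELECT id, start FROM {$wpdb->prefix}demo_bookings WHERE calendar_id = " . $atts['calendar']
          . ' ORDER BY ' . $atts['orderby'];
    return wp_json_encode( $wpdb->get_results( $sql ) );
}

// FIXED: values go through $wpdb->prepare(); identifiers (column names) cannot be
// parameterised, so they are checked against an allowlist instead.
function demo_bookings_shortcode_fixed( $atts ) {
    global $wpdb;
    $atts    = shortcode_atts( array( 'calendar' => 1, 'orderby' => 'start' ), $atts, 'demo_bookings' );
    $allowed = array( 'start', 'id' );
    $orderby = in_array( $atts['orderby'], $allowed, true ) ? $atts['orderby'] : 'start';
    $sql     = $wpdb->prepare(
        "SELECT id, start FROM {$wpdb->prefix}demo_bookings WHERE calendar_id = %d ORDER BY {$orderby}",
        absint( $atts['calendar'] )
    );
    return wp_json_encode( $wpdb->get_results( $sql ) );
}
add_shortcode( 'demo_bookings', 'demo_bookings_shortcode_fixed' );

// Admin-side delete (the My Sticky Elements / GeoDirectory shape): capability, nonce, then a
// prepared statement. "Only admins reach it" is not a reason to skip prepare(): on multisite a
// site admin is not a super admin, but the database is shared, so admin-level SQLi reads and
// writes every other site's tables.
function demo_delete_booking_message() {
    global $wpdb;
    check_ajax_referer( 'demo_delete_message', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $id      = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $deleted = $wpdb->delete( "{$wpdb->prefix}demo_bookings", array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
add_action( 'wp_ajax_demo_delete_message', 'demo_delete_booking_message' );
```

Two details worth checking in review: `%d` only protects an integer slot, so a `LIKE` or string value needs `%s` (and `$wpdb->esc_like()` for the wildcard characters), and a variable that ends up in `ORDER BY`, `LIMIT` or a table name can never be fixed by prepare() alone and must be allowlisted as above.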