
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 443 records (Critical 34, High 82, Medium 311)

Showing records 201-220 of 443
CVE-2023-2321 (plugin) - threat entry updated 2024-11-21

The WPForms Google Sheet Connector WordPress plugin before 3.4.6 and the gsheetconnector-wpforms-pro WordPress plugin through 3.4.6 do not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Severity: MEDIUM, CVSS 6.1, 2023-07-04
CVE-2023-2628 (plugin) - threat entry updated 2024-11-21

The KiviCare WordPress plugin before 3.2.1 does not have CSRF checks (either flawed or missing completely) in various AJAX actions, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. This includes, but is not limited to: deleting arbitrary appointments/medical records/etc. and creating/updating various users (patients, doctors etc.).

Severity: HIGH, CVSS 8.8, 2023-06-27
CVE-2023-2624 (plugin) - threat entry updated 2024-11-21

The KiviCare WordPress plugin before 3.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as administrator.

Severity: MEDIUM, CVSS 6.1, 2023-06-27
CVE-2023-2627 (plugin) - threat entry updated 2024-11-21

The KiviCare WordPress plugin before 3.2.1 does not have proper CSRF and authorisation checks in various AJAX actions, allowing any authenticated user, such as a subscriber, to call them. Attacks include but are not limited to: adding arbitrary Clinic Admins/Doctors/etc. and updating the plugin's settings.

Severity: MEDIUM, CVSS 4.3, 2023-06-27
CVE-2023-2032 (plugin) - threat entry updated 2024-11-21

The Custom 404 Pro WordPress plugin before 3.8.1 does not properly sanitize database inputs, leading to multiple SQL Injection vulnerabilities.

Severity: CRITICAL, CVSS 9.8, 2023-06-27
CVE-2023-2592 (plugin) - threat entry updated 2024-11-21

The FormCraft WordPress plugin before 3.9.7 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

Severity: HIGH, CVSS 7.2, 2023-06-27
CVE-2023-2623 (plugin) - threat entry updated 2024-11-21

The KiviCare WordPress plugin before 3.2.1 does not restrict the information returned in a response and returns all user data, allowing low privilege users such as subscribers to retrieve sensitive information such as the user email and hashed password of other users.

Severity: MEDIUM, CVSS 6.5, 2023-06-27
CVE-2023-2719 (plugin) - threat entry updated 2024-12-12

The SupportCandy WordPress plugin before 3.1.7 does not properly sanitise and escape the `id` parameter for an Agent in the REST API before using it in an SQL statement, leading to an SQL Injection exploitable by users with a role as low as Subscriber.

Severity: HIGH, CVSS 8.8, 2023-06-19
CVE-2023-2805 (plugin) - threat entry updated 2024-11-21

The SupportCandy WordPress plugin before 3.1.7 does not properly sanitise and escape the agents[] parameter in the set_add_agent_leaves AJAX function before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

Severity: HIGH, CVSS 7.2, 2023-06-19
CVE-2023-2812 (plugin) - threat entry updated 2024-11-21

The Ultimate Dashboard WordPress plugin before 3.7.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Severity: MEDIUM, CVSS 4.8, 2023-06-19
CVE-2023-2221 (plugin) - threat entry updated 2024-12-12

The WP Custom Cursors WordPress plugin before 3.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Admin.

Severity: HIGH, CVSS 7.2, 2023-06-19
CVE-2023-2398 (plugin) - threat entry updated 2024-11-21

The Icegram Engage WordPress plugin before 3.1.12 does not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Severity: MEDIUM, CVSS 6.1, 2023-06-12
CVE-2023-2362 (plugin) - threat entry updated 2025-05-05

The Float menu WordPress plugin before 5.0.2, Bubble Menu WordPress plugin before 3.0.4, Button Generator WordPress plugin before 2.3.5, Calculator Builder WordPress plugin before 1.5.1, Counter Box WordPress plugin before 1.2.2, Floating Button WordPress plugin before 5.3.1, Herd Effects WordPress plugin before 5.2.2, Popup Box WordPress plugin before 2.2.2, Side Menu Lite WordPress plugin before 4.0.2, Sticky Buttons WordPress plugin before 3.1.1, Wow Skype Buttons WordPress plugin before 4.0.2, WP Coder WordPress plugin before 2.5.6 do not escape the page parameter before outputting it back in an attribute, leading to…

Severity: MEDIUM, CVSS 6.1, 2023-06-12
CVE-2023-2572 (plugin) - threat entry updated 2025-01-08

The Survey Maker WordPress plugin before 3.4.7 does not escape some parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Severity: MEDIUM, CVSS 6.1, 2023-06-05
CVE-2023-2472 (plugin) - threat entry updated 2025-01-08

The Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue WordPress plugin before 3.1.61 does not sanitise and escape a parameter before outputting it back in the admin dashboard when the WPML plugin is also active and configured, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Severity: MEDIUM, CVSS 6.1, 2023-06-05
CVE-2023-0329 (plugin) - threat entry updated 2025-04-23

The Elementor Website Builder WordPress plugin before 3.12.2 does not properly sanitize and escape the Replace URL parameter in the Tools module before using it in a SQL statement, leading to a SQL injection exploitable by users with the Administrator role.

Severity: HIGH, CVSS 7.2, 2023-05-30
CVE-2023-1524 (plugin) - threat entry updated 2025-03-21

The Download Manager WordPress plugin before 3.2.71 does not adequately validate passwords for password-protected files. Upon validation, a master key is generated and exposed to the user, which may be used to download any password-protected file on the server, allowing a user to download any file with the knowledge of any one file's password.

Severity: MEDIUM, CVSS 6.5, 2023-05-30
CVE-2023-2023 (plugin) - threat entry updated 2025-01-09

The Custom 404 Pro WordPress plugin before 3.7.3 does not escape some URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting.

Severity: MEDIUM, CVSS 6.1, 2023-05-30
CVE-2023-2113 (plugin) - threat entry updated 2025-01-10

The Autoptimize WordPress plugin before 3.1.7 does not sanitise and escape the settings imported from a previous export, allowing high privileged users (such as an administrator) to inject arbitrary javascript into the admin panel, even when the unfiltered_html capability is disabled, such as in a multisite setup.

Severity: MEDIUM, CVSS 4.8, 2023-05-30
CVE-2023-1835 (plugin) - threat entry updated 2025-01-14

The Ninja Forms Contact Form WordPress plugin before 3.6.22 does not properly escape user input before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Severity: MEDIUM, CVSS 6.1, 2023-05-15