"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 443
Critical: 34
High: 82
Medium: 311
Showing 221-240 of 443 records
Threat Entry Updated 2025-01-30

CVE-2023-1730 - Before 3 Plugin

The SupportCandy WordPress plugin before 3.1.5 does not validate and escape user input before using it in an SQL statement, which could allow unauthenticated attackers to perform SQL injection attacks.

PLUGIN Before 3

CVE-2023-1730

CRITICAL CVSS 9.8 2023-05-02
Threat Entry Updated 2024-11-21

CVE-2023-1274 - Before 3 Plugin

The Pricing Tables For WPBakery Page Builder (formerly Visual Composer) WordPress plugin before 3.0 does not validate some shortcode attributes before using them to generate paths passed to include function(s), allowing any authenticated user, such as a subscriber, to perform LFI attacks.

PLUGIN Before 3

CVE-2023-1274

MEDIUM CVSS 6.5 2023-04-17
Threat Entry Updated 2025-03-03

CVE-2023-0367 - Before 3 Plugin

The Pricing Tables For WPBakery Page Builder (formerly Visual Composer) WordPress plugin before 3.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 3

CVE-2023-0367

MEDIUM CVSS 5.4 2023-04-17
Threat Entry Updated 2025-02-11

CVE-2023-1478 - Before 3 Plugin

The Hummingbird WordPress plugin before 3.4.2 does not validate the generated file path for page cache files before writing them, leading to a path traversal vulnerability in the page cache module.

PLUGIN Before 3

CVE-2023-1478

CRITICAL CVSS 9.8 2023-04-10
Threat Entry Updated 2025-02-11

CVE-2023-1406 - Before 3 Plugin

The JetEngine WordPress plugin before 3.1.3.1 includes uploaded files without adequately ensuring that they are not executable, leading to a remote code execution vulnerability.

PLUGIN Before 3

CVE-2023-1406

HIGH CVSS 8.8 2023-04-10
Threat Entry Updated 2025-02-11

CVE-2023-0874 - Before 3 Plugin

The Klaviyo WordPress plugin before 3.0.10 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 3

CVE-2023-0874

MEDIUM CVSS 4.8 2023-04-10
Threat Entry Updated 2025-02-14

CVE-2023-0399 - Before 3 Plugin

The Image Over Image For WPBakery Page Builder WordPress plugin before 3.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 3

CVE-2023-0399

MEDIUM CVSS 5.4 2023-04-03
Threat Entry Updated 2025-02-19

CVE-2023-0660 - Before 3 Plugin

The Smart Slider 3 WordPress plugin before 3.5.1.14 does not properly validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 3

CVE-2023-0660

MEDIUM CVSS 5.4 2023-03-27
Threat Entry Updated 2025-02-19

CVE-2023-0441 - Before 3 Plugin

The Gallery Blocks with Lightbox WordPress plugin before 3.0.8 has an AJAX endpoint that can be accessed by any authenticated user, such as a subscriber. The callback function allows numerous actions, the most serious one being reading and updating the WordPress options, which could be used to enable registration with a default administrator user role.

PLUGIN Before 3

CVE-2023-0441

HIGH CVSS 8.1 2023-03-27
Threat Entry Updated 2024-11-21

CVE-2023-0477 - Before 3 Plugin

The Auto Featured Image (Auto Post Thumbnail) WordPress plugin before 3.9.16 includes an AJAX endpoint that allows any user with at least Author privileges to upload arbitrary files, such as PHP files. This is caused by incorrect file extension validation.

PLUGIN Before 3

CVE-2023-0477

HIGH CVSS 8.8 2023-03-13
Threat Entry Updated 2024-11-21

CVE-2023-0377 - Before 3 Plugin

The Scriptless Social Sharing WordPress plugin before 3.2.2 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 3

CVE-2023-0377

MEDIUM CVSS 5.4 2023-03-06
Threat Entry Updated 2025-03-10

CVE-2023-0334 - Before 3 Plugin

The ShortPixel Adaptive Images WordPress plugin before 3.6.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue which could be used against any high-privilege user such as an admin.

PLUGIN Before 3

CVE-2023-0334

MEDIUM CVSS 6.1 2023-02-27
Threat Entry Updated 2025-03-18

CVE-2023-0552 - Before 3 Plugin

The Registration Forms WordPress plugin before 3.8.2.3 does not properly validate the redirection URL when logging in and logging out, leading to an Open Redirect vulnerability.

PLUGIN Before 3

CVE-2023-0552

MEDIUM CVSS 5.4 2023-02-27
Threat Entry Updated 2025-03-10

CVE-2023-0279 - Before 3 Plugin

The Media Library Assistant WordPress plugin before 3.06 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

PLUGIN Before 3

CVE-2023-0279

HIGH CVSS 7.2 2023-02-27
Threat Entry Updated 2025-03-12

CVE-2023-0428 - Before 3 Plugin

The Watu Quiz WordPress plugin before 3.3.8.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue which could be used against high-privilege users such as admin.

PLUGIN Before 3

CVE-2023-0428

MEDIUM CVSS 6.1 2023-02-21
Threat Entry Updated 2025-03-14

CVE-2023-0380 - Before 3 Plugin

The Easy Digital Downloads WordPress plugin before 3.1.0.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 3

CVE-2023-0380

MEDIUM CVSS 5.4 2023-02-21
Threat Entry Updated 2025-03-12

CVE-2023-0375 - Before 3 Plugin

The Easy Affiliate Links WordPress plugin before 3.7.1 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 3

CVE-2023-0375

MEDIUM CVSS 5.4 2023-02-21
Threat Entry Updated 2025-03-12

CVE-2023-0429 - Before 3 Plugin

The Watu Quiz WordPress plugin before 3.3.8.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 3

CVE-2023-0429

MEDIUM CVSS 4.8 2023-02-21
Threat Entry Updated 2025-03-21

CVE-2023-0262 - Before 3 Plugin

The WP Airbnb Review Slider WordPress plugin before 3.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.

PLUGIN Before 3

CVE-2023-0262

HIGH CVSS 8.8 2023-02-13
Threat Entry Updated 2025-03-21

CVE-2023-0333 - Before 3 Plugin

The TemplatesNext ToolKit WordPress plugin before 3.2.9 does not validate some of its shortcode attributes before using them to generate an HTML tag, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 3

CVE-2023-0333

MEDIUM CVSS 5.4 2023-02-13