Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 443 (Critical: 34, High: 82, Medium: 311)

Showing 241-260 of 443 records
Threat Entry Updated 2025-03-21

CVE-2023-0169 - Before 3 Plugin

The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 3

CVE-2023-0169

MEDIUM CVSS 5.4 2023-02-13
Threat Entry Updated 2025-03-25

CVE-2023-0252 - Before 3 Plugin

The Contextual Related Posts WordPress plugin before 3.3.1 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 3

CVE-2023-0252

MEDIUM CVSS 5.4 2023-02-06
Threat Entry Updated 2025-03-26

CVE-2023-0144 - Before 3 Plugin

The Event Manager and Tickets Selling Plugin for WooCommerce WordPress plugin before 3.8.0 does not validate and escape some of its post meta before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 3

CVE-2023-0144

MEDIUM CVSS 5.4 2023-02-06
Threat Entry Updated 2025-04-02

CVE-2021-24881 - Before 3 Plugin

The Passster WordPress plugin before 3.5.5.9 does not properly check the password, nor that the post to be viewed is public, allowing unauthenticated users to bypass the protection offered by the plugin and access the content of arbitrary posts (such as private ones) by sending a specifically crafted request.

PLUGIN Before 3

CVE-2021-24881

HIGH CVSS 7.5 2023-01-23
Threat Entry Updated 2024-11-21

CVE-2021-24837 - Before 3 Plugin

The Passster WordPress plugin before 3.5.5.8 does not escape the area parameter of its shortcode, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

PLUGIN Before 3

CVE-2021-24837

MEDIUM CVSS 5.4 2023-01-23
Threat Entry Updated 2025-04-30

CVE-2021-24649 - Before 3 Plugin

The WP User Frontend WordPress plugin before 3.5.29 uses a user-supplied argument called urhidden in its registration form, which contains the role for the account to be created with, encrypted via wpuf_encryption(). This could allow an attacker with access to the AUTH_KEY and AUTH_SALT constants (via an arbitrary file access issue, for example, or if the blog is using the default keys) to create an account with any role they want, such as admin.

PLUGIN Before 3

CVE-2021-24649

CRITICAL CVSS 9.8 2022-11-21
Threat Entry Updated 2025-05-06

CVE-2022-3357 - Before 3 Plugin

The Smart Slider 3 WordPress plugin before 3.5.1.11 unserialises the content of an imported file, which could lead to PHP object injection issues when a user imports (intentionally or not) a malicious file and a suitable gadget chain is present on the site.

PLUGIN Before 3

CVE-2022-3357

HIGH CVSS 8.8 2022-10-31
Threat Entry Updated 2025-05-06

CVE-2022-3420 - Before 3 Plugin

The Official Integration for Billingo WordPress plugin before 3.4.0 does not sanitise and escape some of its settings, which could allow high privilege users with a role as low as Shop Manager to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 3

CVE-2022-3420

MEDIUM CVSS 4.8 2022-10-31
Threat Entry Updated 2025-05-14

CVE-2022-3150 - Before 3 Plugin

The WP Custom Cursors WordPress plugin before 3.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privileged users such as admin.

PLUGIN Before 3

CVE-2022-3150

HIGH CVSS 7.2 2022-10-17
Threat Entry Updated 2025-05-14

CVE-2022-3149 - Before 3 Plugin

The WP Custom Cursors WordPress plugin before 3.0.1 does not have a CSRF check in place when creating and editing cursors, which could allow attackers to make a logged-in admin perform such actions via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping in some of the cursor options, it could also lead to Stored Cross-Site Scripting.

PLUGIN Before 3

CVE-2022-3149

MEDIUM CVSS 6.1 2022-10-17
Threat Entry Updated 2025-05-14

CVE-2022-3206 - Before 3 Plugin

The Passster WordPress plugin before 3.5.5.5.2 stores the password inside a cookie named "passster" using base64 encoding, which is easy to decode. This puts the password at risk in case the cookies get leaked.

PLUGIN Before 3

CVE-2022-3206

MEDIUM CVSS 5.9 2022-10-17
Threat Entry Updated 2025-05-14

CVE-2022-3151 - Before 3 Plugin

The WP Custom Cursors WordPress plugin before 3.0.1 does not have a CSRF check in place when deleting cursors, which could allow attackers to make a logged-in admin delete arbitrary cursors via a CSRF attack.

PLUGIN Before 3

CVE-2022-3151

MEDIUM CVSS 4.3 2022-10-17
Threat Entry Updated 2024-11-21

CVE-2022-2823 - Before 3 Plugin

The Slider, Gallery, and Carousel by MetaSlider WordPress plugin before 3.27.9 does not sanitise and escape some of its Gallery Image parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Before 3

CVE-2022-2823

MEDIUM CVSS 4.8 2022-10-10
Threat Entry Updated 2024-11-21

CVE-2022-2629 - Before 3 Plugin

The Top Bar WordPress plugin before 3.0.4 does not sanitise and escape some of its settings before outputting them in frontend pages, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Before 3

CVE-2022-2629

MEDIUM CVSS 4.8 2022-10-10
Threat Entry Updated 2024-11-21

CVE-2022-2839 - Before 3 Plugin

The Zephyr Project Manager WordPress plugin before 3.2.55 does not have any authorisation or CSRF checks in any of its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged-in admins.

PLUGIN Before 3

CVE-2022-2839

MEDIUM CVSS 5.4 2022-10-03
Threat Entry Updated 2025-05-21

CVE-2022-3119 - Before 3 Plugin

The OAuth client Single Sign On WordPress plugin before 3.0.4 does not have authorisation and CSRF checks when updating its settings, which could allow unauthenticated attackers to update them and change the OAuth endpoints to ones they control, allowing them to then be authenticated as admin if they know the correct email address.

PLUGIN Before 3

CVE-2022-3119

HIGH CVSS 7.5 2022-09-26
Threat Entry Updated 2025-05-22

CVE-2022-2987 - Before 3 Plugin

The Ldap WP Login / Active Directory Integration WordPress plugin before 3.0.2 does not have any authorisation and CSRF checks when updating its settings (which are hooked to the init action), allowing unauthenticated attackers to update them. Attackers could set their own LDAP server to be used to authenticate users, therefore bypassing the current authentication.

PLUGIN Before 3

CVE-2022-2987

HIGH CVSS 7.5 2022-09-26
Threat Entry Updated 2025-05-21

CVE-2022-2903 - Before 3 Plugin

The Ninja Forms Contact Form WordPress plugin before 3.6.13 unserialises the content of an imported file, which could lead to PHP object injection issues when an admin imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.

PLUGIN Before 3

CVE-2022-2903

HIGH CVSS 7.2 2022-09-26
Threat Entry Updated 2025-05-21

CVE-2022-2926 - Before 3 Plugin

The Download Manager WordPress plugin before 3.2.55 does not validate one of its settings, which could allow high privilege users such as admin to list and read arbitrary files and folders outside of the blog directory.

PLUGIN Before 3

CVE-2022-2926

MEDIUM CVSS 4.9 2022-09-26
Threat Entry Updated 2025-05-22

CVE-2022-3070 - Before 3 Plugin

The Generate PDF WordPress plugin before 3.6 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 3

CVE-2022-3070

MEDIUM CVSS 4.8 2022-09-26