Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 443 | Critical 34 | High 82 | Medium 311
Showing 161-180 of 443 records
Threat Entry Updated 2024-11-21

CVE-2023-4799 - Magic Embeds Plugin

The Magic Embeds WordPress plugin before 3.1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2023-4799 | MEDIUM | CVSS 5.4 | 2023-11-20
Threat Entry Updated 2024-11-21

CVE-2023-5343 - Popup box Plugin

The Popup box WordPress plugin before 3.7.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

CVE-2023-5343 | MEDIUM | CVSS 4.8 | 2023-11-20
Threat Entry Updated 2024-11-21

CVE-2023-5530 - Ninja Forms Contact Form Plugin

The Ninja Forms Contact Form WordPress plugin before 3.6.34 does not sanitize and escape its label fields, which could allow high privilege users such as admin to perform Stored XSS attacks. Only users with the unfiltered_html capability can perform this, and such users are already allowed to use JS in posts/comments etc.; however, the vendor acknowledged and fixed the issue.

CVE-2023-5530 | MEDIUM | CVSS 4.8 | 2023-11-06
Threat Entry Updated 2025-02-26

CVE-2023-5228 - User Registration Plugin

The User Registration WordPress plugin before 3.0.4.2 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2023-5228 | MEDIUM | CVSS 4.8 | 2023-11-06
Threat Entry Updated 2025-04-22

CVE-2023-5238 - EventPrime Plugin

The EventPrime WordPress plugin before 3.2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to an HTML Injection on the plugin in the search area of the website.

CVE-2023-5238 | MEDIUM | CVSS 6.1 | 2023-10-31
Threat Entry Updated 2024-11-21

CVE-2023-5458 - CITS Support svg, webp Media and TTF,OTF File Upload Plugin

The CITS Support svg, webp Media and TTF,OTF File Upload WordPress plugin before 3.0 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

CVE-2023-5458 | MEDIUM | CVSS 5.4 | 2023-10-31
Threat Entry Updated 2025-04-23

CVE-2023-5519 - EventPrime Plugin

The EventPrime WordPress plugin before 3.2.0 does not have CSRF checks when creating bookings, which could allow attackers to make logged-in users create unwanted bookings via CSRF attacks.

CVE-2023-5519 | MEDIUM | CVSS 4.3 | 2023-10-31
Threat Entry Updated 2025-04-03

CVE-2023-4250 - EventPrime Plugin

The EventPrime WordPress plugin before 3.2.0 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVE-2023-4250 | MEDIUM | CVSS 6.1 | 2023-10-31
Threat Entry Updated 2025-04-23

CVE-2023-4390 - Popup box Plugin

The Popup box WordPress plugin before 3.7.2 does not sanitize and escape some Popup fields, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2023-4390 | MEDIUM | CVSS 4.8 | 2023-10-31
Threat Entry Updated 2025-04-22

CVE-2023-4251 - EventPrime Plugin

The EventPrime WordPress plugin before 3.2.0 does not have CSRF checks when creating bookings, which could allow attackers to make logged-in users create unwanted bookings via CSRF attacks.

CVE-2023-4251 | MEDIUM | CVSS 4.3 | 2023-10-31
Threat Entry Updated 2025-04-23

CVE-2023-4950 - Interactive Contact Form and Multi Step Form Builder Plugin

The Interactive Contact Form and Multi Step Form Builder WordPress plugin before 3.4 does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks.

CVE-2023-4950 | MEDIUM | CVSS 6.1 | 2023-10-16
Threat Entry Updated 2024-11-21

CVE-2023-4933 - WP Job Openings Plugin

The WP Job Openings WordPress plugin before 3.4.3 does not block listing the contents of the directories where it stores attachments to job applications, allowing unauthenticated visitors to list and download private attachments if the autoindex feature of the web server is enabled.

CVE-2023-4933 | MEDIUM | CVSS 5.3 | 2023-10-16
Threat Entry Updated 2025-03-06

CVE-2023-4800 - DoLogin Security Plugin

The DoLogin Security WordPress plugin before 3.7.1 does not restrict the access of a widget that shows the IPs of failed logins to low privileged users.

CVE-2023-4800 | MEDIUM | CVSS 6.5 | 2023-10-16
Threat Entry Updated 2024-11-21

CVE-2023-3154 - WordPress Gallery Plugin

The WordPress Gallery Plugin WordPress plugin before 3.39 is vulnerable to PHAR Deserialization due to a lack of input parameter validation in the `gallery_edit` function, allowing an attacker to access arbitrary resources on the server.

CVE-2023-3154 | HIGH | CVSS 7.5 | 2023-10-16
Threat Entry Updated 2025-04-23

CVE-2023-3155 - WordPress Gallery Plugin

The WordPress Gallery Plugin WordPress plugin before 3.39 is vulnerable to Arbitrary File Read and Delete due to a lack of input parameter validation in the `gallery_edit` function, allowing an attacker to access arbitrary resources on the server.

CVE-2023-3155 | HIGH | CVSS 7.2 | 2023-10-16
Threat Entry Updated 2025-04-23

CVE-2023-3279 - WordPress Gallery Plugin

The WordPress Gallery Plugin WordPress plugin before 3.39 does not validate some block attributes before using them to generate paths passed to include function(s), allowing Admin users to perform LFI attacks.

CVE-2023-3279 | MEDIUM | CVSS 4.9 | 2023-10-16
Threat Entry Updated 2024-11-21

CVE-2023-3392 - Read More & Accordion Plugin

The Read More & Accordion WordPress plugin before 3.2.7 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.

CVE-2023-3392 | HIGH | CVSS 7.2 | 2023-10-16
Threat Entry Updated 2026-03-03

CVE-2023-4549 - DoLogin Security Plugin

The DoLogin Security WordPress plugin before 3.7 does not properly sanitize IP addresses coming from the X-Forwarded-For header, which can be used by attackers to conduct Stored XSS attacks via WordPress' login form.

CVE-2023-4549 | MEDIUM | CVSS 6.1 | 2023-09-25
Threat Entry Updated 2025-04-23

CVE-2023-4476 - Locatoraid Store Locator Plugin

The Locatoraid Store Locator WordPress plugin before 3.9.24 does not sanitise and escape the lpr-search parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVE-2023-4476 | MEDIUM | CVSS 6.1 | 2023-09-25
Threat Entry Updated 2026-03-03

CVE-2023-4631 - DoLogin Security Plugin

The DoLogin Security WordPress plugin before 3.7 uses headers such as the X-Forwarded-For to retrieve the IP address of the request, which could lead to IP spoofing.

CVE-2023-4631 | MEDIUM | CVSS 5.3 | 2023-09-25