
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 276 | Critical 15 | High 50 | Medium 205
Showing 81-100 of 276 records
Threat Entry Updated 2025-05-14

CVE-2024-3239 - Before 4 Plugin

The Post Grid Gutenberg Blocks and WordPress Blog Plugin WordPress plugin before 4.0.2 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 4

CVE-2024-3239

MEDIUM CVSS 5.4 2024-05-14
Threat Entry Updated 2025-06-17

CVE-2024-1076 - Before 4 Plugin

The SSL Zen WordPress plugin before 4.6.0 does not properly prevent directory listing of the private keys folder, as it relies only on .htaccess to prevent visitors from accessing the site's generated private keys, which allows an attacker to read them if the site runs on a server that doesn't support .htaccess files, such as NGINX.

PLUGIN Before 4

CVE-2024-1076

MEDIUM CVSS 6.5 2024-05-08
Threat Entry Updated 2025-05-08

CVE-2024-3476 - Before 4 Plugin

The Side Menu Lite WordPress plugin before 4.2.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged-in admins perform unwanted actions, such as deleting buttons, via CSRF attacks.

PLUGIN Before 4

CVE-2024-3476

HIGH CVSS 8.8 2024-05-02
Threat Entry Updated 2025-03-25

CVE-2024-3474 - Before 4 Plugin

The Wow Skype Buttons WordPress plugin before 4.0.4 does not have CSRF checks in some bulk actions, which could allow attackers to make logged-in admins perform unwanted actions, such as deleting buttons, via CSRF attacks.

PLUGIN Before 4

CVE-2024-3474

HIGH CVSS 8.8 2024-05-02
Threat Entry Updated 2025-05-13

CVE-2024-1846 - Before 4 Plugin

The Responsive Tabs WordPress plugin before 4.0.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 4

CVE-2024-1846

MEDIUM CVSS 5.4 2024-04-15
Threat Entry Updated 2025-04-11

CVE-2023-7164 - Before 4 Plugin

The BackWPup WordPress plugin before 4.0.4 does not prevent Directory Listing in its temporary backup folder, allowing unauthenticated attackers to download backups of a site's database.

PLUGIN Before 4

CVE-2023-7164

HIGH CVSS 7.5 2024-04-08
Threat Entry Updated 2025-05-01

CVE-2024-1106 - Before 4 Plugin

The Shariff Wrapper WordPress plugin before 4.6.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Before 4

CVE-2024-1106

MEDIUM CVSS 6.1 2024-02-27
Threat Entry Updated 2025-05-01

CVE-2024-0855 - Before 4 Plugin

The Spiffy Calendar WordPress plugin before 4.9.9 doesn't check the event_author parameter and allows any user to alter it when creating an event, which could be used to deceive users/admins into believing that a page was created by a Contributor+ user.

PLUGIN Before 4

CVE-2024-0855

MEDIUM CVSS 5.3 2024-02-27
Threat Entry Updated 2025-04-24

CVE-2023-6294 - Before 4 Plugin

The Popup Builder WordPress plugin before 4.2.6 does not validate a parameter before making a request to it, which could allow users with the administrator role to perform SSRF attacks in Multisite WordPress configurations.

PLUGIN Before 4

CVE-2023-6294

HIGH CVSS 7.2 2024-02-12
Threat Entry Updated 2025-06-02

CVE-2023-7200 - Before 4 Plugin

The EventON WordPress plugin before 4.4.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Before 4

CVE-2023-7200

MEDIUM CVSS 6.1 2024-01-29
Threat Entry Updated 2025-05-29

CVE-2023-7199 - Before 4 Plugin

The Relevanssi WordPress plugin before 4.22.0 and the Relevanssi Premium WordPress plugin before 2.25.0 allow any unauthenticated user to read draft and private posts via a crafted request.

PLUGIN Before 4

CVE-2023-7199

MEDIUM CVSS 5.3 2024-01-29
Threat Entry Updated 2025-06-02

CVE-2024-0238 - Before 4 Plugin

The EventON Premium WordPress plugin before 4.5.6 and the EventON WordPress plugin before 2.2.8 do not have authorisation in an AJAX action and do not ensure that the post to be updated belongs to the plugin, allowing unauthenticated users to update arbitrary post metadata.

PLUGIN Before 4

CVE-2024-0238

MEDIUM CVSS 6.1 2024-01-16
Threat Entry Updated 2025-06-20

CVE-2024-0233 - Before 4 Plugin

The EventON WordPress plugin before 4.5.5 and the EventON WordPress plugin before 2.2.7 do not properly sanitise and escape a parameter before outputting it back in pages, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Before 4

CVE-2024-0233

MEDIUM CVSS 6.1 2024-01-16
Threat Entry Updated 2025-06-20

CVE-2024-0236 - Before 4 Plugin

The EventON WordPress plugin before 4.5.5 and the EventON WordPress plugin before 2.2.7 do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve the settings of arbitrary virtual events, including any meeting password set (for example for Zoom).

PLUGIN Before 4

CVE-2024-0236

MEDIUM CVSS 5.3 2024-01-16
Threat Entry Updated 2025-06-20

CVE-2024-0235 - Before 4 Plugin

The EventON WordPress plugin before 4.5.5 and the EventON WordPress plugin before 2.2.7 do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve the email addresses of any users on the blog.

PLUGIN Before 4

CVE-2024-0235

MEDIUM CVSS 5.3 2024-01-16
Threat Entry Updated 2025-06-11

CVE-2023-4797 - Before 4 Plugin

The Newsletters WordPress plugin before 4.9.3 does not properly escape user-controlled parameters when they are appended to SQL queries and shell commands, which could enable an administrator to run arbitrary commands on the server.

PLUGIN Before 4

CVE-2023-4797

HIGH CVSS 7.2 2024-01-16
Threat Entry Updated 2024-11-21

CVE-2023-5558 - Before 4 Plugin

The LearnPress WordPress plugin before 4.2.5.5 does not sanitise and escape user input before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Before 4

CVE-2023-5558

MEDIUM CVSS 6.1 2024-01-16
Threat Entry Updated 2025-06-20

CVE-2023-6005 - Before 4 Plugin

The EventON WordPress plugin before 4.5.5 and the EventON WordPress plugin before 2.2.7 do not sanitize and escape some of their settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Before 4

CVE-2023-6005

MEDIUM CVSS 4.8 2024-01-16
Threat Entry Updated 2025-06-20

CVE-2023-0479 - Before 4 Plugin

The Print Invoice & Delivery Notes for WooCommerce WordPress plugin before 4.7.2 is vulnerable to reflected XSS by echoing a GET value in an admin note within the WooCommerce orders page. This means that the vulnerability can be exploited against users with the edit_others_shop_orders capability. WooCommerce must be installed and active. The vulnerability is caused by a urldecode() applied after cleanup with esc_url_raw(), which allows double-encoded input to bypass the sanitisation.

PLUGIN Before 4

CVE-2023-0479

MEDIUM CVSS 6.1 2024-01-16
Threat Entry Updated 2025-06-11

CVE-2023-6623 - Before 4 Plugin

The Essential Blocks WordPress plugin before 4.4.3 does not prevent unauthenticated attackers from overwriting local variables when rendering templates over the REST API, which may lead to Local File Inclusion attacks.

PLUGIN Before 4

CVE-2023-6623

CRITICAL CVSS 9.8 2024-01-15