Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 276 records (Critical 15, High 50, Medium 205). Showing records 141-160 of 276.
Threat Entry Updated 2025-01-28

CVE-2023-0268 - Before 4 Plugin

The Mega Addons For WPBakery Page Builder WordPress plugin before 4.3.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 4

CVE-2023-0268

MEDIUM CVSS 5.4 2023-05-08
Threat Entry Updated 2025-03-18

CVE-2023-1435 - Before 4 Plugin

The Ajax Search Pro WordPress plugin before 4.26.2 does not sanitise and escape various parameters before outputting them back in pages, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Before 4

CVE-2023-1435

MEDIUM CVSS 6.1 2023-04-24
Threat Entry Updated 2025-03-18

CVE-2023-1420 - Before 4 Plugin

The Ajax Search Lite WordPress plugin before 4.11.1 and Ajax Search Pro WordPress plugin before 4.26.2 do not sanitise and escape a parameter before outputting it back in a response of an AJAX action, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Before 4

CVE-2023-1420

MEDIUM CVSS 6.1 2023-04-24
Threat Entry Updated 2025-03-05

CVE-2023-0765 - Before 4 Plugin

The Gallery by BestWebSoft WordPress plugin before 4.7.0 does not properly escape values used in SQL queries, leading to a Blind SQL Injection vulnerability. The attacker must have at least the privileges of an Author, and the vendor's Slider plugin (https://wordpress.org/plugins/slider-bws/) must also be installed for this vulnerability to be exploitable.

PLUGIN Before 4

CVE-2023-0765

HIGH CVSS 8.8 2023-04-17
Threat Entry Updated 2025-02-06

CVE-2023-0764 - Before 4 Plugin

The Gallery by BestWebSoft WordPress plugin before 4.7.0 does not perform proper sanitization of gallery information, leading to a Stored Cross-Site Scripting vulnerability. The attacker must have at least the privileges of the Author role.

PLUGIN Before 4

CVE-2023-0764

MEDIUM CVSS 5.4 2023-04-17
Threat Entry Updated 2025-02-11

CVE-2023-1381 - Before 4 Plugin

The WP Meta SEO WordPress plugin before 4.5.5 does not validate image file paths before attempting to manipulate the image files, leading to a PHAR deserialization vulnerability. Furthermore, the plugin contains a gadget chain which may be used in certain configurations to achieve remote code execution.

PLUGIN Before 4

CVE-2023-1381

HIGH CVSS 8.8 2023-04-10
Threat Entry Updated 2025-02-11

CVE-2023-0546 - Before 4 Plugin

The Contact Form Plugin WordPress plugin before 4.3.25 does not properly sanitize and escape the srcdoc attribute in iframes in its custom HTML field type, allowing a logged-in user with a role as low as contributor to inject arbitrary JavaScript into a form, which will trigger for any visitor to the form or for admins previewing or editing the form.

PLUGIN Before 4

CVE-2023-0546

MEDIUM CVSS 5.4 2023-04-10
Threat Entry Updated 2025-02-19

CVE-2023-0467 - Before 4 Plugin

The WP Dark Mode WordPress plugin before 4.0.8 does not properly sanitize the style parameter in shortcodes before using it to load a PHP template. This leads to Local File Inclusion on servers where non-existent directories may be traversed, or when chained with another vulnerability allowing arbitrary directory creation.

PLUGIN Before 4

CVE-2023-0467

MEDIUM CVSS 4.3 2023-03-27
Threat Entry Updated 2025-02-26

CVE-2023-0875 - Before 4 Plugin

The WP Meta SEO WordPress plugin before 4.5.3 does not properly sanitize and escape inputs into SQL queries, leading to a blind SQL Injection vulnerability that can be exploited by subscriber+ users.

PLUGIN Before 4

CVE-2023-0875

HIGH CVSS 8.8 2023-03-20
Threat Entry Updated 2025-02-26

CVE-2023-0630 - Before 4 Plugin

The Slimstat Analytics WordPress plugin before 4.9.3.3 does not prevent subscribers from rendering shortcodes that concatenate attributes directly into an SQL query.

PLUGIN Before 4

CVE-2023-0630

HIGH CVSS 8.8 2023-03-20
Threat Entry Updated 2025-02-26

CVE-2023-0876 - Before 4 Plugin

The WP Meta SEO WordPress plugin before 4.5.3 does not authorize several ajax actions, allowing low-privilege users to make updates to certain data and leading to an arbitrary redirect vulnerability.

PLUGIN Before 4

CVE-2023-0876

MEDIUM CVSS 6.1 2023-03-20
Threat Entry Updated 2025-03-12

CVE-2023-0285 - Before 4 Plugin

The Real Media Library WordPress plugin before 4.18.29 does not sanitise and escape the created folder names, which could allow users with the role of author and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 4

CVE-2023-0285

MEDIUM CVSS 5.4 2023-02-21
Threat Entry Updated 2025-03-21

CVE-2023-0255 - Before 4 Plugin

The Enable Media Replace WordPress plugin before 4.0.2 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites.

PLUGIN Before 4

CVE-2023-0255

HIGH CVSS 8.8 2023-02-13
Threat Entry Updated 2025-03-21

CVE-2023-0275 - Before 4 Plugin

The Easy Accept Payments for PayPal WordPress plugin before 4.9.10 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 4

CVE-2023-0275

MEDIUM CVSS 5.4 2023-02-13
Threat Entry Updated 2025-03-25

CVE-2023-0062 - Before 4 Plugin

The EAN for WooCommerce WordPress plugin before 4.4.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 4

CVE-2023-0062

MEDIUM CVSS 5.4 2023-02-06
Threat Entry Updated 2025-05-06

CVE-2022-3254 - Before 4 Plugin

The WordPress Classifieds Plugin WordPress plugin before 4.3 does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users when a specific premium module is active, leading to a SQL injection.

PLUGIN Before 4

CVE-2022-3254

CRITICAL CVSS 9.8 2022-10-31
Threat Entry Updated 2025-05-06

CVE-2022-3360 - Before 4 Plugin

The LearnPress WordPress plugin before 4.1.7.2 unserialises user input in a REST API endpoint available to unauthenticated users, which could lead to PHP Object Injection when a suitable gadget is present, leading to remote code execution (RCE). To successfully exploit this vulnerability, attackers must have knowledge of the site secrets, allowing them to generate a valid hash via the wp_hash() function.

PLUGIN Before 4

CVE-2022-3360

HIGH CVSS 8.1 2022-10-31
Threat Entry Updated 2025-05-13

CVE-2022-2834 - Before 4 Plugin

The Helpful WordPress plugin before 4.5.26 puts the exported logs and feedback in a publicly accessible location with guessable names, which could allow attackers to download them and retrieve sensitive information such as IP addresses, names and email addresses, depending on the plugin's settings.

PLUGIN Before 4

CVE-2022-2834

MEDIUM CVSS 5.3 2022-10-17
Threat Entry Updated 2024-11-21

CVE-2022-3154 - Before 4 Plugin

The Woo Billingo Plus WordPress plugin before 4.4.5.4, Integration for Billingo & Gravity Forms WordPress plugin before 1.0.4, and Integration for Szamlazz.hu & Gravity Forms WordPress plugin before 1.2.7 are lacking CSRF checks in various AJAX actions, which could allow attackers to make logged-in Shop Managers and above perform unwanted actions, such as deactivating the plugin's license.

PLUGIN Before 4

CVE-2022-3154

HIGH CVSS 7.1 2022-10-10
Threat Entry Updated 2024-11-21

CVE-2022-3208 - Before 4 Plugin

The Simple File List WordPress plugin before 4.4.12 does not implement nonce checks, which could allow attackers to make a logged-in admin create a new page and change its content via a CSRF attack.

PLUGIN Before 4

CVE-2022-3208

MEDIUM CVSS 6.5 2022-10-10