Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 58 | Critical 4 | High 9 | Medium 43

Showing 21-40 of 58 records
CVE-2024-2583 - Shortcodes Ultimate (before 7.0.5)

The WP Shortcodes Plugin — Shortcodes Ultimate WordPress plugin before 7.0.5 does not properly escape some of its shortcode attributes before they are echoed back to users, making it possible for users with the contributor role to conduct Stored XSS attacks.

MEDIUM | CVSS 5.4 | 2024-04-13 | Threat entry updated 2025-05-12

CVE-2023-6290 - SEOPress (before 7.3)

The SEOPress WordPress plugin before 7.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

MEDIUM | CVSS 4.8 | 2024-01-22 | Threat entry updated 2024-11-21

CVE-2023-2252 - Directorist (before 7.5.4)

The Directorist WordPress plugin before 7.5.4 is vulnerable to Local File Inclusion as it does not validate the file parameter when importing CSV files.

LOW | CVSS 2.7 | 2024-01-16 | Threat entry updated 2025-06-02

CVE-2023-3936 - Blog2Social (before 7.2.1)

The Blog2Social WordPress plugin before 7.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

MEDIUM | CVSS 6.1 | 2023-08-21 | Threat entry updated 2025-04-23

CVE-2023-1273 - ND Shortcodes (before 7.0)

The ND Shortcodes WordPress plugin before 7.0 does not validate some shortcode attributes before using them to generate paths passed to include function(s), allowing any authenticated user, such as a subscriber, to perform LFI attacks.

HIGH | CVSS 8.8 | 2023-07-04 | Threat entry updated 2024-11-21

CVE-2023-2779 - Social Share, Social Login and Social Comments (before 7.13.52)

The Social Share, Social Login and Social Comments WordPress plugin before 7.13.52 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

MEDIUM | CVSS 6.1 | 2023-06-19 | Threat entry updated 2024-12-12

CVE-2023-0983 - stylish-cost-calculator-premium (before 7.9.0)

The stylish-cost-calculator-premium WordPress plugin before 7.9.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Stored Cross-Site Scripting which could be used against admins when viewing submissions submitted through the Email Quote Form.

MEDIUM | CVSS 6.1 | 2023-04-10 | Threat entry updated 2025-02-11

CVE-2023-0263 - WP Yelp Review Slider (before 7.1)

The WP Yelp Review Slider WordPress plugin before 7.1 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.

HIGH | CVSS 8.8 | 2023-02-13 | Threat entry updated 2024-11-21

CVE-2023-0082 - ExactMetrics (before 7.12.1)

The ExactMetrics WordPress plugin before 7.12.1 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM | CVSS 5.4 | 2023-02-06 | Threat entry updated 2025-03-25

CVE-2022-2763 - WP Socializer (before 7.3)

The WP Socializer WordPress plugin before 7.3 does not sanitise and escape some of its Icons settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM | CVSS 4.8 | 2022-10-03 | Threat entry updated 2024-11-21

CVE-2022-1613 - Restricted Site Access (before 7.3.2)

The Restricted Site Access WordPress plugin before 7.3.2 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based limitations in certain situations.

MEDIUM | CVSS 5.3 | 2022-09-26 | Threat entry updated 2025-05-21

CVE-2022-3142 - NEX-Forms (before 7.9.7)

The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the form statistics chart (by default administrators, although this can be changed in the plugin settings).

HIGH | CVSS 8.8 | 2022-09-19 | Threat entry updated 2024-11-21

CVE-2022-2877 - Titan Anti-spam & Security (before 7.3.1)

The Titan Anti-spam & Security WordPress plugin before 7.3.1 does not properly check HTTP headers in order to validate the origin IP address, allowing threat actors to bypass its block feature by spoofing the headers.

MEDIUM | CVSS 5.3 | 2022-09-16 | Threat entry updated 2024-11-21

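CVE-2022-1613 and CVE-2022-2877 above are the same bug class: the client address is read from a request header that the client itself controls. The following is an added example, not code from Restricted Site Access or Titan Anti-spam & Security, showing the bypass against a header-first lookup and a lookup that only honours forwarding headers when the TCP peer is one of the site's own proxies. The function names, the TRUSTED_PROXIES list and the sample addresses are assumptions for the example.

```php
<?php
// Vulnerable pattern: proxy-style headers are consulted before REMOTE_ADDR, so any
// client that adds "X-Forwarded-For: <allowlisted ip>" is treated as that address.
function vulnerable_client_ip(array $server): string {
    foreach (['HTTP_CF_CONNECTING_IP', 'HTTP_X_REAL_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR'] as $key) {
        if (!empty($server[$key])) {
            // X-Forwarded-For may be a comma list; the first element is the *claimed* origin.
            return trim(explode(',', $server[$key])[0]);
        }
    }
    return '';
}

// Hardened pattern. TRUSTED_PROXIES is a deployment assumption: the reverse proxies or
// load balancers actually in front of this host. Forwarding headers are honoured only
// when REMOTE_ADDR is one of them, and the address chosen is the right-most hop that is
// not itself a trusted proxy, because only entries appended by our own proxies are
// trustworthy; anything the client placed in the header earlier is not.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

function hardened_client_ip(array $server, array $trusted = TRUSTED_PROXIES): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if ($remote === '' || !in_array($remote, $trusted, true)) {
        // Direct connection (or an unknown peer): the headers are attacker-controlled.
        return $remote;
    }
    $hops   = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    $hops[] = $remote;
    // Walk from the nearest hop outward, skipping our own proxies.
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $ip = $hops[$i];
        if ($ip === '' || in_array($ip, $trusted, true)) {
            continue;
        }
        return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : $remote;
    }
    return $remote;
}

function ip_is_allowed(string $ip, array $allowlist): bool {
    return in_array($ip, $allowlist, true);
}

// Constructed request: an outside client (203.0.113.9) connects directly and claims an
// allowlisted office address in a forged header. The vulnerable lookup returns the
// forged address; the hardened lookup ignores the header because the peer is not a proxy.
$forged = [
    'REMOTE_ADDR'          => '203.0.113.9',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.20',
];
$allowlist = ['198.51.100.20'];
var_dump(ip_is_allowed(vulnerable_client_ip($forged), $allowlist));
var_dump(ip_is_allowed(hardened_client_ip($forged), $allowlist));

// Same forged header, but the request really arrived through our proxy, which appended
// the true client address as the last hop; the hardened lookup picks that one.
$via_proxy = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.20, 203.0.113.9',
];
var_dump(hardened_client_ip($via_proxy));
```

The trusted-proxy list has to be configured per deployment; a plugin cannot discover it safely, which is why the fix for this class of issue is usually an explicit setting rather than a smarter header parser.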
CVE-2022-2376 - Directorist (before 7.3.1)

The Directorist WordPress plugin before 7.3.1 discloses the email address of all users in an AJAX action available to both unauthenticated and any authenticated users.

MEDIUM | CVSS 5.3 | 2022-09-05 | Threat entry updated 2024-11-21

CVE-2022-2377 - Directorist (before 7.3.0)

The Directorist WordPress plugin before 7.3.0 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated user to send arbitrary emails on behalf of the blog.

MEDIUM | CVSS 4.3 | 2022-08-22 | Threat entry updated 2024-11-21

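Both Directorist entries above (CVE-2022-2376, CVE-2022-2377) come from admin-ajax handlers that trust the caller. The following is an added example, not Directorist's code, contrasting a handler registered for everyone with no nonce or capability check against one that is registered only for logged-in users, verifies a CSRF nonce, enforces a capability, and validates the fields before they reach wp_mail(). The hook names, capability and nonce action are assumptions for the example.

```php
<?php
// Vulnerable: reachable by anonymous users (wp_ajax_nopriv_) and logged-in users alike,
// no nonce, no capability check, and recipient/subject/body come straight from the request.
add_action('wp_ajax_example_send_mail',        'example_send_mail_vulnerable');
add_action('wp_ajax_nopriv_example_send_mail', 'example_send_mail_vulnerable');

function example_send_mail_vulnerable() {
    wp_mail($_POST['to'], $_POST['subject'], $_POST['body']);
    wp_send_json_success();
}

// Hardened: privileged hook only (no nopriv variant, which also closes the
// "unauthenticated users can call it" half of the disclosure bug), nonce verified,
// capability enforced, and the untrusted fields validated.
add_action('wp_ajax_example_send_mail_v2', 'example_send_mail_hardened');

function example_send_mail_hardened() {
    // Dies with -1 / HTTP 403 unless a nonce created by wp_create_nonce('example_send_mail')
    // is present in the _ajax_nonce (or _wpnonce) request field.
    check_ajax_referer('example_send_mail');

    // Authorisation: sending mail on the site's behalf is treated as an admin action here.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }

    $to = sanitize_email(wp_unslash($_POST['to'] ?? ''));
    if (!is_email($to)) {
        wp_send_json_error(['message' => 'invalid recipient'], 400);
    }
    $subject = sanitize_text_field(wp_unslash($_POST['subject'] ?? ''));
    $body    = wp_kses_post(wp_unslash($_POST['body'] ?? ''));

    wp_mail($to, $subject, $body);
    wp_send_json_success();
}

// A read-only handler gets the same treatment, plus a response that only returns what the
// caller needs; listing every user's email address has no business being in a public action.
add_action('wp_ajax_example_author_names', function () {
    check_ajax_referer('example_author_names');
    if (!current_user_can('edit_posts')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }
    $users = get_users(['fields' => ['ID', 'display_name'], 'capability' => 'edit_posts']);
    wp_send_json_success($users);
});
```

Note that wp_send_json_error() and wp_send_json_success() terminate the request, so no explicit return is needed after them. The nonce check alone does not authorise anything: a logged-in subscriber can obtain a valid nonce from any page that prints one, which is why the capability check is the part that actually decides who may send mail.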
CVE-2022-2460 - WPDating (before 7.4.0)

The WPDating WordPress plugin before 7.4.0 does not properly escape user input before concatenating it to certain SQL queries, leading to multiple SQL injection vulnerabilities exploitable by unauthenticated users.

CRITICAL | CVSS 9.8 | 2022-08-08 | Threat entry updated 2025-09-03

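CVE-2023-0263, CVE-2022-3142 and CVE-2022-2460 above all describe request values concatenated into SQL. The following is an added example, not code from WP Yelp Review Slider, NEX-Forms or WPDating, showing that pattern beside its $wpdb->prepare() replacement, including the two positions prepare() does not cover on its own: LIKE wildcards and the ORDER BY identifier. The table and column names are assumptions for the example.

```php
<?php
// Vulnerable: the numeric id, the search term and the sort column are all spliced in
// verbatim, so each is an injection point.
function stats_vulnerable(string $form_id, string $term, string $order_by): array {
    global $wpdb;
    $sql = "SELECT id, submitted_at FROM {$wpdb->prefix}example_entries"
         . " WHERE form_id = " . $form_id
         . " AND message LIKE '%" . $term . "%'"
         . " ORDER BY " . $order_by;
    return $wpdb->get_results($sql, ARRAY_A) ?: [];
}

// Hardened:
//  - %d casts the id to an integer and %s quotes and escapes the string;
//  - esc_like() escapes '%' and '_' inside the user term so the term cannot widen the
//    match (prepare() alone would still let "%" match everything);
//  - the ORDER BY column is matched against an allowlist, because placeholders cannot
//    parameterise identifiers and anything else would be concatenated into the query.
function stats_hardened($form_id, string $term, string $order_by): array {
    global $wpdb;
    $allowed_order = ['id', 'submitted_at'];
    if (!in_array($order_by, $allowed_order, true)) {
        $order_by = 'submitted_at';
    }
    $like = '%' . $wpdb->esc_like($term) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, submitted_at FROM {$wpdb->prefix}example_entries"
        . " WHERE form_id = %d AND message LIKE %s ORDER BY {$order_by}",
        (int) $form_id,
        $like
    );
    return $wpdb->get_results($sql, ARRAY_A) ?: [];
}

// Constructed inputs, one per position, to reason about the difference:
$boolean_based = '1 OR 1=1';                                          // form_id
$union_based   = "' UNION SELECT user_login, user_pass FROM wp_users -- ";  // term
$sort_based    = '(SELECT SLEEP(5))';                                  // order_by
// stats_vulnerable() executes each of these as SQL. In stats_hardened(), (int) '1 OR 1=1'
// is 1, the UNION text becomes an ordinary quoted LIKE pattern, and the ORDER BY
// expression is replaced by the default column.
```

The ORDER BY allowlist is the part most often missed when a plugin is "fixed" by switching to prepare(): the advisory for NEX-Forms concerns statistics views, which are exactly the kind of code that takes a sort column from the request.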
CVE-2022-2046 - Directorist (before 7.2.3)

The Directorist WordPress plugin before 7.2.3 allows administrators to download other plugins from the same vendor directly to the site, but does not check the URL domain it gets the zip files from. This could allow administrators to run code on the server, which is a problem in multisite configurations.

MEDIUM | CVSS 4.9 | 2022-08-08 | Threat entry updated 2024-11-21

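The CVE-2022-2046 entry above is a missing host check on a package URL. The following is an added example, not Directorist's code, of validating such a URL before handing it to download_url(): the URL is parsed rather than string-matched, because a substring check is defeated by userinfo and subdomain tricks. The ALLOWED_VENDOR_HOSTS list and the sample URLs are assumptions for the example.

```php
<?php
// Hosts the site is willing to fetch vendor packages from (deployment assumption).
const ALLOWED_VENDOR_HOSTS = ['downloads.example-vendor.com'];

// A tempting but wrong fix: "does the URL mention our host?"
function vendor_url_substring_check(string $url): bool {
    return strpos($url, 'downloads.example-vendor.com') !== false;
}

// Parse the URL and compare the host component exactly. Scheme is pinned to https so
// a network-position attacker cannot substitute the archive in transit.
function vendor_url_is_allowed(string $url): bool {
    $parts = wp_parse_url($url);
    if (!is_array($parts) || strtolower($parts['scheme'] ?? '') !== 'https') {
        return false;
    }
    $host = strtolower($parts['host'] ?? '');
    return in_array($host, ALLOWED_VENDOR_HOSTS, true);
}

function install_vendor_package(string $url): bool {
    if (!vendor_url_is_allowed($url)) {
        return false;
    }
    // download_url() fetches to a temp file; the caller is expected to verify and unzip
    // it with WordPress' Filesystem API, then delete the temp file.
    $tmp = download_url($url);
    if (is_wp_error($tmp)) {
        return false;
    }
    $result = unzip_file($tmp, WP_PLUGIN_DIR);
    @unlink($tmp);
    return !is_wp_error($result);
}

// Constructed URLs. All three pass the substring check; only the first passes the parser.
$legit    = 'https://downloads.example-vendor.com/addon.zip';
$userinfo = 'https://downloads.example-vendor.com@attacker.example/addon.zip'; // host is attacker.example
$suffix   = 'https://downloads.example-vendor.com.attacker.example/addon.zip'; // different host
foreach ([$legit, $userinfo, $suffix] as $u) {
    var_dump(vendor_url_substring_check($u), vendor_url_is_allowed($u));
}
```

unzip_file() requires the WordPress Filesystem API to be initialised (WP_Filesystem()), which the admin-side code that would call install_vendor_package() normally has already done. A host allowlist limits where code can come from; it does not verify what is in the archive, so vendors that sign packages should have that signature checked here as well.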
CVE-2022-2184 - CAPTCHA 4WP (before 7.1.0)

The CAPTCHA 4WP WordPress plugin before 7.1.0 lets user input reach a sensitive require_once call in one of its admin-side templates. This can be abused by attackers, via a Cross-Site Request Forgery attack, to run arbitrary code on the server.

HIGH | CVSS 8.8 | 2022-08-01 | Threat entry updated 2024-11-21

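CVE-2023-2252, CVE-2023-1273 and CVE-2022-2184 above are all user input reaching include/require. The following is an added example, not code from Directorist, ND Shortcodes or CAPTCHA 4WP, showing a shortcode attribute concatenated into an include path, and the two ways to close it: a fixed map from attribute value to file, and, where the name must be dynamic, a realpath() containment check. The shortcode tag, template directory and layout names are assumptions for the example.

```php
<?php
// Vulnerable: the "layout" attribute becomes part of the path. With "../" segments the
// include walks out of the templates directory (to wp-config.php, an uploaded file, or
// anything else readable by the web server user), and a subscriber can place the shortcode
// anywhere shortcodes are rendered.
add_shortcode('example_box_vulnerable', function ($atts) {
    $atts = shortcode_atts(['layout' => 'default'], $atts);
    ob_start();
    include plugin_dir_path(__FILE__) . 'templates/' . $atts['layout'] . '.php';
    return ob_get_clean();
});

// Hardened (a): the attribute selects from a fixed map; no user data is ever part of a path.
const EXAMPLE_LAYOUTS = ['default' => 'default.php', 'compact' => 'compact.php'];

add_shortcode('example_box', function ($atts) {
    $atts = shortcode_atts(['layout' => 'default'], $atts);
    $file = EXAMPLE_LAYOUTS[$atts['layout']] ?? EXAMPLE_LAYOUTS['default'];
    ob_start();
    include plugin_dir_path(__FILE__) . 'templates/' . $file;
    return ob_get_clean();
});

// Hardened (b): when the name must be dynamic (e.g. site-provided template files), resolve
// it and require the result to stay inside the intended directory.
function example_resolve_template(string $name): ?string {
    $base = realpath(plugin_dir_path(__FILE__) . 'templates');
    if ($base === false) {
        return null;
    }
    // Reject anything that is not a plain file name before touching the filesystem:
    // no separators, no dots, no NUL, no wrapper prefixes such as "php://".
    if (!preg_match('/\A[a-z0-9_-]+\z/i', $name)) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    // realpath() collapses ".." and symlinks; the prefix test (with the trailing separator)
    // then guarantees the file is under $base and not a sibling such as "$base-other".
    if ($path === false || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Admin-side use, the CAPTCHA 4WP shape of the bug: a request value reaching require_once
// from a page an administrator can be made to load via CSRF. The nonce and capability
// checks stop the CSRF; the resolver stops the traversal even if those are later weakened.
function example_render_admin_tab() {
    check_admin_referer('example_admin_tab');
    if (!current_user_can('manage_options')) {
        wp_die('forbidden', '', ['response' => 403]);
    }
    $tab  = sanitize_key($_GET['tab'] ?? 'general');
    $file = example_resolve_template($tab);
    if ($file === null) {
        wp_die('unknown tab', '', ['response' => 400]);
    }
    require_once $file;
}
```

Approach (a) is preferable wherever the set of files is known at development time; (b) is for the genuinely dynamic case and still rejects anything outside the directory, including symlinks that point out of it, because realpath() follows them before the prefix check.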
CVE-2022-1889 - Newsletter (before 7.4.6)

The Newsletter WordPress plugin before 7.4.6 does not escape and sanitise the preheader_text setting, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when unfiltered_html is disallowed.

MEDIUM | CVSS 4.8 | 2022-06-20 | Threat entry updated 2024-11-21

CVE-2022-1756 - Newsletter (before 7.4.5)

The Newsletter WordPress plugin before 7.4.5 does not sanitize and escape the $_SERVER['REQUEST_URI'] before echoing it back in admin pages. Although this uses addslashes, and most modern browsers automatically URL-encode requests, this is still vulnerable to Reflected XSS in older browsers such as Internet Explorer 9 or below.

MEDIUM | CVSS 6.1 | 2022-06-13 | Threat entry updated 2024-11-21
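The cross-site scripting entries on this page (CVE-2024-2583, CVE-2023-6290, CVE-2023-3936, CVE-2023-2779, CVE-2023-0983, CVE-2023-0082, CVE-2022-2763, CVE-2022-1889 and CVE-2022-1756) fall into three sinks: a shortcode or block attribute rendered for every visitor, a plugin setting echoed back on its own admin page, and REQUEST_URI reflected into markup with only addslashes() applied. The following is an added example, not code from any of the plugins listed, showing each sink beside the escaping that closes it. The shortcode tag, option name and sample URI are assumptions for the example.

```php
<?php
// 1. Shortcode attribute echoed into HTML (the contributor-level stored XSS). A contributor
//    cannot post raw <script>, but can post a shortcode whose attribute is rendered
//    unescaped for everyone who views the post, including administrators.
add_shortcode('example_button_vulnerable', function ($atts) {
    $atts = shortcode_atts(['url' => '#', 'title' => ''], $atts);
    return '<a href="' . $atts['url'] . '" title="' . $atts['title'] . '">Go</a>';
});

add_shortcode('example_button', function ($atts) {
    $atts = shortcode_atts(['url' => '#', 'title' => ''], $atts);
    // esc_url() rejects javascript: and other unsafe schemes; esc_attr() encodes quotes so
    // the attribute cannot be closed early and a new one (onmouseover=...) started.
    return '<a href="' . esc_url($atts['url']) . '" title="' . esc_attr($atts['title']) . '">Go</a>';
});

// 2. A setting rendered back on the admin page. Disallowing unfiltered_html (e.g. on
//    multisite) only governs what WordPress strips from post content; it does nothing for
//    data a plugin stores and echoes itself, so the plugin must sanitise on save AND escape
//    on output. The "even when unfiltered_html is disallowed" wording in these advisories
//    is exactly this gap.
add_action('admin_init', function () {
    register_setting('example_group', 'example_preheader', [
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field', // strips tags; runs on every save
        'default'           => '',
    ]);
});

function example_render_preheader_field() {
    $value = get_option('example_preheader', '');
    // Escaped on output regardless of what is stored: if an older version saved raw HTML,
    // it still renders inert.
    echo '<input type="text" name="example_preheader" value="' . esc_attr($value) . '">';
}

// 3. REQUEST_URI reflected into a form action. addslashes() turns " into \" but the HTML
//    parser does not treat a backslash as an escape: the attribute still closes at the
//    quote, and '<' / '>' are untouched, so a browser that sends the path unencoded
//    delivers a reflected payload. esc_url() drops characters that cannot appear in a URL
//    (quotes and angle brackets among them) and encodes the rest for attribute context.
function example_form_action_vulnerable(string $request_uri): string {
    return '<form action="' . addslashes($request_uri) . '">';
}

function example_form_action(string $request_uri): string {
    return '<form action="' . esc_url($request_uri) . '">';
}

// Constructed reflected input, as an old browser would send it without percent-encoding.
// Compare the two outputs: the first still contains a live <script> element.
$uri = '/wp-admin/admin.php?page=example"><script>alert(1)</script>';
echo example_form_action_vulnerable($uri), "\n";
echo example_form_action($uri), "\n";
```

The rule the three cases share is escape at the point of output for the context you are writing into (esc_attr for attributes, esc_html for text nodes, esc_url for href/src/action), and do not rely on what was or was not filtered at input time, since capabilities such as unfiltered_html and browser-side encoding both vary by deployment.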