Live Vulnerability Intelligence: Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 21-40 of 45 records (filter counts: 1 critical, 7 high, 36 medium).
CVE-2024-0566 | Plugin | HIGH, CVSS 7.2 | 2024-02-12 | Threat Entry Updated 2025-05-07

The Smart Manager WordPress plugin before 8.28.0 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.
CVE-2023-6824 | Plugin | MEDIUM, CVSS 6.5 | 2024-01-16 | Threat Entry Updated 2025-06-11

The WP Customer Area WordPress plugin before 8.2.1 does not properly validate user capabilities in some of its AJAX actions, allowing any user to retrieve other users' account addresses.
CVE-2023-6741 | Plugin | MEDIUM, CVSS 4.3 | 2024-01-16 | Threat Entry Updated 2025-06-20

The WP Customer Area WordPress plugin before 8.2.1 does not properly validate user capabilities in some of its AJAX actions, allowing malicious users to edit other users' account addresses.
CVE-2023-6529 | Plugin | MEDIUM, CVSS 6.1 | 2024-01-08 | Threat Entry Updated 2025-06-18

The WP VR WordPress plugin before 8.3.15 does not have authorisation and CSRF checks in a function hooked to admin_init, allowing unauthenticated users to downgrade the plugin, thus leading to Reflected or Stored XSS, as previous versions have such vulnerabilities.
CVE-2023-3575 | Plugin | MEDIUM, CVSS 5.4 | 2023-08-07 | Threat Entry Updated 2025-04-23

The Quiz And Survey Master WordPress plugin before 8.1.11 does not properly sanitize and escape question titles, which could allow users with the Contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2023-0439 | Plugin | MEDIUM, CVSS 5.4 | 2023-07-17 | Threat Entry Updated 2024-11-21

The NEX-Forms WordPress plugin before 8.4.4 does not escape its form name, which could lead to Stored Cross-Site Scripting issues. By default only SuperAdmins (in multisite) / admins (in single site) can create forms; however, there is a setting allowing them to give lower roles access to this feature.
CVE-2023-0233 | Plugin | MEDIUM, CVSS 5.4 | 2023-05-15 | Threat Entry Updated 2025-01-14

The ActiveCampaign WordPress plugin before 8.1.12 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2023-2114 | Plugin | HIGH, CVSS 7.2 | 2023-05-08 | Threat Entry Updated 2025-02-04

The NEX-Forms WordPress plugin before 8.4 does not properly escape the `table` parameter, which is populated with user input, before concatenating it to an SQL query.
CVE-2023-1414 | Plugin | MEDIUM, CVSS 4.3 | 2023-04-24 | Threat Entry Updated 2025-02-04

The WP VR WordPress plugin before 8.3.0 does not have authorisation and CSRF checks in various AJAX actions; one in particular could allow any authenticated user, such as a subscriber, to update arbitrary tours.
CVE-2023-1413 | Plugin | MEDIUM, CVSS 6.1 | 2023-04-17 | Threat Entry Updated 2025-04-23

The WP VR WordPress plugin before 8.2.9 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVE-2023-0272 | Plugin | MEDIUM, CVSS 5.4 | 2023-03-27 | Threat Entry Updated 2025-02-19

The NEX-Forms WordPress plugin before 8.3.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2023-0174 | Plugin | MEDIUM, CVSS 5.4 | 2023-02-06 | Threat Entry Updated 2025-03-25

The WP VR WordPress plugin before 8.2.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2023-0081 | Plugin | MEDIUM, CVSS 5.4 | 2023-02-06 | Threat Entry Updated 2025-03-25

The MonsterInsights WordPress plugin before 8.12.1 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2022-3209 | Theme | MEDIUM, CVSS 6.1 | 2022-10-10 | Threat Entry Updated 2024-11-21

The soledad WordPress theme before 8.2.5 does not sanitise the {id,datafilter[type],...} parameters in its penci_more_slist_post_ajax AJAX action, leading to a Reflected Cross-Site Scripting (XSS) vulnerability.
CVE-2022-3074 | Plugin | MEDIUM, CVSS 4.8 | 2022-09-26 | Threat Entry Updated 2025-05-22

The Slider Hero WordPress plugin before 8.4.4 does not escape the slider Name, which could allow high-privileged users to perform Cross-Site Scripting attacks.
CVE-2022-1239 | Plugin | HIGH, CVSS 8.8 | 2022-05-02 | Threat Entry Updated 2024-11-21

The HubSpot WordPress plugin before 8.8.15 does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the edit_posts capability (by default contributor and above) to perform SSRF attacks.
CVE-2022-0429 | Plugin | MEDIUM, CVSS 6.1 | 2022-03-07 | Threat Entry Updated 2024-11-21

The WP Cerber Security, Anti-spam & Malware Scan WordPress plugin before 8.9.6 does not sanitise the $url variable before using it in an attribute in the Activity tab in the plugin's dashboard, leading to an unauthenticated stored Cross-Site Scripting vulnerability.
CVE-2021-25115 | Plugin | MEDIUM, CVSS 6.4 | 2022-02-14 | Threat Entry Updated 2026-03-20

The WP Photo Album Plus WordPress plugin before 8.0.10 was vulnerable to Stored Cross-Site Scripting (XSS). Error log content was handled improperly, therefore any user, even unauthenticated, could cause arbitrary JavaScript to be executed in the admin panel.
CVE-2021-25040 | Plugin | MEDIUM, CVSS 6.1 | 2022-01-03 | Threat Entry Updated 2024-11-21

The Booking Calendar WordPress plugin before 8.9.2 does not sanitise and escape the booking_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.
CVE-2021-24705 | Plugin | MEDIUM, CVSS 4.8 | 2021-12-13 | Threat Entry Updated 2024-11-21

The NEX-Forms WordPress plugin before 8.4.3 does not have CSRF checks in place when editing a form, and does not escape some of its settings as well as form fields before outputting them in attributes. This could allow attackers to make a logged-in admin edit arbitrary forms with Cross-Site Scripting payloads in them.