Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-04-08
CVE-2021-4414 - Changeset Plugin
The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.8.5. This is due to missing or incorrect nonce validation on the wcal_preview_emails() function. This makes it possible for unauthenticated attackers to generate email preview templates via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Changeset
CVE-2021-4414
Risk Score
Threat Entry
Updated 2026-04-08
CVE-2021-4409 - Changeset Plugin
The WooCommerce Etsy Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.3.1. This is due to missing or incorrect nonce validation on the etcpf_delete_feed() function. This makes it possible for unauthenticated attackers to delete an export feed via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Changeset
CVE-2021-4409
Risk Score
Threat Entry
Updated 2026-04-08
CVE-2021-4401 - Changeset Plugin
The Style Kits plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.0. This is due to missing or incorrect nonce validation on the update_posts_stylekit() function. This makes it possible for unauthenticated attackers to update style kits for posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Changeset
CVE-2021-4401
Risk Score
Threat Entry
Updated 2026-04-08
CVE-2021-4405 - Changeset Plugin
The ElasticPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.3. This is due to missing or incorrect nonce validation on the epio_send_autosuggest_allowed() function. This makes it possible for unauthenticated attackers to send allowed parameters for autosuggest to elasticpress[.]io via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Changeset
CVE-2021-4405
Risk Score
Threat Entry
Updated 2026-04-08
CVE-2021-4404 - Changeset Plugin
The Event Espresso 4 Decaf plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.10.11. This is due to missing or incorrect nonce validation on the ajaxHandler() function. This makes it possible for unauthenticated attackers to op into notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Changeset
CVE-2021-4404
Risk Score
Threat Entry
Updated 2026-04-08
CVE-2021-4393 - Changeset Plugin
The eCommerce Product Catalog Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.17. This is due to missing or incorrect nonce validation on the save() function. This makes it possible for unauthenticated attackers to save manual digital orders via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Changeset
CVE-2021-4393
Risk Score
Threat Entry
Updated 2026-04-08
CVE-2021-4389 - Changeset Plugin
The WP Travel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.4.6. This is due to missing or incorrect nonce validation on the save_meta_data() function. This makes it possible for unauthenticated attackers to save metadata for travel posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Changeset
CVE-2021-4389
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-2834 - Changeset Plugin
The BookIt plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.3.7. This is due to insufficient verification on the user being supplied during booking an appointment through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.
PLUGIN
Changeset
CVE-2023-2834
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-2982 - Changeset Plugin
The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. This is due to insufficient encryption on the user being supplied during a login validated through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the email address associated with that user. This was partially patched in version 7.6.4 and fully patched in version 7.6.5.
PLUGIN
Changeset
CVE-2023-2982
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-1602 - Changeset Plugin
The Short URL plugin for WordPress is vulnerable to stored Cross-Site Scripting via the 'comment' parameter due to insufficient input sanitization and output escaping in versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Changeset
CVE-2023-1602
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-3407 - Changeset Plugin
The Subscribe2 plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 10.40. This is due to missing or incorrect nonce validation when sending test emails. This makes it possible for unauthenticated attackers to send test emails with custom content to users on sites running a vulnerable version of this plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Changeset
CVE-2023-3407
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-1844 - Changeset Plugin
The Subscribe2 plugin for WordPress is vulnerable to unauthorized access to email functionality due to a missing capability check when sending test emails in versions up to, and including, 10.40. This makes it possible for author-level attackers to send emails with arbitrary content and attachments to site users.
PLUGIN
Changeset
CVE-2023-1844
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-3371 - Changeset Plugin
The User Registration plugin for WordPress is vulnerable to Sensitive Information Exposure due to hardcoded encryption key on the 'lock_content_form_handler' and 'display_password_form' function in versions up to, and including, 3.7.3. This makes it possible for unauthenticated attackers to decrypt and view the password protected content.
PLUGIN
Changeset
CVE-2023-3371
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-3197 - Changeset Plugin
The MStore API plugin for WordPress is vulnerable to Unauthenticated Blind SQL Injection via the 'id' parameter in versions up to, and including, 4.0.1 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Changeset
CVE-2023-3197
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-3387 - Changeset Plugin
The Lana Text to Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'lana_text_to_image' and 'lana_text_to_img' shortcode in versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Changeset
CVE-2023-3387
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-3325 - Changeset Plugin
The CMS Commander plugin for WordPress is vulnerable to authorization bypass due to the use of an insufficiently unique cryptographic signature on the 'cmsc_add_site' function in versions up to, and including, 2.287. This makes it possible for unauthenticated attackers to the plugin to change the '_cmsc_public_key' in the plugin config, providing access to the plugin's remote control functionalities, such as creating an admin access URL, which can be used for privilege escalation. This can only be exploited if the plugin has not been configured yet, however, if combined with another…
PLUGIN
Changeset
CVE-2023-3325
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-2278 - Changeset Plugin
The WP Directory Kit plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.1.9 via the 'wdk_public_action' function. This allows unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
PLUGIN
Changeset
CVE-2023-2278
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-2277 - Changeset Plugin
The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to missing or incorrect nonce validation on the 'insert' function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Changeset
CVE-2023-2277
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-2896 - Changeset Plugin
The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_duplicate_product function. This makes it possible for unauthenticated attackers to duplicate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Changeset
CVE-2023-2896
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-2895 - Changeset Plugin
The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_bulk_activate_product function. This makes it possible for unauthenticated attackers to bulk activate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Changeset
CVE-2023-2895
Risk Score