Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-11-21
CVE-2023-1888 - Changeset Plugin
The Directorist plugin for WordPress is vulnerable to an arbitrary user password reset in versions up to, and including, 7.5.4. This is due to a lack of validation checks within login.php. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to reset the password of an arbitrary user and gain elevated (e.g., administrator) privileges.
PLUGIN
Changeset
CVE-2023-1888
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-1889 - Changeset Plugin
The Directorist plugin for WordPress is vulnerable to an Insecure Direct Object Reference in versions up to, and including, 7.5.4. This is due to improper validation and authorization checks within the listing_task function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts.
PLUGIN
Changeset
CVE-2023-1889
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-1843 - Changeset Plugin
The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to unauthorized permalink structure update due to a missing capability check on the permalink_setup function in versions up to, and including, 3.3.0. This makes it possible for unauthenticated attackers to change the permalink structure.
PLUGIN
Changeset
CVE-2023-1843
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-1615 - Changeset Plugin
The Ultimate Addons for Contact Form 7 plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in versions up to, and including, 3.1.23. This makes it possible for authenticated attackers of any authorization level to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Changeset
CVE-2023-1615
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-1430 - Changeset Plugin
The FluentCRM - Marketing Automation For WordPress plugin for WordPress is vulnerable to unauthorized modification of data in versions up to, and including, 2.7.40 due to the use of an MD5 hash without a salt to control subscriptions. This makes it possible for unauthenticated attackers to unsubscribe users from lists and manage subscriptions, granted they gain access to any targeted subscribers email address.
PLUGIN
Changeset
CVE-2023-1430
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-1169 - Changeset Plugin
The OoohBoi Steroids for Elementor plugin for WordPress is vulnerable to missing authorization due to a missing capability check on the 'file_uploader_callback' function in versions up to, and including, 2.1.4. This makes it possible for subscriber-level attackers to upload image attachments to the site.
PLUGIN
Changeset
CVE-2023-1169
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-0721 - Changeset Plugin
The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to CSV injection in versions up to, and including, 3.3.0. This allows unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
PLUGIN
Changeset
CVE-2023-0721
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-0709 - Changeset Plugin
The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'mf_last_name' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level permissions or above, to inject arbitrary web scripts in pages that will execute when the victim visits a a page containing the shortcode when the submission id is present in the query string. Note that getting the JavaScript to execute requires user interaction as the victim must visit a crafted link with the form…
PLUGIN
Changeset
CVE-2023-0709
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-0708 - Changeset Plugin
The Metform Elementor Contact Form Builder for WordPress is vulnerable to Cross-Site Scripting by using the 'mf_first_name' shortcode to echo unescaped form submissions in versions up to, and including, 3.3.0. This allows authenticated attackers, with contributor-level permissions or above, to inject arbitrary web scripts in pages that will execute when the victim visits a a page containing the shortcode when the submission id is present in the query string. Note that getting the JavaScript to execute requires user interaction as the victim must visit a crafted link with the form…
PLUGIN
Changeset
CVE-2023-0708
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-0694 - Changeset Plugin
The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about any standard form field of any form submission.
PLUGIN
Changeset
CVE-2023-0694
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-0693 - Changeset Plugin
The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_transaction_id' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about the transaction ids of arbitrary form submissions that included payment.
PLUGIN
Changeset
CVE-2023-0693
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-0692 - Changeset Plugin
The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_payment_status' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about the payment status of arbitrary form submissions.
PLUGIN
Changeset
CVE-2023-0692
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-0688 - Changeset Plugin
The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_thankyou' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about form submissions, including payment status, and transaction ID.
PLUGIN
Changeset
CVE-2023-0688
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-0691 - Changeset Plugin
The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_last_name' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above to obtain sensitive information about arbitrary form submissions, specifically the submitter's last name.
PLUGIN
Changeset
CVE-2023-0691
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-0292 - Changeset Plugin
The Quiz And Survey Master plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.0.8. This is due to missing nonce validation on the function associated with the qsm_remove_file_fd_question AJAX action. This makes it possible for unauthenticated attackers to delete arbitrary media files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Changeset
CVE-2023-0292
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-0291 - Changeset Plugin
The Quiz And Survey Master for WordPress is vulnerable to authorization bypass due to a missing capability check on the function associated with the qsm_remove_file_fd_question AJAX action in versions up to, and including, 8.0.8. This makes it possible for unauthenticated attackers to delete arbitrary media files.
PLUGIN
Changeset
CVE-2023-0291
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-2986 - Changeset Plugin
The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.14.2. This is due to insufficient encryption on the user being supplied during the abandoned cart link decode through the plugin. This allows unauthenticated attackers to log in as users who have abandoned the cart, who are typically customers. Further security hardening was introduced in version 5.15.1 that ensures sites are no longer vulnerable through historical check-out links, and additional hardening was introduced in version 5.15.2 that ensured null key…
PLUGIN
Changeset
CVE-2023-2986
Risk Score
Threat Entry
Updated 2026-04-08
CVE-2021-4382 - Changeset Plugin
The Recently plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the fetch_external_image() function in versions up to, and including, 3.0.4. This makes it possible for authenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Changeset
CVE-2021-4382
Risk Score
Threat Entry
Updated 2026-04-08
CVE-2021-4373 - Changeset Plugin
The Better Search plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.2. This makes it possible for unauthenticated attackers to import settings via forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Changeset
CVE-2021-4373
Risk Score
Threat Entry
Updated 2026-04-08
CVE-2021-4377 - Changeset Plugin
The Doneren met Mollie plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 2.8.5 via the dmm_export_donations() function which is called via the admin_post_dmm_export hook due to missing capability checks. This can allow authenticated attackers to extract a CSV file that contains sensitive information about the donors.
PLUGIN
Changeset
CVE-2021-4377
Risk Score