Threat Entry Updated 2026-04-15

CVE-2026-0722 - Shield Security Plugin

The Shield Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 21.0.8. This is due to the plugin allowing nonce verification to be bypassed via user-supplied parameter in the 'isNonceVerifyRequired' function. This makes it possible for unauthenticated attackers to execute SQL injection attacks, extracting sensitive information from the database, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Shield Security

CVE-2026-0722

MEDIUM CVSS 6.5 2026-02-19

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2026-04-15

CVE-2026-0561 - Shield Security Plugin

The Shield Security plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'message' parameter in all versions up to, and including, 21.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Shield Security

CVE-2026-0561

MEDIUM CVSS 6.1 2026-02-19

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-05-17

CVE-2024-7313 - Shield Security Plugin

The Shield Security WordPress plugin before 20.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Shield Security

CVE-2024-7313

MEDIUM CVSS 6.1 2024-08-26

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2023-6989 - Shield Security Plugin

The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it possible for unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files.

PLUGIN Shield Security

CVE-2023-6989

CRITICAL CVSS 9.8 2024-02-05

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2023-0993 - Shield Security Plugin

The Shield Security plugin for WordPress is vulnerable to Missing Authorization on the 'theme-plugin-file' AJAX action in versions up to, and including, 17.0.17. This allows authenticated attackers to add arbitrary audit log entries indicating that a theme or plugin has been edited, and is also a vector for Cross-Site Scripting via CVE-2023-0992.

PLUGIN Shield Security

CVE-2023-0993

MEDIUM CVSS 4.3 2023-06-09

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2023-0992 - Shield Security Plugin

The Shield Security plugin for WordPress is vulnerable to stored Cross-Site Scripting in versions up to, and including, 17.0.17 via the 'User-Agent' header. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Shield Security

CVE-2023-0992

HIGH CVSS 7.2 2023-06-09

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2022-0211 - Shield Security Plugin

The Shield Security WordPress plugin before 13.0.6 does not sanitise and escape admin notes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.

PLUGIN Shield Security

CVE-2022-0211

MEDIUM CVSS 4.8 2022-02-21

Risk Score

Open Full Technical Breakdown