"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 43
Critical: 0
High: 8
Medium: 33
Showing 21-40 of 43 records
Threat Entry Updated 2025-02-19

CVE-2023-0335 - Through 4 Plugin

The WP Shamsi WordPress plugin through 4.3.3 has CSRF and broken access control vulnerabilities, which allow a user with a role as low as subscriber to delete attachments.

PLUGIN Through 4

CVE-2023-0335

MEDIUM CVSS 6.5 2023-03-27
Threat Entry Updated 2025-02-26

CVE-2023-0340 - Through 4 Plugin

The Custom Content Shortcode WordPress plugin through 4.0.2 does not validate one of its shortcode attributes, which could allow users with a contributor role and above to include arbitrary files via a traversal attack. This could also allow them to read non-PHP files and retrieve their content. RCE could also be achieved if the attacker manages to upload a malicious image containing PHP code and then include it via the affected attribute; on a default WP install, authors could easily achieve that given that they have the upload_file capability.

PLUGIN Through 4

CVE-2023-0340

HIGH CVSS 8.8 2023-03-20
Threat Entry Updated 2025-02-26

CVE-2023-0273 - Through 4 Plugin

The Custom Content Shortcode WordPress plugin through 4.0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Through 4

CVE-2023-0273

MEDIUM CVSS 5.4 2023-03-20
Threat Entry Updated 2025-02-27

CVE-2023-0066 - Through 4 Plugin

The Companion Sitemap Generator WordPress plugin through 4.5.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Through 4

CVE-2023-0066

MEDIUM CVSS 5.4 2023-03-13
Threat Entry Updated 2025-03-05

CVE-2023-0069 - Through 4 Plugin

The WPaudio MP3 Player WordPress plugin through 4.0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Through 4

CVE-2023-0069

MEDIUM CVSS 5.4 2023-03-06
Threat Entry Updated 2025-03-25

CVE-2023-0147 - Through 4 Plugin

The Flexible Captcha WordPress plugin through 4.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Through 4

CVE-2023-0147

MEDIUM CVSS 5.4 2023-02-06
Threat Entry Updated 2025-05-06

CVE-2022-3096 - Through 4 Plugin

The WP Total Hacks WordPress plugin through 4.7.2 does not prevent low privilege users from modifying the plugin's settings. This could allow users such as subscribers to perform Stored Cross-Site Scripting attacks against other users, like administrators, due to the lack of sanitisation and escaping as well.

PLUGIN Through 4

CVE-2022-3096

MEDIUM CVSS 5.4 2022-10-31
Threat Entry Updated 2024-11-21

CVE-2022-2083 - Through 4 Plugin

The Simple Single Sign On WordPress plugin through 4.1.0 leaks its OAuth client_secret, which could be used by attackers to gain unauthorized access to the site.

PLUGIN Through 4

CVE-2022-2083

HIGH CVSS 7.5 2022-09-05
Threat Entry Updated 2024-11-21

CVE-2022-2411 - Through 4 Plugin

The Auto More Tag WordPress plugin through 4.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Through 4

CVE-2022-2411

MEDIUM CVSS 4.8 2022-08-08
Threat Entry Updated 2024-11-21

CVE-2022-1906 - Through 4 Plugin

The Copyright Proof WordPress plugin through 4.16 does not sanitise and escape a parameter before outputting it back via an AJAX action available to both unauthenticated and authenticated users, leading to a Reflected Cross-Site Scripting when a specific setting is enabled.

PLUGIN Through 4

CVE-2022-1906

MEDIUM CVSS 6.1 2022-08-01
Threat Entry Updated 2024-11-21

CVE-2022-1828 - Through 4 Plugin

The PDF24 Articles To PDF WordPress plugin through 4.2.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

PLUGIN Through 4

CVE-2022-1828

MEDIUM CVSS 6.5 2022-06-20
Threat Entry Updated 2024-11-21

CVE-2022-1827 - Through 4 Plugin

The PDF24 Article To PDF WordPress plugin through 4.2.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

PLUGIN Through 4

CVE-2022-1827

MEDIUM CVSS 6.5 2022-06-20
Threat Entry Updated 2024-11-21

CVE-2022-1788 - Through 4 Plugin

Due to missing checks, the Change Uploaded File Permissions WordPress plugin through 4.0.0 is vulnerable to CSRF attacks. This can be used to change the file and folder permissions of any folder. This could be problematic when specific files, like ini files, are made readable for everyone as a result.

PLUGIN Through 4

CVE-2022-1788

MEDIUM CVSS 6.5 2022-06-13
Threat Entry Updated 2024-11-21

CVE-2022-1605 - Through 4 Plugin

The Email Users WordPress plugin through 4.8.8 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack and change the notification settings of arbitrary users.

PLUGIN Through 4

CVE-2022-1605

MEDIUM CVSS 6.5 2022-06-13
Threat Entry Updated 2024-11-21

CVE-2022-1683 - Through 4 Plugin

The amtyThumb WordPress plugin through 4.2.0 does not sanitise and escape a parameter before using it in a SQL statement via its shortcode, leading to an SQL injection. It is exploitable by any authenticated user (and not just Author+ as the original advisory mentions), because they can execute shortcodes via an AJAX action.

PLUGIN Through 4

CVE-2022-1683

HIGH CVSS 8.8 2022-06-08
Threat Entry Updated 2024-11-21

CVE-2022-1103 - Through 4 Plugin

The Advanced Uploader WordPress plugin through 4.2 allows any authenticated user, such as a subscriber, to upload arbitrary files, such as PHP, which could lead to RCE.

PLUGIN Through 4

CVE-2022-1103

HIGH CVSS 8.8 2022-05-16
Threat Entry Updated 2024-11-21

CVE-2021-24803 - Through 4 Plugin

The Core Tweaks WP Setup WordPress plugin through 4.1 allows bulk-setting many settings in WordPress, including the admin email, as well as creating a new admin account. There is no CSRF protection in place, allowing an attacker to arbitrarily change the admin email or create another admin account and take over the website via CSRF attacks.

PLUGIN Through 4

CVE-2021-24803

HIGH CVSS 8.8 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-24631 - Through 4 Plugin

The Unlimited PopUps WordPress plugin through 4.5.3 does not sanitise or escape the did GET parameter before using it in a SQL statement, available to users as low as editor, leading to an authenticated SQL Injection.

PLUGIN Through 4

CVE-2021-24631

HIGH CVSS 8.8 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24487 - Through 4 Plugin

The St-Daily-Tip WordPress plugin through 4.7 does not have any CSRF check in place when saving its 'Default Text to Display if no tips' setting, and was also lacking sanitisation as well as escaping before outputting it in the page. This could allow an attacker to make logged-in administrators set a malicious payload in it, leading to a Stored Cross-Site Scripting issue.

PLUGIN Through 4

CVE-2021-24487

HIGH CVSS 8.8 2021-10-25
Threat Entry Updated 2024-11-21

CVE-2021-24612 - Through 4 Plugin

The Sociable WordPress plugin through 4.3.4.1 does not sanitise or escape some of its settings before outputting them in the admin dashboard, allowing high privilege users to perform Cross-Site Scripting attacks against other users even when the unfiltered_html capability is disallowed.

PLUGIN Through 4

CVE-2021-24612

MEDIUM CVSS 4.8 2021-10-18