Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing records 701-720 of 920 (severity filter: Critical; all 920 records in this view are rated Critical).
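The entries in this listing state their affected range in one of two phrasings: "in versions up to, and including, X" (X is still vulnerable) and "before X" (X is the first fixed version). The following is an added example, not code from this database or from any of the plugin vendors, that turns those phrasings into an inventory check. The advisory strings are abridged from entries on this page; the installed-version inventory is constructed for the demonstration. Versions are compared numerically component by component, so 3.0.2.1 is correctly treated as newer than 3.0.2 (the User Registration entry depends on exactly that distinction).

```python
import re

# Affected-range phrasings used by the advisories in this listing. Anything else
# yields "unknown" rather than a guess.
UPTO_INCL = re.compile(r"up to, and including, (\d+(?:\.\d+)*)")
BEFORE = re.compile(r"\bbefore (\d+(?:\.\d+)*)")

# Advisory text abridged from entries on this page: (CVE, plugin label, description).
ADVISORIES = [
    ("CVE-2023-5204", "Wpbot",
     "The ChatBot plugin for WordPress is vulnerable to SQL Injection via the $strid "
     "parameter in versions up to, and including, 4.8.9 due to insufficient escaping."),
    ("CVE-2023-4666", "Form Maker By 10web",
     "The Form Maker by 10Web WordPress plugin before 1.15.20 does not validate signatures "
     "when creating them on the server from user input."),
    ("CVE-2023-5201", "Openhook",
     "The OpenHook plugin for WordPress is vulnerable to Remote Code Execution in versions "
     "up to, and including, 4.3.0 via the 'php' shortcode."),
    ("CVE-2023-3342", "User Registration",
     "The User Registration plugin for WordPress is vulnerable to arbitrary file uploads "
     "in versions up to, and including, 3.0.2. This was partially patched in version 3.0.2 "
     "and fully patched in version 3.0.2.1."),
]

# Constructed inventory (plugin label -> installed version); not taken from the page.
INSTALLED = {
    "Wpbot": "4.8.9",
    "Form Maker By 10web": "1.15.20",
    "Openhook": "4.3.0",
    "User Registration": "3.0.2.1",
}


def parse_version(v):
    """Dotted numeric version -> tuple, so 1.15.20 > 1.15.3 and 3.0.2.1 > 3.0.2.
    Non-numeric suffixes (beta, rc) are dropped; treat such versions with care."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def affected_bound(description):
    """Return (version, inclusive) for the vulnerable upper bound, or None if the
    text uses neither phrasing. The inclusive form is checked first because the
    User Registration entry also names later versions in its patch note."""
    m = UPTO_INCL.search(description)
    if m:
        return m.group(1), True
    m = BEFORE.search(description)
    if m:
        return m.group(1), False
    return None


def is_affected(installed, description):
    """True/False when the range is known, None when it is not."""
    bound = affected_bound(description)
    if bound is None:
        return None
    top, inclusive = bound
    have, limit = parse_version(installed), parse_version(top)
    return have <= limit if inclusive else have < limit


def check_inventory(inventory, advisories):
    """List (cve, plugin, installed_version) for every advisory that applies."""
    hits = []
    for cve, plugin, text in advisories:
        version = inventory.get(plugin)
        if version is not None and is_affected(version, text):
            hits.append((cve, plugin, version))
    return hits


if __name__ == "__main__":
    for hit in check_inventory(INSTALLED, ADVISORIES):
        print("AFFECTED", *hit)
```

With the constructed inventory only Wpbot 4.8.9 and OpenHook 4.3.0 are flagged: both sit exactly on an inclusive bound, while Form Maker 1.15.20 and User Registration 3.0.2.1 are the first fixed versions. A description that uses neither phrasing returns None rather than "not affected", so unknown ranges are not silently passed.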
CVE-2023-5204 - Wpbot Plugin

The ChatBot plugin for WordPress is vulnerable to SQL Injection via the $strid parameter in versions up to, and including, 4.8.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Wpbot. Severity: Critical (CVSS 9.8), 2023-10-19. Entry updated 2025-05-12.
CVE-2023-4666 - Form Maker By 10web Plugin

The Form Maker by 10Web WordPress plugin before 1.15.20 does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files, which leads to RCE.

Plugin: Form Maker By 10web. Severity: Critical (CVSS 9.8), 2023-10-16. Entry updated 2025-04-23.
CVE-2023-5201 - Openhook Plugin

The OpenHook plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.3.0 via the 'php' shortcode. This allows authenticated attackers with subscriber-level permissions or above, to execute code on the server. This requires the [php] shortcode setting to be enabled on the vulnerable site.

Plugin: Openhook. Severity: Critical (CVSS 9.9), 2023-09-30. Entry updated 2024-11-21.
CVE-2023-4521 - Import Xml And Rss Feeds Plugin

The Import XML and RSS Feeds WordPress plugin before 2.1.5 contains a web shell, allowing unauthenticated attackers to perform RCE. The plugin/vendor was not compromised and the files are the result of running a PoC for a previously reported issue (https://wpscan.com/vulnerability/d4220025-2272-4d5f-9703-4b2ac4a51c42) and not deleting the created files when releasing the new version.

Plugin: Import Xml And Rss Feeds. Severity: Critical (CVSS 9.8), 2023-09-25. Entry updated 2025-04-23.
CVE-2023-4490 - Wp Job Portal Plugin

The WP Job Portal WordPress plugin before 2.0.6 does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.

Plugin: Wp Job Portal. Severity: Critical (CVSS 9.8), 2023-09-25. Entry updated 2025-04-23.
CVE-2023-4994 - Allow Php In Posts And Pages Plugin

The Allow PHP in Posts and Pages plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 3.0.4 via the 'php' shortcode. This allows authenticated attackers with subscriber-level permissions or above, to execute code on the server.

Plugin: Allow Php In Posts And Pages. Severity: Critical (CVSS 9.9), 2023-09-16. Entry updated 2024-11-21.
CVE-2023-4634 - Media Library Assistant Plugin

The Media Library Assistant plugin for WordPress is vulnerable to Local File Inclusion and Remote Code Execution in versions up to, and including, 3.09. This is due to insufficient controls on file paths being supplied to the 'mla_stream_file' parameter from the ~/includes/mla-stream-image.php file, where images are processed via Imagick(). This makes it possible for unauthenticated attackers to supply files via FTP that will make directory lists, local file inclusion, and remote code execution possible.

Plugin: Media Library Assistant. Severity: Critical (CVSS 9.8), 2023-09-06. Entry updated 2024-11-21.
CVE-2023-3162 - Stripe Payment Plugin For Woocommerce

The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.7.7. This is due to insufficient verification on the user being supplied during a Stripe checkout through the plugin. This allows unauthenticated attackers to log in as users who have orders, who are typically customers.

Plugin: Stripe Payment Plugin For Woocommerce. Severity: Critical (CVSS 9.8), 2023-08-31. Entry updated 2024-11-21.
CVE-2023-4596 - Forminator Plugin

The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Plugin: Forminator. Severity: Critical (CVSS 9.8), 2023-08-30. Entry updated 2024-11-21.
CVE-2023-4404 - Charitable Plugin

The Donation Forms by Charitable plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.7.0.12 due to insufficient restriction on the 'update_core_user' function. This makes it possible for unauthenticated attackers to specify their user role by supplying the 'role' parameter during a registration.

Plugin: Charitable. Severity: Critical (CVSS 9.8), 2023-08-23. Entry updated 2024-11-21.
CVE-2023-3435 - User Activity Log Plugin

The User Activity Log WordPress plugin before 1.6.5 does not correctly sanitise and escape several parameters before using them in a SQL statement as part of its export feature, allowing unauthenticated attackers to conduct SQL injection attacks.

Plugin: User Activity Log. Severity: Critical (CVSS 9.8), 2023-08-14. Entry updated 2024-11-21.
CVE-2023-3452 - Canto Plugin

The Canto plugin for WordPress is vulnerable to Remote File Inclusion in versions up to, and including, 3.0.4 via the 'wp_abspath' parameter. This allows unauthenticated attackers to include and execute arbitrary remote code on the server, provided that allow_url_include is enabled. Local File Inclusion is also possible, albeit less useful because it requires that the attacker be able to upload a malicious php file via FTP or some other means into a directory readable by the web server.

Plugin: Canto. Severity: Critical (CVSS 9.8), 2023-08-12. Entry updated 2024-11-21.
CVE-2023-3956 - Instawp Connect Plugin

The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access of data, modification of data and loss of data due to a missing capability check on the 'events_receiver' function in versions up to, and including, 0.0.9.18. This makes it possible for unauthenticated attackers to add, modify or delete posts and taxonomies; install, activate or deactivate plugins; change Customizer settings; and add, modify or delete users, including administrator users.

Plugin: Instawp Connect. Severity: Critical (CVSS 9.8), 2023-07-27. Entry updated 2024-11-21.
CVE-2023-3186 - Popup By Supsystic Plugin

The Popup by Supsystic WordPress plugin before 1.10.19 has a prototype pollution vulnerability that could allow an attacker to inject arbitrary properties into Object.prototype.

Plugin: Popup By Supsystic. Severity: Critical (CVSS 9.8), 2023-07-17. Entry updated 2024-11-21.
CVE-2023-3342 - User Registration Plugin

The User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to a hardcoded encryption key and missing file type validation on the 'ur_upload_profile_pic' function in versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with subscriber-level capabilities or above to upload arbitrary files on the affected site's server which may make remote code execution possible. This was partially patched in version 3.0.2 and fully patched in version 3.0.2.1.

Plugin: User Registration. Severity: Critical (CVSS 9.9), 2023-07-13. Entry updated 2024-11-21.
CVE-2023-3077 - MStore API Plugin

The MStore API WordPress plugin before 3.9.8 does not sanitise and escape a parameter before using it in a SQL statement, leading to a Blind SQL injection exploitable by unauthenticated users. This is only exploitable if the site owner elected to pay to get access to the plugin's pro features, and uses the woocommerce-appointments plugin.

Plugin: MStore API. Severity: Critical (CVSS 9.8), 2023-07-10. Entry updated 2024-11-21.
CVE-2023-3076 - MStore API Plugin

The MStore API WordPress plugin before 3.9.9 does not prevent visitors from creating user accounts with the role of their choice via their wholesale REST API endpoint. This is only exploitable if the site owner paid to access the plugin's pro features.

Plugin: MStore API. Severity: Critical (CVSS 9.8), 2023-07-10. Entry updated 2024-11-21.
CVE-2023-3460 - Ultimate Member Plugin

The Ultimate Member WordPress plugin before 2.6.7 does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild.

Plugin: Ultimate Member. Severity: Critical (CVSS 9.8), 2023-07-04. Entry updated 2024-11-21.
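Four entries above let an unauthenticated visitor end up with an account they should not have: Charitable (role chosen at registration), InstaWP Connect (users added through an unchecked receiver), MStore API (role of choice via the wholesale endpoint) and Ultimate Member (arbitrary capabilities, exploited in the wild). Two more, OpenHook and Allow PHP in Posts and Pages, let a subscriber run code through a [php] shortcode. The audit below is an added example for this page, not code from any of those plugins or from this database. It runs the two checks a responder wants after patching, against a constructed in-memory copy of the three WordPress tables involved: accounts that hold administrator and registered on or after a chosen cutoff, accounts whose wp_capabilities array contains a key that is not a standard role at all (what "arbitrary capabilities" looks like in the table), and posts that carry a [php] shortcode, with whether their author is an administrator. The table prefix, cutoff date, user names and post bodies are all constructed for the demonstration.

```python
import re
import sqlite3

# WordPress stores roles and capabilities in wp_usermeta as a PHP-serialised array;
# each granted entry looks like  s:13:"administrator";b:1;  (key length, key, true).
CAP_ENTRY = re.compile(r's:\d+:"([^"]+)";b:1;')
STANDARD_ROLES = {"administrator", "editor", "author", "contributor", "subscriber"}
# The [php] ... [/php] shortcode used by the OpenHook and Allow PHP entries above.
PHP_SHORTCODE = re.compile(r"\[php\b[^\]]*\].*?\[/php\]", re.S)

# Constructed fixture: a subset of the wp_users / wp_usermeta / wp_posts columns.
# "wp_" is the default prefix; substitute the site's own when running this for real.
SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_author INTEGER, post_content TEXT);
"""
USERS = [
    (1, "owner", "2021-03-02 10:00:00"),
    (2, "alice", "2023-05-11 09:30:00"),
    (3, "svc-backup", "2023-07-03 02:14:55"),
    (4, "mallory", "2023-06-20 22:41:07"),
]
USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    # A bare capability instead of a role: no standard registration path writes this.
    (4, "wp_capabilities", 'a:1:{s:14:"manage_options";b:1;}'),
]
POSTS = [
    (10, 1, "Welcome. [php]echo date('Y');[/php]"),
    (11, 2, "Hi all [php] system($_GET['c']); [/php]"),
    (12, 2, "Just text."),
]


def load_fixture():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", USERS)
    con.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", USERMETA)
    con.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", POSTS)
    return con


def granted(serialized_caps):
    """Keys set to true in the serialised capabilities array."""
    return set(CAP_ENTRY.findall(serialized_caps))


def suspicious_accounts(con, cutoff):
    """Accounts holding administrator that registered on/after `cutoff`
    ("YYYY-MM-DD HH:MM:SS" strings compare correctly as text), plus any
    account whose capabilities array contains something that is not a role."""
    rows = con.execute(
        "SELECT u.ID, u.user_login, u.user_registered, m.meta_value "
        "FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' ORDER BY u.ID"
    )
    hits = []
    for uid, login, registered, caps in rows:
        keys = granted(caps)
        if ("administrator" in keys and registered >= cutoff) or (keys - STANDARD_ROLES):
            hits.append((uid, login, sorted(keys)))
    return hits


def php_shortcode_posts(con):
    """Posts containing a [php] shortcode, with whether the author is an administrator."""
    rows = con.execute(
        "SELECT p.ID, u.user_login, m.meta_value, p.post_content "
        "FROM wp_posts p JOIN wp_users u ON u.ID = p.post_author "
        "JOIN wp_usermeta m ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities' "
        "ORDER BY p.ID"
    )
    return [(pid, login, "administrator" in granted(caps))
            for pid, login, caps, content in rows if PHP_SHORTCODE.search(content)]


if __name__ == "__main__":
    db = load_fixture()
    print("accounts:", suspicious_accounts(db, "2023-07-01 00:00:00"))
    print("php shortcodes:", php_shortcode_posts(db))
```

With the cutoff set to 2023-07-01, the fixture yields svc-backup (administrator, registered two days after the cutoff) and mallory (a manage_options key with no role at all, flagged regardless of date), and the shortcode check reports the owner's post as admin-authored and alice's as subscriber-authored. On a real site, pick the cutoff from the plugin's install or last-known-good date, and remember that the capabilities array can also carry additional keys beside a legitimate role; the non-role check catches those too.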
CVE-2023-3249 - Web3 Crypto Wallet Login Nft Token Gating Plugin

The Web3 – Crypto wallet Login & NFT token gating plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.6.0. This is due to incorrect authentication checking in the 'hidden_form_data' function. This makes it possible for authenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.

Plugin: Web3 Crypto Wallet Login Nft Token Gating. Severity: Critical (CVSS 9.8), 2023-06-30. Entry updated 2024-11-21.
CVE-2023-2834 - Bookit Plugin

The BookIt plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.3.7. This is due to insufficient verification on the user being supplied during booking an appointment through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.

Plugin: Bookit. Severity: Critical (CVSS 9.8), 2023-06-30. Entry updated 2024-11-21.