Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 920 (Critical: 920, High: 0, Medium: 0)
Showing 721-740 of 920 records
Threat Entry Updated 2024-11-21

CVE-2023-2982 - Wordpress Social Login And Register Discord Google Twitter Linkedin Plugin

The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. This is due to insufficient encryption on the user being supplied during a login validated through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the email address associated with that user. This was partially patched in version 7.6.4 and fully patched in version 7.6.5.

PLUGIN Wordpress Social Login And Register Discord Google Twitter Linkedin

CVE-2023-2982

CRITICAL CVSS 9.8 2023-06-29
Threat Entry Updated 2024-11-21

CVE-2023-2601 - Before 2 Plugin

The wpbrutalai WordPress plugin before 2.0.0 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin via CSRF.

PLUGIN Before 2

CVE-2023-2601

CRITICAL CVSS 9.8 2023-06-27
Threat Entry Updated 2024-11-21

CVE-2023-2068 - File Manager Advanced Shortcode Plugin

The File Manager Advanced Shortcode WordPress plugin through 2.3.2 does not adequately prevent uploading files with disallowed MIME types when using the shortcode. This leads to RCE in cases where the allowed MIME type list does not include PHP files. In the worst case, this is available to unauthenticated users.

PLUGIN File Manager Advanced Shortcode

CVE-2023-2068

CRITICAL CVSS 9.8 2023-06-27
Threat Entry Updated 2024-11-21

CVE-2023-3197 - Mstore Api Plugin

The MStore API plugin for WordPress is vulnerable to Unauthenticated Blind SQL Injection via the 'id' parameter in versions up to, and including, 4.0.1 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Mstore Api

CVE-2023-3197

CRITICAL CVSS 9.8 2023-06-24
Threat Entry Updated 2024-11-21

CVE-2023-2278 - Wp Directory Kit Plugin

The WP Directory Kit plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.1.9 via the 'wdk_public_action' function. This allows unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

PLUGIN Wp Directory Kit

CVE-2023-2278

CRITICAL CVSS 9.8 2023-06-13
Threat Entry Updated 2024-11-21

CVE-2023-2986 - Abandoned Cart Lite For Woocommerce Plugin

The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.14.2. This is due to insufficient encryption on the user being supplied during the abandoned cart link decode through the plugin. This allows unauthenticated attackers to log in as users who have abandoned the cart, who are typically customers. Further security hardening was introduced in version 5.15.1 that ensures sites are no longer vulnerable through historical check-out links, and additional hardening was introduced in version 5.15.2 that ensured null key…

PLUGIN Abandoned Cart Lite For Woocommerce

CVE-2023-2986

CRITICAL CVSS 9.8 2023-06-08
Threat Entry Updated 2026-04-08

CVE-2021-4380 - Pinterest Automatic Pin Plugin

The Pinterest Automatic plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the 'wp_pinterest_automatic_parse_request' function and the 'process_form.php' script in versions up to, and including, 1.14.3. This makes it possible for unauthenticated attackers to update arbitrary options on a site that can be used to create new administrative user accounts or redirect unsuspecting site visitors.

PLUGIN Pinterest Automatic Pin

CVE-2021-4380

CRITICAL CVSS 9.8 2023-06-07
Threat Entry Updated 2026-04-08

CVE-2021-4381 - Ulisting Plugin

The uListing plugin for WordPress is vulnerable to authorization bypass via wp_route due to missing capability checks, and a missing security nonce, in the StmListingSingleLayout::import_new_layout method in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to change any WordPress option in the database.

PLUGIN Ulisting

CVE-2021-4381

CRITICAL CVSS 9.8 2023-06-07
Threat Entry Updated 2026-04-08

CVE-2021-4374 - Wordpress Automatic Plugin

The WordPress Automatic Plugin for WordPress is vulnerable to arbitrary options updates in versions up to, and including, 3.53.2. This is due to missing authorization and option validation in the process_form.php file. This makes it possible for unauthenticated attackers to arbitrarily update the settings of a vulnerable site and ultimately compromise the entire site.

PLUGIN Wordpress Automatic

CVE-2021-4374

CRITICAL CVSS 9.1 2023-06-07
Threat Entry Updated 2026-04-08

CVE-2021-4368 - Frontend File Manager Plugin

The Frontend File Manager plugin for WordPress is vulnerable to Authenticated Settings Change in versions up to, and including, 18.2. This is due to lacking capability checks and a security nonce, all on the wpfm_save_settings AJAX action. This makes it possible for subscriber-level attackers to edit the plugin settings, such as the allowed upload file types. This can lead to remote code execution through other vulnerabilities.

PLUGIN Frontend File Manager

CVE-2021-4368

CRITICAL CVSS 9.9 2023-06-07
Threat Entry Updated 2026-04-08

CVE-2021-4360 - Controlled Admin Access Plugin

The Controlled Admin Access plugin for WordPress is vulnerable to Privilege Escalation in versions up to, and including, 1.5.5 by not properly restricting access to the configuration page. This makes it possible for attackers to create a new administrator role with unrestricted access.

PLUGIN Controlled Admin Access

CVE-2021-4360

CRITICAL CVSS 9.9 2023-06-07
Threat Entry Updated 2026-04-08

CVE-2021-4370 - Ulisting Plugin

The uListing plugin for WordPress is vulnerable to authorization bypass as most actions and endpoints are accessible to unauthenticated users, lack security nonces, and data is seldom validated. This issue exists in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to conduct numerous administrative actions, including those less critical than the explicitly outlined ones in our detection.

PLUGIN Ulisting

CVE-2021-4370

CRITICAL CVSS 9.8 2023-06-07
Threat Entry Updated 2024-11-21

CVE-2021-4362 - Kiwi Social Share Plugin

The Kiwi Social Share plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the kiwi_social_share_get_option() function called via the kiwi_social_share_get_option AJAX action in version 2.1.0. This makes it possible for unauthenticated attackers to read and modify arbitrary options on a WordPress site that can be used for complete site takeover. This was a previously fixed vulnerability that was reintroduced in this version.

PLUGIN Kiwi Social Share

CVE-2021-4362

CRITICAL CVSS 9.8 2023-06-07
Threat Entry Updated 2026-04-08

CVE-2021-4357 - Ulisting Plugin

The uListing plugin for WordPress is vulnerable to authorization bypass due to missing capability checks, and a missing security nonce, on the UlistingUserRole::save_role_api function in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to arbitrarily delete site posts and pages.

PLUGIN Ulisting

CVE-2021-4357

CRITICAL CVSS 9.1 2023-06-07
Threat Entry Updated 2026-04-08

CVE-2021-4356 - Frontend File Manager Plugin

The Frontend File Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Download in versions up to, and including, 18.2. This is due to lacking authentication protections, capability checks, and sanitization, all on the wpfm_file_meta_update AJAX action. This makes it possible for unauthenticated attackers to download arbitrary files on the site, potentially leading to site takeover.

PLUGIN Frontend File Manager

CVE-2021-4356

CRITICAL CVSS 9.0 2023-06-07
Threat Entry Updated 2026-04-08

CVE-2021-4347 - Advanced Shipment Tracking For Woocommerce Plugin

The function update_shipment_status_email_status_fun in the plugin Advanced Shipment Tracking for WooCommerce in versions up to 3.2.6 is vulnerable to authenticated arbitrary options update. The function allows attackers (including those at customer level) to update any WordPress option in the database. Version 3.2.5 was initially released as a fix, but doesn't fully address the issue.

PLUGIN Advanced Shipment Tracking For Woocommerce

CVE-2021-4347

CRITICAL CVSS 9.9 2023-06-07
Threat Entry Updated 2026-04-08

CVE-2021-4346 - Ulisting Plugin

The uListing plugin for WordPress is vulnerable to Unauthenticated Arbitrary Account Changes in versions up to, and including, 1.6.6. This is due to missing login checks on the stm_listing_profile_edit AJAX action. This makes it possible for unauthenticated attackers to edit any account on the blog, such as changing the admin account's email address.

PLUGIN Ulisting

CVE-2021-4346

CRITICAL CVSS 9.8 2023-06-07
Threat Entry Updated 2026-04-08

CVE-2021-4343 - Ulisting Plugin

The Unauthenticated Account Creation plugin for WordPress is vulnerable to Unauthenticated Account Creation in versions up to, and including, 1.6.6. This is due to the stm_listing_register AJAX action function being accessible and taking roles unprotected. This makes it possible for unauthenticated attackers to create accounts, even those with administrator privileges.

PLUGIN Ulisting

CVE-2021-4343

CRITICAL CVSS 9.8 2023-06-07
Threat Entry Updated 2026-04-08

CVE-2021-4341 - Ulisting Plugin

The uListing plugin for WordPress is vulnerable to authorization bypass via Ajax due to missing capability checks, missing input validation, and a missing security nonce in the stm_update_email_data AJAX action in versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to change any WordPress option in the database.

PLUGIN Ulisting

CVE-2021-4341

CRITICAL CVSS 9.8 2023-06-07