Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 920 | Critical: 920 | High: 0 | Medium: 0
Showing 761-780 of 920 records
Threat Entry Updated 2025-03-12

CVE-2023-0232 - Before 2 Plugin

The ShopLentor WordPress plugin before 2.5.4 unserializes user input from cookies in order to track viewed products and user data, which could lead to PHP Object Injection.

PLUGIN Before 2

CVE-2023-0232

CRITICAL CVSS 9.8 2023-02-21
Threat Entry Updated 2024-11-21

CVE-2023-0556 - Contentstudio Plugin

The ContentStudio plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several functions in versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to obtain the blog metadata (via the function cstu_get_metadata) that includes the plugin's contentstudio_token. Knowing this token allows for other interactions with the plugin such as creating posts in versions prior to 1.2.5, which added other requirements to posting and updating.

PLUGIN Contentstudio

CVE-2023-0556

CRITICAL CVSS 9.8 2023-01-27
Threat Entry Updated 2025-04-03

CVE-2023-23489 - Easy Digital Downloads Plugin

The Easy Digital Downloads WordPress Plugin, versions 3.1.0.2 & 3.1.0.3, is affected by an unauthenticated SQL injection vulnerability in the 's' parameter of its 'edd_download_search' action.

PLUGIN Easy Digital Downloads

CVE-2023-23489

CRITICAL CVSS 9.8 2023-01-20
Threat Entry Updated 2025-04-03

CVE-2023-23488 - Paid Memberships Pro Plugin

The Paid Memberships Pro WordPress Plugin, version < 2.9.8, is affected by an unauthenticated SQL injection vulnerability in the 'code' parameter of the '/pmpro/v1/order' REST route.

PLUGIN Paid Memberships Pro

CVE-2023-23488

CRITICAL CVSS 9.8 2023-01-20
Threat Entry Updated 2025-04-30

CVE-2021-24649 - Wp User Frontend Plugin

The WP User Frontend WordPress plugin before 3.5.29 uses a user-supplied argument called urhidden in its registration form, which contains the role for the account to be created with, encrypted via wpuf_encryption(). This could allow an attacker having access to the AUTH_KEY and AUTH_SALT constants (via an arbitrary file access issue for example, or if the blog is using the default keys) to create an account with any role they want, such as admin.

PLUGIN Wp User Frontend

CVE-2021-24649

CRITICAL CVSS 9.8 2022-11-21
Threat Entry Updated 2025-05-06

CVE-2022-3254 - Wordpress Classifieds Plugin

The WordPress Classifieds Plugin WordPress plugin before 4.3 does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users and when a specific premium module is active, leading to a SQL injection.

PLUGIN Wordpress Classifieds

CVE-2022-3254

CRITICAL CVSS 9.8 2022-10-31
Threat Entry Updated 2025-05-05

CVE-2022-3708 - Web Stories Plugin

The Web Stories plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including 1.24.0 due to insufficient validation of URLs supplied via the 'url' parameter found via the /v1/hotlink/proxy REST API Endpoint. This makes it possible for authenticated users to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Web Stories

CVE-2022-3708

CRITICAL CVSS 9.6 2022-10-28
Threat Entry Updated 2024-11-21

CVE-2022-2840 - Zephyr Project Manager Plugin

The Zephyr Project Manager WordPress plugin before 3.2.5 does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL injections.

PLUGIN Zephyr Project Manager

CVE-2022-2840

CRITICAL CVSS 9.8 2022-09-19
Threat Entry Updated 2024-11-21

CVE-2022-2754 - Ketchup Restaurant Reservations Plugin

The Ketchup Restaurant Reservations WordPress plugin through 1.0.0 does not validate and escape some reservation parameters before using them in SQL statements, which could allow unauthenticated attackers to perform SQL injection attacks.

PLUGIN Ketchup Restaurant Reservations

CVE-2022-2754

CRITICAL CVSS 9.8 2022-09-19
Threat Entry Updated 2024-11-21

CVE-2022-2180 - Greyd Suite Plugin

The GREYD.SUITE WordPress theme does not properly validate uploaded custom font packages, and does not perform any authorization or csrf checks, allowing an unauthenticated attacker to upload arbitrary files including php source files, leading to possible remote code execution (RCE).

PLUGIN Greyd Suite

CVE-2022-2180

CRITICAL CVSS 9.8 2022-08-15
Threat Entry Updated 2025-09-03

CVE-2022-2460 - Before 7 Plugin

The WPDating WordPress plugin before 7.4.0 does not properly escape user input before concatenating it to certain SQL queries, leading to multiple SQL injection vulnerabilities exploitable by unauthenticated users.

PLUGIN Before 7

CVE-2022-2460

CRITICAL CVSS 9.8 2022-08-08
Threat Entry Updated 2024-11-21

CVE-2022-2269 - Website File Changes Monitor Plugin

The Website File Changes Monitor WordPress plugin before 1.8.3 does not sanitise and escape user input before using it in a SQL statement via an action available to users with the manage_options capability (by default admins), leading to an SQL injection.

PLUGIN Website File Changes Monitor

CVE-2022-2269

CRITICAL CVSS 9.8 2022-08-08
Threat Entry Updated 2024-11-21

CVE-2022-2317 - Simple Membership Plugin

The Simple Membership WordPress plugin before 4.1.3 allows users to change their membership at the registration stage due to insufficient checking of a user-supplied parameter.

PLUGIN Simple Membership

CVE-2022-2317

CRITICAL CVSS 9.8 2022-08-01
Threat Entry Updated 2024-11-21

CVE-2022-1950 - Before 1 Plugin

The Youzify WordPress plugin before 1.2.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to an unauthenticated SQL injection.

PLUGIN Before 1

CVE-2022-1950

CRITICAL CVSS 9.8 2022-08-01