
"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Severity filter: Total 3,045 | Critical 0 | High 3,045 | Medium 0
Showing 2201-2220 of 3045 records
Threat Entry Updated 2024-11-21

CVE-2024-22305 - Kali Forms Plugin

Authorization Bypass Through User-Controlled Key vulnerability in Kali Forms Contact Form builder with drag & drop for WordPress – Kali Forms. This issue affects Contact Form builder with drag & drop for WordPress – Kali Forms: from n/a through 2.3.36.

PLUGIN Kali Forms

CVE-2024-22305

HIGH CVSS 7.5 2024-01-31
Threat Entry Updated 2025-05-29

CVE-2024-1069 - Database For Contact Form 7 Wpforms Elementor Forms Plugin

The Contact Form Entries plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation on the 'view_page' function in versions up to, and including, 1.3.2. This makes it possible for authenticated attackers with administrator-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Database For Contact Form 7 Wpforms Elementor Forms

CVE-2024-1069

HIGH CVSS 7.2 2024-01-31
Threat Entry Updated 2024-11-21

CVE-2024-1061 - Html5 Video Player Plugin

The 'HTML5 Video Player' WordPress Plugin, version < 2.5.25 is affected by an unauthenticated SQL injection vulnerability in the 'id' parameter in the 'get_view' function.

PLUGIN Html5 Video Player

CVE-2024-1061

HIGH CVSS 8.6 2024-01-30
Threat Entry Updated 2025-06-17

CVE-2023-7074 - Wp Social Bookmark Menu Plugin

The WP SOCIAL BOOKMARK MENU WordPress plugin through 1.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

PLUGIN Wp Social Bookmark Menu

CVE-2023-7074

HIGH CVSS 8.8 2024-01-29
Threat Entry Updated 2025-06-11

CVE-2023-6946 - Autotitle Plugin

The Autotitle for WordPress plugin through 1.0.3 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

PLUGIN Autotitle

CVE-2023-6946

HIGH CVSS 8.8 2024-01-29
Threat Entry Updated 2025-05-29

CVE-2023-6391 - Custom User Css Plugin

The Custom User CSS WordPress plugin through 0.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

PLUGIN Custom User Css

CVE-2023-6391

HIGH CVSS 8.8 2024-01-29
Threat Entry Updated 2025-06-20

CVE-2023-6390 - Wordpress Users Plugin

The WordPress Users WordPress plugin through 1.4 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

PLUGIN Wordpress Users

CVE-2023-6390

HIGH CVSS 8.8 2024-01-29
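The four entries above (CVE-2023-7074, CVE-2023-6946, CVE-2023-6391 and CVE-2023-6390) describe the same defect: a settings-update handler that honours any POST arriving with an administrator's session cookie, so a page the admin merely visits can rewrite the plugin's options. The block below is an added example written for this page, not code from any of the listed plugins. It is a WordPress plugin fragment and assumes WordPress is loaded; the hook name `xyz_save_settings`, the option `xyz_tracking_script` and the nonce field `_xyz_nonce` are hypothetical, while `add_action`, `current_user_can`, `check_admin_referer`, `wp_nonce_field`, `update_option`, `wp_safe_redirect` and `admin_url` are WordPress core functions.

```php
<?php
// Added example (not from any listed plugin). Assumes WordPress is loaded.
// Hook, option and nonce names are hypothetical.

// --- Vulnerable pattern: any POST that reaches admin-post.php is honoured. ---
// A victim admin who loads an attacker page with an auto-submitting form
// changes the option without ever seeing the settings screen.
add_action( 'admin_post_xyz_save_settings_vuln', function () {
    if ( isset( $_POST['xyz_tracking_script'] ) ) {
        update_option( 'xyz_tracking_script', $_POST['xyz_tracking_script'] );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=xyz' ) );
    exit;
} );

// --- Hardened pattern: capability check + nonce check + sanitisation. ---
add_action( 'admin_post_xyz_save_settings', function () {
    // 1. Authorisation: the caller must be allowed to change site settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. CSRF: the request must carry a nonce bound to this action and this user.
    //    check_admin_referer() dies with a 403 if the nonce is missing or invalid.
    check_admin_referer( 'xyz_save_settings', '_xyz_nonce' );
    // 3. Sanitise before storing.
    $value = isset( $_POST['xyz_tracking_script'] )
        ? sanitize_text_field( wp_unslash( $_POST['xyz_tracking_script'] ) )
        : '';
    update_option( 'xyz_tracking_script', $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=xyz&updated=1' ) );
    exit;
} );

// The settings form must emit the matching nonce for the hardened handler.
function xyz_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="xyz_save_settings">
        <?php wp_nonce_field( 'xyz_save_settings', '_xyz_nonce' ); ?>
        <input type="text" name="xyz_tracking_script"
               value="<?php echo esc_attr( get_option( 'xyz_tracking_script', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

/*
 * Attacker-side proof against the vulnerable handler, hosted on any site the
 * admin visits (victim.example is a placeholder):
 *
 *   <form id="f" action="https://victim.example/wp-admin/admin-post.php" method="POST">
 *     <input type="hidden" name="action" value="xyz_save_settings_vuln">
 *     <input type="hidden" name="xyz_tracking_script" value="attacker controlled">
 *   </form>
 *   <script>document.getElementById('f').submit()</script>
 *
 * The same form posted with action=xyz_save_settings dies inside
 * check_admin_referer() with a 403, because a third-party page cannot obtain a
 * nonce tied to the victim's session.
 */
```

The nonce is a CSRF control, not an authorisation control: the `current_user_can()` check is still needed, since a nonce proves only that the request came from a page WordPress rendered for that user. When reviewing a plugin, grep its `admin_post_*`, `wp_ajax_*` and `options.php` handlers for the absence of `check_admin_referer()` / `check_ajax_referer()`; that is exactly the pattern these four advisories report.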
Threat Entry Updated 2026-02-20

CVE-2023-6279 - Woostify Sites Library Plugin

The Woostify Sites Library WordPress plugin before 1.4.8 does not have an authorisation check in an AJAX action, allowing any authenticated user, such as a subscriber, to update arbitrary blog options and set them to 'activated', which could lead to DoS when using a specific option name.

PLUGIN Woostify Sites Library

CVE-2023-6279

HIGH CVSS 7.1 2024-01-29
Threat Entry Updated 2024-11-21

CVE-2024-0212 - Cloudflare Plugin

The Cloudflare WordPress plugin was found to be vulnerable to improper authentication. The vulnerability enables attackers with a lower-privileged account to access data from the Cloudflare API.

PLUGIN Cloudflare

CVE-2024-0212

HIGH CVSS 8.1 2024-01-29
Threat Entry Updated 2025-06-20

CVE-2023-7082 - Import Any XML or CSV File to WordPress Plugin

The Import any XML or CSV File to WordPress plugin before 3.7.3 accepts all zip files and automatically extracts the zip file into a publicly accessible directory without sufficiently validating the extracted file type. This may allow high-privilege users such as administrators to upload an executable file type, leading to remote code execution.

PLUGIN Import Any XML or CSV File to WordPress

CVE-2023-7082

HIGH CVSS 7.2 2024-01-22
Threat Entry Updated 2025-05-30

CVE-2023-7063 - Wpforms Plugin

The WPForms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form submission parameters in all versions up to, and including, 1.8.5.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wpforms

CVE-2023-7063

HIGH CVSS 7.2 2024-01-20
Threat Entry Updated 2025-06-17

CVE-2023-5041 - Track The Click Plugin

The Track The Click WordPress plugin before 0.3.12 does not properly sanitize query parameters to the stats REST endpoint before using them in a database query, allowing a logged-in user with an author role or higher to perform time-based blind SQLi attacks on the database.

PLUGIN Track The Click

CVE-2023-5041

HIGH CVSS 8.8 2024-01-17
Threat Entry Updated 2025-06-02

CVE-2024-0405 - Burst Statistics Plugin

The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin, version 1.5.3, is vulnerable to Post-Authenticated SQL Injection via multiple JSON parameters in the /wp-json/burst/v1/data/compare endpoint. Affected parameters include 'browser', 'device', 'page_id', 'page_url', 'platform', and 'referrer'. This vulnerability arises due to insufficient escaping of user-supplied parameters and the lack of adequate preparation in SQL queries. As a result, authenticated attackers with editor access or higher can append additional SQL queries into existing ones, potentially leading to unauthorized access to sensitive information from the database.

PLUGIN Burst Statistics

CVE-2024-0405

HIGH CVSS 7.2 2024-01-17
Threat Entry Updated 2025-06-11

CVE-2023-6373 - ArtPlacer Widget Plugin

The ArtPlacer Widget WordPress plugin before 2.20.7 does not sanitize and escape the "id" parameter before submitting the query, leading to a SQL injection exploitable by editors and above. Note: due to the lack of a CSRF check, the issue could also be exploited via CSRF against a logged-in editor (or above).

PLUGIN ArtPlacer Widget

CVE-2023-6373

HIGH CVSS 8.8 2024-01-16
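CVE-2024-1061 ('id' in `get_view`, unauthenticated), CVE-2023-5041 (stats REST endpoint, time-based blind), CVE-2024-0405 (JSON parameters of a REST endpoint) and CVE-2023-6373 ("id" parameter) all come down to a request parameter being concatenated into a `$wpdb` query. The block below is an added example for this page, not code from any of those plugins. It assumes WordPress is loaded; the route namespace `xyz/v1`, the table `{$wpdb->prefix}xyz_videos` and the callback names are hypothetical, while `register_rest_route`, `WP_REST_Request`, `$wpdb->prepare`, `rest_ensure_response` and `WP_Error` are WordPress core.

```php
<?php
// Added example (not from any listed plugin). Assumes WordPress is loaded.
// Route namespace, table name and callback names are hypothetical.

add_action( 'rest_api_init', function () {
    // --- Vulnerable route: 'id' is interpolated straight into SQL and the
    //     route is open to unauthenticated callers, as in CVE-2024-1061. ---
    register_rest_route( 'xyz/v1', '/view-vuln', array(
        'methods'             => 'GET',
        'callback'            => 'xyz_get_view_vuln',
        'permission_callback' => '__return_true',
    ) );

    // --- Hardened route: typed argument, prepared query, permission check. ---
    register_rest_route( 'xyz/v1', '/view', array(
        'methods'             => 'GET',
        'callback'            => 'xyz_get_view',
        'permission_callback' => function () {
            return current_user_can( 'read' ); // use '__return_true' only if the data is public
        },
        'args' => array(
            'id' => array(
                'required'          => true,
                'type'              => 'integer',   // "1 AND SLEEP(5)" is rejected with HTTP 400
                'minimum'           => 1,
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function xyz_get_view_vuln( WP_REST_Request $req ) {
    global $wpdb;
    $id = $req->get_param( 'id' );
    // ?id=1 AND SLEEP(5)        -> response delayed by 5s: time-based blind SQLi
    // ?id=0 UNION SELECT ...    -> rows from other tables returned in the JSON body
    $sql = "SELECT * FROM {$wpdb->prefix}xyz_videos WHERE id = " . $id;
    return rest_ensure_response( $wpdb->get_row( $sql, ARRAY_A ) );
}

function xyz_get_view( WP_REST_Request $req ) {
    global $wpdb;
    // Schema validation already refused anything that is not a positive integer;
    // prepare() with %d casts again, so no SQL token can reach the parser.
    $id  = (int) $req->get_param( 'id' );
    $sql = $wpdb->prepare(
        "SELECT id, title, views FROM {$wpdb->prefix}xyz_videos WHERE id = %d",
        $id
    );
    $row = $wpdb->get_row( $sql, ARRAY_A );
    if ( null === $row ) {
        return new WP_Error( 'xyz_not_found', 'No such view', array( 'status' => 404 ) );
    }
    return rest_ensure_response( $row );
}

// String filters such as 'browser' or 'referrer' (CVE-2024-0405) are bound with %s.
// An ORDER BY column is an identifier, cannot be bound as a value, and must come
// from an allow-list instead of the request.
function xyz_stats_sql( string $browser, string $order_by ): string {
    global $wpdb;
    $allowed = array( 'views' => 'views', 'title' => 'title', 'id' => 'id' );
    $col     = $allowed[ $order_by ] ?? 'id';
    return $wpdb->prepare(
        "SELECT id, title, views FROM {$wpdb->prefix}xyz_videos WHERE browser = %s ORDER BY `$col` DESC",
        $browser
    );
}
```

The quick check for the vulnerable shape is the timing difference between `?id=1` and `?id=1 AND SLEEP(5)`; against the hardened route the second request fails schema validation and no query runs. Note that `$wpdb->prepare()` only protects the placeholders: a column or table name built from user input, or a `%` placeholder written into the query string by interpolation, reintroduces the injection.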
Threat Entry Updated 2025-06-20

CVE-2023-4536 - My Account Page Editor Plugin

The My Account Page Editor WordPress plugin before 1.3.2 does not validate the profile picture to be uploaded, allowing any authenticated user, such as a subscriber, to upload arbitrary files to the server, leading to remote code execution (RCE).

PLUGIN My Account Page Editor

CVE-2023-4536

HIGH CVSS 8.8 2024-01-16
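CVE-2024-1069 (`view_page`, administrator), CVE-2023-7082 (zip extracted into a public directory, administrator) and CVE-2023-4536 (profile picture, subscriber) are all the same failure: a file's extension or contents are not checked before it is written under the web root. The block below is an added example written for this page, not code from any of those plugins. It assumes WordPress is loaded; the function names, the `avatars` directory and the allow-lists are hypothetical, while `wp_check_filetype_and_ext`, `wp_upload_dir`, `wp_mkdir_p`, `wp_generate_password` and `WP_Error` are WordPress core and `ZipArchive` is PHP's.

```php
<?php
// Added example (not from any listed plugin). Assumes WordPress is loaded.
// Function names, directory and allow-lists are hypothetical.

// Extensions that may be stored under the web root. Everything else is rejected.
const XYZ_IMAGE_EXT = array( 'jpg', 'jpeg', 'png', 'gif', 'webp' );

// --- Vulnerable pattern: trusts the client-supplied name and type. ---
// $file is one entry of $_FILES. A name of "avatar.php" lands in uploads/avatars/
// and is served by the web server as PHP.
function xyz_save_avatar_vuln( array $file ) {
    $dest = wp_upload_dir()['basedir'] . '/avatars/' . $file['name'];
    return move_uploaded_file( $file['tmp_name'], $dest ) ? $dest : false;
}

// --- Hardened: authenticated caller, real-content sniffing, extension allow-list,
//     server-chosen filename. ---
function xyz_save_avatar( array $file ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'forbidden', 'Login required' );
    }
    if ( empty( $file['tmp_name'] ) || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'bad_upload', 'Not an uploaded file' );
    }
    // wp_check_filetype_and_ext() compares the claimed extension with the bytes
    // actually in the file and returns ext/type = false when they disagree,
    // which also catches "shell.php.png"-style names whose content is not an image.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'] );
    if ( empty( $check['ext'] ) || ! in_array( $check['ext'], XYZ_IMAGE_EXT, true ) ) {
        return new WP_Error( 'bad_type', 'Only image uploads are accepted' );
    }
    // Never keep the user's filename: random name + the verified extension.
    $name = wp_generate_password( 20, false ) . '.' . $check['ext'];
    $dir  = wp_upload_dir()['basedir'] . '/avatars';
    wp_mkdir_p( $dir );
    $dest = $dir . '/' . $name;
    if ( ! move_uploaded_file( $file['tmp_name'], $dest ) ) {
        return new WP_Error( 'move_failed', 'Could not store upload' );
    }
    return $dest;
}

// --- Archive imports (CVE-2023-7082 pattern): inspect every entry BEFORE
//     extracting, instead of extracting and hoping. ---
function xyz_zip_entries_are_safe( string $zip_path, array $allowed_ext = array( 'xml', 'csv' ) ): bool {
    $zip = new ZipArchive();
    if ( true !== $zip->open( $zip_path ) ) {
        return false;
    }
    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $entry = $zip->getNameIndex( $i );
        if ( substr( $entry, -1 ) === '/' ) {
            continue;                                   // directory entry
        }
        $ext = strtolower( pathinfo( $entry, PATHINFO_EXTENSION ) );
        // Reject anything the web server could execute if written under the web root.
        if ( ! in_array( $ext, $allowed_ext, true ) ) {
            $zip->close();
            return false;
        }
        // General hardening: reject names that would escape the extraction directory.
        if ( false !== strpos( $entry, '..' ) || '/' === $entry[0] ) {
            $zip->close();
            return false;
        }
    }
    $zip->close();
    return true;
}
```

Two caveats. First, validation is defence in depth, not a substitute for the server refusing to execute anything under `wp-content/uploads`; an `.htaccess` or nginx `location` rule that denies PHP there turns a missed check into a dead file. Second, for CVE-2024-1069 and CVE-2023-7082 the attacker already holds an administrator account, but the checks still matter: on multisite, regular site administrators lack the `unfiltered_upload` capability by design, and hosts that set `DISALLOW_FILE_MODS` expect plugins not to provide an alternative path to PHP on disk.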
Threat Entry Updated 2025-06-02

CVE-2023-5922 - Royal Elementor Addons And Templates Plugin

The Royal Elementor Addons and Templates WordPress plugin before 1.3.81 does not ensure that users accessing posts via an AJAX action (and REST endpoint, currently disabled in the plugin) have the right to do so, allowing unauthenticated users to access arbitrary draft, private and password protected posts/pages content

PLUGIN Royal Elementor Addons And Templates

CVE-2023-5922

HIGH CVSS 7.5 2024-01-16
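CVE-2023-5922 (any visitor reading draft, private and password-protected posts through an AJAX action), CVE-2023-6279 (any subscriber setting arbitrary options), CVE-2024-22305 (user-controlled key), CVE-2024-0212 (lower-privileged account reaching API data) and CVE-2023-4703 (updating any user's details) are all missing-authorisation bugs: the handler checks, at most, that someone is logged in, not that this user may touch this object. The block below is an added example for this page, not code from any of those plugins. It assumes WordPress is loaded; the action names `xyz_get_post` and `xyz_activate` and the option allow-list are hypothetical, while `wp_ajax_*` hooks, `check_ajax_referer`, `current_user_can`, `post_password_required` and `wp_send_json_*` are WordPress core.

```php
<?php
// Added example (not from any listed plugin). Assumes WordPress is loaded.
// Action names and option keys are hypothetical.

// --- Vulnerable: exposed to unauthenticated users and trusts the supplied ID
//     (the CVE-2023-5922 shape). ---
add_action( 'wp_ajax_nopriv_xyz_get_post_vuln', 'xyz_get_post_vuln' );
add_action( 'wp_ajax_xyz_get_post_vuln', 'xyz_get_post_vuln' );
function xyz_get_post_vuln() {
    $post = get_post( absint( $_GET['post_id'] ) );   // drafts, private and protected posts all returned
    wp_send_json_success( array( 'content' => $post ? $post->post_content : '' ) );
}

// --- Vulnerable: any logged-in user may set any option (the CVE-2023-6279 shape). ---
add_action( 'wp_ajax_xyz_activate_vuln', function () {
    update_option( sanitize_key( $_POST['option'] ), 'activated' );
    wp_send_json_success();
} );

// --- Hardened: nonce + per-object capability check. ---
// No wp_ajax_nopriv_ hook: anonymous callers get WordPress's default 400.
add_action( 'wp_ajax_xyz_get_post', 'xyz_get_post' );
function xyz_get_post() {
    check_ajax_referer( 'xyz_get_post', 'nonce' );          // CSRF
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    $post    = get_post( $post_id );
    // 'read_post' is a meta capability: WordPress maps it to read, read_private_posts
    // or edit_others_posts depending on the post's status and owner, so the handler
    // returns exactly what the normal front end would show this user.
    if ( ! $post || ! current_user_can( 'read_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( post_password_required( $post ) ) {
        wp_send_json_error( 'password required', 403 );
    }
    wp_send_json_success( array( 'content' => $post->post_content ) );
}

// --- Hardened: site-level capability + option allow-list. ---
add_action( 'wp_ajax_xyz_activate', function () {
    check_ajax_referer( 'xyz_activate', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $allowed = array( 'xyz_site_activated', 'xyz_demo_imported' );
    $option  = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    if ( ! in_array( $option, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    update_option( $option, 'activated' );
    wp_send_json_success();
} );
```

The test that separates the two shapes is a second, low-privilege account: log in as a subscriber, replay the AJAX request with a post ID (or user ID, or option name) that belongs to someone else, and see whether the response is the object or a 403. For the user-details case (CVE-2023-4703) the per-object check is `current_user_can( 'edit_user', $target_id )` rather than `read_post`; the structure is the same.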
Threat Entry Updated 2025-06-20

CVE-2023-4703 - All In One B2b For Woocommerce Plugin

The All in One B2B for WooCommerce WordPress plugin through 1.0.3 does not properly validate parameters when updating user details, allowing an unauthenticated attacker to update the details of any user. Updating the password of an Admin user leads to privilege escalation.

PLUGIN All In One B2b For Woocommerce

CVE-2023-4703

HIGH CVSS 7.5 2024-01-16
Threat Entry Updated 2025-06-11

CVE-2023-4797 - Newsletters Plugin

The Newsletters WordPress plugin before 4.9.3 does not properly escape user-controlled parameters when they are appended to SQL queries and shell commands, which could enable an administrator to run arbitrary commands on the server.

PLUGIN Newsletters

CVE-2023-4797

HIGH CVSS 7.2 2024-01-16
Threat Entry Updated 2025-06-11

CVE-2023-1405 - Formidable Forms Plugin

The Formidable Forms WordPress plugin before 6.2 unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present.

PLUGIN Formidable Forms

CVE-2023-1405

HIGH CVSS 7.5 2024-01-16