Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Active filter: Total 3,046 | Critical 0 | High 3,046 | Medium 0
Showing 2301-2320 of 3046 records
Threat Entry Updated 2024-11-21

CVE-2023-41804 - Starter Templates Plugin

Server-Side Request Forgery (SSRF) vulnerability in Brainstorm Force Starter Templates — Elementor, WordPress & Beaver Builder Templates. This issue affects Starter Templates — Elementor, WordPress & Beaver Builder Templates: from n/a through 3.2.4.

PLUGIN Starter Templates

CVE-2023-41804

HIGH CVSS 7.1 2023-12-07
Threat Entry Updated 2025-05-29

CVE-2023-5953 - Welcart E Commerce Plugin

The Welcart e-Commerce WordPress plugin before 2.9.5 does not validate files to be uploaded, and lacks authorisation and CSRF checks in the AJAX action that handles the upload. As a result, any authenticated user, such as a subscriber, could upload arbitrary files, such as PHP, to the server.

PLUGIN Welcart E Commerce

CVE-2023-5953

HIGH CVSS 8.8 2023-12-04
Threat Entry Updated 2024-11-21

CVE-2023-6063 - Wp Fastest Cache Plugin

The WP Fastest Cache WordPress plugin before 1.2.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.

PLUGIN Wp Fastest Cache

CVE-2023-6063

HIGH CVSS 7.5 2023-12-04
Threat Entry Updated 2024-11-21

CVE-2023-5762 - Filr Plugin

The Filr WordPress plugin before 1.2.3.6 is vulnerable to Remote Code Execution (RCE): a user with Author-level privileges can execute operating system commands and fully compromise the server.

PLUGIN Filr

CVE-2023-5762

HIGH CVSS 8.8 2023-12-04
Threat Entry Updated 2024-11-21

CVE-2023-5108 - Easy Newsletter Signups Plugin

The Easy Newsletter Signups WordPress plugin through 1.0.4 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as administrators.

PLUGIN Easy Newsletter Signups

CVE-2023-5108

HIGH CVSS 7.2 2023-12-04
Threat Entry Updated 2024-11-21

CVE-2023-6360 - My Calendar Plugin

The 'My Calendar' WordPress Plugin, version < 3.4.22 is affected by an unauthenticated SQL injection vulnerability in the 'from' and 'to' parameters in the '/my-calendar/v1/events' rest route.

PLUGIN My Calendar

CVE-2023-6360

HIGH CVSS 8.6 2023-11-30
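The My Calendar entry above describes the classic REST-route shape of this bug: date parameters that reach a SQL statement without preparation. The following is an added example, not the plugin's code; the route, table and `hypo_` function names are hypothetical, while the WordPress APIs (`register_rest_route`, `$wpdb->prepare`) are real. It contrasts the vulnerable interpolation with schema-validated arguments plus a prepared statement.

```php
<?php
// Added example (not My Calendar's code): a REST route whose 'from'/'to'
// date parameters reach SQL. Route, table and hypo_ names are hypothetical.

// VULNERABLE pattern: parameters concatenated straight into the query.
function hypo_events_route_vulnerable( WP_REST_Request $request ) {
    global $wpdb;
    $from = $request->get_param( 'from' );
    $to   = $request->get_param( 'to' );
    // from=2023-01-01' OR SLEEP(5)-- -  turns this into blind, unauthenticated SQLi.
    $sql = "SELECT event_id, event_title, event_begin
              FROM {$wpdb->prefix}hypo_events
             WHERE event_begin >= '$from' AND event_end <= '$to'";
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// HARDENED pattern: schema-validated args plus a prepared statement.
function hypo_validate_date( $value ) {
    // Accept only YYYY-MM-DD and make sure it is a real calendar date
    // (createFromFormat() silently rolls 2023-02-30 over to March, so compare).
    if ( ! is_string( $value ) || ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $value ) ) {
        return false;
    }
    $d = DateTime::createFromFormat( 'Y-m-d', $value );
    return $d && $d->format( 'Y-m-d' ) === $value;
}

function hypo_events_route_hardened( WP_REST_Request $request ) {
    global $wpdb;
    $from = $request->get_param( 'from' );
    $to   = $request->get_param( 'to' );
    // %s placeholders are quoted and escaped by $wpdb->prepare(); the
    // validate_callback has already rejected anything that is not a date.
    $sql = $wpdb->prepare(
        "SELECT event_id, event_title, event_begin
           FROM {$wpdb->prefix}hypo_events
          WHERE event_begin >= %s AND event_end <= %s
          ORDER BY event_begin ASC
          LIMIT %d",
        $from, $to, 500
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'hypo-calendar/v1', '/events', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'hypo_events_route_hardened',
        // Public event data, so the route stays unauthenticated on purpose;
        // the argument schema and the prepared statement are what keep it safe.
        'permission_callback' => '__return_true',
        'args'                => array(
            'from' => array(
                'required'          => true,
                'validate_callback' => 'hypo_validate_date',
                'sanitize_callback' => 'sanitize_text_field',
            ),
            'to'   => array(
                'required'          => true,
                'validate_callback' => 'hypo_validate_date',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );
```

A request whose `from` or `to` fails `hypo_validate_date()` is rejected by the REST server with a `rest_invalid_param` error before the callback runs, so the `prepare()` call is a second layer rather than the only one.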
Threat Entry Updated 2024-11-21

CVE-2023-46086 - Affiliate Toolkit Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SERVIT Software Solutions affiliate-toolkit – WordPress Affiliate Plugin allows Reflected XSS. This issue affects affiliate-toolkit – WordPress Affiliate Plugin: from n/a through 3.4.3.

PLUGIN Affiliate Toolkit

CVE-2023-46086

HIGH CVSS 7.1 2023-11-30
Threat Entry Updated 2024-11-21

CVE-2023-38474 - Campaign Monitor Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Campaign Monitor Campaign Monitor for WordPress allows Reflected XSS. This issue affects Campaign Monitor for WordPress: from n/a through 2.8.12.

PLUGIN Campaign Monitor

CVE-2023-38474

HIGH CVSS 7.1 2023-11-30
Threat Entry Updated 2024-11-21

CVE-2023-48322 - Employee Job Application Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eDoc Intelligence eDoc Employee Job Application – Best WordPress Job Manager for Employees allows Reflected XSS. This issue affects eDoc Employee Job Application – Best WordPress Job Manager for Employees: from n/a through 1.13.

PLUGIN Employee Job Application

CVE-2023-48322

HIGH CVSS 7.1 2023-11-30
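The three reflected XSS entries above (CVE-2023-46086, CVE-2023-38474, CVE-2023-48322) share one root cause: a request parameter written back into HTML without escaping for the context it lands in. The following is an added example and not code from any of those plugins; the `hypo_` functions and the `q` parameter are hypothetical. It shows the same value reflected into an attribute, into element text and into a URL, each with the matching WordPress escaper.

```php
<?php
// Added example (not from any of the plugins above): a search box that
// reflects the 'q' parameter. hypo_ names and the parameter are hypothetical.

// VULNERABLE: raw request data echoed into three different HTML contexts.
function hypo_search_box_vulnerable() {
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    // ?q="><script>alert(document.cookie)</script>  breaks out of the attribute;
    // ?q=javascript:alert(1)                           becomes a live link below.
    echo '<form method="get">';
    echo '<input type="text" name="q" value="' . $q . '">';
    echo '</form>';
    echo '<p>Results for ' . $q . '</p>';
    echo '<a href="' . $q . '">Search elsewhere</a>';
}

// HARDENED: unslash and sanitize on input, then escape for the exact context
// where the value is written. Escaping on output is what stops reflected XSS;
// sanitizing alone does not know whether it is inside a quote, a tag or a URL.
function hypo_search_box_hardened() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';

    // Attribute context: esc_attr() encodes quotes, so the value cannot close
    // the attribute or start a new one.
    echo '<form method="get" action="' . esc_url( home_url( '/' ) ) . '">';
    echo '<input type="text" name="q" value="' . esc_attr( $q ) . '">';
    echo '</form>';

    // Text context: esc_html() encodes < and >, so no tag can be injected.
    echo '<p>Results for ' . esc_html( $q ) . '</p>';

    // URL context: esc_url() rejects non-allowlisted schemes such as
    // javascript: and data:, which esc_attr() alone would have let through.
    $link = esc_url( add_query_arg( 'q', $q, 'https://duckduckgo.com/' ) );
    echo '<a href="' . $link . '">Search elsewhere</a>';
}
```

The order matters: `wp_unslash()` first (WordPress adds slashes to request superglobals), sanitize once on input, and then escape at every output site with the escaper for that site. A value escaped with `esc_html()` is still unsafe inside `href`, which is why the link uses `esc_url()`.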
Threat Entry Updated 2024-11-21

CVE-2023-6219 - Bookingpress Plugin

The BookingPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation on the 'bookingpress_process_upload' function in versions up to, and including, 1.0.76. This makes it possible for authenticated attackers with administrator-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Bookingpress

CVE-2023-6219

HIGH CVSS 7.2 2023-11-28
Threat Entry Updated 2024-11-21

CVE-2023-5906 - Job Manager & Career Plugin

The Job Manager & Career WordPress plugin before 1.4.4 contains a vulnerability in the Directory Listings system that allows an unauthorized user to view and download private files of other users, giving an attacker access to confidential data and files without the owners' permission.

PLUGIN Job Manager & Career

CVE-2023-5906

HIGH CVSS 7.5 2023-11-27
Threat Entry Updated 2024-11-21

CVE-2023-5239 - Malware Scan By Cleantalk Plugin

The Security & Malware scan by CleanTalk WordPress plugin before 2.121 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to bypass bruteforce protection.

PLUGIN Malware Scan By Cleantalk

CVE-2023-5239

HIGH CVSS 7.5 2023-11-27
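The CleanTalk entry above is about deriving the client address from headers the client itself can set. The following is an added example, not CleanTalk's code: plain PHP with no WordPress dependency, using a hypothetical `hypo_` prefix and a constructed list of trusted proxy addresses. It shows why the naive `X-Forwarded-For` lookup lets a brute-forcer change identity on every attempt, and a version that only honours the header when the TCP peer is one of your own proxies.

```php
<?php
// Added example, not CleanTalk's code. hypo_ names, the proxy list and the
// sample requests below are all constructed for illustration.

// VULNERABLE: the header is attacker-controlled. A brute-forcer sends a new
// X-Forwarded-For value with every login attempt and is never rate-limited.
function hypo_client_ip_vulnerable( array $server ) {
    if ( ! empty( $server['HTTP_X_FORWARDED_FOR'] ) ) {
        $parts = explode( ',', $server['HTTP_X_FORWARDED_FOR'] );
        return trim( $parts[0] );           // leftmost = whatever the client wrote
    }
    return $server['REMOTE_ADDR'];
}

// HARDENED: trust X-Forwarded-For only when REMOTE_ADDR is one of our own
// reverse proxies, then walk the chain from the right, skipping proxies we
// control, so the result is the first hop that we did not append ourselves.
function hypo_client_ip_hardened( array $server, array $trusted_proxies ) {
    $peer = $server['REMOTE_ADDR'] ?? '';
    if ( ! in_array( $peer, $trusted_proxies, true ) ) {
        // Direct connection or an unknown proxy: the header means nothing.
        return $peer;
    }
    $chain = array_map( 'trim', explode( ',', $server['HTTP_X_FORWARDED_FOR'] ?? '' ) );
    for ( $i = count( $chain ) - 1; $i >= 0; $i-- ) {
        $ip = $chain[ $i ];
        if ( filter_var( $ip, FILTER_VALIDATE_IP ) === false ) {
            break;                          // garbage in the chain: fall back to the peer
        }
        if ( ! in_array( $ip, $trusted_proxies, true ) ) {
            return $ip;                     // first address not written by our proxies
        }
    }
    return $peer;
}

// Constructed request 1: attacker connects directly and spoofs the header.
$direct_spoof = array(
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '10.0.0.1',
);
// Constructed request 2: attacker at 198.51.100.23 sends a fake header through
// our load balancer (192.0.2.10), which appends the address it actually saw.
$proxied_spoof = array(
    'REMOTE_ADDR'          => '192.0.2.10',
    'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 198.51.100.23',
);
$trusted = array( '192.0.2.10' );

if ( PHP_SAPI === 'cli' ) {
    var_dump( hypo_client_ip_vulnerable( $direct_spoof ) );            // attacker-chosen value
    var_dump( hypo_client_ip_hardened( $direct_spoof, $trusted ) );    // the real peer
    var_dump( hypo_client_ip_vulnerable( $proxied_spoof ) );           // attacker-chosen value
    var_dump( hypo_client_ip_hardened( $proxied_spoof, $trusted ) );   // the address the LB saw
}
```

The trusted-proxy list must be the exact set of addresses that terminate connections in front of the application; if a CDN or WAF sits in front, its published ranges belong there and the header it sets (which may not be `X-Forwarded-For`) is the one to parse. Any rate limiter or brute-force lock that keys on the client address inherits whatever this function returns.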
Threat Entry Updated 2024-11-21

CVE-2023-6009 - Userpro Plugin

The UserPro plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.4 due to insufficient restriction on the 'userpro_update_user_profile' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update.

PLUGIN Userpro

CVE-2023-6009

HIGH CVSS 8.8 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-5822 - Drag And Drop Multiple File Upload Contact Form 7 Plugin

The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible. This can be exploited if a user authorized to edit forms, which means editor privileges or above, has added a 'multiple file upload' form field with '*' as the acceptable file types.

PLUGIN Drag And Drop Multiple File Upload Contact Form 7

CVE-2023-5822

HIGH CVSS 8.1 2023-11-22
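The Welcart (CVE-2023-5953), BookingPress (CVE-2023-6219) and Drag and Drop Multiple File Upload (CVE-2023-5822) entries above are three variants of one bug: an upload handler that skips authorisation, CSRF protection, or a server-side type check, or derives its allowlist from a form setting that can be `*`. The following is an added example and not code from any of those plugins; the AJAX action names and `hypo_` functions are hypothetical, the WordPress APIs (`check_ajax_referer`, `wp_check_filetype_and_ext`, `wp_handle_upload`) are real. It places the vulnerable handler beside one that applies all three checks.

```php
<?php
// Added example, not code from Welcart, BookingPress or the Drag and Drop
// Multiple File Upload plugin. Hook names and hypo_ functions are hypothetical.

// VULNERABLE: reachable by anyone (nopriv hook), no nonce, no capability
// check, and the file is written under the name and extension the client sent.
add_action( 'wp_ajax_hypo_upload', 'hypo_upload_vulnerable' );
add_action( 'wp_ajax_nopriv_hypo_upload', 'hypo_upload_vulnerable' );
function hypo_upload_vulnerable() {
    $dir  = wp_upload_dir();
    $dest = $dir['path'] . '/' . $_FILES['file']['name'];   // shell.php lands here
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json_success( array( 'url' => $dir['url'] . '/' . $_FILES['file']['name'] ) );
}

// HARDENED: authenticated only, nonce and capability checked, and the file must
// pass a fixed server-side allowlist of extension/MIME pairs before core moves it.
add_action( 'wp_ajax_hypo_secure_upload', 'hypo_upload_hardened' );
function hypo_upload_hardened() {
    require_once ABSPATH . 'wp-admin/includes/file.php';   // wp_handle_upload()

    // 1. CSRF: the request must carry a nonce minted for this action
    //    (wp_create_nonce( 'hypo_secure_upload' ) on the form side).
    check_ajax_referer( 'hypo_secure_upload', 'nonce' );

    // 2. Authorisation: a subscriber account must not be able to write files.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 3. Validation: a fixed allowlist. Never build it from a form-field
    //    setting that may contain '*', and never trust the client-sent MIME.
    //    wp_check_filetype_and_ext() also sniffs the content of images.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
    );
    $check = wp_check_filetype_and_ext(
        $_FILES['file']['tmp_name'],
        sanitize_file_name( $_FILES['file']['name'] ),
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 4. Let core move the file: it re-checks the type against the same
    //    allowlist, picks a unique name and keeps it inside the uploads dir.
    $result = wp_handle_upload(
        $_FILES['file'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

Registering only the `wp_ajax_` hook (and not `wp_ajax_nopriv_`) is what makes the hardened action unreachable by unauthenticated clients; the capability check then separates subscribers from users who may legitimately upload. For the Contact Form 7 case, the equivalent fix is to intersect whatever the form field allows with a server-side allowlist rather than passing `*` through.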
Threat Entry Updated 2024-11-21

CVE-2023-6007 - Userpro Plugin

The UserPro plugin for WordPress is vulnerable to unauthorized access to, modification of, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.1.1. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin options.

PLUGIN Userpro

CVE-2023-6007

HIGH CVSS 7.3 2023-11-22
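The two UserPro entries above (CVE-2023-6009 and CVE-2023-6007) describe a profile-update path that writes user meta from request data without a capability check. `wp_capabilities` (prefixed with the table prefix, so `wp_capabilities` on a default install) is simply user meta, which is why a subscriber supplying it becomes an administrator. The following is an added example, not UserPro's code; the hook names and `hypo_` functions are hypothetical, the WordPress APIs are real. It pairs the open-ended loop with a handler that allowlists the meta keys a form may touch.

```php
<?php
// Added example, not UserPro's code. Hook names and hypo_ functions are
// hypothetical; update_user_meta(), current_user_can() etc. are core APIs.

// VULNERABLE: every posted key becomes a meta key, the nopriv hook lets
// logged-out clients reach it, and no capability or nonce check exists.
// A subscriber POSTs  wp_capabilities[administrator]=1  (prefix 'wp_' assumed)
// and update_user_meta() rewrites their role.
add_action( 'wp_ajax_hypo_update_profile', 'hypo_update_profile_vulnerable' );
add_action( 'wp_ajax_nopriv_hypo_update_profile', 'hypo_update_profile_vulnerable' );
function hypo_update_profile_vulnerable() {
    $user_id = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : get_current_user_id();
    foreach ( $_POST as $key => $value ) {
        update_user_meta( $user_id, $key, $value );
    }
    wp_send_json_success();
}

// HARDENED: logged-in only (no nopriv hook), nonce checked, the target user
// constrained to self unless the caller may edit others, and only an explicit
// allowlist of profile fields is written, each through its own sanitizer.
add_action( 'wp_ajax_hypo_secure_update_profile', 'hypo_update_profile_hardened' );
function hypo_update_profile_hardened() {
    global $wpdb;
    check_ajax_referer( 'hypo_update_profile', 'nonce' );

    $current = get_current_user_id();
    $target  = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : $current;

    // Editing someone else's profile requires the core meta capability for it.
    if ( $target !== $current && ! current_user_can( 'edit_user', $target ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Allowlist: meta key => sanitizer. Nothing outside this map is written.
    $editable = array(
        'description' => 'sanitize_textarea_field',
        'hypo_phone'  => 'sanitize_text_field',
        'hypo_city'   => 'sanitize_text_field',
    );

    // Defence in depth: even if the allowlist grows later, role and level
    // keys must never be writable through a profile form.
    $forbidden = array( $wpdb->prefix . 'capabilities', $wpdb->prefix . 'user_level' );

    foreach ( $editable as $key => $sanitize ) {
        if ( in_array( $key, $forbidden, true ) || ! isset( $_POST[ $key ] ) ) {
            continue;
        }
        $value = call_user_func( $sanitize, wp_unslash( $_POST[ $key ] ) );
        update_user_meta( $target, $key, $value );
    }
    wp_send_json_success();
}
```

Iterating over the allowlist rather than over `$_POST` is the structural difference: the request can only select among keys the code already knows, so a new parameter name cannot reach `update_user_meta()`. The `$forbidden` list is redundant with that design and exists only to survive a careless later edit.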
Threat Entry Updated 2024-11-21

CVE-2023-5815 - News Blog Designer Pack Plugin

The News & Blog Designer Pack – WordPress Blog Plugin — (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post Ticker, Blog Post Masonry) plugin for WordPress is vulnerable to Remote Code Execution via Local File Inclusion in all versions up to, and including, 3.4.1 via the bdp_get_more_post function hooked via a nopriv AJAX action. This is due to the function using an unsafe extract() call on the POST variables and passing the resulting input to include(). This makes it possible for unauthenticated attackers to include…

PLUGIN News Blog Designer Pack

CVE-2023-5815

HIGH CVSS 8.1 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-5466 - Wp Anything Slider Plugin

The Wp anything slider plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Wp Anything Slider

CVE-2023-5466

HIGH CVSS 8.8 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-5465 - Popup With Fancybox Plugin

The Popup with fancybox plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 3.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Popup With Fancybox

CVE-2023-5465

HIGH CVSS 8.8 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-2841 - Advanced Local Pickup For Woocommerce Plugin

The Advanced Local Pickup for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the id parameter in versions up to, and including, 1.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with admin-level privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Advanced Local Pickup For Woocommerce

CVE-2023-2841

HIGH CVSS 7.2 2023-11-22
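The WP Fastest Cache (CVE-2023-6063), Easy Newsletter Signups (CVE-2023-5108), Wp anything slider (CVE-2023-5466), Popup with fancybox (CVE-2023-5465) and Advanced Local Pickup (CVE-2023-2841) entries all reduce to a parameter, often a shortcode attribute, interpolated into a `$wpdb` query without preparation. The following is an added example covering all five and is not code from any of those plugins; the shortcode, table and `hypo_` function names are hypothetical. It shows the vulnerable shortcode beside one that casts numeric attributes and runs everything else through `$wpdb->prepare()`, including the `LIKE` case that `prepare()` alone does not cover.

```php
<?php
// Added example covering the shortcode and parameter SQL injection entries
// above. Shortcode, table and hypo_ names are hypothetical; $wpdb is core.

// VULNERABLE: a shortcode attribute is interpolated into the query. Any user
// who can get the shortcode rendered (the advisories above rate this
// subscriber-level for the shortcode cases) controls the SQL, e.g.
//   [hypo_slider id="1 UNION SELECT user_login,user_pass,1 FROM wp_users-- -"]
// or, where results are not shown, a time-based probe such as
//   [hypo_slider id="1 AND SLEEP(5)"]
add_shortcode( 'hypo_slider', 'hypo_slider_vulnerable' );
function hypo_slider_vulnerable( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'id' => '0' ), $atts, 'hypo_slider' );
    $rows = $wpdb->get_results(
        "SELECT title, image_url, link FROM {$wpdb->prefix}hypo_slides WHERE slider_id = {$atts['id']}"
    );
    return hypo_render_slides( $rows );
}

// HARDENED: cast what must be a number and bind it with %d; bind strings with
// %s so prepare() quotes and escapes them; and run LIKE patterns through
// esc_like() first, because prepare() does not neutralise % and _.
add_shortcode( 'hypo_secure_slider', 'hypo_slider_hardened' );
function hypo_slider_hardened( $atts ) {
    global $wpdb;
    $atts   = shortcode_atts( array( 'id' => 0, 'search' => '' ), $atts, 'hypo_secure_slider' );
    $id     = absint( $atts['id'] );
    $search = sanitize_text_field( $atts['search'] );

    if ( $search !== '' ) {
        $like = '%' . $wpdb->esc_like( $search ) . '%';
        $sql  = $wpdb->prepare(
            "SELECT title, image_url, link FROM {$wpdb->prefix}hypo_slides
              WHERE slider_id = %d AND title LIKE %s ORDER BY position ASC",
            $id, $like
        );
    } else {
        $sql = $wpdb->prepare(
            "SELECT title, image_url, link FROM {$wpdb->prefix}hypo_slides
              WHERE slider_id = %d ORDER BY position ASC",
            $id
        );
    }
    return hypo_render_slides( $wpdb->get_results( $sql ) );
}

// Shared renderer: escape on output regardless of how the rows were fetched,
// so a stored payload in the table cannot turn into XSS on the way out.
function hypo_render_slides( $rows ) {
    $html = '<ul class="hypo-slider">';
    foreach ( (array) $rows as $row ) {
        $html .= sprintf(
            '<li><a href="%s"><img src="%s" alt="%s"></a></li>',
            esc_url( $row->link ), esc_url( $row->image_url ), esc_attr( $row->title )
        );
    }
    return $html . '</ul>';
}
```

Column names and `ORDER BY` direction cannot be bound as placeholders; if those must come from input, map them through an allowlist of known column names rather than interpolating them. The admin-only variant (CVE-2023-2841) is the same fix; the lower privilege needed to reach a shortcode is what raises the other entries to 8.8.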
Threat Entry Updated 2024-11-21

CVE-2023-2497 - Userpro Plugin

The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the 'import_settings' function. This makes it possible for unauthenticated attackers to exploit PHP Object Injection, due to the use of unserialize() on the user-supplied parameter, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Userpro

CVE-2023-2497

HIGH CVSS 8.8 2023-11-22
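The entry above chains two defects: a settings-import action without a nonce, and `unserialize()` on the imported blob, so a forged request from a logged-in administrator's browser can instantiate arbitrary classes. The following is an added example, not UserPro's code; the option name, form fields and `hypo_` functions are hypothetical, while `check_admin_referer()`, `current_user_can()` and the `allowed_classes` option of `unserialize()` are real. It shows the vulnerable handler and one that checks capability and nonce, then accepts only JSON validated against known keys.

```php
<?php
// Added example, not UserPro's code. Option name, form fields and hypo_
// functions are hypothetical; the checks use core WordPress and PHP APIs.

// VULNERABLE: no capability check, no nonce, and unserialize() on request
// data. An attacker page that auto-submits this form while an admin is logged
// in imports attacker-chosen settings, and any class on the site with a
// __wakeup()/__destruct() gadget becomes instantiable (PHP object injection).
add_action( 'admin_init', 'hypo_import_settings_vulnerable' );
function hypo_import_settings_vulnerable() {
    if ( ! isset( $_POST['hypo_import'] ) ) {
        return;
    }
    $settings = unserialize( base64_decode( $_POST['hypo_settings'] ) );
    update_option( 'hypo_settings', $settings );
}

// HARDENED: capability first, then the nonce (check_admin_referer() dies on
// failure), then a data format that cannot carry objects at all.
add_action( 'admin_init', 'hypo_import_settings_hardened' );
function hypo_import_settings_hardened() {
    if ( ! isset( $_POST['hypo_secure_import'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // The form must render wp_nonce_field( 'hypo_import_settings', 'hypo_nonce' ).
    // A cross-site form cannot read that token, so the forged request dies here.
    check_admin_referer( 'hypo_import_settings', 'hypo_nonce' );

    $raw     = wp_unslash( $_POST['hypo_settings'] ?? '' );
    $decoded = json_decode( $raw, true );               // associative arrays only
    if ( ! is_array( $decoded ) ) {
        wp_die( 'Settings payload is not valid JSON', '', array( 'response' => 400 ) );
    }
    update_option( 'hypo_settings', hypo_validate_settings( $decoded ) );
}

// Validate against the keys the plugin actually knows instead of storing the
// blob as-is; unknown keys are dropped, known ones are coerced to their type.
function hypo_validate_settings( array $in ) {
    return array(
        'redirect_url' => esc_url_raw( $in['redirect_url'] ?? '' ),
        'per_page'     => max( 1, min( 100, absint( $in['per_page'] ?? 10 ) ) ),
        'enable_badge' => ! empty( $in['enable_badge'] ),
    );
}

// If a legacy serialized export format must still be read, forbid objects:
// anything that was an object comes back as __PHP_Incomplete_Class, whose
// magic methods never run, so no gadget chain can start.
function hypo_unserialize_safe( $blob ) {
    return unserialize( $blob, array( 'allowed_classes' => false ) );
}
```

The nonce closes the CSRF, the capability check closes direct abuse by low-privilege accounts, and moving from `unserialize()` to JSON removes the object-injection primitive even if both of the other checks are bypassed later. `allowed_classes => false` is the fallback for formats that cannot be changed, not a reason to keep serializing untrusted input.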