
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3,046 records (Critical 0, High 3,046, Medium 0)

Showing 2421-2440 of 3046 records
Threat Entry Updated 2024-11-21

CVE-2023-4142 - Wp Ultimate Csv Importer Plugin

The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus1' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously granted access in the plugin settings, to execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files; please note that this means remote code execution is still possible for site administrators, so use the plugin with caution.

PLUGIN Wp Ultimate Csv Importer

CVE-2023-4142

HIGH CVSS 8.0 2023-08-04
Threat Entry Updated 2024-11-21

CVE-2023-4141 - Wp Ultimate Csv Importer Plugin

The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus2' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously granted access in the plugin settings, to create a PHP file and execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files; please note that this means PHP file creation is still allowed for site administrators, so use the plugin with caution.

PLUGIN Wp Ultimate Csv Importer

CVE-2023-4141

HIGH CVSS 8.0 2023-08-04
Threat Entry Updated 2024-11-21

CVE-2023-4139 - Wp Ultimate Csv Importer Plugin

The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Sensitive Information Exposure via Directory Listing due to missing restriction in export folder indexing in versions up to, and including, 7.9.8. This makes it possible for unauthenticated attackers to list and view exported files.

PLUGIN Wp Ultimate Csv Importer

CVE-2023-4139

HIGH CVSS 7.5 2023-08-04
Threat Entry Updated 2025-02-19

CVE-2023-37977 - Wpfunnels Plugin

Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in the WPFunnels Team Drag & Drop Sales Funnel Builder for WordPress – WPFunnels plugin.

PLUGIN Wpfunnels

CVE-2023-37977

HIGH CVSS 7.1 2023-07-27
Threat Entry Updated 2024-11-21

CVE-2023-2761 - User Activity Log Plugin

The User Activity Log WordPress plugin before 1.6.3 does not properly sanitise and escape the `txtsearch` parameter before using it in a SQL statement in some admin pages, leading to a SQL injection exploitable by high privilege users such as admin.

PLUGIN User Activity Log

CVE-2023-2761

HIGH CVSS 7.2 2023-07-24
Threat Entry Updated 2024-11-21

CVE-2023-3813 - Jupiter X Core Plugin

The Jupiter X Core plugin for WordPress is vulnerable to arbitrary file downloads in versions up to, and including, 2.5.0. This makes it possible for unauthenticated attackers to download the contents of arbitrary files on the server, which can contain sensitive information. This requires the premium version of the plugin to be activated.

PLUGIN Jupiter X Core

CVE-2023-3813

HIGH CVSS 7.5 2023-07-21
Threat Entry Updated 2024-11-21

CVE-2023-3713 - Profilegrid Plugin

The ProfileGrid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'profile_magic_check_smtp_connection' function in versions up to, and including, 5.5.1. This makes it possible for authenticated attackers, with subscriber-level permissions or above, to update the site options arbitrarily. This can be used by attackers to achieve privilege escalation.

PLUGIN Profilegrid

CVE-2023-3713

HIGH CVSS 8.8 2023-07-18
Threat Entry Updated 2024-11-21

CVE-2023-3714 - Profilegrid Plugin

The ProfileGrid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'edit_group' handler in versions up to, and including, 5.5.2. This makes it possible for authenticated attackers, with group ownership, to update group options, including the 'associate_role' parameter, which defines the member's role. This issue was partially patched in version 5.5.2 preventing privilege escalation, however, it was fully patched in 5.5.3.

PLUGIN Profilegrid

CVE-2023-3714

HIGH CVSS 7.5 2023-07-18
Threat Entry Updated 2024-11-21

CVE-2023-3459 - Import Export Wordpress Users Plugin

The Export and Import Users and Customers plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hf_update_customer' function called via an AJAX action in versions up to, and including, 2.4.1. This makes it possible for authenticated attackers, with shop manager-level permissions to change user passwords and potentially take over administrator accounts.

PLUGIN Import Export Wordpress Users

CVE-2023-3459

HIGH CVSS 7.2 2023-07-18
Threat Entry Updated 2025-06-04

CVE-2023-3179 - Post Smtp Mailer Plugin

The POST SMTP Mailer WordPress plugin before 2.5.7 does not have proper CSRF checks in some AJAX actions, which could allow attackers to make logged in users with the manage_postman_smtp capability resend an email to an arbitrary address (for example a password reset email could be resent to an attacker controlled email, and allow them to take over an account).

PLUGIN Post Smtp Mailer

CVE-2023-3179

HIGH CVSS 8.8 2023-07-17
Threat Entry Updated 2024-11-21

CVE-2023-2636 - An Gradebook Plugin

The AN_GradeBook WordPress plugin through 5.0.1 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.

PLUGIN An Gradebook

CVE-2023-2636

HIGH CVSS 8.8 2023-07-17
Threat Entry Updated 2024-11-21

CVE-2023-2330 - Before 1 Plugin

The Caldera Forms Google Sheets Connector WordPress plugin before 1.3 does not have a CSRF check when updating its Access Code, which could allow attackers to make a logged-in admin change the access code to an arbitrary one via a CSRF attack.

PLUGIN Before 1

CVE-2023-2330

HIGH CVSS 8.8 2023-07-17
Threat Entry Updated 2024-11-21

CVE-2023-2329 - Before 1 Plugin

The WooCommerce Google Sheet Connector WordPress plugin before 1.3.6 does not have a CSRF check when updating its Access Code, which could allow attackers to make a logged-in admin change the access code to an arbitrary one via a CSRF attack.

PLUGIN Before 1

CVE-2023-2329

HIGH CVSS 8.8 2023-07-17
Threat Entry Updated 2024-11-21

CVE-2023-3343 - User Registration Plugin

The User Registration plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.0.1 via deserialization of untrusted input from the 'profile-pic-url' parameter. This allows authenticated attackers, with subscriber-level permissions and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

PLUGIN User Registration

CVE-2023-3343

HIGH CVSS 8.8 2023-07-13
Threat Entry Updated 2024-11-21

CVE-2023-3105 - Learndash Plugin

The LearnDash LMS plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for attackers with existing account access at any level to change user passwords and potentially take over administrator accounts.

PLUGIN Learndash

CVE-2023-3105

HIGH CVSS 8.8 2023-07-12
Threat Entry Updated 2024-11-21

CVE-2023-3525 - Getnet Argentina Para Woocommerce Plugin

The Getnet Argentina para Woocommerce plugin for WordPress is vulnerable to authorization bypass due to missing validation on the 'webhook' function in versions up to, and including, 0.0.4. This makes it possible for unauthenticated attackers to set their payment status to 'APPROVED' without payment.

PLUGIN Getnet Argentina Para Woocommerce

CVE-2023-3525

HIGH CVSS 7.5 2023-07-12
Threat Entry Updated 2024-11-21

CVE-2023-3168 - Wp Reroute Email Plugin

The WP Reroute Email plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an email subject in versions up to, and including, 1.4.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Reroute Email

CVE-2023-3168

HIGH CVSS 7.2 2023-07-12
Threat Entry Updated 2024-11-21

CVE-2023-3167 - Mail Queue Plugin

The Mail Queue plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an email subject in versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Mail Queue

CVE-2023-3167

HIGH CVSS 7.2 2023-07-12
Threat Entry Updated 2024-11-21

CVE-2023-3166 - Lana Email Logger Plugin

The Lana Email Logger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an email subject in versions up to, and including, Lana Email Logger due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Lana Email Logger

CVE-2023-3166

HIGH CVSS 7.2 2023-07-12
Threat Entry Updated 2024-11-21

CVE-2023-3158 - Mail Control Plugin

The Mail Control plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an email subject in versions up to, and including, 0.2.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Mail Control

CVE-2023-3158

HIGH CVSS 7.2 2023-07-12