Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total3,046
Critical0
High3,046
Medium0
Reset
Showing 2441-2460 of 3046 records
Threat Entry Updated 2024-11-21

CVE-2023-3135 - Mailtree Log Mail Plugin

The Mailtree Log Mail plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an email subject in versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Mailtree Log Mail

CVE-2023-3135

HIGH CVSS 7.2 2023-07-12
Threat Entry Updated 2024-11-21

CVE-2023-3122 - Gd Mail Queue Plugin

The GD Mail Queue plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email contents in versions up to, and including, 3.9.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Gd Mail Queue

CVE-2023-3122

HIGH CVSS 7.2 2023-07-12
Threat Entry Updated 2024-11-21

CVE-2023-3093 - Yaysmtp Plugin

The YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email contents in versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Yaysmtp

CVE-2023-3093

HIGH CVSS 7.2 2023-07-12
Threat Entry Updated 2024-11-21

CVE-2023-3092 - Smtp Mail Plugin

The SMTP Mail plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an email subject in versions up to, and including, 1.2.16 due to insufficient input sanitization and output escaping when the 'Save Data SendMail' feature is enabled. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Smtp Mail

CVE-2023-3092

HIGH CVSS 7.2 2023-07-12
Threat Entry Updated 2024-11-21

CVE-2023-3088 - Wp Mail Log Plugin

The WP Mail Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email contents in versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Mail Log

CVE-2023-3088

HIGH CVSS 7.2 2023-07-12
Threat Entry Updated 2024-11-21

CVE-2023-3087 - Fluentsmtp Plugin

The FluentSMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an email subject in versions up to, and including, 2.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Fluentsmtp

CVE-2023-3087

HIGH CVSS 7.2 2023-07-12
Threat Entry Updated 2025-06-04

CVE-2023-3082 - Post Smtp Plugin

The Post SMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email contents in versions up to, and including, 2.5.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Post Smtp

CVE-2023-3082

HIGH CVSS 7.2 2023-07-12
Threat Entry Updated 2024-11-21

CVE-2023-3081 - Wp Mail Logging Plugin

The WP Mail Logging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email contents in versions up to, and including, 1.11.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: An incomplete fix was released in 1.11.1.

PLUGIN Wp Mail Logging

CVE-2023-3081

HIGH CVSS 7.2 2023-07-12
Threat Entry Updated 2024-11-21

CVE-2023-3080 - Wp Mail Catcher Plugin

The WP Mail Catcher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an email subject in versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Mail Catcher

CVE-2023-3080

HIGH CVSS 7.2 2023-07-12
Threat Entry Updated 2024-11-21

CVE-2023-3023 - Wp Easycart Plugin

The WP EasyCart plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in versions up to, and including, 5.4.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level or above permissions, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Wp Easycart

CVE-2023-3023

HIGH CVSS 7.2 2023-07-12
Threat Entry Updated 2024-11-21

CVE-2023-2079 - Buy Me A Coffee Plugin

The "Buy Me a Coffee – Button and Widget Plugin" plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the recieve_post, bmc_disconnect, name_post, and widget_post functions in versions up to, and including, 3.7. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request, granted the attacker can trick a site's administrator into performing an action such as clicking on a link.

PLUGIN Buy Me A Coffee

CVE-2023-2079

HIGH CVSS 8.3 2023-07-11
Threat Entry Updated 2024-11-21

CVE-2023-2078 - Buy Me A Coffee Plugin

The "Buy Me a Coffee – Button and Widget Plugin" plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the recieve_post, bmc_disconnect, name_post, and widget_post functions in versions up to, and including, 3.7. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to update the plugin's settings. CVE-2023-25030 may be a duplicate of this issue.

PLUGIN Buy Me A Coffee

CVE-2023-2078

HIGH CVSS 7.3 2023-07-11
Threat Entry Updated 2024-11-21

CVE-2023-2493 - All In One Redirection Plugin

The All In One Redirection WordPress plugin before 2.2.0 does not properly sanitise and escape multiple parameters before using them in an SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

PLUGIN All In One Redirection

CVE-2023-2493

HIGH CVSS 7.2 2023-07-10
Threat Entry Updated 2024-11-21

CVE-2023-1597 - Tagdiv Cloud Library Plugin

The tagDiv Cloud Library WordPress plugin before 2.7 does not have authorisation and CSRF checks in an AJAX action accessible to both unauthenticated and authenticated users, allowing unauthenticated users to change arbitrary user metadata, which could lead to privilege escalation by setting themselves as an admin of the blog.

PLUGIN Tagdiv Cloud Library

CVE-2023-1597

HIGH CVSS 8.8 2023-07-10
Threat Entry Updated 2024-11-21

CVE-2023-1273 - Nd Shortcodes Plugin

The ND Shortcodes WordPress plugin before 7.0 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated user, such as a subscriber, to perform LFI attacks.

PLUGIN Nd Shortcodes

CVE-2023-1273

HIGH CVSS 8.8 2023-07-04
Threat Entry Updated 2024-11-21

CVE-2023-3133 - Tutor LMS Plugin

The Tutor LMS WordPress plugin before 2.2.1 does not implement adequate permission checks for REST API endpoints, allowing unauthenticated attackers to access information from Lessons that should not be publicly available.

PLUGIN Tutor LMS

CVE-2023-3133

HIGH CVSS 7.5 2023-07-04
Threat Entry Updated 2026-04-08

CVE-2021-4401 - Style Kits Plugin

The Style Kits plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.0. This is due to missing or incorrect nonce validation on the update_posts_stylekit() function. This makes it possible for unauthenticated attackers to update style kits for posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Style Kits

CVE-2021-4401

HIGH CVSS 8.8 2023-07-01
Threat Entry Updated 2024-11-21

CVE-2023-3063 - Sp Project Document Manager Plugin

The SP Project & Document Manager plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.67. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with subscriber privileges or above, to change user passwords and potentially take over administrator accounts.

PLUGIN Sp Project Document Manager

CVE-2023-3063

HIGH CVSS 8.8 2023-06-30
Threat Entry Updated 2024-11-21

CVE-2023-3447 - Ldap Integration Plugin

The Active Directory Integration / LDAP Integration plugin for WordPress is vulnerable to LDAP Injection in versions up to, and including, 4.1.5. This is due to insufficient escaping on the supplied username value. This makes it possible for unauthenticated attackers to extract potentially sensitive information from the LDAP directory.

PLUGIN Ldap Integration

CVE-2023-3447

HIGH CVSS 8.6 2023-06-29