Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 141-160 of 196 records
Threat Entry Updated 2025-06-10

CVE-2024-3076 - Mm Email2image Plugin

The MM-email2image WordPress plugin through 0.2.5 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

PLUGIN Mm Email2image

CVE-2024-3076

LOW CVSS 3.8 2024-04-26
Threat Entry Updated 2025-05-08

CVE-2024-2972 - Floating Chat Widget Plugin

The Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button WordPress plugin before 3.1.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Floating Chat Widget

CVE-2024-2972

LOW CVSS 3.8 2024-04-24
Threat Entry Updated 2025-02-05

CVE-2023-5775 - Backwpup Plugin

The BackWPup plugin for WordPress is vulnerable to Plaintext Storage of Backup Destination Password in all versions up to, and including, 4.0.2. This is due to the plugin improperly storing backup destination passwords in plaintext. This makes it possible for authenticated attackers, with administrator-level access, to retrieve the password from the password input field in the UI or from the options table where the password is stored.

PLUGIN Backwpup

CVE-2023-5775

LOW CVSS 2.2 2024-02-26
Threat Entry Updated 2024-11-21

CVE-2024-0628 - Wp Rss Aggregator Plugin

The WP RSS Aggregator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.23.5 via the RSS feed source in admin settings. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Wp Rss Aggregator

CVE-2024-0628

LOW CVSS 3.8 2024-02-07
Threat Entry Updated 2024-11-21

CVE-2024-1075 - Minimal Coming Soon Maintenance Mode Plugin

The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable to maintenance mode bypass and information disclosure in all versions up to, and including, 2.37. This is due to the plugin improperly validating the request path. This makes it possible for unauthenticated attackers to bypass maintenance mode and view pages that should be hidden.

PLUGIN Minimal Coming Soon Maintenance Mode

CVE-2024-1075

LOW CVSS 3.7 2024-02-05
Threat Entry Updated 2024-11-21

CVE-2024-23825 - Tablepress Plugin

TablePress is a table plugin for WordPress. For importing tables, TablePress makes external HTTP requests based on a URL that is provided by the user. That user input is filtered insufficiently, which makes it possible to send requests to unintended network locations and receive responses. On sites in a cloud environment like AWS, an attacker can potentially make GET requests to the instance's metadata REST API. If the instance's configuration is insecure, this can lead to the exposure of internal data, including credentials. This vulnerability is fixed in 2.2.5.

PLUGIN Tablepress

CVE-2024-23825

LOW CVSS 3.0 2024-01-30
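The two SSRF entries above (WP RSS Aggregator, CVE-2024-0628, and TablePress, CVE-2024-23825) share the same root cause: a URL supplied through the admin UI is fetched server-side without checking where it actually points. The block below is an added example, written for this page in Python rather than taken from either plugin (which are PHP), of the validation a fetch routine should run before connecting: allow only http/https on standard ports, resolve the hostname, and reject any answer that is loopback, private, link-local (which covers the 169.254.169.254 metadata address) or otherwise non-routable. The hostnames and the `FAKE_DNS` table are constructed so the example runs offline; real code would call `socket.getaddrinfo()` in their place.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed stand-in for DNS so the example runs offline (hypothetical names).
FAKE_DNS = {
    "feeds.example.com": ["93.184.216.34"],
    "metadata.example.internal": ["169.254.169.254"],    # alias for the IMDS address
    "rebind.example.com": ["93.184.216.34", "127.0.0.1"],  # split answer, rebinding style
}


def resolve(host):
    """Return every address a hostname (or IP literal) maps to."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    if host not in FAKE_DNS:
        raise ValueError(f"unresolvable host: {host}")
    return [ipaddress.ip_address(a) for a in FAKE_DNS[host]]


def is_public(addr):
    """True only for globally routable unicast addresses."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16),
    # ULA (fd00::/8), documentation and reserved ranges.
    return addr.is_global and not addr.is_multicast


def check_fetch_target(url):
    """Validate a user-supplied feed/import URL; return the IP the client may connect to."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.hostname is None:
        raise ValueError("missing host")
    if parts.port not in (None, 80, 443):
        raise ValueError(f"port not allowed: {parts.port}")
    addrs = resolve(parts.hostname)
    # Every answer must be public: a mixed answer is how DNS rebinding slips through.
    for a in addrs:
        if not is_public(a):
            raise ValueError(f"{parts.hostname} resolves to non-public address {a}")
    return str(addrs[0])


def fetch_allowed(url):
    try:
        check_fetch_target(url)
        return True
    except ValueError:
        return False
```

The returned address is the one the HTTP client must actually connect to (sending the original hostname in the Host header); resolving a second time inside the client reopens the rebinding window. Redirect targets need the same check before they are followed.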
Threat Entry Updated 2025-06-02

CVE-2023-2252 - Directorist Plugin

The Directorist WordPress plugin before 7.5.4 is vulnerable to Local File Inclusion as it does not validate the file parameter when importing CSV files.

PLUGIN Directorist

CVE-2023-2252

LOW CVSS 2.7 2024-01-16
Threat Entry Updated 2025-06-03

CVE-2023-7048 - My Sticky Bar Plugin

The My Sticky Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.6. This is due to missing or incorrect nonce validation in mystickymenu-contact-leads.php. This makes it possible for unauthenticated attackers to trigger the export of a CSV file containing contact leads via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Because the CSV file is exported to a public location, it can be downloaded during a very short window…

PLUGIN My Sticky Bar

CVE-2023-7048

LOW CVSS 3.1 2024-01-11
Threat Entry Updated 2024-11-21

CVE-2023-37867 - Yet Another Stars Rating Plugin

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in YetAnotherStarsRating.Com YASR – Yet Another Star Rating Plugin for WordPress. This issue affects YASR – Yet Another Star Rating Plugin for WordPress: from n/a through 3.3.8.

PLUGIN Yet Another Stars Rating

CVE-2023-37867

LOW CVSS 3.7 2023-11-30
Threat Entry Updated 2024-11-21

CVE-2023-6160 - Lifterlms Plugin

The LifterLMS – WordPress LMS Plugin for eLearning plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 7.4.2 via the maybe_serve_export function. This makes it possible for authenticated attackers, with administrator or LMS manager access and above, to read the contents of arbitrary CSV files on the server, which can contain sensitive information, as well as to remove those files from the server.

PLUGIN Lifterlms

CVE-2023-6160

LOW CVSS 3.3 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-6164 - Mainwp Plugin

The MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to CSS Injection via the ‘newColor’ parameter in all versions up to, and including, 4.5.1.2 due to insufficient input sanitization. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary CSS values into the site tags.

PLUGIN Mainwp

CVE-2023-6164

LOW CVSS 2.2 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-4506 - Ldap Login For Intranet Sites Plugin

The Active Directory Integration / LDAP Integration plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 4.1.10. This is due to insufficient validation when changing the LDAP server. This makes it possible for authenticated attackers, with administrative access and above, to change the LDAP server and retrieve the credentials for the original LDAP server.

PLUGIN Ldap Login For Intranet Sites

CVE-2023-4506

LOW CVSS 2.2 2023-09-27
Threat Entry Updated 2024-11-21

CVE-2023-4505 - Ldap Ad Staff Employee Directory Search Plugin

The Staff / Employee Business Directory for Active Directory plugin for WordPress is vulnerable to LDAP Passback in versions up to, and including, 1.2.3. This is due to insufficient validation when changing the LDAP server. This makes it possible for authenticated attackers, with administrative access and above, to change the LDAP server and retrieve the credentials for the original LDAP server.

PLUGIN Ldap Ad Staff Employee Directory Search

CVE-2023-4505

LOW CVSS 2.2 2023-09-27
Threat Entry Updated 2025-04-23

CVE-2023-4216 - Orders Tracking For Woocommerce Plugin

The Orders Tracking for WooCommerce WordPress plugin before 1.2.6 doesn't validate the file_url parameter when importing a CSV file, allowing high privilege users with the manage_woocommerce capability to access any file on the web server via a Traversal attack. The content retrieved is however limited to the first line of the file.

PLUGIN Orders Tracking For Woocommerce

CVE-2023-4216

LOW CVSS 2.7 2023-09-04
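Three entries on this page (Directorist, CVE-2023-2252; LifterLMS, CVE-2023-6160; Orders Tracking for WooCommerce, CVE-2023-4216) are the same bug: a file name or path taken from the request is joined to a directory and opened without confirming that the result stays inside that directory. The block below is an added example, written in Python for this page and not code from any of those plugins, of the containment check that fixes it: canonicalise both the base directory and the candidate with `realpath` (which collapses `..` and follows symlinks) and require the base to be a prefix of the result. The fixture directory, file names and `wp-config.php` contents are constructed so the example runs offline.

```python
import os
import tempfile


def resolve_import_path(base_dir, user_path):
    """Return the real path of user_path inside base_dir, or raise ValueError."""
    base = os.path.realpath(base_dir)
    # join() discards base when user_path is absolute; realpath() collapses ".."
    # and follows symlinks, so the containment check sees the true target.
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes import directory: {user_path!r}")
    if not os.path.isfile(candidate):
        raise ValueError(f"not a regular file: {user_path!r}")
    return candidate


def first_line_vulnerable(path):
    """The pattern in the advisories: open whatever path was supplied."""
    with open(path) as f:
        return f.readline().rstrip("\n")


def first_line_hardened(base_dir, user_path):
    with open(resolve_import_path(base_dir, user_path)) as f:
        return f.readline().rstrip("\n")


def build_fixture():
    """Constructed layout: <root>/uploads/orders.csv plus a secret outside uploads."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    with open(os.path.join(uploads, "orders.csv"), "w") as f:
        f.write("order_id,tracking\n1001,ZZ123\n")
    secret = os.path.join(root, "wp-config.php")
    with open(secret, "w") as f:
        f.write("<?php define('DB_PASSWORD', 'constructed-secret');\n")
    symlink_ok = True
    try:
        # A symlink inside uploads pointing outside must also be rejected.
        os.symlink(secret, os.path.join(uploads, "link_out"))
    except OSError:
        symlink_ok = False  # platform without symlink support
    return {"root": root, "uploads": uploads, "secret": secret, "symlink": symlink_ok}


def rejected(base_dir, user_path):
    try:
        resolve_import_path(base_dir, user_path)
        return False
    except ValueError:
        return True
```

The same check works for the "delete after serving" case in the LifterLMS entry: validate once, then use the returned canonical path for both the read and the unlink, never the raw parameter.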
Threat Entry Updated 2024-11-21

CVE-2023-3947 - Video Conferencing With Zoom Plugin

The Video Conferencing with Zoom plugin for WordPress is vulnerable to Sensitive Information Exposure due to a hardcoded encryption key in the 'vczapi_encrypt_decrypt' function in versions up to, and including, 4.2.1. This makes it possible for unauthenticated attackers to decrypt and view the meeting id and password.

PLUGIN Video Conferencing With Zoom

CVE-2023-3947

LOW CVSS 3.7 2023-07-26
Threat Entry Updated 2024-11-21

CVE-2021-4428 - Autosuggest Plugin

A vulnerability has been found in what3words Autosuggest Plugin up to 4.0.0 on WordPress and classified as problematic. Affected by this vulnerability is the function enqueue_scripts of the file w3w-autosuggest/public/class-w3w-autosuggest-public.php of the component Setting Handler. The manipulation leads to information disclosure. The attack can be launched remotely. Upgrading to version 4.0.1 is able to address this issue. The patch is named dd59cbac5f86057d6a73b87007c08b8bfa0c32ac. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-234247.

PLUGIN Autosuggest

CVE-2021-4428

LOW CVSS 2.7 2023-07-18
Threat Entry Updated 2024-11-21

CVE-2023-3209 - MStore API Plugin

The MStore API WordPress plugin before 3.9.7 does not secure most of its AJAX actions by implementing privilege checks, nonce checks, or a combination of both.

PLUGIN MStore API

CVE-2023-3209

LOW CVSS 3.5 2023-07-10
Threat Entry Updated 2024-11-21

CVE-2023-2010 - Forminator Plugin

The Forminator WordPress plugin before 1.24.1 does not use an atomic operation to check whether a user has already voted, and then update that information. This leads to a Race Condition that may allow a single user to vote multiple times on a poll.

PLUGIN Forminator

CVE-2023-2010

LOW CVSS 3.1 2023-07-04
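The Forminator entry describes a check-then-act race: "has this user voted?" and "record the vote" are two separate statements, so two requests that arrive together can both pass the check before either writes. The block below is an added example for this page, in Python with SQLite, and not Forminator's own code. It reproduces the race by interleaving the two phases explicitly, then shows the fix: let the database enforce one vote per user with a UNIQUE constraint and treat the insert itself as the check. Table names, poll and user ids are constructed.

```python
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE votes_naive (poll_id INTEGER, user_id INTEGER, choice TEXT)")
    conn.execute(
        "CREATE TABLE votes_atomic (poll_id INTEGER, user_id INTEGER, choice TEXT, "
        "UNIQUE (poll_id, user_id))"
    )
    return conn


# --- Vulnerable pattern: separate check and write --------------------------
def has_voted(conn, poll_id, user_id):
    row = conn.execute(
        "SELECT 1 FROM votes_naive WHERE poll_id = ? AND user_id = ?", (poll_id, user_id)
    ).fetchone()
    return row is not None


def record_vote(conn, poll_id, user_id, choice):
    conn.execute("INSERT INTO votes_naive VALUES (?, ?, ?)", (poll_id, user_id, choice))


def vote_naive(conn, poll_id, user_id, choice):
    if has_voted(conn, poll_id, user_id):
        return False
    record_vote(conn, poll_id, user_id, choice)
    return True


def simulate_race_naive(conn, poll_id=1, user_id=42):
    """Two requests from one user interleave: both checks run before either write."""
    first_ok = not has_voted(conn, poll_id, user_id)
    second_ok = not has_voted(conn, poll_id, user_id)
    if first_ok:
        record_vote(conn, poll_id, user_id, "yes")
    if second_ok:
        record_vote(conn, poll_id, user_id, "yes")
    return count_votes(conn, "votes_naive", poll_id, user_id)


# --- Hardened: the insert is the check -------------------------------------
def vote_atomic(conn, poll_id, user_id, choice):
    """Returns True if this call recorded the vote, False if one already existed.
    INSERT OR IGNORE is atomic with respect to the UNIQUE index, so interleaving
    cannot produce two rows; rowcount tells us which caller won."""
    cur = conn.execute(
        "INSERT OR IGNORE INTO votes_atomic VALUES (?, ?, ?)", (poll_id, user_id, choice)
    )
    return cur.rowcount == 1


def count_votes(conn, table, poll_id, user_id):
    assert table in ("votes_naive", "votes_atomic")  # fixed set, not user input
    return conn.execute(
        f"SELECT COUNT(*) FROM {table} WHERE poll_id = ? AND user_id = ?", (poll_id, user_id)
    ).fetchone()[0]
```

On MySQL, which is what a WordPress site runs, the equivalent is a `UNIQUE KEY (poll_id, user_id)` on the votes table with `INSERT IGNORE` (or `INSERT ... ON DUPLICATE KEY UPDATE`) and a check of the affected-row count; `$wpdb->insert()` returns `false` on the duplicate-key error, which the caller must treat as "already voted" rather than retry.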
Threat Entry Updated 2024-11-21

CVE-2023-2897 - Brizy Plugin

The Brizy Page Builder plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.4.18. This is due to an implicit trust of user-supplied IP addresses in an 'X-Forwarded-For' HTTP header for the purpose of validating allowed IP addresses against a Maintenance Mode whitelist. Supplying a whitelisted IP address within the 'X-Forwarded-For' header allows maintenance mode to be bypassed and may result in the disclosure of potentially sensitive information or allow access to restricted functionality.

PLUGIN Brizy

CVE-2023-2897

LOW CVSS 3.7 2023-06-09
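The Brizy entry is a general pattern, not a plugin-specific one: `X-Forwarded-For` is a request header, so a client that connects directly can set it to any value, including an address on the maintenance-mode allowlist. The block below is an added example for this page, in Python and not Brizy's code, contrasting the unconditional trust described in the advisory with the usual fix: use the header only when the TCP peer is one of the site's own reverse proxies, and take the right-most hop that is not one of those proxies as the client. The proxy range, the allowlisted address and the sample requests are constructed.

```python
import ipaddress

# Hypothetical deployment: the site sits behind reverse proxies in 10.0.0.0/8
# that append the connecting client's address to X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
# Constructed maintenance-mode allowlist (the site owner's address).
MAINTENANCE_ALLOWLIST = {"203.0.113.5"}


def _is_trusted_proxy(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_vulnerable(remote_addr, headers):
    """The pattern in the advisory: the header wins whenever it is present."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr, headers):
    """Use X-Forwarded-For only when the peer is our proxy; take the right-most
    hop that is not one of our proxies, since everything left of it is
    attacker-supplied."""
    if not _is_trusted_proxy(remote_addr):
        return remote_addr  # direct connection: the header is untrusted input
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    while hops:
        candidate = hops.pop()
        if _is_trusted_proxy(candidate):
            continue  # appended by one of our own proxies
        try:
            ipaddress.ip_address(candidate)  # reject garbage such as "admin"
        except ValueError:
            return remote_addr
        return candidate
    return remote_addr


def maintenance_bypass(remote_addr, headers, resolver=client_ip_hardened):
    """True when the request is let through maintenance mode."""
    return resolver(remote_addr, headers) in MAINTENANCE_ALLOWLIST
```

The trusted-proxy list has to be configured by the operator; a plugin cannot discover it, which is why WordPress core itself never promotes `X-Forwarded-For` over `REMOTE_ADDR` automatically.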