
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 10,866 records (Critical 0, High 0, Medium 10,866). Showing 7781-7800 of 10866 records.
Threat Entry Updated 2025-05-01

CVE-2023-7202 - Fatal Error Notify Plugin

The Fatal Error Notify WordPress plugin before 1.5.3 does not have authorisation and CSRF checks in its test_error AJAX action, allowing any authenticated user, such as a subscriber, to call it and spam the admin email address with error messages. The issue is also exploitable via CSRF.

PLUGIN Fatal Error Notify

CVE-2023-7202

MEDIUM CVSS 6.1 2024-02-27
Threat Entry Updated 2025-05-01

CVE-2023-7167 - Persian Fonts Plugin

The Persian Fonts WordPress plugin through 1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Persian Fonts

CVE-2023-7167

MEDIUM CVSS 6.1 2024-02-27
Threat Entry Updated 2025-05-01

CVE-2024-0855 - Spiffy Calendar Plugin

The Spiffy Calendar WordPress plugin before 4.9.9 doesn't check the event_author parameter, and allows any user to alter it when creating an event, leading users/admins to believe that a page was created by a Contributor+ user.

PLUGIN Spiffy Calendar

CVE-2024-0855

MEDIUM CVSS 5.3 2024-02-27
Threat Entry Updated 2025-03-27

CVE-2023-7115 - Before 1 Plugin

The Page Builder: Pagelayer WordPress plugin before 1.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 1

CVE-2023-7115

MEDIUM CVSS 4.8 2024-02-27
Threat Entry Updated 2025-05-01

CVE-2023-7198 - Wp Dashboard Notes Plugin

The WP Dashboard Notes WordPress plugin before 1.0.11 is vulnerable to Insecure Direct Object References (IDOR) in the post_id parameter. Authenticated users are able to delete private notes associated with different user accounts. This poses a significant security risk as it violates the principle of least privilege and compromises the integrity and privacy of user data.

PLUGIN Wp Dashboard Notes

CVE-2023-7198

MEDIUM CVSS 4.3 2024-02-27
Threat Entry Updated 2025-01-15

CVE-2024-1687 - Woocommerce Thank You Page Customizer Plugin

The Thank You Page Customizer for WooCommerce – Increase Your Sales plugin for WordPress is vulnerable to unauthorized execution of shortcodes due to a missing capability check on the get_text_editor_content() function in all versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute arbitrary shortcodes.

PLUGIN Woocommerce Thank You Page Customizer

CVE-2024-1687

MEDIUM CVSS 5.4 2024-02-27
Threat Entry Updated 2025-01-15

CVE-2024-1686 - Woocommerce Thank You Page Customizer Plugin

The Thank You Page Customizer for WooCommerce – Increase Your Sales plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 1.1.2 via the apply_layout function due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve arbitrary order data which may contain PII.

PLUGIN Woocommerce Thank You Page Customizer

CVE-2024-1686

MEDIUM CVSS 5.3 2024-02-27
Threat Entry Updated 2025-01-16

CVE-2024-1323 - Orbit Fox Plugin

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Post Type Grid Widget Title in all versions up to, and including, 2.10.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Orbit Fox

CVE-2024-1323

MEDIUM CVSS 6.4 2024-02-27
Threat Entry Updated 2025-02-27

CVE-2024-1758 - Superfaktura Woocommerce Plugin

The SuperFaktura WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.40.3 via the wc_sf_url_check function. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Superfaktura Woocommerce

CVE-2024-1758

MEDIUM CVSS 5.4 2024-02-26
Threat Entry Updated 2025-01-16

CVE-2024-1165 - Brizy Plugin

The Brizy – Page Builder plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.4.39 via the 'id' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to upload files to arbitrary locations on the server.

PLUGIN Brizy

CVE-2024-1165

MEDIUM CVSS 4.3 2024-02-26
Threat Entry Updated 2025-02-05

CVE-2024-1810 - Archivist Plugin

The Archivist – Custom Archive Templates plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode_attributes' parameter in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Archivist

CVE-2024-1810

MEDIUM CVSS 6.1 2024-02-24
Threat Entry Updated 2025-01-15

CVE-2024-1362 - Colibri Page Builder Plugin

The Colibri Page Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.253. This is due to missing or incorrect nonce validation on the cp_shortcode_refresh() function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Colibri Page Builder

CVE-2024-1362

MEDIUM CVSS 4.3 2024-02-23
Threat Entry Updated 2025-01-15

CVE-2024-1361 - Colibri Page Builder Plugin

The Colibri Page Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.253. This is due to missing or incorrect nonce validation on the apiCall() function. This makes it possible for unauthenticated attackers to call a limited set of functions that can be used to import images, delete posts, or save theme data via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Colibri Page Builder

CVE-2024-1361

MEDIUM CVSS 4.3 2024-02-23
Threat Entry Updated 2025-02-05

CVE-2024-1360 - Colibri Plugin

The Colibri WP theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.94. This is due to missing or incorrect nonce validation on the colibriwp_install_plugin() function. This makes it possible for unauthenticated attackers to install recommended plugins via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Colibri

CVE-2024-1360

MEDIUM CVSS 4.3 2024-02-23
Threat Entry Updated 2025-06-17

CVE-2023-4826 - Socialdriver Plugin

The SocialDriver WordPress theme before version 2024 has a prototype pollution vulnerability that could allow an attacker to inject arbitrary properties resulting in a cross-site scripting (XSS) attack.

PLUGIN Socialdriver

CVE-2023-4826

MEDIUM CVSS 6.1 2024-02-23
Threat Entry Updated 2025-01-28

CVE-2024-1590 - Pagelayer Plugin

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button Widget in all versions up to, and including, 1.8.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Pagelayer

CVE-2024-1590

MEDIUM CVSS 4.6 2024-02-23
Threat Entry Updated 2025-01-16

CVE-2024-1779 - Admin Side Data Storage For Contact Form 7 Plugin

The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the zt_dcfcf_change_status() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to alter the message read status of messages.

PLUGIN Admin Side Data Storage For Contact Form 7

CVE-2024-1779

MEDIUM CVSS 5.3 2024-02-23
Threat Entry Updated 2025-01-16

CVE-2024-1778 - Admin Side Data Storage For Contact Form 7 Plugin

The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the zt_dcfcf_change_bookmark() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to alter bookmark statuses.

PLUGIN Admin Side Data Storage For Contact Form 7

CVE-2024-1778

MEDIUM CVSS 4.3 2024-02-23
Threat Entry Updated 2025-01-16

CVE-2024-1777 - Admin Side Data Storage For Contact Form 7 Plugin

The Admin side data storage for Contact Form 7 plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the settings update function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Admin Side Data Storage For Contact Form 7

CVE-2024-1777

MEDIUM CVSS 4.3 2024-02-23
Threat Entry Updated 2025-02-05

CVE-2024-0903 - Userfeedback Plugin

The User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page_submitted' 'link' value in all versions up to, and including, 1.0.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the feedback submission page that will execute when a user clicks the link, while also pressing the command key.

PLUGIN Userfeedback

CVE-2024-0903

MEDIUM CVSS 5.4 2024-02-22