Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,866 (Critical: 0, High: 0, Medium: 10,866)
Showing 7901-7920 of 10866 records
Threat Entry Updated 2024-11-21

CVE-2023-6701 - Advanced Custom Fields Plugin

The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a custom text field in all versions up to, and including, 6.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Advanced Custom Fields

CVE-2023-6701

MEDIUM CVSS 6.4 2024-02-05
Threat Entry Updated 2024-11-21

CVE-2023-6526 - Meta Box Plugin

The Meta Box – WordPress Custom Fields Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom post meta values displayed through the plugin's shortcode in all versions up to, and including, 5.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Meta Box

CVE-2023-6526

MEDIUM CVSS 6.4 2024-02-05
Threat Entry Updated 2024-11-21

CVE-2023-6557 - The Events Calendar Plugin

The Events Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.2.8.2 via the route function hooked into wp_ajax_nopriv_tribe_dropdown. This makes it possible for unauthenticated attackers to extract potentially sensitive data, including the post titles and IDs of pending, private and draft posts.

PLUGIN The Events Calendar

CVE-2023-6557

MEDIUM CVSS 5.3 2024-02-05
Threat Entry Updated 2024-11-21

CVE-2023-4637 - Migration Backup Staging Plugin

The WPvivid plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the restore() and get_restore_progress() functions in versions up to, and including, 0.9.94. This makes it possible for unauthenticated attackers to invoke these functions and obtain full file paths if they have access to a backup ID.

PLUGIN Migration Backup Staging

CVE-2023-4637

MEDIUM CVSS 4.3 2024-02-05
Threat Entry Updated 2025-07-16

CVE-2024-0909 - Anonymous Restricted Content Plugin

The Anonymous Restricted Content plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 1.6.2. This is due to insufficient restrictions through the REST API on the posts/pages that protections are being placed on. This makes it possible for unauthenticated attackers to access protected content.

PLUGIN Anonymous Restricted Content

CVE-2024-0909

MEDIUM CVSS 5.3 2024-02-03
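Both CVE-2023-6557 and CVE-2024-0909 are the same design mistake seen from two code paths: a front-end check on what a visitor may read, while an unauthenticated AJAX route or the REST API serves the underlying post data without that check. The following is an added illustration, not code from The Events Calendar or Anonymous Restricted Content; the plugin name, hook names, and the `demo_restricted` meta key are assumptions.

```php
<?php
// Added illustration, not the listed plugins' code. Hypothetical plugin that
// (1) exposes a post search to unauthenticated AJAX callers and
// (2) marks some posts as restricted via the meta key 'demo_restricted' (assumed).

// (1) BEFORE: the nopriv handler searches every status, so the titles and IDs of
// draft, pending and private posts are returned to anyone calling admin-ajax.php.
function demo_dropdown_vulnerable() {
    $term = isset( $_GET['term'] ) ? sanitize_text_field( wp_unslash( $_GET['term'] ) ) : '';
    $q = new WP_Query( array(
        'post_type'      => 'post',
        'post_status'    => 'any',   // <-- leaks non-public posts
        's'              => $term,
        'posts_per_page' => 20,
    ) );
    wp_send_json( wp_list_pluck( $q->posts, 'post_title', 'ID' ) );
}

// AFTER: an unauthenticated route may only ever return what an anonymous visitor
// could read anyway; enforce that in the query itself, not in the template.
function demo_dropdown_hardened() {
    $term = isset( $_GET['term'] ) ? sanitize_text_field( wp_unslash( $_GET['term'] ) ) : '';
    $q = new WP_Query( array(
        'post_type'      => 'post',
        'post_status'    => 'publish',   // nothing pending, draft or private
        'has_password'   => false,       // and nothing password-protected
        's'              => $term,
        'posts_per_page' => 20,
        'no_found_rows'  => true,
    ) );
    wp_send_json( wp_list_pluck( $q->posts, 'post_title', 'ID' ) );
}
add_action( 'wp_ajax_demo_dropdown', 'demo_dropdown_hardened' );
add_action( 'wp_ajax_nopriv_demo_dropdown', 'demo_dropdown_hardened' );

// (2) A template-level check is not enough: /wp-json/wp/v2/posts/<id> builds the
// post representation through a different code path. Filter that representation too.
function demo_rest_strip_restricted( $response, $post, $request ) {
    if ( get_post_meta( $post->ID, 'demo_restricted', true ) && ! is_user_logged_in() ) {
        $data = $response->get_data();
        $data['content']['rendered']  = '';
        $data['excerpt']['rendered']  = '';
        $data['content']['protected'] = true;
        $response->set_data( $data );
    }
    return $response;
}
add_filter( 'rest_prepare_post', 'demo_rest_strip_restricted', 10, 3 );
```

A quick check for either class of bug is to call the plugin's `admin-ajax.php?action=...` and `/wp-json/` endpoints from a logged-out session and compare what comes back against what the site's front end shows a visitor; any draft title, private post, or "restricted" body that appears in the JSON is a finding.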
Threat Entry Updated 2024-11-21

CVE-2024-0895 - Pdf Flipbook 3d Flipbook Plugin

The PDF Flipbook, 3D Flipbook – DearFlip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via outline settings in all versions up to, and including, 2.2.26 due to insufficient input sanitization and output escaping on user supplied data. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Pdf Flipbook 3d Flipbook

CVE-2024-0895

MEDIUM CVSS 5.4 2024-02-03
Threat Entry Updated 2024-11-21

CVE-2024-0963 - Calculated Fields Form Plugin

The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's CP_CALCULATED_FIELDS shortcode in all versions up to, and including, 1.2.52 due to insufficient input sanitization and output escaping on user supplied 'location' attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Calculated Fields Form

CVE-2024-0963

MEDIUM CVSS 6.4 2024-02-02
Threat Entry Updated 2025-08-15

CVE-2024-0844 - Ai Popup Plugin

The Popup More Popups, Lightboxes, and more popup modules plugin for WordPress is vulnerable to Local File Inclusion in version 2.1.6 via the ycfChangeElementData() function. This makes it possible for authenticated attackers, with administrator-level access and above, to include and execute arbitrary files ending with "Form.php" on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.

PLUGIN Ai Popup

CVE-2024-0844

MEDIUM CVSS 4.7 2024-02-02
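The "files ending with Form.php" wording in CVE-2024-0844 is the signature of a fixed suffix appended to a caller-controlled name before `include`. A suffix does not stop traversal: the attacker only needs to get any file whose name ends in `Form.php` onto the disk (an upload directory will do) and point the path at it. The following is an added illustration, not DearFlip's code; the element names, hook and nonce action are assumptions.

```php
<?php
// Added illustration, not code from the listed plugin. Hypothetical AJAX handler that
// renders a settings form for an element type chosen by the request.

// BEFORE: the name is concatenated into the include path. Only the suffix is fixed,
// so "../../../uploads/2024/evilForm" walks out of the plugin directory.
function demo_render_element_vulnerable() {
    $type = isset( $_POST['element'] ) ? $_POST['element'] : 'text';
    include plugin_dir_path( __FILE__ ) . 'elements/' . $type . 'Form.php';
}

// AFTER: authorise, then resolve the name against an allowlist, then verify the
// canonical path still lies inside the template directory before including it.
function demo_render_element_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'demo_element', 'nonce' );

    $allowed = array( 'text', 'image', 'button' );   // assumed set of element types
    $type    = isset( $_POST['element'] ) ? sanitize_key( wp_unslash( $_POST['element'] ) ) : 'text';
    if ( ! in_array( $type, $allowed, true ) ) {
        wp_send_json_error( 'unknown element', 400 );
    }

    $base = realpath( plugin_dir_path( __FILE__ ) . 'elements' );
    $file = realpath( $base . DIRECTORY_SEPARATOR . $type . 'Form.php' );
    // realpath() returns false for a missing file and collapses '..' segments and
    // symlinks, so a prefix check on the canonical path holds even if the allowlist
    // above is later widened to user-defined element names.
    if ( false === $file || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid element', 400 );
    }
    include $file;
    wp_die();
}
add_action( 'wp_ajax_demo_render_element', 'demo_render_element_hardened' );
```

On a single-site install an administrator can usually install plugins anyway, which is why the score is low; the bug matters on hardened or multisite hosts where `DISALLOW_FILE_MODS` is set and administrators are not supposed to be able to run arbitrary PHP.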
Threat Entry Updated 2024-11-21

CVE-2024-1047 - Orbit Fox Plugin

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the register_reference() function in all versions up to, and including, 2.10.28. This makes it possible for unauthenticated attackers to update the connected API keys.

PLUGIN Orbit Fox

CVE-2024-1047

MEDIUM CVSS 5.3 2024-02-02
Threat Entry Updated 2024-11-21

CVE-2024-1162 - Orbit Fox Plugin

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10.29. This is due to missing or incorrect nonce validation on the register_reference() function. This makes it possible for unauthenticated attackers to update the connected API keys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Orbit Fox

CVE-2024-1162

MEDIUM CVSS 4.3 2024-02-02
Threat Entry Updated 2024-11-21

CVE-2024-1073 - Slimstat Analytics Plugin

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'filter_array' parameter in all versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Slimstat Analytics

CVE-2024-1073

MEDIUM CVSS 6.4 2024-02-02
Threat Entry Updated 2024-11-21

CVE-2024-0685 - Ninja Forms Plugin

The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Second Order SQL Injection via the email address value submitted through forms in all versions up to, and including, 3.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to inject SQL through their email address; the injected fragment is appended to the existing query when an administrator triggers a personal data export.

PLUGIN Ninja Forms

CVE-2024-0685

MEDIUM CVSS 5.9 2024-02-02
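"Second order" in CVE-2024-0685 means the value was stored safely and the injection happens later, when it is read back and spliced into a query as if it were trusted. The following is an added illustration, not Ninja Forms code; the table `wp_demo_submissions` and its columns are assumptions.

```php
<?php
// Added illustration, not code from the listed plugin. Hypothetical privacy exporter
// that pulls a requester's submissions by the e-mail address they typed in earlier.
// Table and column names (demo_submissions: id, email, submission) are assumed.

// BEFORE (second-order injection). The address was written safely at submission
// time, e.g. with $wpdb->insert(), which escapes. The bug is here, where it is read
// back and interpolated because "it came from our own database".
function demo_export_sql_vulnerable( $email ) {
    global $wpdb;
    return "SELECT id, submission FROM {$wpdb->prefix}demo_submissions WHERE email = '$email'";
}

// AFTER: every query site prepares its own parameters, whatever the value's origin.
function demo_export_sql_hardened( $email ) {
    global $wpdb;
    return $wpdb->prepare(
        "SELECT id, submission FROM {$wpdb->prefix}demo_submissions WHERE email = %s",
        $email
    );
}

function demo_export_submissions( $email ) {
    global $wpdb;
    return $wpdb->get_results( demo_export_sql_hardened( $email ), ARRAY_A );
}

// Constructed payload: what an anonymous submitter types into the "e-mail" field.
// Nothing breaks at submission time, so it sits in the table until the export runs.
const DEMO_STORED_EMAIL = "a@example.com' OR '1'='1";

// demo_export_sql_vulnerable( DEMO_STORED_EMAIL ) yields
//   SELECT id, submission FROM wp_demo_submissions WHERE email = 'a@example.com' OR '1'='1'
// so the administrator's export of one person's data returns every row in the table,
// and the export file is then handed to the attacker who requested it.
//
// demo_export_sql_hardened( DEMO_STORED_EMAIL ) quotes and escapes the %s placeholder,
// so the comparison is against the literal string  a@example.com' OR '1'='1  and matches nothing.
```

Validating the address at input time (`is_email()`, `sanitize_email()`) is worth doing, but it does not replace `$wpdb->prepare()` at the query: rows written before the validation was added, imports, and other writers all feed the same table.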
Threat Entry Updated 2024-11-21

CVE-2023-51506 - Wordpress Currency Switcher Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in realmag777 WPCS – WordPress Currency Switcher Professional allows Stored XSS. This issue affects WPCS – WordPress Currency Switcher Professional: from n/a through 1.2.0.

PLUGIN Wordpress Currency Switcher

CVE-2023-51506

MEDIUM CVSS 5.5 2024-02-01
Threat Entry Updated 2024-11-21

CVE-2023-51536 - Crm Perks Forms Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks CRM Perks Forms – WordPress Form Builder allows Stored XSS. This issue affects CRM Perks Forms – WordPress Form Builder: from n/a through 1.1.2.

PLUGIN Crm Perks Forms

CVE-2023-51536

MEDIUM CVSS 5.9 2024-02-01
Threat Entry Updated 2024-11-21

CVE-2023-51532 - Icegram Engage Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Icegram Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building allows Stored XSS. This issue affects Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building: from n/a through 3.1.19.

PLUGIN Icegram Engage

CVE-2023-51532

MEDIUM CVSS 6.5 2024-02-01
Threat Entry Updated 2024-11-21

CVE-2023-7069 - Advanced Iframe Plugin

The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2023.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-24870 is likely a duplicate of this issue.

PLUGIN Advanced Iframe

CVE-2023-7069

MEDIUM CVSS 6.4 2024-02-01
Threat Entry Updated 2024-11-21

CVE-2024-22150 - Powerfolio Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PWR Plugins Portfolio & Image Gallery for WordPress | PowerFolio allows Stored XSS. This issue affects Portfolio & Image Gallery for WordPress | PowerFolio: from n/a through 3.1.

PLUGIN Powerfolio

CVE-2024-22150

MEDIUM CVSS 6.5 2024-01-31
Threat Entry Updated 2024-11-21

CVE-2024-0836 - Review Schema Plugin

The WordPress Review & Structure Data Schema Plugin – Review Schema plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the rtrs_review_edit() function in all versions up to, and including, 2.1.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify arbitrary reviews.

PLUGIN Review Schema

CVE-2024-0836

MEDIUM CVSS 4.3 2024-01-31
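CVE-2024-1047 and CVE-2024-1162 are instructive as a pair: the same register_reference() function was first reachable by anyone (missing capability check) and, once that was fixed, still reachable through an administrator's browser (missing nonce). CVE-2023-4637 and CVE-2024-0836 add the third check that is often forgotten, that the caller owns the object they are touching. The following is an added illustration, not Orbit Fox, WPvivid or Review Schema code; the option name, post type and nonce actions are assumptions.

```php
<?php
// Added illustration, not the listed plugins' code. Hypothetical settings endpoint
// that stores a third-party API key, and an edit endpoint for user-submitted reviews
// kept as a custom post type 'demo_review' (assumed).

// BEFORE: reachable by anyone (nopriv), no nonce, no capability check.
function demo_save_api_key_vulnerable() {
    update_option( 'demo_api_key', $_POST['api_key'] );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_api_key', 'demo_save_api_key_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_save_api_key', 'demo_save_api_key_vulnerable' );

// AFTER: two independent checks, each closing a different hole.
function demo_save_api_key_hardened() {
    // 1. Authorization: may this user change site settings at all?
    //    Closes the "missing capability check" class (any subscriber, or nobody logged in).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF: did the request originate from a page we rendered for this user?
    //    A capability check alone does not stop a forged request riding an admin's session.
    check_ajax_referer( 'demo_save_api_key', 'nonce' );

    $key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    update_option( 'demo_api_key', $key );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_api_key', 'demo_save_api_key_hardened' );
// Deliberately no wp_ajax_nopriv_ registration: anonymous callers have no business here.

// Object-level authorization: a subscriber may edit their own review, not arbitrary ones.
function demo_review_edit_hardened() {
    check_ajax_referer( 'demo_review_edit', 'nonce' );
    $review_id = isset( $_POST['review_id'] ) ? absint( $_POST['review_id'] ) : 0;
    $review    = get_post( $review_id );

    if ( ! $review || 'demo_review' !== $review->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }
    // 3. Ownership: compare the authenticated user to the object's owner, or fall
    //    back to a capability that editors hold and subscribers do not.
    if ( (int) $review->post_author !== get_current_user_id()
         && ! current_user_can( 'edit_others_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $content = isset( $_POST['content'] ) ? wp_kses_post( wp_unslash( $_POST['content'] ) ) : '';
    wp_update_post( array( 'ID' => $review_id, 'post_content' => $content ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_review_edit', 'demo_review_edit_hardened' );
```

When reviewing a plugin, grep for every `add_action( 'wp_ajax_` and `wp_ajax_nopriv_` registration and confirm each callback performs all three checks that apply; a nonce check by itself is not authorization, because any logged-in user can obtain a nonce for an action the page hands them.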
Threat Entry Updated 2024-11-21

CVE-2023-2439 - Userpro Plugin

The UserPro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userpro' shortcode in versions up to, and including, 5.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Userpro

CVE-2023-2439

MEDIUM CVSS 6.4 2024-01-31
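Most of the Stored XSS entries on this page (CVE-2024-0963, CVE-2023-7069, CVE-2023-2439 via shortcode attributes; CVE-2023-6701 and CVE-2023-6526 via stored custom-field values) share one root cause: a value a contributor controls is written into HTML without escaping for the context it lands in. The contributor threat model matters: contributors cannot publish, but an editor or administrator previews the pending post, and the payload runs in that higher-privileged session. The following is an added illustration, not any listed plugin's code; the shortcode name, attribute set and meta key are assumptions.

```php
<?php
// Added illustration, not the listed plugins' code. Hypothetical shortcode
// [demo_box location="..." post_id="..."] that also prints a stored meta value.

// BEFORE (shown for contrast, not registered): attribute and stored meta are echoed
// raw. A contributor stores the payload in their own post; it executes in the browser
// of every reader, including the editor who reviews the pending post.
function demo_box_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'location' => 'top', 'post_id' => 0 ), $atts, 'demo_box' );
    $note = get_post_meta( (int) $atts['post_id'], 'demo_note', true ); // contributor-controlled
    return '<div class="demo-box" data-location="' . $atts['location'] . '">' . $note . '</div>';
}

// AFTER: validate what has a fixed vocabulary, escape the rest at output time,
// using the escaper for the context it is written into.
function demo_box_hardened( $atts ) {
    $atts = shortcode_atts( array( 'location' => 'top', 'post_id' => 0 ), $atts, 'demo_box' );

    // 'location' is one of a few known values: allowlist it rather than escaping a free string.
    $location = in_array( $atts['location'], array( 'top', 'bottom', 'left', 'right' ), true )
        ? $atts['location'] : 'top';

    $note = get_post_meta( absint( $atts['post_id'] ), 'demo_note', true );

    return sprintf(
        '<div class="demo-box" data-location="%s">%s</div>',
        esc_attr( $location ),   // attribute context
        wp_kses_post( $note )    // rich text allowed; <script> and on* handlers stripped
    );
}
add_shortcode( 'demo_box', 'demo_box_hardened' );

// On the write side, sanitize before storing so the database never holds a payload.
// Output escaping above still stays in place: stored data may come from other writers.
function demo_save_note( $post_id ) {
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    if ( ! isset( $_POST['demo_note'] ) || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    check_admin_referer( 'demo_save_note', 'demo_note_nonce' );
    // Users without 'unfiltered_html' (contributors, authors) get the same filter
    // core applies to their post content.
    $raw   = wp_unslash( $_POST['demo_note'] );
    $clean = current_user_can( 'unfiltered_html' ) ? $raw : wp_kses_post( $raw );
    update_post_meta( $post_id, 'demo_note', $clean );
}
add_action( 'save_post', 'demo_save_note' );
```

A practical test for any shortcode handler is to place it in a post as a contributor with an attribute such as `location='x" onmouseover="alert(1)'` and preview it as an administrator; if the handler is escaped correctly the attribute value appears inert in the page source.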