Threat Database

Threat Entry Updated 2024-11-21

CVE-2023-7225 - Mappress Plugin

The MapPress Maps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the width and height parameters in all versions up to, and including, 2.88.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Mappress

CVE-2023-7225

MEDIUM CVSS 6.4 2024-01-30
Threat Entry Updated 2025-06-02

CVE-2023-7200 - EventON Plugin

The EventON WordPress plugin before 4.4.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue which could be used against high privilege users such as admins.

PLUGIN EventON

CVE-2023-7200

MEDIUM CVSS 6.1 2024-01-29
Threat Entry Updated 2025-06-20

CVE-2023-6389 - Wordpress Toolbar Plugin

The WordPress Toolbar WordPress plugin through 2.2.6 redirects to any URL via the "wptbto" parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

PLUGIN Wordpress Toolbar

CVE-2023-6389

MEDIUM CVSS 6.1 2024-01-29
Threat Entry Updated 2025-06-20

CVE-2023-6278 - Biteship Plugin

The Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo WordPress plugin before 2.2.25 does not sanitise and escape the biteship_error and biteship_message parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting issue which could be used against high privilege users such as admins.

PLUGIN Biteship

CVE-2023-6278

MEDIUM CVSS 6.1 2024-01-29
Threat Entry Updated 2025-06-20

CVE-2023-7089 - Easy Svg Support Plugin

The Easy SVG Allow WordPress plugin through 1.0 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

PLUGIN Easy Svg Support

CVE-2023-7089

MEDIUM CVSS 5.4 2024-01-29
Threat Entry Updated 2025-05-29

CVE-2023-6530 - Tj Shortcodes Plugin

The TJ Shortcodes WordPress plugin through 0.1.3 does not validate and escape some of its shortcode attributes before outputting them back in the page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Tj Shortcodes

CVE-2023-6530

MEDIUM CVSS 5.4 2024-01-29
Threat Entry Updated 2024-11-21

CVE-2023-6503 - Wp Plugin Lister

The WP Plugin Lister WordPress plugin through 2.1.0 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged-in admins add Stored XSS payloads via a CSRF attack.

PLUGIN Wp Plugin Lister

CVE-2023-6503

MEDIUM CVSS 5.4 2024-01-29
Threat Entry Updated 2025-05-29

CVE-2023-7199 - Relevanssi Premium Plugin

The Relevanssi WordPress plugin before 4.22.0 and the Relevanssi Premium WordPress plugin before 2.25.0 allow any unauthenticated user to read draft and private posts via a crafted request.

PLUGIN Relevanssi Premium

CVE-2023-7199

MEDIUM CVSS 5.3 2024-01-29
Threat Entry Updated 2025-05-29

CVE-2023-6165 - Restrict Usernames Emails Characters Plugin

The Restrict Usernames Emails Characters WordPress plugin before 3.1.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.
</gra_replace_placeholder>

PLUGIN Restrict Usernames Emails Characters

CVE-2023-6165

MEDIUM CVSS 4.8 2024-01-29
Threat Entry Updated 2025-06-09

CVE-2023-5956 - Wp Adv Quiz Plugin

The Wp-Adv-Quiz WordPress plugin through 1.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Wp Adv Quiz

CVE-2023-5956

MEDIUM CVSS 4.8 2024-01-29
Threat Entry Updated 2025-06-11

CVE-2023-5943 - Wp Adv Quiz Plugin

The Wp-Adv-Quiz WordPress plugin before 1.0.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN Wp Adv Quiz

CVE-2023-5943

MEDIUM CVSS 4.8 2024-01-29
Threat Entry Updated 2025-05-22

CVE-2023-5124 - Page Builder: Pagelayer Plugin

The Page Builder: Pagelayer WordPress plugin before 1.8.0 doesn't prevent attackers with administrator privileges from inserting malicious JavaScript inside a post's header or footer code, even when unfiltered_html is disallowed, such as in multi-site WordPress configurations.

PLUGIN Page Builder: Pagelayer

CVE-2023-5124

MEDIUM CVSS 4.8 2024-01-29
Threat Entry Updated 2024-11-21

CVE-2023-6633 - Site Notes Plugin

The Site Notes WordPress plugin through 2.0.0 does not have CSRF checks in some of its functionalities, which could allow attackers to make logged-in users perform unwanted actions, such as deleting administration notes, via CSRF attacks.

PLUGIN Site Notes

CVE-2023-6633

MEDIUM CVSS 4.3 2024-01-29
Threat Entry Updated 2024-11-21

CVE-2024-0618 - Contact Form Plugin

The Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via imported form titles in all versions up to, and including, 5.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Contact Form

CVE-2024-0618

MEDIUM CVSS 4.4 2024-01-27
Threat Entry Updated 2024-11-21

CVE-2024-0697 - Backuply Plugin

The Backuply – Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.2.3 via the node_id parameter in the backuply_get_jstree function. This makes it possible for attackers with administrator privileges or higher to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Backuply

CVE-2024-0697

MEDIUM CVSS 6.5 2024-01-27
Threat Entry Updated 2025-05-29

CVE-2024-0824 - Exclusive Addons For Elementor Plugin

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Link Anything functionality in all versions up to, and including, 2.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Exclusive Addons For Elementor

CVE-2024-0824

MEDIUM CVSS 6.4 2024-01-27
Threat Entry Updated 2024-11-21

CVE-2024-0667 - Form Maker Plugin

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.15.21. This is due to missing or incorrect nonce validation on the 'execute' function. This makes it possible for unauthenticated attackers to execute arbitrary methods in the 'BoosterController' class via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Form Maker

CVE-2024-0667

MEDIUM CVSS 5.4 2024-01-27
Threat Entry Updated 2024-11-21

CVE-2024-0664 - Meks Smart Social Widget Plugin

The Meks Smart Social Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Meks Smart Social Widget in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Meks Smart Social Widget

CVE-2024-0664

MEDIUM CVSS 4.4 2024-01-27
Threat Entry Updated 2024-11-21

CVE-2023-6497 - Wordpress Simple Shopping Cart Plugin

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automatic redirect URL setting in all versions up to and including 4.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Wordpress Simple Shopping Cart

CVE-2023-6497

MEDIUM CVSS 4.4 2024-01-27
Threat Entry Updated 2025-05-29

CVE-2024-0625 - Wpfront Notification Bar Plugin

The WPFront Notification Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpfront-notification-bar-options[custom_class]’ parameter in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Wpfront Notification Bar

CVE-2024-0625

MEDIUM CVSS 4.4 2024-01-25