Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,866 records (Critical: 0, High: 0, Medium: 10,866)
Showing 7981-8000 of 10,866 records
CVE-2023-6741 - WP Customer Area Plugin (threat entry updated 2025-06-20)

The WP Customer Area WordPress plugin before 8.2.1 does not properly validate users' capabilities in some of its AJAX actions, allowing malicious users to edit other users' account address.

Plugin: WP Customer Area | Severity: MEDIUM | CVSS 4.3 | 2024-01-16
CVE-2023-6292 - Ecwid Ecommerce Shopping Cart Plugin (threat entry updated 2025-06-02)

The Ecwid Ecommerce Shopping Cart WordPress plugin before 6.12.5 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

Plugin: Ecwid Ecommerce Shopping Cart | Severity: MEDIUM | CVSS 4.3 | 2024-01-16
CVE-2023-3771 - T1 Plugin (threat entry updated 2025-06-20)

The T1 WordPress theme through 19.0 is vulnerable to an unauthenticated open redirect, with which any attacker can redirect users to arbitrary websites.

Plugin: T1 | Severity: MEDIUM | CVSS 6.1 | 2024-01-16
CVE-2023-3372 - Lana Shortcodes Plugin (threat entry updated 2025-06-20)

The Lana Shortcodes WordPress plugin before 1.2.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which allows users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Plugin: Lana Shortcodes | Severity: MEDIUM | CVSS 5.4 | 2024-01-16
CVE-2023-3647 - IURNY by INDIGITALL Plugin (threat entry updated 2025-06-20)

The IURNY by INDIGITALL WordPress plugin before 3.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Plugin: IURNY by INDIGITALL | Severity: MEDIUM | CVSS 4.8 | 2024-01-16
CVE-2023-3178 - POST SMTP Mailer Plugin (threat entry updated 2025-06-02)

The POST SMTP Mailer WordPress plugin before 2.5.7 does not have proper CSRF checks in some AJAX actions, which could allow attackers to make logged-in users with the manage_postman_smtp capability delete arbitrary logs via a CSRF attack.

Plugin: POST SMTP Mailer | Severity: MEDIUM | CVSS 4.3 | 2024-01-16
CVE-2023-0824 - UserPlus Plugin (threat entry updated 2025-06-20)

The User registration & user profile WordPress plugin through 2.0 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

Plugin: UserPlus | Severity: MEDIUM | CVSS 6.5 | 2024-01-16
CVE-2023-0769 - hiWeb Migration Simple Plugin (threat entry updated 2025-06-02)

The hiWeb Migration Simple WordPress plugin through 2.0.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting issue which could be used against high-privilege users such as admins.

Plugin: hiWeb Migration Simple | Severity: MEDIUM | CVSS 6.1 | 2024-01-16
CVE-2023-0479 - Print Invoice & Delivery Notes for WooCommerce Plugin (threat entry updated 2025-06-20)

The Print Invoice & Delivery Notes for WooCommerce WordPress plugin before 4.7.2 is vulnerable to reflected XSS by echoing a GET value in an admin note within the WooCommerce orders page. This means that the vulnerability can be exploited against users with the edit_others_shop_orders capability. WooCommerce must be installed and active. The vulnerability is caused by a urldecode() call performed after cleanup with esc_url_raw(), allowing double encoding.

Plugin: Print Invoice & Delivery Notes for WooCommerce | Severity: MEDIUM | CVSS 6.1 | 2024-01-16
CVE-2023-0376 - Qubely Plugin (threat entry updated 2025-06-02)

The Qubely WordPress plugin before 1.8.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Plugin: Qubely | Severity: MEDIUM | CVSS 5.4 | 2024-01-16
CVE-2023-0094 - UpQode Google Maps Plugin (threat entry updated 2024-11-21)

The UpQode Google Maps WordPress plugin through 1.0.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Plugin: UpQode Google Maps | Severity: MEDIUM | CVSS 5.4 | 2024-01-16
CVE-2023-0079 - Customer Reviews for WooCommerce Plugin (threat entry updated 2025-06-02)

The Customer Reviews for WooCommerce WordPress plugin before 5.17.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Plugin: Customer Reviews for WooCommerce | Severity: MEDIUM | CVSS 5.4 | 2024-01-16
CVE-2023-0389 - Calculated Fields Form Plugin (threat entry updated 2025-06-11)

The Calculated Fields Form WordPress plugin before 1.1.151 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Plugin: Calculated Fields Form | Severity: MEDIUM | CVSS 4.8 | 2024-01-16
CVE-2021-24870 - WP Fastest Cache Plugin (threat entry updated 2025-05-12)

The WP Fastest Cache WordPress plugin before 0.9.5 is lacking a CSRF check in its wpfc_save_cdn_integration AJAX action, and does not sanitise and escape some of the options available via the action, which could allow attackers to make logged-in high privilege users call it and set a Cross-Site Scripting payload.

Plugin: WP Fastest Cache | Severity: MEDIUM | CVSS 6.1 | 2024-01-16
CVE-2021-24567 - Simple Post Plugin (threat entry updated 2024-11-21)

The Simple Post WordPress plugin through 1.1 does not sanitize user input when an authenticated user sets the Text value, and then does not escape these values when outputting them to the browser, leading to an Authenticated Stored Cross-Site Scripting issue.

Plugin: Simple Post | Severity: MEDIUM | CVSS 5.4 | 2024-01-16
CVE-2021-4227 - ark-commenteditor Plugin (threat entry updated 2025-06-02)

The ark-commenteditor WordPress plugin through 2.15.6 does not properly sanitise or encode the comments when in Source editor mode, allowing attackers to inject an iFrame in the page and thus load arbitrary content from any page into the comment section.

Plugin: ark-commenteditor | Severity: MEDIUM | CVSS 5.3 | 2024-01-16
CVE-2021-25117 - WP-PostRatings Plugin (threat entry updated 2025-06-17)

The WP-PostRatings WordPress plugin before 1.86.1 does not sanitise the postratings_image parameter from its options page (wp-admin/admin.php?page=wp-postratings/postratings-options.php). Even though the page is only accessible to administrators and protected against CSRF attacks, the issue is still exploitable when the unfiltered_html capability is disabled.

Plugin: WP-PostRatings | Severity: MEDIUM | CVSS 4.8 | 2024-01-16
CVE-2021-24559 - Qyrr Plugin (threat entry updated 2025-06-20)

The Qyrr WordPress plugin before 0.7 does not escape the data-uri of the QR Code when outputting it in a src attribute, allowing for Cross-Site Scripting attacks. Furthermore, the data_uri_to_meta AJAX action, available to all authenticated users, only had a CSRF check in place, with the nonce available to users with a role as low as Contributor, allowing any user with such a role (and above) to set a malicious data-uri in arbitrary QR Code posts, leading to a Stored Cross-Site Scripting issue.

Plugin: Qyrr | Severity: MEDIUM | CVSS 5.4 | 2024-01-16
CVE-2021-24433 - simple sort&search Plugin (threat entry updated 2025-06-02)

The simple sort&search WordPress plugin through 0.0.3 does not make sure that the indexurl parameter of the shortcodes "category_sims", "order_sims", "orderby_sims", "period_sims", and "tag_sims" uses allowed URL protocols, which can lead to stored cross-site scripting by users with a role as low as Contributor.

Plugin: simple sort&search | Severity: MEDIUM | CVSS 5.4 | 2024-01-16