Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-06-03
CVE-2023-6924 - Photo Gallery Plugin
The Photo Gallery by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widgets in versions up to, and including, 1.8.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with administrator-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. It can also be exploited with a contributor-level permission with a page builder plugin.
PLUGIN
Photo Gallery
CVE-2023-6924
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6782 - Amp For Wp Plugin
The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.0.92 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Amp For Wp
CVE-2023-6782
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6781 - Orbit Fox Plugin
The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom fields in all versions up to, and including, 2.10.26 due to insufficient input sanitization and output escaping on user supplied values. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Orbit Fox
CVE-2023-6781
Risk Score
Threat Entry
Updated 2025-06-03
CVE-2023-6855 - Paid Memberships Pro Plugin
The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to unauthorized modification of membership levels created by the plugin due to an incorrectly implemented capability check in the pmpro_rest_api_get_permissions_check function in all versions up to 2.12.5 (inclusive). This makes it possible for unauthenticated attackers to change membership levels including prices.
PLUGIN
Paid Memberships Pro
CVE-2023-6855
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6776 - 3D FlipBook – PDF Flipbook WordPress Plugin
The 3D FlipBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Ready Function’ field in all versions up to, and including, 1.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
3D FlipBook – PDF Flipbook WordPress
CVE-2023-6776
Risk Score
Threat Entry
Updated 2025-06-03
CVE-2023-6684 - Ibtana Plugin
The Ibtana – WordPress Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ive' shortcode in versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on 'width' and 'height' user supplied attribute. This makes it possible for authenticated attackers with contributor level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ibtana
CVE-2023-6684
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6645 - Post Grid Combo Plugin
The Post Grid Combo – 36+ Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS parameter in all versions up to, and including, 2.2.64 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Post Grid Combo
CVE-2023-6645
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6737 - Enable Media Replace Plugin
The Enable Media Replace plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the SHORTPIXEL_DEBUG parameter in all versions up to, and including, 4.1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Exploiting this vulnerability requires the attacker to know the ID of an attachment uploaded by the user they are attacking.
PLUGIN
Enable Media Replace
CVE-2023-6737
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6742 - Envira Gallery Plugin
The Gallery Plugin for WordPress – Envira Photo Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'envira_gallery_insert_images' function in all versions up to, and including, 1.8.7.1. This makes it possible for authenticated attackers, with contributor access and above, to modify galleries on other users' posts.
PLUGIN
Envira Gallery
CVE-2023-6742
Risk Score
Threat Entry
Updated 2025-06-03
CVE-2023-6638 - Gg Woo Feed Plugin
The GTG Product Feed for Shopping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_settings' function in versions up to, and including, 1.2.4. This makes it possible for unauthenticated attackers to update plugin settings.
PLUGIN
Gg Woo Feed
CVE-2023-6638
Risk Score
Threat Entry
Updated 2025-06-03
CVE-2023-6637 - Complete Analytics Optimization Suite Plugin
The CAOS | Host Google Analytics Locally plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_settings' function in versions up to, and including, 4.7.14. This makes it possible for unauthenticated attackers to update plugin settings.
PLUGIN
Complete Analytics Optimization Suite
CVE-2023-6637
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6632 - Happy Addons For Elementor Plugin
The Happy Addons for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via DOM in all versions up to and including 3.9.1.1 (versions up to 2.9.1.1 in Happy Addons for Elementor Pro) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Happy Addons For Elementor
CVE-2023-6632
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6624 - Import And Export Users And Customers Plugin
The Import and export users and customers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.24.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Import And Export Users And Customers
CVE-2023-6624
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6583 - Import And Export Users And Customers Plugin
The Import and export users and customers plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.24.2 via the Recurring Import functionality. This makes it possible for authenticated attackers, with administrator access and above, to read and delete the contents of arbitrary files on the server including wp-config.php, which can contain sensitive information.
PLUGIN
Import And Export Users And Customers
CVE-2023-6583
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6561 - Featured Image From Url Plugin
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the featured image alt text in all versions up to, and including, 4.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Featured Image From Url
CVE-2023-6561
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6582 - Elements Kit Elementor Addons Plugin
The ElementsKit Elementor addons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.3 via the ekit_widgetarea_content function. This makes it possible for unauthenticated attackers to obtain contents of posts in draft, private or pending review status that should not be visible to the general public. This applies to posts created with Elementor only.
PLUGIN
Elements Kit Elementor Addons
CVE-2023-6582
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6598 - Speedycache Plugin
The SpeedyCache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the speedycache_save_varniship, speedycache_img_update_settings, speedycache_preloading_add_settings, and speedycache_preloading_delete_resource functions in all versions up to, and including, 1.1.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to update plugin options.
PLUGIN
Speedycache
CVE-2023-6598
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6556 - Fox Currency Switcher Professional For Woocommerce Plugin
The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via currency options in all versions up to, and including, 1.4.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Fox Currency Switcher Professional For Woocommerce
CVE-2023-6556
Risk Score
Threat Entry
Updated 2025-06-03
CVE-2023-6369 - Export Wp Page To Static Html Css Plugin
The Export WP Page to Static HTML/CSS plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple AJAX actions in all versions up to, and including, 2.1.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to disclose sensitive information or perform unauthorized actions, such as saving advanced plugin settings.
PLUGIN
Export Wp Page To Static Html Css
CVE-2023-6369
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6496 - Manage Notification E Mails Plugin
The Manage Notification E-mails plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.8.5 via the card_famne_export_settings function. This makes it possible for unauthenticated attackers to obtain plugin settings.
PLUGIN
Manage Notification E Mails
CVE-2023-6496
Risk Score