Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-06-03
CVE-2023-6504 - Profile Builder Plugin
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wppb_toolbox_usermeta_handler function in all versions up to, and including, 3.10.7. This makes it possible for authenticated attackers, with contributor-level access and above, to expose sensitive information within user metadata.
PLUGIN
Profile Builder
CVE-2023-6504
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-4962 - Video Popup Plugin
The Video PopUp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'video_popup' shortcode in versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Video Popup
CVE-2023-4962
Risk Score
Threat Entry
Updated 2025-06-03
CVE-2023-5691 - Chatbot Plugin
The Chatbot for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in version 2.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Chatbot
CVE-2023-5691
Risk Score
Threat Entry
Updated 2025-06-03
CVE-2023-4960 - Wcfm Marketplace Plugin
The WCFM Marketplace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wcfm_stores' shortcode in versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wcfm Marketplace
CVE-2023-4960
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-4372 - Litespeed Cache Plugin
The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'esi' shortcode in versions up to, and including, 5.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Litespeed Cache
CVE-2023-4372
Risk Score
Threat Entry
Updated 2025-06-03
CVE-2023-4248 - Givewp Plugin
The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.33.3. This is due to missing or incorrect nonce validation on the give_stripe_disconnect_connect_stripe_account function. This makes it possible for unauthenticated attackers to deactivate the plugin's stripe integration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Givewp
CVE-2023-4248
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-4247 - Givewp Plugin
The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.33.3. This is due to missing or incorrect nonce validation on the give_sendwp_disconnect function. This makes it possible for unauthenticated attackers to deactivate the SendWP plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Givewp
CVE-2023-4247
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-4246 - Givewp Plugin
The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.33.3. This is due to missing or incorrect nonce validation on the give_sendwp_remote_install_handler function. This makes it possible for unauthenticated attackers to install and activate the SendWP plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Givewp
CVE-2023-4246
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6883 - Easy Social Feed Plugin
The Easy Social Feed plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions in all versions up to, and including, 6.5.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actions, such as modifying the plugin's Facebook and Instagram access tokens and updating group IDs.
PLUGIN
Easy Social Feed
CVE-2023-6883
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6520 - Wp 2fa Plugin
The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.0. This is due to missing or incorrect nonce validation on the send_backup_codes_email function. This makes it possible for unauthenticated attackers to send emails with arbitrary content to registered users via a forged request granted they can trick a site administrator or other registered user into performing an action such as clicking on a link. While a nonce check is present, it is only executed if…
PLUGIN
Wp 2fa
CVE-2023-6520
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6446 - Calculated Fields Form Plugin
The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Calculated Fields Form
CVE-2023-6446
Risk Score
Threat Entry
Updated 2025-06-03
CVE-2023-6506 - Wp 2fa Plugin
The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.5.0 via the send_backup_codes_email due to missing validation on a user controlled key. This makes it possible for subscriber-level attackers to email arbitrary users on the site.
PLUGIN
Wp 2fa
CVE-2023-6506
Risk Score
Threat Entry
Updated 2025-06-03
CVE-2023-6223 - Learnpress Plugin
The LearnPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.5.7 via the /wp-json/lp/v1/profile/course-tab REST API due to missing validation on the 'userID' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve the details of another user's course progress.
PLUGIN
Learnpress
CVE-2023-6223
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6630 - Contact Form 7 Plugin
The Contact Form 7 – Dynamic Text Extension plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the CF7_get_custom_field and CF7_get_current_user shortcodes due to missing validation on a user controlled key. This makes it possible for authenticated attackers with contributor access or higher to access arbitrary metadata of any post type, referencing the post by id and the meta by key.
PLUGIN
Contact Form 7
CVE-2023-6630
Risk Score
Threat Entry
Updated 2025-06-03
CVE-2023-6158 - Eventon Lite Plugin
The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the evo_eventpost_update_meta function in all versions up to, and including, 4.5.4 (for Pro) and 2.2.7 (for free). This makes it possible for unauthenticated attackers to update and remove arbitrary post metadata. Note that certain parameters may allow for content injection.
PLUGIN
Eventon Lite
CVE-2023-6158
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6842 - Custom Form Builder Plugin
The Formidable Forms – Contact Form, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the name field label and description field label parameter in all versions up to 6.7 (inclusive) due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, this only affects multi-site installations and installations where unfiltered_html has been disabled.…
PLUGIN
Custom Form Builder
CVE-2023-6842
Risk Score
Threat Entry
Updated 2025-06-03
CVE-2023-6830 - Formidable Form Builder Plugin
The Formidable Forms plugin for WordPress is vulnerable to HTML injection in versions up to, and including, 6.7. This vulnerability allows unauthenticated users to inject arbitrary HTML code into form fields. When the form data is viewed by an administrator in the Entries View Page, the injected HTML code is rendered, potentially leading to admin area defacement or redirection to malicious websites.
PLUGIN
Formidable Form Builder
CVE-2023-6830
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6788 - Metform Elementor Contact Form Builder Plugin
The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.1. This is due to missing or incorrect nonce validation on the contents function. This makes it possible for unauthenticated attackers to update the options "mf_hubsopt_token", "mf_hubsopt_refresh_token", "mf_hubsopt_token_type", and "mf_hubsopt_expires_in" via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This would allow an attacker to connect their own Hubspot account to a victim site's metform to…
PLUGIN
Metform Elementor Contact Form Builder
CVE-2023-6788
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-6594 - Maxbuttons Plugin
The WordPress Button Plugin MaxButtons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 9.7.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. Administrators can give button creation privileges to users with lower levels (contributor+) which would allow those…
PLUGIN
Maxbuttons
CVE-2023-6594
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-51408 - Wp Optin Wheel Plugin
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in StudioWombat WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce.This issue affects WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce: from n/a through 1.4.3.
PLUGIN
Wp Optin Wheel
CVE-2023-51408
Risk Score