Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 8341-8360 of 10866 records
CVE-2023-5292 - Advanced Custom Fields Extended Plugin
Plugin: Advanced Custom Fields Extended | MEDIUM, CVSS 6.4, 2023-10-20 | Threat entry updated 2024-11-21

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acfe_form' shortcode in versions up to, and including, 0.8.9.3 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-5231 - Magic Action Box Plugin
Plugin: Magic Action Box | MEDIUM, CVSS 6.4, 2023-10-20 | Threat entry updated 2024-11-21

The Magic Action Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 2.17.2 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-5109 - Wp Mailto Links Plugin
Plugin: Wp Mailto Links | MEDIUM, CVSS 6.4, 2023-10-20 | Threat entry updated 2024-11-21

The WP Mailto Links – Protect Email Addresses plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpml_mailto' shortcode in versions up to, and including, 3.1.3 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This was partially patched in version 3.1.3 and fully patched in version 3.1.4.

CVE-2023-5086 - Copy Anything To Clipboard Plugin
Plugin: Copy Anything To Clipboard | MEDIUM, CVSS 6.4, 2023-10-20 | Threat entry updated 2024-11-21

The Copy Anything to Clipboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'copy' shortcode in versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-5533 - Wpbot Plugin
Plugin: Wpbot | MEDIUM, CVSS 5.3, 2023-10-20 | Threat entry updated 2025-05-12

The AI ChatBot plugin for WordPress is vulnerable to unauthorized use of AJAX actions due to missing capability checks on the corresponding functions in versions up to, and including, 4.8.9, as well as 4.9.2. This makes it possible for unauthenticated attackers to perform some of the actions that were intended for higher-privileged users.

CVE-2023-5121 - Migration Backup Staging Plugin
Plugin: Migration Backup Staging | MEDIUM, CVSS 4.4, 2023-10-20 | Threat entry updated 2024-11-21

The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings (the backup path parameter) in versions up to, and including, 0.9.89 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVE-2023-5602 - Social Media Share Buttons Social Sharing Icons Plugin
Plugin: Social Media Share Buttons Social Sharing Icons | MEDIUM, CVSS 4.3, 2023-10-20 | Threat entry updated 2024-11-21

The Social Media Share Buttons & Social Sharing Icons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.5. This is due to missing or incorrect nonce validation on several functions corresponding to AJAX actions. This makes it possible for unauthenticated attackers to invoke those actions via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-5534 - Wpbot Plugin
Plugin: Wpbot | MEDIUM, CVSS 4.3, 2023-10-20 | Threat entry updated 2025-05-12

The AI ChatBot plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.8.9 and 4.9.2. This is due to missing or incorrect nonce validation on the corresponding functions. This makes it possible for unauthenticated attackers to invoke those functions via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-5070 - Social Media Share Buttons Social Sharing Icons Plugin
Plugin: Social Media Share Buttons Social Sharing Icons | MEDIUM, CVSS 6.5, 2023-10-20 | Threat entry updated 2024-11-21

The Social Media Share Buttons & Social Sharing Icons plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.8.5 via the sfsi_save_export function. This can allow subscribers to export plugin settings that include social media authentication tokens and secrets as well as app passwords.

CVE-2023-4961 - Popups Plugin
Plugin: Popups | MEDIUM, CVSS 6.4, 2023-10-20 | Threat entry updated 2024-11-21

The Poptin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'poptin-form' shortcode in versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-4926 - Bear Woocommerce Bulk Editor And Products Manager Professional Plugin
Plugin: Bear Woocommerce Bulk Editor And Products Manager Professional | MEDIUM, CVSS 5.4, 2023-10-20 | Threat entry updated 2024-11-21

The BEAR plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the woobe_bulk_delete_products function. This makes it possible for unauthenticated attackers to delete products via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-4924 - Bear Woocommerce Bulk Editor And Products Manager Professional Plugin
Plugin: Bear Woocommerce Bulk Editor And Products Manager Professional | MEDIUM, CVSS 5.4, 2023-10-20 | Threat entry updated 2024-11-21

The BEAR plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to missing capability checks on the woobe_bulkoperations_delete function. This makes it possible for authenticated attackers, with subscriber access or higher, to delete products.

CVE-2023-4923 - Bear Woocommerce Bulk Editor And Products Manager Professional Plugin
Plugin: Bear Woocommerce Bulk Editor And Products Manager Professional | MEDIUM, CVSS 5.4, 2023-10-20 | Threat entry updated 2024-11-21

The BEAR plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the woobe_bulkoperations_delete function. This makes it possible for unauthenticated attackers to delete products via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-4668 - Ad Inserter Plugin
Plugin: Ad Inserter | MEDIUM, CVSS 5.3, 2023-10-20 | Threat entry updated 2024-11-21

The Ad Inserter plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.7.30 via the ai-debug-processing-fe URL parameter. This can allow unauthenticated attackers to extract sensitive data including installed plugins (present and active), the active theme, various plugin settings, the WordPress version, and some server settings such as the memory limit and installation paths.

CVE-2023-3998 - Wpdiscuz Plugin
Plugin: Wpdiscuz | MEDIUM, CVSS 5.3, 2023-10-20 | Threat entry updated 2024-11-21

The wpDiscuz plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the userRate function in versions up to, and including, 7.6.3. This makes it possible for unauthenticated attackers to increase or decrease the rating of a post.

CVE-2023-3869 - Wpdiscuz Plugin
Plugin: Wpdiscuz | MEDIUM, CVSS 5.3, 2023-10-20 | Threat entry updated 2024-11-21

The wpDiscuz plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the voteOnComment function in versions up to, and including, 7.6.3. This makes it possible for unauthenticated attackers to increase or decrease the rating of a comment.

CVE-2023-4648 - Wp Customer Reviews Plugin
Plugin: Wp Customer Reviews | MEDIUM, CVSS 4.4, 2023-10-20 | Threat entry updated 2024-11-21

The WP Customer Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.6.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVE-2023-4021 - Modern Events Calendar Lite Plugin
Plugin: Modern Events Calendar Lite | MEDIUM, CVSS 4.4, 2023-10-20 | Threat entry updated 2024-11-21

The Modern Events Calendar lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Google API key and Calendar ID in versions up to, but not including, 7.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVE-2023-3996 - Armember Plugin
Plugin: Armember | MEDIUM, CVSS 4.4, 2023-10-20 | Threat entry updated 2024-11-21

The ARMember Lite - Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 4.0.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVE-2023-4941 - Bear Woocommerce Bulk Editor And Products Manager Professional Plugin
Plugin: Bear Woocommerce Bulk Editor And Products Manager Professional | MEDIUM, CVSS 4.3, 2023-10-20 | Threat entry updated 2024-11-21

The BEAR plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to a missing capability check on the woobe_bulkoperations_swap function. This makes it possible for authenticated attackers (subscriber or higher) to manipulate products.