
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 8361-8380 of 10866 records
Threat Entry Updated 2024-11-21

CVE-2023-4796 - Booster For Woocommerce Plugin

The Booster for WooCommerce for WordPress is vulnerable to Information Disclosure via the 'wcj_wp_option' shortcode in versions up to, and including, 7.1.0 due to insufficient controls on the information retrievable via the shortcode. This makes it possible for authenticated attackers, with subscriber-level capabilities or above, to retrieve arbitrary sensitive site options.

PLUGIN Booster For Woocommerce

CVE-2023-4796

MEDIUM CVSS 4.3 2023-10-20
Threat Entry Updated 2026-04-08

CVE-2021-4418 - Custom Css Js Php Plugin

The Custom CSS, JS & PHP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.7. This is due to missing or incorrect nonce validation on the save() function. This makes it possible for unauthenticated attackers to save code snippets via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Custom Css Js Php

CVE-2021-4418

MEDIUM CVSS 4.3 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-5308 - Podcast Subscribe Buttons Plugin

The Podcast Subscribe Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'podcast_subscribe' shortcode in versions up to, and including, 1.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Podcast Subscribe Buttons

CVE-2023-5308

MEDIUM CVSS 6.4 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-5200 - Flowpaper Plugin

The flowpaper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'flipbook' shortcode in versions up to, and including, 2.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Flowpaper

CVE-2023-5200

MEDIUM CVSS 6.4 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-5071 - Sitekit Plugin

The Sitekit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'sitekit_iframe' shortcode in versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Sitekit

CVE-2023-5071

MEDIUM CVSS 6.4 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-5050 - Leaflet Map Plugin

The Leaflet Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Leaflet Map

CVE-2023-5050

MEDIUM CVSS 6.4 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-5120 - Migration Backup Staging Plugin

The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image file path parameter in versions up to, and including, 0.9.89 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrative privileges to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Migration Backup Staging

CVE-2023-5120

MEDIUM CVSS 4.4 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-4919 - Iframe Plugin

The iframe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `iframe` shortcode in versions up to, and including, 4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permission and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This was partially patched in version 4.6 and fully patched in version 4.7.

PLUGIN Iframe

CVE-2023-4919

MEDIUM CVSS 6.4 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-4968 - Wplegalpages Plugin

The WPLegalPages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wplegalpage' shortcode in versions up to, and including, 2.9.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with author-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wplegalpages

CVE-2023-4968

MEDIUM CVSS 5.5 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-4975 - Website Builder By Seedprod Plugin

The Website Builder by SeedProd plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.15.13.1. This is due to missing or incorrect nonce validation on functionality in the builder.php file. This makes it possible for unauthenticated attackers to change the stripe connect token via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Website Builder By Seedprod

CVE-2023-4975

MEDIUM CVSS 4.3 2023-10-20
Threat Entry Updated 2025-02-12

CVE-2023-4947 - Woocommerce Ean Payment Gateway Plugin

The WooCommerce EAN Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the refresh_order_ean_data AJAX action in versions up to 6.1.0. This makes it possible for authenticated attackers with contributor-level access and above, to update EAN numbers for orders.

PLUGIN Woocommerce Ean Payment Gateway

CVE-2023-4947

MEDIUM CVSS 4.3 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-4943 - Bear Woocommerce Bulk Editor And Products Manager Professional Plugin

The BEAR for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to a missing capability check on the woobe_bulkoperations_visibility function. This makes it possible for authenticated attackers (subscriber or higher) to manipulate products.

PLUGIN Bear Woocommerce Bulk Editor And Products Manager Professional

CVE-2023-4943

MEDIUM CVSS 4.3 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-4942 - Bear Woocommerce Bulk Editor And Products Manager Professional Plugin

The BEAR for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the woobe_bulkoperations_visibility function. This makes it possible for unauthenticated attackers to manipulate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Bear Woocommerce Bulk Editor And Products Manager Professional

CVE-2023-4942

MEDIUM CVSS 4.3 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-4940 - Bear Woocommerce Bulk Editor And Products Manager Professional Plugin

The BEAR for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the woobe_bulkoperations_swap function. This makes it possible for unauthenticated attackers to manipulate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Bear Woocommerce Bulk Editor And Products Manager Professional

CVE-2023-4940

MEDIUM CVSS 4.3 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-4937 - Bear Woocommerce Bulk Editor And Products Manager Professional Plugin

The BEAR for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the woobe_bulkoperations_apply_default_combination function. This makes it possible for unauthenticated attackers to manipulate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Bear Woocommerce Bulk Editor And Products Manager Professional

CVE-2023-4937

MEDIUM CVSS 4.3 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-4935 - Bear Woocommerce Bulk Editor And Products Manager Professional Plugin

The BEAR for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the create_profile function. This makes it possible for unauthenticated attackers to create profiles via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Bear Woocommerce Bulk Editor And Products Manager Professional

CVE-2023-4935

MEDIUM CVSS 4.3 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-4920 - Bear Woocommerce Bulk Editor And Products Manager Professional Plugin

The BEAR for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3. This is due to missing or incorrect nonce validation on the woobe_save_options function. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Additionally, input sanitization and escaping is insufficient resulting in the possibility of malicious script injection.

PLUGIN Bear Woocommerce Bulk Editor And Products Manager Professional

CVE-2023-4920

MEDIUM CVSS 4.3 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-4482 - Auto Amazon Links Plugin

The Auto Amazon Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the style parameter in versions up to, and including, 5.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor access to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Auto Amazon Links

CVE-2023-4482

MEDIUM CVSS 6.4 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-4271 - Photospace Responsive Gallery Plugin

The Photospace Responsive plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'psres_button_size' parameter in versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Photospace Responsive Gallery

CVE-2023-4271

MEDIUM CVSS 4.4 2023-10-20
Threat Entry Updated 2026-04-08

CVE-2021-4335 - Fancy Product Designer Plugin

The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized access to data and modification of plugin settings due to a missing capability check on multiple AJAX functions in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissions to modify plugin settings, including retrieving arbitrary order information or creating/updating/deleting products, orders, or other sensitive information not associated with their own account.

PLUGIN Fancy Product Designer

CVE-2021-4335

MEDIUM CVSS 6.3 2023-10-20