Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2024-11-21
CVE-2023-4840 - Mappress Plugin
The MapPress Maps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'mappress' shortcode in versions up to, and including, 2.88.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Mappress
CVE-2023-4840
Risk Score
Threat Entry
Updated 2025-04-23
CVE-2023-4318 - Herd Effects Plugin
The Herd Effects WordPress plugin before 5.2.4 does not have CSRF when deleting its items, which could allow attackers to make logged in admins delete arbitrary effects via a CSRF attack
PLUGIN
Herd Effects
CVE-2023-4318
Risk Score
Threat Entry
Updated 2025-04-23
CVE-2023-4307 - Lock User Account Plugin
The Lock User Account WordPress plugin through 1.0.3 does not have CSRF check when bulk locking and unlocking accounts, which could allow attackers to make logged in admins lock and unlock arbitrary users via a CSRF attack
PLUGIN
Lock User Account
CVE-2023-4307
Risk Score
Threat Entry
Updated 2025-05-02
CVE-2023-4294 - Url Shortify Plugin
The URL Shortify WordPress plugin before 1.7.6 does not properly escape the value of the referer header, thus allowing an unauthenticated attacker to inject malicious javascript that will trigger in the plugins admin panel with statistics of the created short link.
PLUGIN
Url Shortify
CVE-2023-4294
Risk Score
Threat Entry
Updated 2025-05-02
CVE-2023-4270 - Min Max Control Plugin
The Min Max Control WordPress plugin before 4.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Min Max Control
CVE-2023-4270
Risk Score
Threat Entry
Updated 2025-04-23
CVE-2023-4060 - Before 3 Plugin
The WP Adminify WordPress plugin before 3.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Before 3
CVE-2023-4060
Risk Score
Threat Entry
Updated 2025-04-23
CVE-2023-4022 - Herd Effects Plugin
The Herd Effects WordPress plugin before 5.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Herd Effects
CVE-2023-4022
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-3510 - Ftp Access Plugin
The FTP Access WordPress plugin through 1.0 does not have authorisation and CSRF checks when updating its settings and is missing sanitisation as well as escaping in them, allowing any authenticated users, such as subscriber to update them with XSS payloads, which will be triggered when an admin will view the settings of the plugin. The attack could also be perform via CSRF against any authenticated user.
PLUGIN
Ftp Access
CVE-2023-3510
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-3169 - Tagdiv Composer Plugin
The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not have authorisation in a REST route and does not validate as well as escape some parameters when outputting them back, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks.
PLUGIN
Tagdiv Composer
CVE-2023-3169
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-3170 - Tagdiv Composer Plugin
The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not validate and escape some settings, which could allow users with Admin privileges to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Tagdiv Composer
CVE-2023-3170
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-2705 - Before 1 Plugin
The gAppointments WordPress plugin before 1.10.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against admin
PLUGIN
Before 1
CVE-2023-2705
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-4838 - Simple Download Counter Plugin
The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes like 'before' and 'after'. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Simple Download Counter
CVE-2023-4838
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-4772 - Newsletter Plugin
The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'newsletter_form' shortcode in versions up to, and including, 7.8.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Newsletter
CVE-2023-4772
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-4792 - Duplicate Post Page Menu Custom Post Type Plugin
The Duplicate Post Page Menu & Custom Post Type plugin for WordPress is vulnerable to unauthorized page and post duplication due to a missing capability check on the duplicate_ppmc_post_as_draft function in versions up to, and including, 2.3.1. This makes it possible for authenticated attackers with subscriber access or higher to duplicate posts and pages.
PLUGIN
Duplicate Post Page Menu Custom Post Type
CVE-2023-4792
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-4779 - User Submitted Posts Plugin
The User Submitted Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [usp_gallery] shortcode in versions up to, and including, 20230811 due to insufficient input sanitization and output escaping on user supplied attributes like 'before'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
User Submitted Posts
CVE-2023-4779
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-4773 - Wordpress Social Login Plugin
The WordPress Social Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wordpress_social_login_meta' shortcode in versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wordpress Social Login
CVE-2023-4773
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-4636 - Wordpress File Sharing Plugin
The WordPress File Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 2.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Wordpress File Sharing
CVE-2023-4636
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2023-4284 - Post Timeline Plugin
The Post Timeline WordPress plugin before 2.2.6 does not sanitise and escape an invalid nonce before outputting it back in an AJAX response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
Post Timeline
CVE-2023-4284
Risk Score
Threat Entry
Updated 2025-03-06
CVE-2023-4151 - Store Locator Plugin
The Store Locator WordPress plugin before 1.4.13 does not sanitise and escape an invalid nonce before outputting it back in an AJAX response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
Store Locator
CVE-2023-4151
Risk Score
Threat Entry
Updated 2025-04-23
CVE-2023-4298 - Before 1 Plugin
The 123.chat WordPress plugin before 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Before 1
CVE-2023-4298
Risk Score