
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-11-21

CVE-2023-4067 - Bus Ticket Booking With Seat Reservation Plugin

The Bus Ticket Booking with Seat Reservation plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab_date' and 'tab_date_r' parameters in versions up to, and including, 5.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Bus Ticket Booking With Seat Reservation

CVE-2023-4067

MEDIUM CVSS 6.1 2023-08-02
Threat Entry Updated 2025-04-23

CVE-2023-3508 - Woocommerce Pre Orders Plugin

The WooCommerce Pre-Orders WordPress plugin before 2.0.3 has a flawed CSRF check when processing its tab actions, which could allow attackers to make logged-in admins email pre-order customers, change the release date, or mark all pre-orders of a specific product as complete or cancelled via CSRF attacks.

PLUGIN Woocommerce Pre Orders

CVE-2023-3508

MEDIUM CVSS 6.5 2023-07-31
Threat Entry Updated 2025-04-23

CVE-2023-3507 - Woocommerce Pre Orders Plugin

The WooCommerce Pre-Orders WordPress plugin before 2.0.3 has a flawed CSRF check when cancelling pre-orders, which could allow attackers to make logged-in admins cancel arbitrary pre-orders via a CSRF attack.

PLUGIN Woocommerce Pre Orders

CVE-2023-3507

MEDIUM CVSS 6.5 2023-07-31
Threat Entry Updated 2025-06-10

CVE-2023-3345 - Lms By Masteriyo Plugin

The LMS by Masteriyo WordPress plugin before 1.6.8 does not have proper authorization in some of its REST API endpoints, making it possible for any student to retrieve the email addresses of other students.

PLUGIN Lms By Masteriyo

CVE-2023-3345

MEDIUM CVSS 6.5 2023-07-31
Threat Entry Updated 2024-11-21

CVE-2023-3292 - Grid Kit Premium Plugin

The grid-kit-premium WordPress plugin before 2.2.0 does not escape some parameters, as well as generated URLs, before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high-privilege users such as admins.

PLUGIN Grid Kit Premium

CVE-2023-3292

MEDIUM CVSS 6.1 2023-07-31
Threat Entry Updated 2024-11-21

CVE-2023-3134 - Before 1 Plugin

The Forminator WordPress plugin before 1.24.4 does not properly escape values that are being reflected inside form fields that use pre-populated query parameters, which could lead to reflected XSS attacks.

PLUGIN Before 1

CVE-2023-3134

MEDIUM CVSS 6.1 2023-07-31
Threat Entry Updated 2024-11-21

CVE-2023-0602 - Twittee Text Tweet Plugin

The Twittee Text Tweet WordPress plugin through 1.0.8 does not properly escape POST values which are printed back to the user inside one of the plugin's administrative pages, which allows reflected XSS attacks targeting administrators.

PLUGIN Twittee Text Tweet

CVE-2023-0602

MEDIUM CVSS 6.1 2023-07-31
Threat Entry Updated 2024-11-21

CVE-2023-3130 - Before 1 Plugin

The Short URL WordPress plugin before 1.6.5 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Before 1

CVE-2023-3130

MEDIUM CVSS 4.8 2023-07-31
Threat Entry Updated 2025-04-03

CVE-2023-3977 - Enhanced Text Widget Plugin

Several plugins for WordPress by Inisev are vulnerable to Cross-Site Request Forgery leading to unauthorized installation of plugins due to a missing nonce check on the handle_installation function that is called via the inisev_installation AJAX action in various versions. This makes it possible for unauthenticated attackers to install plugins from the limited list via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Enhanced Text Widget

CVE-2023-3977

MEDIUM CVSS 4.3 2023-07-28
Threat Entry Updated 2025-04-03

CVE-2023-0958 - Enhanced Text Widget Plugin

Several plugins for WordPress by Inisev are vulnerable to unauthorized installation of plugins due to a missing capability check on the handle_installation function that is called via the inisev_installation AJAX action in various versions. This makes it possible for authenticated attackers with minimal permissions, such as subscribers, to install select plugins from Inisev on vulnerable sites. CVE-2023-38514 appears to be a duplicate of this vulnerability.

PLUGIN Enhanced Text Widget

CVE-2023-0958

MEDIUM CVSS 4.3 2023-07-28
Threat Entry Updated 2024-11-21

CVE-2023-3957 - Acf Photo Gallery Field Plugin

The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient restriction on the 'apg_profile_update' function in versions up to, and including, 1.9. This makes it possible for authenticated attackers, with subscriber-level permissions or above, to update user meta arbitrarily. The meta value can only be a string.

PLUGIN Acf Photo Gallery Field

CVE-2023-3957

MEDIUM CVSS 4.3 2023-07-27
Threat Entry Updated 2024-11-21

CVE-2023-2309 - Wpforo Forum Plugin

The wpForo Forum WordPress plugin before 2.1.9 does not escape some request parameters while in debug mode, leading to a Reflected Cross-Site Scripting vulnerability.

PLUGIN Wpforo Forum

CVE-2023-2309

MEDIUM CVSS 6.1 2023-07-24
Threat Entry Updated 2025-05-05

CVE-2023-3344 - Auto Location For Wp Job Manager Via Google Plugin

The Auto Location for WP Job Manager via Google WordPress plugin before 1.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Auto Location For Wp Job Manager Via Google

CVE-2023-3344

MEDIUM CVSS 4.8 2023-07-24
Threat Entry Updated 2025-04-23

CVE-2023-3248 - All In One Floating Contact Form Plugin

The All-in-one Floating Contact Form WordPress plugin before 2.1.2 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN All In One Floating Contact Form

CVE-2023-3248

MEDIUM CVSS 4.8 2023-07-24
Threat Entry Updated 2024-11-21

CVE-2023-3779 - Essential Addons For Elementor Plugin

The Essential Addons For Elementor plugin for WordPress is vulnerable to unauthenticated API key disclosure in versions up to, and including, 5.8.1 due to the plugin adding the API key to the source code of any page running the MailChimp block. This makes it possible for unauthenticated attackers to obtain a site's MailChimp API key. We recommend resetting any MailChimp API keys if running a vulnerable version of this plugin with the MailChimp block enabled as the API key may have been compromised. This only affects sites running the premium…

PLUGIN Essential Addons For Elementor

CVE-2023-3779

MEDIUM CVSS 5.3 2023-07-20
Threat Entry Updated 2024-11-21

CVE-2023-2433 - Yet Another Related Posts Plugin

The YARPP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'className' parameter in versions up to, and including, 5.30.3 due to insufficient input sanitization and output escaping. This makes it possible for contributor-level attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Yet Another Related Posts

CVE-2023-2433

MEDIUM CVSS 6.4 2023-07-18
Threat Entry Updated 2024-11-21

CVE-2023-3709 - Royal Elementor Addons Plugin

The Royal Elementor Addons plugin for WordPress is vulnerable to unauthenticated API key disclosure in versions up to, and including, 1.3.70 due to the plugin adding the API key to the source code of any page running the MailChimp block. This makes it possible for unauthenticated attackers to obtain a site's MailChimp API key. We recommend resetting any MailChimp API keys if running a vulnerable version of this plugin with the MailChimp block enabled as the API key may have been compromised.

PLUGIN Royal Elementor Addons

CVE-2023-3709

MEDIUM CVSS 5.3 2023-07-18
Threat Entry Updated 2026-02-06

CVE-2023-3708 - Amela Plugin

Several themes for WordPress by DeoThemes are vulnerable to Reflected Cross-Site Scripting via breadcrumbs in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Amela

CVE-2023-3708

MEDIUM CVSS 6.1 2023-07-18
Threat Entry Updated 2024-11-21

CVE-2023-3403 - Profilegrid Plugin

The ProfileGrid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pm_upload_csv' function in versions up to, and including, 5.5.1. This makes it possible for authenticated attackers, with subscriber-level permissions or above, to import new users and update existing users.

PLUGIN Profilegrid

CVE-2023-3403

MEDIUM CVSS 5.4 2023-07-18