Threat Database
CVE-2023-2026 - Image Protector Plugin

The Image Protector WordPress plugin through 1.1 does not properly sanitize some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM CVSS 4.8 2023-07-10 (threat entry updated 2024-11-21)
CVE-2023-1780 - Companion Sitemap Generator Plugin

The Companion Sitemap Generator WordPress plugin before 4.5.3 does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

MEDIUM CVSS 6.1 2023-07-10 (threat entry updated 2024-11-21)
CVE-2023-1119 - WP-Optimize and SrbTransLatin Plugins

The WP-Optimize WordPress plugin before 3.2.13 and the SrbTransLatin WordPress plugin before 2.4.1 use a third-party library that removes the escaping on some HTML characters, leading to a Cross-Site Scripting vulnerability.

MEDIUM CVSS 6.1 2023-07-10 (threat entry updated 2025-01-06)
CVE-2023-2333 - Gsheetconnector Ninja Forms Pro Plugin

The Ninja Forms Google Sheet Connector WordPress plugin before 1.2.7 and the gsheetconnector-ninja-forms-pro WordPress plugin through 1.2.7 do not escape a parameter before outputting it back in an attribute, leading to Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

MEDIUM CVSS 6.1 2023-07-04 (threat entry updated 2024-11-21)
CVE-2023-2324 - Elementor Forms Google Sheet Connector Plugin

The Elementor Forms Google Sheet Connector WordPress plugin before 1.0.7 and the gsheetconnector-for-elementor-forms-pro WordPress plugin through 1.0.7 do not escape some parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

MEDIUM CVSS 6.1 2023-07-04 (threat entry updated 2024-11-21)
CVE-2023-2321 - Gsheetconnector Wpforms Pro Plugin

The WPForms Google Sheet Connector WordPress plugin before 3.4.6 and the gsheetconnector-wpforms-pro WordPress plugin through 3.4.6 do not escape a parameter before outputting it back in an attribute, leading to Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

MEDIUM CVSS 6.1 2023-07-04 (threat entry updated 2024-11-21)
CVE-2023-2320 - Cf7 Google Sheets Connector Pro Plugin

The CF7 Google Sheets Connector WordPress plugin before 5.0.2 and the cf7-google-sheets-connector-pro WordPress plugin through 5.0.2 do not escape a parameter before outputting it back in an attribute, leading to Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

MEDIUM CVSS 6.1 2023-07-04 (threat entry updated 2024-11-21)
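The XSS entries above reduce to two code patterns: a request parameter echoed into an HTML attribute without escaping (the reflected cases, CVE-2023-1780 and the Google Sheet Connector entries), and a plugin setting stored without sanitization so that a user who lacks the unfiltered_html capability can still persist markup (the stored case, CVE-2023-2026). The following is an added illustration written for this page; it is not code from any plugin listed here. The example_ function names, the example_notice_text option and the tab parameter are hypothetical.

```php
<?php
// Added illustration, not taken from any plugin above. All names are hypothetical.

// --- Reflected XSS: a request parameter echoed into an attribute ---

// Vulnerable: $_GET['tab'] goes straight into value="...". A crafted link such as
//   options-general.php?page=example&tab=x"+onfocus="alert(1)"+autofocus="
// closes the attribute and injects a handler when an administrator opens it.
function example_render_tab_field_vulnerable() {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
    echo '<input type="hidden" name="tab" value="' . $tab . '">';
}

// Hardened: sanitize on input (a tab name only needs [a-z0-9_-]) and escape
// for the attribute context on output. Escaping alone would already stop the
// break-out; sanitizing as well keeps the value within what the code expects.
function example_render_tab_field_fixed() {
    $tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';
    echo '<input type="hidden" name="tab" value="' . esc_attr( $tab ) . '">';
}

// --- Stored XSS: a setting saved without sanitization ---

// Vulnerable: the raw submitted value is stored. Any role allowed to reach the
// settings page can persist <script> markup, even on a multisite where only
// super admins hold unfiltered_html.
function example_register_setting_vulnerable() {
    register_setting( 'example_options', 'example_notice_text' );
}

// Hardened: a sanitize_callback that honors the unfiltered_html capability.
function example_register_setting_fixed() {
    register_setting(
        'example_options',
        'example_notice_text',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_sanitize_notice_text',
            'default'           => '',
        )
    );
}

function example_sanitize_notice_text( $value ) {
    $value = (string) $value;
    // Users without unfiltered_html get the same filtering core applies to
    // post content: wp_kses_post() drops script, event handlers and javascript: URLs.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $value = wp_kses_post( $value );
    }
    return $value;
}

// Filter again at output time, so a value stored by an older, unsanitized
// version of the plugin is still neutralized when rendered.
function example_output_notice_text() {
    echo wp_kses_post( get_option( 'example_notice_text', '' ) );
}
```

The two fixes are independent and both are needed: sanitize_callback controls what reaches the database, while escaping at output (esc_attr() for attributes, esc_html() for text nodes, wp_kses_post() where limited markup is intended) controls what reaches the browser regardless of how the stored value got there.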
CVE-2021-4405 - Elasticpress Plugin

The ElasticPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.3. This is due to missing or incorrect nonce validation on the epio_send_autosuggest_allowed() function. This makes it possible for unauthenticated attackers to send allowed parameters for autosuggest to elasticpress[.]io via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

MEDIUM CVSS 4.3 2023-07-01 (threat entry updated 2026-04-08)
CVE-2021-4404 - Event Espresso 4 Decaf Plugin

The Event Espresso 4 Decaf plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.10.11. This is due to missing or incorrect nonce validation on the ajaxHandler() function. This makes it possible for unauthenticated attackers to opt into notifications via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

MEDIUM CVSS 4.3 2023-07-01 (threat entry updated 2026-04-08)
CVE-2021-4403 - Remove Schema Plugin

The Remove Schema plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the validate() function. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

MEDIUM CVSS 4.3 2023-07-01 (threat entry updated 2026-04-08)
CVE-2021-4402 - Multiple Roles Plugin

The Multiple Roles plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the mu_add_roles_in_signup_meta() and mu_add_roles_in_signup_meta_recently() functions. This makes it possible for unauthenticated attackers to add additional roles to users via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

MEDIUM CVSS 4.3 2023-07-01 (threat entry updated 2026-04-08)
CVE-2021-4400 - Better Search Plugin

The Better Search plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the bsearch_process_settings_import() and bsearch_process_settings_export() functions. This makes it possible for unauthenticated attackers to import and export settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

MEDIUM CVSS 4.3 2023-07-01 (threat entry updated 2026-04-08)
CVE-2021-4399 - Edwiser Bridge Plugin

The Edwiser Bridge plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.6. This is due to missing or incorrect nonce validation on the user_data_synchronization_initiater(), course_synchronization_initiater(), users_link_to_moodle_synchronization(), connection_test_initiater(), admin_menus(), and subscribe_handler() functions. This makes it possible for unauthenticated attackers to perform unauthorized actions via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

MEDIUM CVSS 4.3 2023-07-01 (threat entry updated 2026-04-08)
CVE-2021-4398 - Amministrazione Trasparente Plugin

The Amministrazione Trasparente plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 7.1. This is due to missing or incorrect nonce validation on the at_save_aturl_meta() function. This makes it possible for unauthenticated attackers to update metadata via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

MEDIUM CVSS 4.3 2023-07-01 (threat entry updated 2026-04-08)
CVE-2021-4397 - Staff Directory Plugin

The Staff Directory plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.6. This is due to missing or incorrect nonce validation on the saveCustomFields() function. This makes it possible for unauthenticated attackers to save custom fields via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

MEDIUM CVSS 4.3 2023-07-01 (threat entry updated 2026-04-08)
CVE-2021-4396 - Rucy Plugin

The Rucy plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.4.4. This is due to missing or incorrect nonce validation on the save_rc_post_meta() function. This makes it possible for unauthenticated attackers to save post meta via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

MEDIUM CVSS 4.3 2023-07-01 (threat entry updated 2026-04-08)
CVE-2021-4395 - Abandoned Cart Recovery For Woocommerce Plugin

The Abandoned Cart Recovery for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the get_items() and extra_tablenav() functions. This makes it possible for unauthenticated attackers to perform read-only actions via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

MEDIUM CVSS 4.3 2023-07-01 (threat entry updated 2026-04-08)
CVE-2021-4394 - Locations Plugin

The Locations plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2.1. This is due to missing or incorrect nonce validation on the saveCustomFields() function. This makes it possible for unauthenticated attackers to update custom field metadata via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

MEDIUM CVSS 4.3 2023-07-01 (threat entry updated 2026-04-08)
CVE-2021-4393 - Ecommerce Product Catalog Plugin

The eCommerce Product Catalog plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.17. This is due to missing or incorrect nonce validation on the save() function. This makes it possible for unauthenticated attackers to save manual digital orders via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

MEDIUM CVSS 4.3 2023-07-01 (threat entry updated 2026-04-08)
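The CSRF entries above (CVE-2021-4393 through CVE-2021-4405) share one root cause: a privileged handler that checks, at most, the current user's capability but never a nonce, so a form on an attacker's page that the administrator's browser submits with its WordPress cookies is accepted as if the administrator had filled it in. The following is an added illustration written for this page; it is not code from any plugin listed here. The example_ function names, the example_api_endpoint and example_notifications options and the nonce action strings are hypothetical.

```php
<?php
// Added illustration, not taken from any plugin above. All names are hypothetical.

// Vulnerable: the handler trusts any POST reaching admin-post.php?action=example_save.
// The capability check is not a CSRF defense: the forged request arrives from the
// administrator's own browser, so current_user_can() passes for it as well.
function example_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    $endpoint = isset( $_POST['endpoint'] ) ? sanitize_text_field( wp_unslash( $_POST['endpoint'] ) ) : '';
    update_option( 'example_api_endpoint', $endpoint );
    wp_safe_redirect( admin_url( 'options-general.php?page=example&updated=1' ) );
    exit;
}

// The legitimate form carries a nonce that the hardened handler verifies.
function example_render_form_fixed() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save">';
    wp_nonce_field( 'example_save_settings', 'example_nonce' );
    echo '<input type="text" name="endpoint" value="' . esc_attr( get_option( 'example_api_endpoint', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// Hardened: capability check AND nonce check. The nonce is derived from the
// action string, the logged-in user and the session token, so a cross-site
// page cannot supply a valid one.
function example_save_settings_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // check_admin_referer() calls wp_die() when the nonce is absent or invalid.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    $endpoint = isset( $_POST['endpoint'] ) ? sanitize_text_field( wp_unslash( $_POST['endpoint'] ) ) : '';
    update_option( 'example_api_endpoint', $endpoint );
    wp_safe_redirect( admin_url( 'options-general.php?page=example&updated=1' ) );
    exit;
}

// The same rule applies to AJAX handlers (the ajaxHandler() case above):
// verify the nonce before any state change.
function example_ajax_toggle_notifications_fixed() {
    // check_ajax_referer() dies with a -1 response when the nonce fails.
    check_ajax_referer( 'example_toggle_notifications', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'example_notifications', ! empty( $_POST['enabled'] ) ? 1 : 0 );
    wp_send_json_success();
}

add_action( 'admin_post_example_save', 'example_save_settings_fixed' );
add_action( 'wp_ajax_example_toggle_notifications', 'example_ajax_toggle_notifications_fixed' );
```

When reviewing a plugin for this class, list every admin_post_*, wp_ajax_* and admin-menu callback that writes an option, meta or file, and confirm each one reaches check_admin_referer(), check_ajax_referer() or wp_verify_nonce() before the write; a handler that only checks current_user_can() is the pattern behind every entry above.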