Total
296552 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-7071 | 1 Wpdeveloper | 1 Essential Blocks | 2025-06-03 | N/A | 6.4 MEDIUM |
| The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table of Contents block in all versions up to, and including, 4.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-7048 | 1 Premio | 1 My Sticky Bar | 2025-06-03 | N/A | 3.1 LOW |
| The My Sticky Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.6. This is due to missing or incorrect nonce validation in mystickymenu-contact-leads.php. This makes it possible for unauthenticated attackers to trigger the export of a CSV file containing contact leads via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Because the CSV file is exported to a public location, it can be downloaded during a very short window of time before it is automatically deleted by the export function. | |||||
| CVE-2023-7019 | 1 Themeisle | 1 Lightstart | 2025-06-03 | N/A | 4.3 MEDIUM |
| The LightStart – Maintenance Mode, Coming Soon and Landing Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the insert_template function in all versions up to, and including, 2.6.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to change page designs. | |||||
| CVE-2023-6988 | 1 Extendthemes | 1 Colibri Page Builder | 2025-06-03 | N/A | 6.4 MEDIUM |
| The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's extend_builder_render_js shortcode in all versions up to, and including, 1.0.239 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-6924 | 1 10web | 1 Photo Gallery | 2025-06-03 | N/A | 4.4 MEDIUM |
| The Photo Gallery by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widgets in versions up to, and including, 1.8.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with administrator-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. It can also be exploited with a contributor-level permission with a page builder plugin. | |||||
| CVE-2023-6882 | 1 Simple-membership-plugin | 1 Simple Membership | 2025-06-03 | N/A | 6.1 MEDIUM |
| The Simple Membership plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘environment_mode’ parameter in all versions up to, and including, 4.3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2023-6855 | 1 Strangerstudios | 1 Paid Memberships Pro | 2025-06-03 | N/A | 5.3 MEDIUM |
| The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to unauthorized modification of membership levels created by the plugin due to an incorrectly implemented capability check in the pmpro_rest_api_get_permissions_check function in all versions up to 2.12.5 (inclusive). This makes it possible for unauthenticated attackers to change membership levels including prices. | |||||
| CVE-2023-6843 | 1 Easy.jobs | 1 Easy.jobs | 2025-06-03 | N/A | 4.3 MEDIUM |
| The easy.jobs- Best Recruitment Plugin for Job Board Listing, Manager, Career Page for Elementor & Gutenberg WordPress plugin before 2.4.7 does not properly secure some of its AJAX actions, allowing any logged-in users to modify its settings. | |||||
| CVE-2023-6684 | 1 Vowelweb | 1 Ibtana | 2025-06-03 | N/A | 6.4 MEDIUM |
| The Ibtana – WordPress Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ive' shortcode in versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on 'width' and 'height' user supplied attribute. This makes it possible for authenticated attackers with contributor level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-6638 | 1 Gutengeek | 1 Gg Woo Feed | 2025-06-03 | N/A | 6.5 MEDIUM |
| The GTG Product Feed for Shopping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_settings' function in versions up to, and including, 1.2.4. This makes it possible for unauthenticated attackers to update plugin settings. | |||||
| CVE-2024-35058 | 1 Nasa | 1 Ait Core | 2025-06-03 | N/A | 7.5 HIGH |
| An issue in the API wait function of NASA AIT-Core v2.5.2 allows attackers to execute arbitrary code via supplying a crafted string. | |||||
| CVE-2023-6637 | 1 Daan | 1 Complete Analytics Optimization Suite | 2025-06-03 | N/A | 6.5 MEDIUM |
| The CAOS | Host Google Analytics Locally plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_settings' function in versions up to, and including, 4.7.14. This makes it possible for unauthenticated attackers to update plugin settings. | |||||
| CVE-2023-6634 | 1 Thimpress | 1 Learnpress | 2025-06-03 | N/A | 8.1 HIGH |
| The LearnPress plugin for WordPress is vulnerable to Command Injection in all versions up to, and including, 4.2.5.7 via the get_content function. This is due to the plugin making use of the call_user_func function with user input. This makes it possible for unauthenticated attackers to execute any public function with one parameter, which could result in remote code execution. | |||||
| CVE-2023-6558 | 1 Webtoffee | 1 Import Export Wordpress Users | 2025-06-03 | N/A | 7.2 HIGH |
| The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'upload_import_file' function in versions up to, and including, 2.4.8. This makes it possible for authenticated attackers with shop manager-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2023-6504 | 1 Cozmoslabs | 1 Profile Builder | 2025-06-03 | N/A | 4.3 MEDIUM |
| The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wppb_toolbox_usermeta_handler function in all versions up to, and including, 3.10.7. This makes it possible for authenticated attackers, with contributor-level access and above, to expose sensitive information within user metadata. | |||||
| CVE-2023-6369 | 1 Myrecorp | 1 Export Wp Page To Static Html\/css | 2025-06-03 | N/A | 5.4 MEDIUM |
| The Export WP Page to Static HTML/CSS plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple AJAX actions in all versions up to, and including, 2.1.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to disclose sensitive information or perform unauthorized actions, such as saving advanced plugin settings. | |||||
| CVE-2023-6244 | 1 Myeventon | 2 Eventon, Eventon-lite | 2025-06-03 | N/A | 6.5 MEDIUM |
| The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4 (Pro) & 2.2.8 (Free). This is due to missing or incorrect nonce validation on the save_virtual_event_settings function. This makes it possible for unauthenticated attackers to modify virtual event settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-6242 | 1 Myeventon | 2 Eventon, Eventon-lite | 2025-06-03 | N/A | 6.5 MEDIUM |
| The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4 (for Pro) & 2.2.7 (for Free). This is due to missing or incorrect nonce validation on the evo_eventpost_update_meta function. This makes it possible for unauthenticated attackers to update arbitrary post metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2023-6220 | 1 Piotnet | 1 Piotnet Forms | 2025-06-03 | N/A | 8.1 HIGH |
| The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'piotnetforms_ajax_form_builder' function in versions up to, and including, 1.0.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
| CVE-2023-6050 | 1 Estatik | 1 Estatik | 2025-06-03 | N/A | 6.1 MEDIUM |
| The Estatik Real Estate Plugin WordPress plugin before 4.1.1 does not sanitise and escape various parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||