Total
291487 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-4776 | 1 Igexsolutions | 1 Wpschoolpress | 2025-04-23 | N/A | 8.8 HIGH |
| The School Management System WordPress plugin before 2.2.5 uses the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query, leading to a SQL injection exploitable by relatively low-privilege users like Teachers. | |||||
| CVE-2023-4691 | 1 Booking-wp-plugin | 1 Bookly | 2025-04-23 | N/A | 7.2 HIGH |
| The WordPress Online Booking and Scheduling Plugin WordPress plugin before 22.4 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin | |||||
| CVE-2023-4687 | 1 Pagelayer | 1 Pagelayer | 2025-04-23 | N/A | 6.1 MEDIUM |
| The Page Builder: Pagelayer WordPress plugin before 1.7.7 doesn't prevent unauthenticated attackers from updating a post's header or footer code on scheduled posts. | |||||
| CVE-2023-4666 | 1 10web | 1 Form Maker | 2025-04-23 | N/A | 9.8 CRITICAL |
| The Form Maker by 10Web WordPress plugin before 1.15.20 does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files and lead to RCE | |||||
| CVE-2023-4646 | 1 Sayandatta | 1 Simple Posts Ticker | 2025-04-23 | N/A | 5.4 MEDIUM |
| The Simple Posts Ticker WordPress plugin before 1.1.6 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2023-4643 | 1 Shortpixel | 1 Enable Media Replace | 2025-04-23 | N/A | 8.8 HIGH |
| The Enable Media Replace WordPress plugin before 4.1.3 unserializes user input via the Remove Background feature, which could allow Author+ users to perform PHP Object Injection when a suitable gadget is present on the blog | |||||
| CVE-2023-4631 | 1 Wpdo5ea | 1 Dologin Security | 2025-04-23 | N/A | 5.3 MEDIUM |
| The DoLogin Security WordPress plugin before 3.7 uses headers such as the X-Forwarded-For to retrieve the IP address of the request, which could lead to IP spoofing. | |||||
| CVE-2023-4528 | 1 Redwood | 1 Jscape Mft | 2025-04-23 | N/A | 7.2 HIGH |
| Unsafe deserialization in JSCAPE MFT Server versions prior to 2023.1.9 (Windows, Linux, and MacOS) permits an attacker to run arbitrary Java code (including OS commands) via its management interface | |||||
| CVE-2023-4521 | 1 Mooveagency | 1 Import Xml And Rss Feeds | 2025-04-23 | N/A | 9.8 CRITICAL |
| The Import XML and RSS Feeds WordPress plugin before 2.1.5 contains a web shell, allowing unauthenticated attackers to perform RCE. The plugin/vendor was not compromised and the files are the result of running a PoC for a previously reported issue (https://wpscan.com/vulnerability/d4220025-2272-4d5f-9703-4b2ac4a51c42) and not deleting the created files when releasing the new version. | |||||
| CVE-2023-4504 | 3 Debian, Fedoraproject, Openprinting | 4 Debian Linux, Fedora, Cups and 1 more | 2025-04-23 | N/A | 7.0 HIGH |
| Due to failure in validating the length provided by an attacker-crafted PPD PostScript document, CUPS and libppd are susceptible to a heap-based buffer overflow and possibly code execution. This issue has been fixed in CUPS version 2.4.7, released in September of 2023. | |||||
| CVE-2023-4490 | 1 Wpjobportal | 1 Wp Job Portal | 2025-04-23 | N/A | 9.8 CRITICAL |
| The WP Job Portal WordPress plugin before 2.0.6 does not sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users | |||||
| CVE-2023-4476 | 1 Plainware | 1 Locatoraid | 2025-04-23 | N/A | 6.1 MEDIUM |
| The Locatoraid Store Locator WordPress plugin before 3.9.24 does not sanitise and escape the lpr-search parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | |||||
| CVE-2023-4390 | 1 Ays-pro | 1 Popup Box | 2025-04-23 | N/A | 4.8 MEDIUM |
| The Popup box WordPress plugin before 3.7.2 does not sanitize and escape some Popup fields, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup). | |||||
| CVE-2023-4388 | 1 Myeventon | 1 Eventon | 2025-04-23 | N/A | 4.8 MEDIUM |
| The EventON WordPress plugin before 2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2023-4376 | 1 Nikolov | 1 Serial Codes Generator And Validator With Woocommerce Support | 2025-04-23 | N/A | 4.8 MEDIUM |
| The Serial Codes Generator and Validator with WooCommerce Support WordPress plugin before 2.4.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2023-4318 | 1 Wow-company | 1 Herd Effects | 2025-04-23 | N/A | 4.3 MEDIUM |
| The Herd Effects WordPress plugin before 5.2.4 does not have CSRF when deleting its items, which could allow attackers to make logged in admins delete arbitrary effects via a CSRF attack | |||||
| CVE-2023-4314 | 1 Tms-outsource | 1 Wpdatatables | 2025-04-23 | N/A | 7.2 HIGH |
| The wpDataTables WordPress plugin before 2.1.66 does not validate the "Serialized PHP array" input data before deserializing the data. This allows admins to deserialize arbitrary data which may lead to remote code execution if a suitable gadget chain is present on the server. This is impactful in environments where admin users should not be allowed to execute arbitrary code, such as multisite. | |||||
| CVE-2023-4307 | 1 Teknigar | 1 Lock User Account | 2025-04-23 | N/A | 4.3 MEDIUM |
| The Lock User Account WordPress plugin through 1.0.3 does not have CSRF check when bulk locking and unlocking accounts, which could allow attackers to make logged in admins lock and unlock arbitrary users via a CSRF attack | |||||
| CVE-2023-4300 | 1 Mooveagency | 1 Import Xml And Rss Feeds | 2025-04-23 | N/A | 7.2 HIGH |
| The Import XML and RSS Feeds WordPress plugin before 2.1.4 does not filter file extensions for uploaded files, allowing an attacker to upload a malicious PHP file, leading to Remote Code Execution. | |||||
| CVE-2023-4298 | 1 123.chat | 1 123.chat | 2025-04-23 | N/A | 4.8 MEDIUM |
| The 123.chat WordPress plugin before 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||