Total: 291487 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2023-4290 | 1 Mpembed | 1 Wp Matterport Shortcode | 2025-04-23 | N/A | 6.1 MEDIUM | The WP Matterport Shortcode WordPress plugin before 2.1.7 does not escape the PHP_SELF server variable when outputting it in attributes, leading to Reflected Cross-Site Scripting issues which could be used against high privilege users such as admin.
CVE-2023-4289 | 1 Mpembed | 1 Wp Matterport Shortcode | 2025-04-23 | N/A | 5.4 MEDIUM | The WP Matterport Shortcode WordPress plugin before 2.1.8 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2023-4281 | 1 Activity Log Project | 1 Activity Log | 2025-04-23 | N/A | 5.3 MEDIUM | The Activity Log WordPress plugin before 2.8.8 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic.
CVE-2023-4279 | 1 Solwininfotech | 1 User Activity Log | 2025-04-23 | N/A | 7.5 HIGH | The User Activity Log WordPress plugin before 1.6.7 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic.
CVE-2023-4278 | 1 Stylemixthemes | 1 Masterstudy Lms | 2025-04-23 | N/A | 7.5 HIGH | The MasterStudy LMS WordPress plugin before 3.0.18 does not have proper checks in place during registration, allowing anyone to register on the site as an instructor. They can then add courses and/or posts.
CVE-2023-4269 | 1 Solwininfotech | 1 User Activity Log | 2025-04-23 | N/A | 4.3 MEDIUM | The User Activity Log WordPress plugin before 1.6.6 lacks proper authorisation when exporting its activity logs, allowing any authenticated user, such as a subscriber, to perform that action and retrieve PII such as email addresses.
CVE-2023-4254 | 1 Quantumcloud | 1 Ai Chatbot | 2025-04-23 | N/A | 4.8 MEDIUM | The AI ChatBot WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2023-4253 | 1 Quantumcloud | 1 Ai Chatbot | 2025-04-23 | N/A | 4.8 MEDIUM | The AI ChatBot WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2023-4216 | 1 Villatheme | 1 Orders Tracking For Woocommerce | 2025-04-23 | N/A | 2.7 LOW | The Orders Tracking for WooCommerce WordPress plugin before 1.2.6 doesn't validate the file_url parameter when importing a CSV file, allowing high privilege users with the manage_woocommerce capability to access any file on the web server via a Traversal attack. The content retrieved is however limited to the first line of the file.
CVE-2023-4209 | 1 Poeditor | 1 Poeditor | 2025-04-23 | N/A | 4.3 MEDIUM | The POEditor WordPress plugin before 0.9.8 does not have CSRF checks in various places, which could allow attackers to make logged in admins perform unwanted actions, such as resetting the plugin's settings and updating its API key, via CSRF attacks.
CVE-2023-4150 | 1 Mooveagency | 1 User Activity Tracking And Log | 2025-04-23 | N/A | 4.3 MEDIUM | The User Activity Tracking and Log WordPress plugin before 4.0.9 does not have proper CSRF checks when managing its license, which could allow attackers to make logged in admins update and deactivate the plugin's license via CSRF attacks.
CVE-2023-4109 | 1 Ninjaforms | 1 Ninja Forms Contact Form | 2025-04-23 | N/A | 4.8 MEDIUM | The Ninja Forms Contact Form WordPress plugin before 3.6.26 was affected by an HTML Injection security vulnerability.
CVE-2023-4060 | 1 Wpadminify | 1 Wp Adminify | 2025-04-23 | N/A | 4.8 MEDIUM | The WP Adminify WordPress plugin before 3.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2023-4035 | 1 Riverforest-wp | 1 Simple Blog Card | 2025-04-23 | N/A | 5.4 MEDIUM | The Simple Blog Card WordPress plugin before 1.31 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2023-4022 | 1 Wow-company | 1 Herd Effects | 2025-04-23 | N/A | 4.8 MEDIUM | The Herd Effects WordPress plugin before 5.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2023-4019 | 1 Riverforest-wp | 1 Media From Ftp | 2025-04-23 | N/A | 8.8 HIGH | The Media from FTP WordPress plugin before 11.17 does not properly limit who can use the plugin, which may allow users with author+ privileges to move files around, such as wp-config.php, which may lead to RCE in some cases.
CVE-2023-4013 | 1 Mooveagency | 1 Gdpr Cookie Compliance | 2025-04-23 | N/A | 6.5 MEDIUM | The GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) WordPress plugin before 4.12.5 does not have proper CSRF checks when managing its license, which could allow attackers to make logged in admins update and deactivate the plugin's license via CSRF attacks.
CVE-2023-49954 | 1 3cx | 1 3cx | 2025-04-23 | N/A | 9.8 CRITICAL | The CRM Integration in 3CX before 18.0.9.23 and 20 before 20.0.0.1494 allows SQL Injection via a first name, search string, or email address.
CVE-2023-49356 | 1 Glensawyer | 1 Mp3gain | 2025-04-23 | N/A | 7.5 HIGH | A stack buffer overflow vulnerability in MP3Gain v1.6.2 allows an attacker to cause a denial of service via the WriteMP3GainAPETag function at apetag.c:592.
CVE-2023-47091 | 1 Stormshield | 1 Stormshield Network Security | 2025-04-23 | N/A | 7.5 HIGH | An issue was discovered in Stormshield Network Security (SNS) 4.3.13 through 4.3.22 before 4.3.23, SNS 4.6.0 through 4.6.9 before 4.6.10, and SNS 4.7.0 through 4.7.1 before 4.7.2. An attacker can overflow the cookie threshold, making an IPsec connection impossible.