Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2023-3197
Description: The MStore API plugin for WordPress is vulnerable to Unauthenticated Blind SQL Injection via the 'id' parameter in versions up to, and including, 4.0.1 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS: CRITICAL (9.8)

EPSS Score: 0.04%

Source: CVE
November 28th, 2024 (6 months ago)

CVE-2023-2982
Description: The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. This is due to insufficient encryption on the user being supplied during a login validated through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the email address associated with that user. This was partially patched in version 7.6.4 and fully patched in version 7.6.5.

CVSS: CRITICAL (9.8)

EPSS Score: 0.19%

Source: CVE
November 28th, 2024 (6 months ago)

CVE-2023-2842
WP Inventory Manager < 2.1.0.14 - Inventory Items Deletion via CSRF
Description: The WP Inventory Manager WordPress plugin before 2.1.0.14 does not have CSRF checks, which could allow attackers to make logged-in admins delete Inventory Items via a CSRF attack

CVSS: LOW (0.0)

EPSS Score: 0.07%

Source: CVE
November 28th, 2024 (6 months ago)

CVE-2023-2795
CodeColorer < 0.10.1 – Admin+ Stored Cross-Site Scripting
Description: The CodeColorer WordPress plugin before 0.10.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVSS: LOW (0.0)

EPSS Score: 0.06%

Source: CVE
November 28th, 2024 (6 months ago)

CVE-2023-2711
Ultimate Product Catalog < 5.2.6 - Admin+ Stored XSS
Description: The Ultimate Product Catalog WordPress plugin before 5.2.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVSS: LOW (0.0)

EPSS Score: 0.06%

Source: CVE
November 28th, 2024 (6 months ago)

CVE-2023-2628
KiviCare Management System < 3.2.1 - Multiple CSRF
Description: The KiviCare WordPress plugin before 3.2.1 does not have CSRF checks (either flawed or missing completely) in various AJAX actions, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. This includes, but is not limited to: Delete arbitrary appointments/medical records/etc, create/update various users (patients, doctors etc)

CVSS: LOW (0.0)

EPSS Score: 0.21%

Source: CVE
November 28th, 2024 (6 months ago)

CVE-2023-2624
KiviCare Management System < 3.2.1 - Reflected Cross-Site Scripting
Description: The KiviCare WordPress plugin before 3.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as administrator

CVSS: LOW (0.0)

EPSS Score: 0.49%

Source: CVE
November 28th, 2024 (6 months ago)

CVE-2023-2623
KiviCare Management System < 3.2.1 - Subscriber+ Sensitive Information Disclosure
Description: The KiviCare WordPress plugin before 3.2.1 does not restrict the information returned in a response and returns all user data, allowing low privilege users such as subscriber to retrieve sensitive information such as the user email and hashed password of other users

CVSS: LOW (0.0)

EPSS Score: 0.07%

Source: CVE
November 28th, 2024 (6 months ago)

CVE-2023-2605
WP Brutal AI < 2.0.1 - Admin+ Reflected XSS
Description: The wpbrutalai WordPress plugin before 2.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against a logged in high privilege users such as admin.

CVSS: LOW (0.0)

EPSS Score: 0.19%

Source: CVE
November 28th, 2024 (6 months ago)

CVE-2023-2601
WP Brutal AI < 2.0.0 - SQL Injection via CSRF
Description: The wpbrutalai WordPress plugin before 2.0.0 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin via CSRF.

CVSS: LOW (0.0)

EPSS Score: 0.7%

Source: CVE
November 28th, 2024 (6 months ago)