Export limit exceeded: 363303 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (363303 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-4318 1 Wow-company 1 Herd Effects 2025-04-23 4.3 Medium
The Herd Effects WordPress plugin before 5.2.4 does not have CSRF when deleting its items, which could allow attackers to make logged in admins delete arbitrary effects via a CSRF attack
CVE-2023-4314 1 Tms-outsource 1 Wpdatatables 2025-04-23 7.2 High
The wpDataTables WordPress plugin before 2.1.66 does not validate the "Serialized PHP array" input data before deserializing the data. This allows admins to deserialize arbitrary data which may lead to remote code execution if a suitable gadget chain is present on the server. This is impactful in environments where admin users should not be allowed to execute arbitrary code, such as multisite.
CVE-2023-4307 1 Teknigar 1 Lock User Account 2025-04-23 4.3 Medium
The Lock User Account WordPress plugin through 1.0.3 does not have CSRF check when bulk locking and unlocking accounts, which could allow attackers to make logged in admins lock and unlock arbitrary users via a CSRF attack
CVE-2023-4300 1 Mooveagency 1 Import Xml And Rss Feeds 2025-04-23 7.2 High
The Import XML and RSS Feeds WordPress plugin before 2.1.4 does not filter file extensions for uploaded files, allowing an attacker to upload a malicious PHP file, leading to Remote Code Execution.
CVE-2023-4298 1 123.chat 1 123.chat 2025-04-23 4.8 Medium
The 123.chat WordPress plugin before 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVE-2023-4290 1 Mpembed 1 Wp Matterport Shortcode 2025-04-23 6.1 Medium
The WP Matterport Shortcode WordPress plugin before 2.1.7 does not escape the PHP_SELF server variable when outputting it in attributes, leading to Reflected Cross-Site Scripting issues which could be used against high privilege users such as admin
CVE-2023-4289 1 Mpembed 1 Wp Matterport Shortcode 2025-04-23 5.4 Medium
The WP Matterport Shortcode WordPress plugin before 2.1.8 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
CVE-2023-4281 1 Activity Log Project 1 Activity Log 2025-04-23 5.3 Medium
This Activity Log WordPress plugin before 2.8.8 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic.
CVE-2023-4279 1 Solwininfotech 1 User Activity Log 2025-04-23 7.5 High
This User Activity Log WordPress plugin before 1.6.7 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic.
CVE-2023-4278 1 Stylemixthemes 1 Masterstudy Lms 2025-04-23 7.5 High
The MasterStudy LMS WordPress Plugin WordPress plugin before 3.0.18 does not have proper checks in place during registration allowing anyone to register on the site as an instructor. They can then add courses and/or posts.
CVE-2023-4269 1 Solwininfotech 1 User Activity Log 2025-04-23 4.3 Medium
The User Activity Log WordPress plugin before 1.6.6 lacks proper authorisation when exporting its activity logs, allowing any authenticated users, such as subscriber to perform such action and retrieve PII such as email addresses.
CVE-2023-4216 1 Villatheme 1 Orders Tracking For Woocommerce 2025-04-23 2.7 Low
The Orders Tracking for WooCommerce WordPress plugin before 1.2.6 doesn't validate the file_url parameter when importing a CSV file, allowing high privilege users with the manage_woocommerce capability to access any file on the web server via a Traversal attack. The content retrieved is however limited to the first line of the file.
CVE-2023-4209 1 Poeditor 1 Poeditor 2025-04-23 4.3 Medium
The POEditor WordPress plugin before 0.9.8 does not have CSRF checks in various places, which could allow attackers to make logged in admins perform unwanted actions, such as reset the plugin's settings and update its API key via CSRF attacks.
CVE-2023-4150 1 Mooveagency 1 User Activity Tracking And Log 2025-04-23 4.3 Medium
The User Activity Tracking and Log WordPress plugin before 4.0.9 does not have proper CSRF checks when managing its license, which could allow attackers to make logged in admins update and deactivate the plugin's license via CSRF attacks
CVE-2023-4109 1 Ninjaforms 1 Ninja Forms Contact Form 2025-04-23 4.8 Medium
The Ninja Forms WordPress Ninja Forms Contact Form WordPress plugin before 3.6.26 was affected by a HTML Injection security vulnerability.
CVE-2023-4060 1 Wpadminify 1 Wp Adminify 2025-04-23 4.8 Medium
The WP Adminify WordPress plugin before 3.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVE-2023-4035 1 Riverforest-wp 1 Simple Blog Card 2025-04-23 5.4 Medium
The Simple Blog Card WordPress plugin before 1.31 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
CVE-2023-4022 1 Wow-company 1 Herd Effects 2025-04-23 4.8 Medium
The Herd Effects WordPress plugin before 5.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVE-2023-4019 1 Riverforest-wp 1 Media From Ftp 2025-04-23 8.8 High
The Media from FTP WordPress plugin before 11.17 does not properly limit who can use the plugin, which may allow users with author+ privileges to move files around, like wp-config.php, which may lead to RCE in some cases.
CVE-2023-4013 1 Mooveagency 1 Gdpr Cookie Compliance 2025-04-23 6.5 Medium
The GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) WordPress plugin before 4.12.5 does not have proper CSRF checks when managing its license, which could allow attackers to make logged in admins update and deactivate the plugin's license via CSRF attacks