Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-6295

Publication date:
18/12/2023
The SiteOrigin Widgets Bundle WordPress plugin before 1.51.0 does not validate user input before using it to generate paths passed to include function/s, allowing users with the administrator role to perform LFI attacks in the context of Multisite WordPress sites.
Severity CVSS v4.0: Pending analysis
Last modification:
21/12/2023

CVE-2023-47741

Publication date:
18/12/2023
<br /> IBM i 7.3, 7.4, 7.5, IBM i Db2 Mirror for i 7.4 and 7.5 web browser clients may leave clear-text passwords in browser memory that can be viewed using common browser tools before the memory is garbage collected. A malicious actor with access to the victim&amp;#39;s PC could exploit this vulnerability to gain access to the IBM i operating system. IBM X-Force ID: 272532.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
22/12/2023

CVE-2023-4311

Publication date:
18/12/2023
The Vrm 360 3D Model Viewer WordPress plugin through 1.2.1 is vulnerable to arbitrary file upload due to insufficient checks in a plugin shortcode.
Severity CVSS v4.0: Pending analysis
Last modification:
21/12/2023

CVE-2023-4724

Publication date:
18/12/2023
The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0, WP All Export Pro WordPress plugin before 1.8.6 does not validate and sanitise the `wp_query` parameter which allows an attacker to run arbitrary command on the remote server
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2025

CVE-2023-5005

Publication date:
18/12/2023
The Autocomplete Location field Contact Form 7 WordPress plugin before 3.0, autocomplete-location-field-contact-form-7-pro WordPress plugin before 2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Severity CVSS v4.0: Pending analysis
Last modification:
07/05/2025

CVE-2023-5348

Publication date:
18/12/2023
The Product Catalog Mode For WooCommerce WordPress plugin before 5.0.3 does not properly authorize settings updates or escape settings values, leading to stored XSS by unauthenticated users.
Severity CVSS v4.0: Pending analysis
Last modification:
21/12/2023

CVE-2023-5882

Publication date:
18/12/2023
The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0, WP All Export Pro WordPress plugin before 1.8.6 does not check nonce tokens early enough in the request lifecycle, allowing attackers to make logged in users perform unwanted actions leading to remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
21/12/2023

CVE-2023-5886

Publication date:
18/12/2023
The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0, WP All Export Pro WordPress plugin before 1.8.6 does not check nonce tokens early enough in the request lifecycle, allowing attackers with the ability to upload files to make logged in users perform unwanted actions leading to PHAR deserialization, which may lead to remote code execution.
Severity CVSS v4.0: Pending analysis
Last modification:
21/12/2023

CVE-2023-5949

Publication date:
18/12/2023
The SmartCrawl WordPress plugin before 3.8.3 does not prevent unauthorised users from accessing password-protected posts&amp;#39; content.
Severity CVSS v4.0: Pending analysis
Last modification:
20/12/2023

CVE-2023-6065

Publication date:
18/12/2023
The Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 doesn&amp;#39;t restrict access to detailed scan logs, which allows a malicious actor to discover local paths and portions of the site&amp;#39;s code
Severity CVSS v4.0: Pending analysis
Last modification:
21/12/2023

CVE-2023-6077

Publication date:
18/12/2023
The Slider WordPress plugin before 3.5.12 does not ensure that posts to be accessed via an AJAX action are slides and can be viewed by the user making the request, allowing any authenticated users, such as subscriber to access the content arbitrary post such as private, draft and password protected
Severity CVSS v4.0: Pending analysis
Last modification:
21/12/2023

CVE-2023-6203

Publication date:
18/12/2023
The Events Calendar WordPress plugin before 6.2.8.1 discloses the content of password protected posts to unauthenticated users via a crafted request
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2024