Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-5884

Publication date:
04/12/2023
The Word Balloon WordPress plugin before 4.20.3 does not protect some of its actions against CSRF attacks, allowing an unauthenticated attacker to trick a logged in user to delete arbitrary avatars by clicking a link.
Severity CVSS v4.0: Pending analysis
Last modification:
08/12/2023

CVE-2023-5979

Publication date:
04/12/2023
The eCommerce Product Catalog Plugin for WordPress plugin before 3.3.26 does not have CSRF checks in some of its admin pages, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks, such as delete all products
Severity CVSS v4.0: Pending analysis
Last modification:
08/12/2023

CVE-2023-5990

Publication date:
04/12/2023
The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor WordPress plugin before 3.4.2 does not have CSRF checks on some of its form actions such as deletion and duplication, which could allow attackers to make logged in admin perform such actions via CSRF attacks
Severity CVSS v4.0: Pending analysis
Last modification:
08/12/2023

CVE-2023-6063

Publication date:
04/12/2023
The WP Fastest Cache WordPress plugin before 1.2.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.
Severity CVSS v4.0: Pending analysis
Last modification:
08/12/2023

CVE-2023-5952

Publication date:
04/12/2023
The Welcart e-Commerce WordPress plugin before 2.9.5 unserializes user input from cookies, which could allow unautehtniacted users to perform PHP Object Injection when a suitable gadget is present on the blog
Severity CVSS v4.0: Pending analysis
Last modification:
20/02/2025

CVE-2023-5951

Publication date:
04/12/2023
The Welcart e-Commerce WordPress plugin before 2.9.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Severity CVSS v4.0: Pending analysis
Last modification:
20/02/2025

CVE-2023-5953

Publication date:
04/12/2023
The Welcart e-Commerce WordPress plugin before 2.9.5 does not validate files to be uploaded, as well as does not have authorisation and CSRF in an AJAX action handling such upload. As a result, any authenticated users, such as subscriber could upload arbitrary files, such as PHP on the server
Severity CVSS v4.0: Pending analysis
Last modification:
29/05/2025

CVE-2023-4460

Publication date:
04/12/2023
The Uploading SVG, WEBP and ICO files WordPress plugin through 1.2.1 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.
Severity CVSS v4.0: Pending analysis
Last modification:
01/10/2024

CVE-2023-5105

Publication date:
04/12/2023
The Frontend File Manager Plugin WordPress plugin before 22.6 has a vulnerability that allows an Editor+ user to bypass the file download logic and download files such as `wp-config.php`
Severity CVSS v4.0: Pending analysis
Last modification:
07/12/2023

CVE-2023-5108

Publication date:
04/12/2023
The Easy Newsletter Signups WordPress plugin through 1.0.4 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin
Severity CVSS v4.0: Pending analysis
Last modification:
07/12/2023

CVE-2023-5141

Publication date:
04/12/2023
The BSK Contact Form 7 Blacklist WordPress plugin through 1.0.1 does not sanitise and escape the inserted_count parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Severity CVSS v4.0: Pending analysis
Last modification:
07/12/2023

CVE-2023-5210

Publication date:
04/12/2023
The AMP+ Plus WordPress plugin through 3.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Severity CVSS v4.0: Pending analysis
Last modification:
07/12/2023