Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2023-6049

Publication date:

15/01/2024

The Estatik Real Estate Plugin WordPress plugin before 4.1.1 unserializes user input via some of its cookies, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget chain is present on the blog

Severity CVSS v4.0: Pending analysis

Last modification:

03/06/2025

CVE-2023-6050

Publication date:

15/01/2024

The Estatik Real Estate Plugin WordPress plugin before 4.1.1 does not sanitise and escape various parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Severity CVSS v4.0: Pending analysis

Last modification:

03/06/2025

CVE-2023-6066

Publication date:

15/01/2024

The WP Custom Widget area WordPress plugin through 1.2.5 does not properly apply capability and nonce checks on any of its AJAX action callback functions, which could allow attackers with subscriber+ privilege to create, delete or modify menus on the site.

Severity CVSS v4.0: Pending analysis

Last modification:

12/05/2025

CVE-2023-6163

Publication date:

15/01/2024

The WP Crowdfunding WordPress plugin before 2.1.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Severity CVSS v4.0: Pending analysis

Last modification:

09/06/2025

CVE-2023-6620

Publication date:

15/01/2024

The POST SMTP Mailer WordPress plugin before 2.8.7 does not properly sanitise and escape several parameters before using them in SQL statements, leading to a SQL injection exploitable by high privilege users such as admin.

Severity CVSS v4.0: Pending analysis

Last modification:

20/06/2025

CVE-2023-6623

Publication date:

15/01/2024

The Essential Blocks WordPress plugin before 4.4.3 does not prevent unauthenticated attackers from overwriting local variables when rendering templates over the REST API, which may lead to Local File Inclusion attacks.

Severity CVSS v4.0: Pending analysis

Last modification:

11/06/2025

CVE-2023-6843

Publication date:

15/01/2024

The easy.jobs- Best Recruitment Plugin for Job Board Listing, Manager, Career Page for Elementor & Gutenberg WordPress plugin before 2.4.7 does not properly secure some of its AJAX actions, allowing any logged-in users to modify its settings.

Severity CVSS v4.0: Pending analysis

Last modification:

03/06/2025

CVE-2023-6941

Publication date:

15/01/2024

The Keap Official Opt-in Forms WordPress plugin through 1.0.11 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).

Severity CVSS v4.0: Pending analysis

Last modification:

20/06/2025

CVE-2023-6991

Publication date:

15/01/2024

The JSM file_get_contents() Shortcode WordPress plugin before 2.7.1 does not validate one of its shortcode&#39;s parameters before making a request to it, which could allow users with contributor role and above to perform SSRF attacks.

Severity CVSS v4.0: Pending analysis

Last modification:

11/06/2025

CVE-2024-0314

Publication date:

15/01/2024

XSS vulnerability in FireEye Central Management affecting version 9.1.1.956704, which could allow an attacker to modify special HTML elements in the application and cause a reflected XSS, leading to a session hijacking.

Severity CVSS v4.0: Pending analysis

Last modification:

19/01/2024

CVE-2023-4925

Publication date:

15/01/2024

The Easy Forms for Mailchimp WordPress plugin through 6.8.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Severity CVSS v4.0: Pending analysis

Last modification:

11/06/2025

CVE-2023-50729

Publication date:

15/01/2024

Traccar is an open source GPS tracking system. Prior to 5.11, Traccar is affected by an unrestricted file upload vulnerability in File feature allows attackers to execute arbitrary code on the server. This vulnerability is more prevalent because Traccar is recommended to run web servers as root user. It is also more dangerous because it can write or overwrite files in arbitrary locations. Version 5.11 was published to fix this vulnerability.

Severity CVSS v4.0: Pending analysis

Last modification:

19/01/2024

Subscribe to Vulnerabilities