LiveActive security incident?Get immediate response
CVE archive

July 2023

Browse CVE records published in July 2023, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 2181 matching CVEs · Page 3 of 44.

Medium · CVSS 4.3

CVE-2023-2561: Gallery Metabox <= 1.5 - Missing Authorization via gallery_remove

The Gallery Metabox for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the gallery_remove function in versions up to, and including, 1.5. This makes it possible for subscriber-level attackers to modify galleries attached to posts and pages with this plugin.

Published Jul 12, 2023 · Updated Apr 8, 2026

High · CVSS 7.2

CVE-2023-3087: FluentSMTP <= 2.2.4 - Unauthenticated Stored Cross-Site Scripting via Email Subject

The FluentSMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an email subject in versions up to, and including, 2.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published Jul 12, 2023 · Updated Apr 8, 2026

High · CVSS 7.5

CVE-2023-3813: Jupiter X Core <= 4.6.6 - Unauthenticated Arbitrary File Download

The Jupiter X Core plugin for WordPress is vulnerable to arbitrary file downloads in versions up to, and including, 4.6.6. This makes it possible for unauthenticated attackers to download the contents of arbitrary files on the server, which can contain sensitive information. The requires the premium version of the plugin to be activated. NOTE: This vulnerability was partially patched in version 4.6.5 and fully patched in version 4.6.9.

Published Jul 21, 2023 · Updated Apr 8, 2026

High · CVSS 7.2

CVE-2023-3081: WP Mail Logging <= 1.11.1 - Unauthenticated Stored Cross-Site Scripting via Email

The WP Mail Logging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email contents in versions up to, and including, 1.11.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: An incomplete fix was released in 1.11.1.

Published Jul 12, 2023 · Updated Apr 8, 2026

Medium · CVSS 6.4

CVE-2023-2082: Buy Me a Coffee – Button and Widget Plugin <= 3.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting

The "Buy Me a Coffee – Button and Widget Plugin" plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 3.6 due to insufficient sanitization and escaping on the 'text value set via the bmc_post_reception action. This makes it possible for authenticated attackers, with subscriber-level permissions, and above to inject arbitrary web scripts into pages that execute whenever a victim accesses a page with the injected scripts.

Published Jul 14, 2023 · Updated Apr 8, 2026