Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-01-30
CVE-2025-8889 - Before 1 Plugin
The Compress & Upload WordPress plugin before 1.0.5 does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup)
PLUGIN
Before 1
CVE-2025-8889
Risk Score
Threat Entry
Updated 2026-01-16
CVE-2025-8046 - Before 1 Plugin
The Injection Guard WordPress plugin before 1.2.8 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers
PLUGIN
Before 1
CVE-2025-8046
Risk Score
Threat Entry
Updated 2026-02-20
CVE-2025-7808 - Before 1 Plugin
The WP Shopify WordPress plugin before 1.5.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
Before 1
CVE-2025-7808
Risk Score
Threat Entry
Updated 2025-08-14
CVE-2025-3414 - Before 1 Plugin
The Structured Content (JSON-LD) #wpsc WordPress plugin before 1.7.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
Before 1
CVE-2025-3414
Risk Score
Threat Entry
Updated 2025-08-06
CVE-2025-5921 - Before 1 Plugin
The SureForms WordPress plugin before 1.7.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both authenticated and unauthenticated users.
PLUGIN
Before 1
CVE-2025-5921
Risk Score
Threat Entry
Updated 2025-07-11
CVE-2025-6236 - Before 1 Plugin
The Hostel WordPress plugin before 1.1.5.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 1
CVE-2025-6236
Risk Score
Threat Entry
Updated 2025-07-11
CVE-2025-6234 - Before 1 Plugin
The Hostel WordPress plugin before 1.1.5.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Before 1
CVE-2025-6234
Risk Score
Threat Entry
Updated 2025-07-01
CVE-2025-5730 - Before 1 Plugin
The Contact Form Plugin WordPress plugin before 1.1.29 does not sanitise and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks.
PLUGIN
Before 1
CVE-2025-5730
Risk Score
Threat Entry
Updated 2025-07-11
CVE-2025-5125 - Before 1 Plugin
The Custom Post Carousels with Owl WordPress plugin before 1.4.12 uses the featherlight library and makes use of the data-featherlight attribute without sanitizing before using it.
PLUGIN
Before 1
CVE-2025-5125
Risk Score
Threat Entry
Updated 2025-07-02
CVE-2025-4955 - Before 1 Plugin
The tarteaucitron.io WordPress plugin before 1.9.5 uses query parameters from YouTube oEmbed URLs without sanitizing these parameters correctly, which could allow users with the contributor role and above to perform Stored Cross-site Scripting attacks.
PLUGIN
Before 1
CVE-2025-4955
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2025-4652 - Before 1 Plugin
The Broadstreet WordPress plugin before 1.51.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Before 1
CVE-2025-4652
Risk Score
Threat Entry
Updated 2026-01-09
CVE-2025-1627 - Before 1 Plugin
The Qi Blocks WordPress plugin before 1.4 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
Before 1
CVE-2025-1627
Risk Score
Threat Entry
Updated 2026-01-09
CVE-2025-1626 - Before 1 Plugin
The Qi Blocks WordPress plugin before 1.4 does not validate and escape some of its Countdown block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
Before 1
CVE-2025-1626
Risk Score
Threat Entry
Updated 2026-01-09
CVE-2025-1625 - Before 1 Plugin
The Qi Blocks WordPress plugin before 1.4 does not validate and escape some of its Counter block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
Before 1
CVE-2025-1625
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2024-9882 - Before 1 Plugin
The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses WordPress plugin before 1.9.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 1
CVE-2024-9882
Risk Score
Threat Entry
Updated 2026-01-23
CVE-2024-9450 - Before 1 Plugin
The Free Booking Plugin for Hotels, Restaurants and Car Rentals WordPress plugin before 1.3.15 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in subscriber change them via a CSRF attack
PLUGIN
Before 1
CVE-2024-9450
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2024-9238 - Before 1 Plugin
The AVIF Uploader WordPress plugin before 1.1.1 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.
PLUGIN
Before 1
CVE-2024-9238
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2024-8854 - Before 1 Plugin
The Polls CP WordPress plugin before 1.0.77 does not sanitise and escape some of its poll settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multi site setup).
PLUGIN
Before 1
CVE-2024-8854
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2024-8673 - Before 1 Plugin
The Z-Downloads WordPress plugin before 1.11.7 does not properly validate uploaded files allowing for the uploading of SVGs containing malicious JavaScript.
PLUGIN
Before 1
CVE-2024-8673
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2024-8699 - Before 1 Plugin
The Z-Downloads WordPress plugin before 1.11.5 does not properly validate files uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup)
PLUGIN
Before 1
CVE-2024-8699
Risk Score