Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 632 records (Critical: 40, High: 107, Medium: 472). Showing 1-20 of 632 records.

CVE-2026-4079 (entry updated 2026-04-09)

The SQL Chart Builder WordPress plugin before 2.3.8 does not properly escape user input as it is concatenated to SQL queries, making it possible for attackers to conduct SQL Injection attacks against the dynamic filter functionality.

Plugin | MEDIUM | CVSS 6.5 | 2026-04-07

CVE-2026-1969 (entry updated 2026-04-15)

The trx_addons WordPress plugin before 2.38.5 does not correctly validate file types in one of its AJAX actions, allowing unauthenticated users to upload arbitrary files. This is due to an incorrect fix of CVE-2024-13448.

Plugin | MEDIUM | CVSS 5.3 | 2026-03-23

CVE-2026-2631 (entry updated 2026-04-15)

The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option `datalogics_token` without verification. This token is subsequently used for authentication in a protected endpoint that allows users to perform arbitrary WordPress `update_option()` operations. Attackers can use this to enable registration and to set the default role as Administrator.

Plugin | CRITICAL | CVSS 9.8 | 2026-03-11

CVE-2025-15386 (entry updated 2026-02-24)

The Responsive Lightbox & Gallery WordPress plugin before 2.6.1 is vulnerable to an Unauthenticated Stored XSS attack due to flawed regex replacement rules that can be abused by posting a comment with a malicious link when the lightbox for comments is enabled and the comment is then approved.

Plugin | HIGH | CVSS 8.8 | 2026-02-24

CVE-2026-0658 (entry updated 2026-04-15)

The Five Star Restaurant Reservations WordPress plugin before 2.7.9 does not have CSRF checks in some bulk actions, which could allow attackers to make logged-in admins perform unwanted actions, such as deleting bookings, via CSRF attacks.

Plugin | MEDIUM | CVSS 4.3 | 2026-02-02

CVE-2025-14975 (entry updated 2026-01-29)

The Custom Login Page Customizer WordPress plugin before 2.5.4 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user whose username is known, such as administrator accounts, and therefore gain access to their account.

Plugin | HIGH | CVSS 8.1 | 2026-01-29

CVE-2025-14719 (entry updated 2026-01-08)

The Relevanssi WordPress plugin before 4.26.0 and the Relevanssi Premium WordPress plugin before 2.29.0 do not sanitize and escape a parameter before using it in a SQL statement, allowing contributor and above roles to perform SQL injection attacks.

Plugin | MEDIUM | CVSS 4.9 | 2026-01-07

CVE-2025-13407 (entry updated 2025-12-29)

The Gravity Forms WordPress plugin before 2.9.23.1 does not properly prevent users from uploading dangerous files through its chunked upload functionality, allowing attackers to upload PHP files to affected sites and achieve Remote Code Execution, granted they can discover or enumerate the upload path.

Plugin | MEDIUM | CVSS 6.8 | 2025-12-24

CVE-2025-13307 (entry updated 2025-12-19)

The Ocean Modal Window WordPress plugin before 2.3.3 is vulnerable to Remote Code Execution via the modal display logic. These modals can be displayed under user-controlled conditions that Editors and Administrators can set (edit_pages capability). The conditions are then executed as part of an eval statement executed on every site page. This leads to remote code execution.

Plugin | HIGH | CVSS 7.2 | 2025-12-19

CVE-2025-12841 (entry updated 2025-12-12)

The Bookit WordPress plugin before 2.5.1 has a publicly accessible REST endpoint that allows unauthenticated update of the plugin's Stripe payment options.

Plugin | MEDIUM | CVSS 5.3 | 2025-12-12

CVE-2025-13073 (entry updated 2025-12-12)

The HandL UTM Grabber / Tracker WordPress plugin before 2.8.1 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Plugin | HIGH | CVSS 7.1 | 2025-12-10

CVE-2025-13072 (entry updated 2025-12-12)

The HandL UTM Grabber / Tracker WordPress plugin before 2.8.1 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Plugin | HIGH | CVSS 7.1 | 2025-12-10

CVE-2025-13031 (entry updated 2025-12-12)

The WPeMatico RSS Feed Fetcher WordPress plugin before 2.8.13 does not sanitize and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks.

Plugin | MEDIUM | CVSS 5.9 | 2025-12-09

CVE-2025-12954 (entry updated 2026-01-09)

The Timetable and Event Schedule by MotoPress WordPress plugin before 2.4.16 does not verify that a user has access to a specific event when duplicating it, leading to arbitrary event disclosure to users with a role as low as Contributor.

Plugin | LOW | CVSS 2.7 | 2025-12-03

CVE-2025-12394 (entry updated 2025-11-25)

The Backup Migration WordPress plugin before 2.0.0 does not properly generate its backup path in certain server configurations, allowing unauthenticated users to fetch a log that discloses the backup filename. The backup archive is then downloadable without authentication.

Plugin | MEDIUM | CVSS 5.9 | 2025-11-24

CVE-2025-9501 (entry updated 2025-11-18)

The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post.

Plugin | CRITICAL | CVSS 9.0 | 2025-11-17

CVE-2025-11154 (entry updated 2025-12-05)

The IDonate WordPress plugin before 2.1.13 does not have authorisation and CSRF checks when deleting users via an action handler, allowing unauthenticated attackers to delete arbitrary users.

Plugin | MEDIUM | CVSS 5.4 | 2025-10-27

CVE-2025-9978 (entry updated 2026-01-09)

The Jeg Kit for Elementor WordPress plugin before 2.7.0 does not sanitize SVG file contents when uploaded via xmlrpc.php, leading to a Cross-Site Scripting vulnerability.

Plugin | MEDIUM | CVSS 6.8 | 2025-10-24

CVE-2025-8594 (entry updated 2025-10-14)

The Pz-LinkCard WordPress plugin before 2.5.7 does not validate a parameter before making a request to it, which could allow users with a role as low as Contributor to perform SSRF attacks.

Plugin | LOW | CVSS 3.8 | 2025-10-14

CVE-2025-10357 (entry updated 2025-10-14)

The Simple SEO WordPress plugin before 2.0.32 does not sanitise and escape some parameters when outputting them in the page, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

Plugin | MEDIUM | CVSS 6.1 | 2025-10-14