
"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 637
Critical: 40
High: 108
Medium: 475
Showing 1-20 of 637 records
Threat Entry Updated 2026-05-20

CVE-2026-5776 - Before 2 Plugin

The Email Encoder WordPress plugin before 2.4.7 does not escape email addresses retrieved via user input, allowing unauthenticated attackers to perform Stored XSS attacks.

PLUGIN Before 2

CVE-2026-5776

MEDIUM CVSS 6.1 2026-05-20
Threat Entry Updated 2026-05-18

CVE-2026-3220 - Before 2 Plugin

The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the final HTML output by anticipating the placeholder format.

PLUGIN Before 2

CVE-2026-3220

HIGH CVSS 8.8 2026-05-18
Threat Entry Updated 2026-05-18

CVE-2026-1631 - Before 2 Plugin

The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of its license key due to a missing capability check on the 'actions' function. This makes it possible for subscribers and above to delete the license key.

PLUGIN Before 2

CVE-2026-1631

MEDIUM CVSS 5.4 2026-05-18
Threat Entry Updated 2026-04-28

CVE-2026-5306 - Before 2 Plugin

The Check & Log Email WordPress plugin before 2.0.13 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks when the email encoder setting is enabled.

PLUGIN Before 2

CVE-2026-5306

MEDIUM CVSS 5.4 2026-04-28
Threat Entry Updated 2026-04-23

CVE-2026-4512 - Before 2 Plugin

The reCaptcha by WebDesignBy WordPress plugin before 2.0 does not sanitize or escape the Site Key setting before outputting it in a JavaScript string context via the grecaptcha_js() function. This allows administrators on multisite installations (who do not have the unfiltered_html capability) to inject arbitrary JavaScript that executes for all visitors to the WordPress login page.

PLUGIN Before 2

CVE-2026-4512

LOW CVSS 3.5 2026-04-23
Threat Entry Updated 2026-04-09

CVE-2026-4079 - Before 2 Plugin

The SQL Chart Builder WordPress plugin before 2.3.8 does not properly escape user input as it is concatenated into SQL queries, making it possible for attackers to conduct SQL Injection attacks against the dynamic filter functionality.

PLUGIN Before 2

CVE-2026-4079

MEDIUM CVSS 6.5 2026-04-07
Threat Entry Updated 2026-04-15

CVE-2026-1969 - Before 2 Plugin

The trx_addons WordPress plugin before 2.38.5 does not correctly validate file types in one of its AJAX actions, allowing unauthenticated users to upload arbitrary files. This is due to an incorrect fix of CVE-2024-13448.

PLUGIN Before 2

CVE-2026-1969

MEDIUM CVSS 5.3 2026-03-23
Threat Entry Updated 2026-04-15

CVE-2026-2631 - Before 2 Plugin

The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option `datalogics_token` without verification. This token is subsequently used for authentication in a protected endpoint that allows users to perform arbitrary WordPress `update_option()` operations. Attackers can use this to enable registration and to set the default role as Administrator.

PLUGIN Before 2

CVE-2026-2631

CRITICAL CVSS 9.8 2026-03-11
Threat Entry Updated 2026-02-24

CVE-2025-15386 - Before 2 Plugin

The Responsive Lightbox & Gallery WordPress plugin before 2.6.1 is vulnerable to an Unauthenticated Stored XSS attack due to flawed regex replacement rules that can be abused by posting a comment with a malicious link when the lightbox for comments is enabled and the comment is then approved.

PLUGIN Before 2

CVE-2025-15386

HIGH CVSS 8.8 2026-02-24
Threat Entry Updated 2026-04-15

CVE-2026-0658 - Before 2 Plugin

The Five Star Restaurant Reservations WordPress plugin before 2.7.9 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting bookings via CSRF attacks.

PLUGIN Before 2

CVE-2026-0658

MEDIUM CVSS 4.3 2026-02-02
Threat Entry Updated 2026-01-29

CVE-2025-14975 - Before 2 Plugin

The Custom Login Page Customizer WordPress plugin before 2.5.4 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user whose username is known, such as administrator accounts, and therefore gain access to that account.

PLUGIN Before 2

CVE-2025-14975

HIGH CVSS 8.1 2026-01-29
Threat Entry Updated 2026-01-08

CVE-2025-14719 - Before 2 Plugin

The Relevanssi WordPress plugin before 4.26.0 and Relevanssi Premium WordPress plugin before 2.29.0 do not sanitize and escape a parameter before using it in a SQL statement, allowing contributor and above roles to perform SQL injection attacks.

PLUGIN Before 2

CVE-2025-14719

MEDIUM CVSS 4.9 2026-01-07
Threat Entry Updated 2025-12-29

CVE-2025-13407 - Before 2 Plugin

The Gravity Forms WordPress plugin before 2.9.23.1 does not properly prevent users from uploading dangerous files through its chunked upload functionality, allowing attackers to upload PHP files to affected sites and achieve Remote Code Execution, granted they can discover or enumerate the upload path.

PLUGIN Before 2

CVE-2025-13407

MEDIUM CVSS 6.8 2025-12-24
Threat Entry Updated 2025-12-19

CVE-2025-13307 - Before 2 Plugin

The Ocean Modal Window WordPress plugin before 2.3.3 is vulnerable to Remote Code Execution via the modal display logic. These modals can be displayed under user-controlled conditions that Editors and Administrators can set (edit_pages capability). The conditions are then executed as part of an eval statement executed on every site page. This leads to remote code execution.

PLUGIN Before 2

CVE-2025-13307

HIGH CVSS 7.2 2025-12-19
Threat Entry Updated 2025-12-12

CVE-2025-12841 - Before 2 Plugin

The Bookit WordPress plugin before 2.5.1 has a publicly accessible REST endpoint that allows unauthenticated update of the plugin's Stripe payment options.

PLUGIN Before 2

CVE-2025-12841

MEDIUM CVSS 5.3 2025-12-12
Threat Entry Updated 2025-12-12

CVE-2025-13073 - Before 2 Plugin

The HandL UTM Grabber / Tracker WordPress plugin before 2.8.1 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Before 2

CVE-2025-13073

HIGH CVSS 7.1 2025-12-10
Threat Entry Updated 2025-12-12

CVE-2025-13072 - Before 2 Plugin

The HandL UTM Grabber / Tracker WordPress plugin before 2.8.1 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Before 2

CVE-2025-13072

HIGH CVSS 7.1 2025-12-10
Threat Entry Updated 2025-12-12

CVE-2025-13031 - Before 2 Plugin

The WPeMatico RSS Feed Fetcher WordPress plugin before 2.8.13 does not sanitize and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 2

CVE-2025-13031

MEDIUM CVSS 5.9 2025-12-09
Threat Entry Updated 2026-01-09

CVE-2025-12954 - Before 2 Plugin

The Timetable and Event Schedule by MotoPress WordPress plugin before 2.4.16 does not verify that a user has access to a specific event when duplicating it, leading to arbitrary event disclosure to users with a role as low as Contributor.

PLUGIN Before 2

CVE-2025-12954

LOW CVSS 2.7 2025-12-03
Threat Entry Updated 2025-11-25

CVE-2025-12394 - Before 2 Plugin

The Backup Migration WordPress plugin before 2.0.0 does not properly generate its backup path in certain server configurations, allowing unauthenticated users to fetch a log that discloses the backup filename. The backup archive is then downloadable without authentication.

PLUGIN Before 2

CVE-2025-12394

MEDIUM CVSS 5.9 2025-11-24