
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 632 | Critical: 40 | High: 107 | Medium: 472
Showing 21-40 of 632 records
CVE-2025-10124 - Before 2 Plugin (Threat Entry Updated 2025-11-13)

The Booking Manager WordPress plugin before 2.1.15 registers a shortcode that deletes bookings and makes that shortcode available to anyone with contributor and above privileges. When a page containing the shortcode is visited, the bookings are deleted.

MEDIUM CVSS 4.5 2025-10-10

CVE-2025-9710 - Before 2 Plugin (Threat Entry Updated 2025-10-06)

The Responsive Lightbox & Gallery WordPress plugin before 2.5.3 does not properly handle HTML tag attributes modifications, potentially allowing unauthenticated attackers to abuse the functionality to include event handlers and conduct Stored XSS attacks.

MEDIUM CVSS 6.3 2025-10-06

CVE-2025-9703 - Before 2 Plugin (Threat Entry Updated 2025-10-06)

The Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) WordPress plugin before 2.5.0 does not sanitize SVG file contents when uploaded through the xmlrpc.php endpoint using base64 encoding, leading to a Cross-Site Scripting vulnerability.

MEDIUM CVSS 4.3 2025-10-06

CVE-2025-8942 - Before 2 Plugin (Threat Entry Updated 2025-09-22)

The WP Hotel Booking WordPress plugin before 2.2.3 lacks proper server-side validation for review ratings, allowing an attacker to manipulate the rating value (e.g., sending negative or out-of-range values) by intercepting and modifying requests.

CRITICAL CVSS 9.1 2025-09-18

CVE-2025-6200 - Before 2 Plugin (Threat Entry Updated 2026-01-09)

The GeoDirectory WordPress plugin before 2.8.120 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM CVSS 5.9 2025-07-11

CVE-2025-5093 - Before 2 Plugin (Threat Entry Updated 2025-07-01)

The Responsive Lightbox & Gallery WordPress plugin before 2.5.2 uses the Swipebox library, which does not validate and escape title attributes before outputting them back in a page/post where used, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2025-06-27

CVE-2025-5035 - Before 2 Plugin (Threat Entry Updated 2025-07-01)

The Firelight Lightbox WordPress plugin before 2.3.16 does not sanitise and escape title attributes before outputting them in the page, which could allow users with a role as low as contributors to perform stored Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2025-06-27

CVE-2025-5194 - Before 2 Plugin (Threat Entry Updated 2025-07-07)

The WP Map Block WordPress plugin before 2.0.3 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM CVSS 4.8 2025-06-27

CVE-2025-5526 - Before 2 Plugin (Threat Entry Updated 2025-07-03)

The BuddyPress Docs WordPress plugin before 2.2.5 lacks proper access controls and allows a logged in user to view and download files belonging to another user.

MEDIUM CVSS 4.3 2025-06-27

CVE-2025-3516 - Before 2 Plugin (Threat Entry Updated 2025-05-22)

The Simple Lightbox WordPress plugin before 2.9.4 does not validate and escape some of its attributes before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM CVSS 5.9 2025-05-16

CVE-2025-3201 - Before 2 Plugin (Threat Entry Updated 2025-05-27)

The Contact Form builder with drag & drop for WordPress WordPress plugin before 2.4.3 does not sanitise and escape some of its settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks.

MEDIUM CVSS 5.9 2025-05-16

CVE-2024-9765 - Before 2 Plugin (Threat Entry Updated 2025-05-28)

The EKC Tournament Manager WordPress plugin before 2.2.2 allows a logged in admin to download system files outside of the WordPress directory.

MEDIUM CVSS 6.5 2025-05-15

CVE-2024-9879 - Before 2 Plugin (Threat Entry Updated 2025-06-12)

The Melapress File Monitor WordPress plugin before 2.1.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.

MEDIUM CVSS 5.4 2025-05-15

CVE-2024-9711 - Before 2 Plugin (Threat Entry Updated 2025-05-28)

The EKC Tournament Manager WordPress plugin before 2.2.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

MEDIUM CVSS 5.4 2025-05-15

CVE-2024-9709 - Before 2 Plugin (Threat Entry Updated 2025-05-28)

The EKC Tournament Manager WordPress plugin before 2.2.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

MEDIUM CVSS 5.4 2025-05-15

CVE-2024-9663 - Before 2 Plugin (Threat Entry Updated 2025-06-12)

The CYAN Backup WordPress plugin before 2.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

MEDIUM CVSS 5.4 2025-05-15

CVE-2024-9662 - Before 2 Plugin (Threat Entry Updated 2025-06-12)

The CYAN Backup WordPress plugin before 2.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

MEDIUM CVSS 5.4 2025-05-15

CVE-2024-9645 - Before 2 Plugin (Threat Entry Updated 2025-06-04)

The Post Grid, Posts Slider, Posts Carousel, Post Filter, Post Masonry WordPress plugin before 2.2.93 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2025-05-15

CVE-2024-9182 - Before 2 Plugin (Threat Entry Updated 2025-06-12)

The Maspik WordPress plugin before 2.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

MEDIUM CVSS 4.8 2025-05-15

CVE-2024-8620 - Before 2 Plugin (Threat Entry Updated 2025-06-04)

The MapPress Maps for WordPress plugin before 2.93 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

MEDIUM CVSS 4.8 2025-05-15