Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-04-15
CVE-2026-4432 - Before 4 Plugin
The YITH WooCommerce Wishlist WordPress plugin before 4.13.0 does not properly validate wishlist ownership in the save_title() AJAX handler before allowing wishlist renaming operations. The function only checks for a valid nonce, which is publicly exposed in the page source of the /wishlist/ page, making it possible for unauthenticated attackers to rename any wishlist belonging to any user on the site.
PLUGIN
Before 4
CVE-2026-4432
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1368 - Before 4 Plugin
The Video Conferencing with Zoom WordPress plugin before 4.6.6 contains an AJAX handler that has its nonce verification commented out, allowing unauthenticated attackers to generate valid Zoom SDK signatures for any meeting ID and retrieve the site's Zoom SDK key.
PLUGIN
Before 4
CVE-2026-1368
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-14719 - Before 4 Plugin
The Relevanssi WordPress plugin before 4.26.0, Relevanssi Premium WordPress plugin before 2.29.0 do not sanitize and escape a parameter before using it in a SQL statement, allowing contributor and above roles to perform SQL injection attacks
PLUGIN
Before 4
CVE-2025-14719
Risk Score
Threat Entry
Updated 2026-01-02
CVE-2025-13153 - Before 4 Plugin
The Logo Slider WordPress plugin before 4.9.0 does not validate and escape some of its slider options before outputting them back in the dashboard, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
Before 4
CVE-2025-13153
Risk Score
Threat Entry
Updated 2026-01-02
CVE-2025-14434 - Before 4 Plugin
The Ultimate Post Kit Addons for Elementor WordPress plugin before 4.0.16 exposes multiple AJAX “load more” endpoints such as upk_alex_grid_loadmore_posts without ensuring that posts to be displayed are published authentication. This allows an unauthenticated attacker to query arbitrary posts and retrieve rendered HTML content of private and unpublished ones.
PLUGIN
Before 4
CVE-2025-14434
Risk Score
Threat Entry
Updated 2026-01-20
CVE-2025-8944 - Before 4 Theme
The OceanWP WordPress theme before 4.1.2 is vulnerable to an option update due to a missing capability check on one of its AJAX request handler, allowing any authenticated users, such as subscriber to update the darkMod` setting.
THEME
Before 4
CVE-2025-8944
Risk Score
Threat Entry
Updated 2025-06-09
CVE-2025-3951 - Before 4 Plugin
The WP-Optimize WordPress plugin before 4.2.0 does not properly escape user input when checking image compression statuses, which could allow users with the administrator role to conduct SQL Injection attacks in the context of Multi-Site WordPress configurations.
PLUGIN
Before 4
CVE-2025-3951
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2024-9599 - Before 4 Plugin
The Popup Box WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 4
CVE-2024-9599
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2024-9236 - Before 4 Plugin
The Team WordPress plugin before 4.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 4
CVE-2024-9236
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2024-8619 - Before 4 Plugin
The Ajax Search Lite WordPress plugin before 4.12.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 4
CVE-2024-8619
Risk Score
Threat Entry
Updated 2025-11-13
CVE-2024-8009 - Before 4 Plugin
The Sensei LMS WordPress plugin before 4.20.0 disclose all users of the blog including their email address to teachers on the students page
PLUGIN
Before 4
CVE-2024-8009
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2024-6667 - Before 4 Plugin
The KBucket: Your Curated Content in WordPress plugin before 4.1.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against admin.
PLUGIN
Before 4
CVE-2024-6667
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2024-6665 - Before 4 Plugin
The KBucket: Your Curated Content in WordPress plugin before 4.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Before 4
CVE-2024-6665
Risk Score
Threat Entry
Updated 2025-06-10
CVE-2024-5026 - Before 4 Plugin
The CM Tooltip Glossary WordPress plugin before 4.3.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
PLUGIN
Before 4
CVE-2024-5026
Risk Score
Threat Entry
Updated 2025-05-23
CVE-2024-13730 - Before 4 Plugin
The Podlove Podcast Publisher WordPress plugin before 4.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 4
CVE-2024-13730
Risk Score
Threat Entry
Updated 2025-05-23
CVE-2024-13729 - Before 4 Plugin
The Podlove Podcast Publisher WordPress plugin before 4.1.24 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 4
CVE-2024-13729
Risk Score
Threat Entry
Updated 2025-05-22
CVE-2024-13128 - Before 4 Plugin
The LearnPress WordPress plugin before 4.2.7.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 4
CVE-2024-13128
Risk Score
Threat Entry
Updated 2025-05-22
CVE-2024-13127 - Before 4 Plugin
The LearnPress WordPress plugin before 4.2.7.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 4
CVE-2024-13127
Risk Score
Threat Entry
Updated 2025-06-10
CVE-2024-12770 - Before 4 Plugin
The WP ULike WordPress plugin before 4.7.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 4
CVE-2024-12770
Risk Score
Threat Entry
Updated 2025-11-13
CVE-2024-0970 - Before 4 Plugin
This User Activity Tracking and Log WordPress plugin before 4.1.4 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value.
PLUGIN
Before 4
CVE-2024-0970
Risk Score