
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 140 records (Critical: 8, High: 23, Medium: 107)

Showing 1-20 of 140 records
CVE-2026-2696 - Before 5 Plugin
MEDIUM, CVSS 5.3, 2026-04-01 (entry updated 2026-04-15)

The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing post URLs (including private posts) in a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any unauthenticated user can brute-force the filenames to gain access to sensitive data contained within the exported files.

CVE-2026-2626 - Before 5 Plugin
HIGH, CVSS 8.1, 2026-03-11 (entry updated 2026-04-15)

The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing functions, allowing unauthenticated users to modify the plugin's stored options. Furthermore, due to the use of unserialize() on the data, this could be further exploited when combined with a PHP gadget chain to achieve PHP Object Injection.

CVE-2026-1867 - Before 5 Plugin
MEDIUM, CVSS 5.9, 2026-03-11 (entry updated 2026-04-15)

The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.6 allows passing a URL parameter to regenerate a .json file based on demo data that it initially creates. If an administrator modifies the demo form and enables admin notifications in the plugin's settings, it is possible for an unauthenticated attacker to export and download all of the form data/settings, including the administrator's email address.

CVE-2025-14124 - Before 5 Plugin
HIGH, CVSS 8.6, 2026-01-05 (entry updated 2026-01-08)

The Team WordPress plugin before 5.0.11 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

CVE-2025-12569 - Before 5 Plugin
MEDIUM, CVSS 4.7, 2025-11-24 (entry updated 2025-11-25)

The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.0 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue.

CVE-2025-8113 - Before 5 Plugin
MEDIUM, CVSS 6.1, 2025-08-16 (entry updated 2026-01-27)

The Ebook Store WordPress plugin before 5.8015 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.

CVE-2025-6715 - Before 5 Plugin
CRITICAL, CVSS 9.8, 2025-08-13 (entry updated 2025-08-13)

The LatePoint WordPress plugin before 5.1.94 is vulnerable to Local File Inclusion via the layout parameter. This makes it possible for attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files.

CVE-2025-5209 - Before 5 Plugin
MEDIUM, CVSS 4.8, 2025-06-17 (entry updated 2025-06-26)

The Ivory Search WordPress plugin before 5.5.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

CVE-2025-1485 - Before 5 Plugin
MEDIUM, CVSS 4.8, 2025-06-02 (entry updated 2025-06-09)

The Real Cookie Banner: GDPR & ePrivacy Cookie Consent WordPress plugin before 5.1.6 and the real-cookie-banner-pro WordPress plugin before 5.1.6 do not sanitise and escape some of their settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2024-13382 - Before 5 Plugin
MEDIUM, CVSS 4.8, 2025-05-15 (entry updated 2025-05-23)

The Calculated Fields Form WordPress plugin before 5.2.64 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2024-12743 - Before 5 Plugin
MEDIUM, CVSS 4.8, 2025-05-15 (entry updated 2025-06-10)

The MailPoet WordPress plugin before 5.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2024-13381 - Before 5 Plugin
MEDIUM, CVSS 4.8, 2025-05-01 (entry updated 2025-05-07)

The Calculated Fields Form WordPress plugin before 5.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2024-12273 - Before 5 Plugin
LOW, CVSS 3.5, 2025-04-29 (entry updated 2025-04-29)

The Calculated Fields Form WordPress plugin before 5.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2025-0671 - Before 5 Plugin
MEDIUM, CVSS 6.1, 2025-04-25 (entry updated 2025-04-29)

The Icegram Express WordPress plugin before 5.7.50 does not sanitise and escape some of its Template settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2024-11924 - Before 5 Plugin
LOW, CVSS 3.5, 2025-04-17 (entry updated 2025-04-29)

The Icegram Express (formerly known as Email Subscribers) WordPress plugin before 5.7.52 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2024-13602 - Before 5 Plugin
MEDIUM, CVSS 4.8, 2025-03-16 (entry updated 2025-04-09)

The Poll Maker WordPress plugin before 5.5.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2024-12737 - Before 5 Plugin
MEDIUM, CVSS 6.1, 2025-02-26 (entry updated 2025-05-20)

The WP BASE Booking of Appointments, Services and Events WordPress plugin before 5.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVE-2024-12772 - Before 5 Plugin
MEDIUM, CVSS 5.4, 2025-01-31 (entry updated 2025-03-28)

The Ninja Tables WordPress plugin before 5.0.17 does not sanitize and escape a parameter before outputting it back in the page when importing a CSV, leading to a Cross-Site Scripting vulnerability.

CVE-2024-12400 - Before 5 Plugin
HIGH, CVSS 7.1, 2025-01-30 (entry updated 2025-06-09)

The tourmaster WordPress plugin before 5.3.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting.

CVE-2024-12568 - Before 5 Plugin
MEDIUM, CVSS 4.8, 2025-01-13 (entry updated 2025-05-08)

The Email Subscribers by Icegram Express WordPress plugin before 5.7.45 does not sanitise and escape some of its Workflow settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).