Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3,188
Critical: 181
High: 650
Medium: 2,333
Showing 1021-1040 of 3188 records
Threat Entry Updated 2025-08-11

CVE-2025-2109 - Changeset Plugin

The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.30.15 via the init() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query information from internal services.

PLUGIN Changeset

CVE-2025-2109

MEDIUM CVSS 5.8 2025-03-25
Threat Entry Updated 2025-03-27

CVE-2025-2542 - Changeset Plugin

The Your Simple SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Changeset

CVE-2025-2542

MEDIUM CVSS 6.4 2025-03-25
Threat Entry Updated 2025-03-27

CVE-2025-2635 - Changeset Plugin

The Digital License Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg() function without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Changeset

CVE-2025-2635

MEDIUM CVSS 6.1 2025-03-25
Threat Entry Updated 2025-08-08

CVE-2025-2252 - Changeset Plugin

The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.6.1 via the edd_ajax_get_download_title() function. This makes it possible for unauthenticated attackers to extract private post titles of downloads. The impact here is minimal.

PLUGIN Changeset

CVE-2025-2252

MEDIUM CVSS 5.3 2025-03-25
Threat Entry Updated 2025-03-27

CVE-2025-2224 - Changeset Plugin

The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'parse_query' function in all versions up to, and including, 8.2. This makes it possible for unauthenticated attackers to update the post_status of any post to 'publish'.

PLUGIN Changeset

CVE-2025-2224

MEDIUM CVSS 5.3 2025-03-25
Threat Entry Updated 2025-03-22

CVE-2025-2186 - Changeset Plugin

The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to SQL Injection via the ‘automationId’ parameter in all versions up to, and including, 3.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Changeset

CVE-2025-2186

HIGH CVSS 7.5 2025-03-22
Threat Entry Updated 2025-03-22

CVE-2025-2577 - Changeset Plugin

The Bitspecter Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Changeset

CVE-2025-2577

MEDIUM CVSS 6.4 2025-03-22
Threat Entry Updated 2025-07-09

CVE-2025-1971 - Changeset Plugin

The Export and Import Users and Customers plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.2 via deserialization of untrusted input from the 'form_data' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional…

PLUGIN Changeset

CVE-2025-1971

HIGH CVSS 7.2 2025-03-22
Threat Entry Updated 2025-08-11

CVE-2025-2331 - Changeset Plugin

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.22.1 via a misconfigured capability check in the 'permissionsCheck' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including reports detailing donors and donation amounts.

PLUGIN Changeset

CVE-2025-2331

MEDIUM CVSS 5.3 2025-03-22
Threat Entry Updated 2025-07-09

CVE-2025-1973 - Changeset Plugin

The Export and Import Users and Customers plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.6.2 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary log files on the server, which can contain sensitive information.

PLUGIN Changeset

CVE-2025-1973

MEDIUM CVSS 4.9 2025-03-22
Threat Entry Updated 2025-07-09

CVE-2025-1972 - Changeset Plugin

The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.6.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the server.

PLUGIN Changeset

CVE-2025-1972

LOW CVSS 2.7 2025-03-22
Threat Entry Updated 2025-07-09

CVE-2025-1970 - Changeset Plugin

The Export and Import Users and Customers plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.6.2 via the validate_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Changeset

CVE-2025-1970

HIGH CVSS 7.6 2025-03-22
Threat Entry Updated 2025-03-27

CVE-2024-13737 - Changeset Plugin

The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the motors_create_template and motors_delete_template functions in all versions up to, and including, 1.4.57. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts or create listing templates. This issue requires the Elementor plugin to be installed, which is a required plugin for the Motors Starter Theme.

PLUGIN Changeset

CVE-2024-13737

MEDIUM CVSS 4.3 2025-03-22
Threat Entry Updated 2025-03-26

CVE-2025-1802 - Changeset Plugin

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_title', 'notification_content', and 'stt_button_text' parameters in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.3.

PLUGIN Changeset

CVE-2025-1802

MEDIUM CVSS 6.4 2025-03-20
Threat Entry Updated 2025-03-26

CVE-2024-13923 - Changeset Plugin

The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.6.0 via the validate_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Changeset

CVE-2024-13923

HIGH CVSS 7.6 2025-03-20
Threat Entry Updated 2025-03-27

CVE-2024-13558 - Changeset Plugin

The NP Quote Request for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.179 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to read the content of quote requests.

PLUGIN Changeset

CVE-2024-13558

HIGH CVSS 7.5 2025-03-20
Threat Entry Updated 2025-03-26

CVE-2024-13921 - Changeset Plugin

The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.0 via deserialization of untrusted input from the 'form_data' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an…

PLUGIN Changeset

CVE-2024-13921

HIGH CVSS 7.2 2025-03-20
Threat Entry Updated 2025-03-27

CVE-2024-13920 - Changeset Plugin

The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.6.0 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary log files on the server, which can contain sensitive information.

PLUGIN Changeset

CVE-2024-13920

MEDIUM CVSS 4.9 2025-03-20
Threat Entry Updated 2025-03-26

CVE-2024-13922 - Changeset Plugin

The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.6.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the server.

PLUGIN Changeset

CVE-2024-13922

LOW CVSS 2.7 2025-03-20
Threat Entry Updated 2025-03-20

CVE-2025-2505 - Changeset Plugin

The Age Gate plugin for WordPress is vulnerable to Local PHP File Inclusion in all versions up to, and including, 3.5.3 via the 'lang' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

PLUGIN Changeset

CVE-2025-2505

CRITICAL CVSS 9.8 2025-03-20