Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-01-30
CVE-2025-13000 - Through 0 Plugin
The db-access WordPress plugin through 0.8.7 does not have authorization in an AJAX action, allowing any authenticated users, such as subscriber to perform SQLI attacks
PLUGIN
Through 0
CVE-2025-13000
Risk Score
Threat Entry
Updated 2025-11-25
CVE-2025-12629 - Through 0 Plugin
The Broken Link Manager WordPress plugin through 0.6.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
Through 0
CVE-2025-12629
Risk Score
Threat Entry
Updated 2025-11-21
CVE-2025-12502 - Through 0 Plugin
The attention-bar WordPress plugin through 0.7.2.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing high privilege users such as administrator to perform SQL injection attacks
PLUGIN
Through 0
CVE-2025-12502
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2025-0688 - Through 0 Plugin
The Spiritual Gifts Survey (and optional S.H.A.P.E survey) WordPress plugin through 0.9.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.
PLUGIN
Through 0
CVE-2025-0688
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2025-0687 - Through 0 Plugin
The Spiritual Gifts Survey (and optional S.H.A.P.E survey) WordPress plugin through 0.9.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.
PLUGIN
Through 0
CVE-2025-0687
Risk Score
Threat Entry
Updated 2025-05-27
CVE-2024-8090 - Through 0 Plugin
The JavaScript Logic WordPress plugin through 0.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
PLUGIN
Through 0
CVE-2024-8090
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2024-8082 - Through 0 Plugin
The Widgets Reset WordPress plugin through 0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Through 0
CVE-2024-8082
Risk Score
Threat Entry
Updated 2025-06-11
CVE-2024-6712 - Through 0 Plugin
The MapFig Studio WordPress plugin through 0.2.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack
PLUGIN
Through 0
CVE-2024-6712
Risk Score
Threat Entry
Updated 2025-06-11
CVE-2024-7556 - Through 0 Plugin
The Simple Share WordPress plugin through 0.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Through 0
CVE-2024-7556
Risk Score
Threat Entry
Updated 2025-06-11
CVE-2024-12726 - Through 0 Plugin
The ClipArt WordPress plugin through 0.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Through 0
CVE-2024-12726
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2024-11266 - Through 0 Plugin
The Geocache Stat Bar Widget WordPress plugin through 0.911 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Through 0
CVE-2024-11266
Risk Score
Threat Entry
Updated 2025-06-23
CVE-2025-2558 - Through 0 Theme
The-wound WordPress theme through 0.0.1 does not validate some parameters before using them to generate paths passed to include function/s, allowing unauthenticated users to perform LFI attacks and download arbitrary file from the server
THEME
Through 0
CVE-2025-2558
Risk Score
Threat Entry
Updated 2025-04-22
CVE-2024-6860 - Through 0 Plugin
The WP MultiTasking WordPress plugin through 0.1.12 does not have CSRF check when updating its permalink suffix settings, which could allow attackers to make logged admins perform such action via a CSRF attack
PLUGIN
Through 0
CVE-2024-6860
Risk Score
Threat Entry
Updated 2025-04-22
CVE-2024-6857 - Through 0 Plugin
The WP MultiTasking WordPress plugin through 0.1.12 does not have CSRF check when updating its Header, Footer and Body Script Settings, which could allow attackers to make logged admins perform such action via a CSRF attack
PLUGIN
Through 0
CVE-2024-6857
Risk Score
Threat Entry
Updated 2025-06-20
CVE-2024-13617 - Through 0 Plugin
The aoa-downloadable WordPress plugin through 0.1.0 doesn't validate a parameter in its download function, allowing unauthenticated attackers to download arbitrary files from the server
PLUGIN
Through 0
CVE-2024-13617
Risk Score
Threat Entry
Updated 2025-06-20
CVE-2024-13618 - Through 0 Plugin
The aoa-downloadable WordPress plugin through 0.1.0 lacks authorization and authentication for requests to its download.php endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.
PLUGIN
Through 0
CVE-2024-13618
Risk Score
Threat Entry
Updated 2025-04-08
CVE-2024-13878 - Through 0 Plugin
The SpotBot WordPress plugin through 0.1.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Through 0
CVE-2024-13878
Risk Score
Threat Entry
Updated 2025-04-09
CVE-2024-13876 - Through 0 Plugin
The mEintopf WordPress plugin through 0.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Through 0
CVE-2024-13876
Risk Score
Threat Entry
Updated 2025-04-29
CVE-2024-13885 - Through 0 Plugin
The WP e-Customers Beta WordPress plugin through 0.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Through 0
CVE-2024-13885
Risk Score
Threat Entry
Updated 2025-05-14
CVE-2024-13493 - Through 0 Plugin
The Sensly Online Presence WordPress plugin through 0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Through 0
CVE-2024-13493
Risk Score