Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-04-15
CVE-2026-2343 - Through 2 Plugin
The PeproDev Ultimate Invoice WordPress plugin through 2.2.5 has a bulk download invoices action that generates ZIP archives containing exported invoice PDFs. The ZIP files are named predictably making it possible to brute force and retreive PII.
PLUGIN
Through 2
CVE-2026-2343
Risk Score
Threat Entry
Updated 2026-02-11
CVE-2025-15400 - Through 2 Plugin
The Pix para Woocommerce WordPress plugin through 2.13.3 allows any authenticated user to trigger AJAX actions that reset payment gateway configuration options without capability or nonce checks. This permits any authenticated users, such as subscribers to clear API credentials and webhook status, causing persistent disruption of OpenPix payment functionality.
PLUGIN
Through 2
CVE-2025-15400
Risk Score
Threat Entry
Updated 2026-01-29
CVE-2025-13471 - Through 2 Plugin
The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example to enable User Registration when it has been turned off)
PLUGIN
Through 2
CVE-2025-13471
Risk Score
Threat Entry
Updated 2026-01-13
CVE-2025-14829 - Through 2 Plugin
The E-xact | Hosted Payment | WordPress plugin through 2.0 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.
PLUGIN
Through 2
CVE-2025-14829
Risk Score
Threat Entry
Updated 2025-11-25
CVE-2024-14015 - Through 2 Plugin
The WordPress eCommerce Plugin WordPress plugin through 2.9.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
Through 2
CVE-2024-14015
Risk Score
Threat Entry
Updated 2025-11-21
CVE-2025-11127 - Through 2 Plugin
The Mstoreapp Mobile App WordPress plugin through 2.08 and Mstoreapp Mobile Multivendor through 9.0.1 do not properly verify users identify when using an AJAX action, allowing unauthenticated users to retrieve a valid session for arbitrary users by knowing their email address.
PLUGIN
Through 2
CVE-2025-11127
Risk Score
Threat Entry
Updated 2025-11-06
CVE-2025-6027 - Through 2 Plugin
The Ace User Management WordPress plugin through 2.0.3 does not properly validate that a password reset token is associated with the user who requested it, allowing any authenticated users, such as subscriber to reset the password of arbitrary accounts, including administrators.
PLUGIN
Through 2
CVE-2025-6027
Risk Score
Threat Entry
Updated 2025-10-30
CVE-2025-9544 - Through 2 Plugin
The Doppler Forms WordPress plugin through 2.5.1 registers an AJAX action install_extension without verifying user capabilities or using a nonce. As a result, any authenticated user — including those with the Subscriber role — can install and activate additional Doppler Forms WordPress plugin through 2.5.1 (limited to those whitelisted by the main Doppler Forms WordPress plugin through 2.5.1).
PLUGIN
Through 2
CVE-2025-9544
Risk Score
Threat Entry
Updated 2025-10-08
CVE-2025-10635 - Through 2 Plugin
The Find Me On WordPress plugin through 2.0.9.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing subscribers and above to perform SQL injection attacks
PLUGIN
Through 2
CVE-2025-10635
Risk Score
Threat Entry
Updated 2026-01-16
CVE-2025-8281 - Through 2 Plugin
The WP Talroo WordPress plugin through 2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin and unauthenticated users.
PLUGIN
Through 2
CVE-2025-8281
Risk Score
Threat Entry
Updated 2025-07-25
CVE-2025-7022 - Through 2 Plugin
The My Reservation System WordPress plugin through 2.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Through 2
CVE-2025-7022
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2024-8398 - Through 2 Plugin
The Simple Nav Archives WordPress plugin through 2.1.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Through 2
CVE-2024-8398
Risk Score
Threat Entry
Updated 2025-05-27
CVE-2024-8094 - Through 2 Plugin
The Ntz Antispam WordPress plugin through 2.0e does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Through 2
CVE-2024-8094
Risk Score
Threat Entry
Updated 2025-06-11
CVE-2024-7984 - Through 2 Plugin
The Joy Of Text Lite WordPress plugin through 2.3.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Through 2
CVE-2024-7984
Risk Score
Threat Entry
Updated 2025-06-09
CVE-2024-12750 - Through 2 Plugin
The Competition Form WordPress plugin through 2.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Through 2
CVE-2024-12750
Risk Score
Threat Entry
Updated 2025-06-09
CVE-2024-12282 - Through 2 Plugin
The WordPress连接微博 WordPress plugin through 2.5.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
PLUGIN
Through 2
CVE-2024-12282
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2024-10677 - Through 2 Plugin
The BTEV WordPress plugin through 2.0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Through 2
CVE-2024-10677
Risk Score
Threat Entry
Updated 2025-06-09
CVE-2024-11140 - Through 2 Plugin
The Real WP Shop Lite Ajax eCommerce Shopping Cart WordPress plugin through 2.0.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Through 2
CVE-2024-11140
Risk Score
Threat Entry
Updated 2025-11-13
CVE-2024-0249 - Through 2 Plugin
The Advanced Schedule Posts WordPress plugin through 2.1.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admins.
PLUGIN
Through 2
CVE-2024-0249
Risk Score
Threat Entry
Updated 2025-08-01
CVE-2023-6786 - Through 2 Plugin
The Payment Gateway for Telcell WordPress plugin through 2.0.1 does not validate the api_url parameter before redirecting the user to its value, leading to an Open Redirect issue
PLUGIN
Through 2
CVE-2023-6786
Risk Score