
"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 272
Critical: 26
High: 83
Medium: 161
Showing 81-100 of 272 records
Threat Entry Updated 2025-08-14

CVE-2025-28975 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in redqteam Alike - WordPress Custom Post Comparison allows Reflected XSS. This issue affects Alike - WordPress Custom Post Comparison: from n/a through 3.0.1.

CORE WordPress Core

CVE-2025-28975

HIGH CVSS 7.1 2025-08-14
Threat Entry Updated 2025-08-14

CVE-2025-8047 - WordPress Core

The disable-right-click-powered-by-pixterme through v1.2 and pixter-image-digital-license through v1.0 WordPress plugins load a JavaScript file which has been compromised from an apparently abandoned S3 bucket. It can be used as a backdoor by those who control it, but it currently displays an alert marketing security services. Users that pay are added to allowedDomains to suppress the popup.

CORE WordPress Core

CVE-2025-8047

CRITICAL CVSS 9.8 2025-08-14
Threat Entry Updated 2025-08-08

CVE-2025-54940 - WordPress Core

An HTML injection vulnerability exists in WordPress plugin "Advanced Custom Fields" prior to 6.4.3. If this vulnerability is exploited, crafted HTML code may be rendered and page display may be tampered with.

CORE WordPress Core

CVE-2025-54940

MEDIUM CVSS 4.6 2025-08-08
Threat Entry Updated 2025-08-06

CVE-2025-6994 - WordPress Core

The Reveal Listing plugin by smartdatasoft for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.3. This is due to the plugin allowing users who are registering new accounts to set their own role or by supplying 'listing_user_role' field. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.

CORE WordPress Core

CVE-2025-6994

CRITICAL CVSS 9.8 2025-08-06
Threat Entry Updated 2025-08-04

CVE-2025-7710 - WordPress Core

The Brave Conversion Engine (PRO) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.7.7. This is due to the plugin not properly restricting a claimed identity while authenticating with Facebook. This makes it possible for unauthenticated attackers to log in as other users, including administrators.

CORE WordPress Core

CVE-2025-7710

CRITICAL CVSS 9.8 2025-08-02
Threat Entry Updated 2025-07-22

CVE-2025-54352 - WordPress Core

WordPress 3.5 through 6.8.2 allows remote attackers to guess titles of private and draft posts via pingback.ping XML-RPC requests. NOTE: the Supplier is not changing this behavior.

CORE WordPress Core

CVE-2025-54352

LOW CVSS 3.7 2025-07-21
Threat Entry Updated 2025-07-16

CVE-2025-47554 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuanticaLabs CSS3 Compare Pricing Tables for WordPress allows Reflected XSS. This issue affects CSS3 Compare Pricing Tables for WordPress: from n/a through 11.6.

CORE WordPress Core

CVE-2025-47554

HIGH CVSS 7.1 2025-07-16
Threat Entry Updated 2025-07-16

CVE-2025-46500 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ValvePress Wordpress Auto Spinner allows Reflected XSS. This issue affects Wordpress Auto Spinner: from n/a through 3.25.0.

CORE WordPress Core

CVE-2025-46500

HIGH CVSS 7.1 2025-07-16
Threat Entry Updated 2025-07-16

CVE-2025-31427 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes Invico - WordPress Consulting Business Theme allows Reflected XSS. This issue affects Invico - WordPress Consulting Business Theme: from n/a through 1.9.

CORE WordPress Core

CVE-2025-31427

HIGH CVSS 7.1 2025-07-16
Threat Entry Updated 2025-07-16

CVE-2025-31072 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes Ofiz - WordPress Business Consulting Theme allows Reflected XSS. This issue affects Ofiz - WordPress Business Consulting Theme: from n/a through 2.0.

CORE WordPress Core

CVE-2025-31072

HIGH CVSS 7.1 2025-07-16
Threat Entry Updated 2025-07-16

CVE-2025-31055 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vergatheme Electrician - Electrical Service WordPress allows Reflected XSS. This issue affects Electrician - Electrical Service WordPress: from n/a through 1.0.

CORE WordPress Core

CVE-2025-31055

HIGH CVSS 7.1 2025-07-16
Threat Entry Updated 2025-07-16

CVE-2025-24759 - WordPress Core

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory allows Blind SQL Injection. This issue affects WP-BusinessDirectory: from n/a through 3.1.3.

CORE WordPress Core

CVE-2025-24759

CRITICAL CVSS 9.3 2025-07-16
Threat Entry Updated 2025-07-16

CVE-2025-48294 - WordPress Core

Server-Side Request Forgery (SSRF) vulnerability in Kerfred FG Drupal to WordPress allows Server Side Request Forgery. This issue affects FG Drupal to WordPress: from n/a through 3.90.0.

CORE WordPress Core

CVE-2025-48294

MEDIUM CVSS 4.4 2025-07-16
Threat Entry Updated 2025-07-15

CVE-2025-7518 - WordPress Core

The RSFirewall! plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.1.42 via the get_local_filename() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

CORE WordPress Core

CVE-2025-7518

MEDIUM CVSS 4.9 2025-07-12
Threat Entry Updated 2025-06-30

CVE-2025-53270 - WordPress Core

Cross-Site Request Forgery (CSRF) vulnerability in Blend Media WordPress CTA allows Cross Site Request Forgery. This issue affects WordPress CTA: from n/a through 1.6.9.

CORE WordPress Core

CVE-2025-53270

MEDIUM CVSS 4.3 2025-06-27
Threat Entry Updated 2025-06-23

CVE-2025-50050 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BlueGlass Interactive AG Jobs for WordPress allows Stored XSS. This issue affects Jobs for WordPress: from n/a through 2.7.12.

CORE WordPress Core

CVE-2025-50050

MEDIUM CVSS 6.5 2025-06-20
Threat Entry Updated 2025-06-23

CVE-2025-50010 - WordPress Core

Missing Authorization vulnerability in Zapier Zapier for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Zapier for WordPress: from n/a through 1.5.2.

CORE WordPress Core

CVE-2025-50010

MEDIUM CVSS 5.4 2025-06-20
Threat Entry Updated 2025-06-17

CVE-2025-48333 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPQuark eForm - WordPress Form Builder allows Reflected XSS. This issue affects eForm - WordPress Form Builder: from n/a through n/a.

CORE WordPress Core

CVE-2025-48333

HIGH CVSS 7.1 2025-06-17
Threat Entry Updated 2025-06-12

CVE-2025-6003 - WordPress Core

The WordPress Single Sign-On (SSO) plugin for WordPress is vulnerable to unauthorized access due to a misconfigured capability check on a function in all versions up to, and including, the *.5.3 versions of the plugin. This makes it possible for unauthenticated attackers to extract sensitive data including site content that has been restricted to certain users and/or roles.

CORE WordPress Core

CVE-2025-6003

MEDIUM CVSS 5.3 2025-06-12
Threat Entry Updated 2025-06-12

CVE-2025-4601 - WordPress Core

The "RH - Real Estate WordPress Theme" theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 4.4.0. This is due to the theme not properly restricting user roles that can be updated as part of the inspiry_update_profile() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to set their role to that of an administrator. The vulnerability was partially patched in version 4.4.0, and fully patched in version 4.4.1.

CORE WordPress Core

CVE-2025-4601

HIGH CVSS 8.8 2025-06-10