Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 14,262 | Critical: 855 | High: 2,812 | Medium: 10,399
Showing records 2001-2020 of 14,262
CVE-2025-13529 - Unify Plugin
MEDIUM | CVSS 5.3 | 2026-01-07 | Threat entry updated 2026-01-08

The Unify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'init' action in all versions up to, and including, 3.4.9. This makes it possible for unauthenticated attackers to delete specific plugin options via the 'unify_plugin_downgrade' parameter.

CVE-2025-13657 - Helpdesk Contact Form Plugin
MEDIUM | CVSS 4.3 | 2026-01-07 | Threat entry updated 2026-01-08

The HelpDesk contact form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing or incorrect nonce validation on the handle_query_args() function. This makes it possible for unauthenticated attackers to update the plugin's license ID and contact form ID settings via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2025-13493 - Latest Registered Users Plugin
HIGH | CVSS 7.5 | 2026-01-07 | Threat entry updated 2026-01-08

The Latest Registered Users plugin for WordPress is vulnerable to unauthorized user data export in all versions up to, and including, 1.4. This is due to missing authorization and nonce validation in the rnd_handle_form_submit function hooked to both the admin_post_my_simple_form and admin_post_nopriv_my_simple_form actions. This makes it possible for unauthenticated attackers to export complete user details (excluding passwords and sensitive tokens) in CSV format via the 'action' parameter.

CVE-2025-13497 - Recras Wordpress Plugin
MEDIUM | CVSS 6.4 | 2026-01-07 | Threat entry updated 2026-01-08

The Recras WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'recrasname' shortcode attribute in all versions up to, and including, 6.4.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-13519 - Svg Map By Saedi Plugin
MEDIUM | CVSS 6.1 | 2026-01-07 | Threat entry updated 2026-01-08

The SVG Map Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on multiple AJAX actions, including 'save_data', 'delete_data', and 'add_popup'. This makes it possible for unauthenticated attackers to update the plugin's settings, delete map data, and inject malicious web scripts via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2025-13496 - Moosend Landing Pages Plugin
MEDIUM | CVSS 5.3 | 2026-01-07 | Threat entry updated 2026-01-08

The Moosend Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the moosend_landings_auth_get function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the 'moosend_landing_api_key' option value.

CVE-2025-13527 - Xshare Plugin
MEDIUM | CVSS 4.3 | 2026-01-07 | Threat entry updated 2026-01-08

The xShare plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'xshare_plugin_reset()' function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2025-13521 - Wp Change Status Notifier Plugin
MEDIUM | CVSS 4.3 | 2026-01-07 | Threat entry updated 2026-01-08

The WP Status Notifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2025-13520 - Mtcaptcha Wordpress Plugin
MEDIUM | CVSS 4.3 | 2026-01-07 | Threat entry updated 2026-01-08

The MTCaptcha WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.2. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin settings, including sensitive values like the private key, via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2025-13371 - Money Space Plugin
HIGH | CVSS 8.6 | 2026-01-07 | Threat entry updated 2026-01-08

The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details (PAN, card holder name, expiry month/year, and CVV) in WordPress post_meta using base64_encode(), and then embedding these values into the publicly accessible mspaylink page's inline JavaScript without any authentication or authorization check. This makes it possible for unauthenticated attackers who know or can guess an order_id to access the mspaylink endpoint and retrieve full credit card numbers and CVV codes…

CVE-2025-13418 - Dk Pricr Responsive Pricing Table Plugin
MEDIUM | CVSS 6.4 | 2026-01-07 | Threat entry updated 2026-01-08

The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'plan_icons' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-13369 - Woo Customers Manager Plugin
MEDIUM | CVSS 6.1 | 2026-01-07 | Threat entry updated 2026-01-08

The Premmerce WooCommerce Customers Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'money_spent_from', 'money_spent_to', 'registered_from', and 'registered_to' parameters in all versions up to, and including, 1.1.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.

CVE-2025-13419 - Wp Front User Submit Plugin
MEDIUM | CVSS 5.3 | 2026-01-07 | Threat entry updated 2026-01-08

The Guest posting / Frontend Posting / Front Editor – WP Front User Submit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bfe/v1/revert' REST API endpoint in all versions up to, and including, 5.0.0. This makes it possible for unauthenticated attackers to delete arbitrary media attachments.

CVE-2025-12648 - Wp Members Plugin
MEDIUM | CVSS 5.3 | 2026-01-07 | Threat entry updated 2026-01-08

The WP-Members Membership Plugin for WordPress is vulnerable to unauthorized file access in versions up to, and including, 3.5.4.4. This is due to storing user-uploaded files in predictable directories (wp-content/uploads/wpmembers/user_files//) without implementing proper access controls beyond basic directory listing protection (.htaccess with Options -Indexes). This makes it possible for unauthenticated attackers to directly access and download sensitive documents uploaded by site users via direct URL access, granted they can guess or enumerate user IDs and filenames.

CVE-2025-12958 - Rankology Seo And Analytics Tool Plugin
LOW | CVSS 2.7 | 2026-01-07 | Threat entry updated 2026-01-08

The Rankology SEO and Analytics Tool plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect capability check on the 'rankology_code_block' page in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Editor-level access and above, to add header and footer code blocks.

CVE-2025-12449 - Wordpress Gutenberg Blocks Plugin
MEDIUM | CVSS 5.4 | 2026-01-07 | Threat entry updated 2026-01-08

The aBlocks – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data and disclosure of sensitive information due to missing capability checks on multiple AJAX actions in all versions up to, and including, 2.4.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read plugin settings including block visibility, maintenance mode configuration, and third-party email marketing API keys, as well as read sensitive configuration data including API keys for email marketing services.

CVE-2025-12540 - Sharethis Dashboard For Google Analytics Plugin
MEDIUM | CVSS 4.7 | 2026-01-07 | Threat entry updated 2026-01-08

The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.4. This is due to the Google Analytics client_ID and client_secret being stored in plaintext in the publicly visible plugin source. This can allow unauthenticated attackers to craft a link to the sharethis.com server, which will share an authorization token for Google Analytics with a malicious website, if the attacker can trick an administrator logged into the website and Google Analytics into clicking the link.

CVE-2025-12030 - Acf To Rest Api Plugin
MEDIUM | CVSS 4.3 | 2026-01-07 | Threat entry updated 2026-01-08

The ACF to REST API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.4. This is due to insufficient capability checks in the update_item_permissions_check() method, which only verifies that the current user has the edit_posts capability without checking object-specific permissions (e.g., edit_post($id), edit_user($id), manage_options). This makes it possible for authenticated attackers, with Contributor-level access and above, to modify ACF fields on posts they do not own, any user account, comments, taxonomy terms, and even the global options page via the /wp-json/acf/v3/{type}/{id}…

CVE-2026-21492 - iccDEV Plugin
MEDIUM | CVSS 5.5 | 2026-01-06 | Threat entry updated 2026-01-12

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a NULL pointer member call vulnerability. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.

CVE-2026-21494 - iccDEV Plugin
MEDIUM | CVSS 6.1 | 2026-01-06 | Threat entry updated 2026-01-12

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It results in a heap buffer overflow in `CIccTagLut8::Validate()`. Version 2.3.1.2 contains a patch. No known workarounds are available.