Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-01-08
CVE-2025-14997 - Bp Xprofile Custom Field Types Plugin
The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete_field' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
PLUGIN
Bp Xprofile Custom Field Types
CVE-2025-14997
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-14996 - As Password Field In Default Registration Form Plugin
The AS Password Field In Default Registration Form plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.0.0. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
PLUGIN
As Password Field In Default Registration Form
CVE-2025-14996
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-14441 - Popup Builder Block Plugin
The Popupkit plugin for WordPress is vulnerable to arbitrary subscriber data deletion due to missing authorization on the DELETE `/subscribers` REST API endpoint in all versions up to, and including, 2.2.0. This is due to the `permission_callback` only validating wp_rest nonce without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary subscriber records.
PLUGIN
Popup Builder Block
CVE-2025-14441
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-14438 - Xagio Seo Plugin
The Xagio SEO – AI Powered SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.1.0.30 via the 'pixabayDownloadImage' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Xagio Seo
CVE-2025-14438
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-14120 - Url Image Importer Plugin
The URL Image Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.7 due to insufficient sanitization of SVG files. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Url Image Importer
CVE-2025-14120
Risk Score
Threat Entry
Updated 2026-01-12
CVE-2026-21677 - iccDEV Plugin
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have Undefined Behavior in its CIccCLUT::Init function which initializes and sets the size of a CLUT. This issue is fixed in version 2.3.1.1.
PLUGIN
iccDEV
CVE-2026-21677
Risk Score
Threat Entry
Updated 2026-01-12
CVE-2026-21676 - iccDEV Plugin
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have a Heap-based Buffer Overflow in its CIccMBB::Validate function which checks tag data validity. This issue is fixed in version 2.3.1.1.
PLUGIN
iccDEV
CVE-2026-21676
Risk Score
Threat Entry
Updated 2026-01-12
CVE-2026-21487 - iccDEV Plugin
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below have an Out-of-bounds Read, Use of Out-of-range Pointer Offset and have Improper Input Validation in its CIccProfile::LoadTag function. This issue is fixed in version 2.3.1.2.
PLUGIN
iccDEV
CVE-2026-21487
Risk Score
Threat Entry
Updated 2026-01-14
CVE-2026-21485 - iccDEV Plugin
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are prone to have Undefined Behavior (UB) and Out of Memory errors. This issue is fixed in version 2.3.1.2.
PLUGIN
iccDEV
CVE-2026-21485
Risk Score
Threat Entry
Updated 2026-01-12
CVE-2026-21486 - iccDEV Plugin
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below contain Use After Free, Heap-based Buffer Overflow and Integer Overflow or Wraparound and Out-of-bounds Write vulnerabilities in its CIccSparseMatrix::CIccSparseMatrix function. This issue is fixed in version 2.3.1.2.
PLUGIN
iccDEV
CVE-2026-21486
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-0604 - FastDup – Fastest WordPress Migration & Duplicator Plugin
The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.7 via the 'dir_path' parameter in the 'njt-fastdup/v1/template/directory-tree' REST API endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary directories on the server, which can contain sensitive information.
PLUGIN
FastDup – Fastest WordPress Migration & Duplicator
CVE-2026-0604
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-14153 - Page Expire Popup Plugin
The Page Expire Popup/Redirection for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' shortcode attribute in all versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Page Expire Popup
CVE-2025-14153
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-14034 - Wc Support System Plugin
The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'delete_single_ticket_callback' and 'change_ticket_status_callback' functions in all versions up to, and including, 1.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary support tickets and modify their status.
PLUGIN
Wc Support System
CVE-2025-14034
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-13652 - Favorite Plugin
The CBX Bookmark & Favorite plugin for WordPress is vulnerable to generic SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 2.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Favorite
CVE-2025-13652
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-11723 - Simply Schedule Appointments Booking Plugin
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.5 via the hash() function due to use of a hardcoded fall-back salt. This makes it possible for unauthenticated attackers to generate a valid token across sites running the plugin that have not manually set a salt in the wp-config.php file and access booking information that will allow them to make modifications.
PLUGIN
Simply Schedule Appointments Booking
CVE-2025-11723
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-13746 - Discussion Board Plugin
The ForumWP – Forum & Discussion Board plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User's Display Name in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Discussion Board
CVE-2025-13746
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-13409 - Form Vibes Plugin
The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to SQL Injection via the 'params' parameter in all versions up to, and including, 1.4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Form Vibes
CVE-2025-13409
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-11370 - Post Slider Carousel Plugin
The Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'store' function of the RulesAjaxController class in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to update pop-up display settings.
PLUGIN
Post Slider Carousel
CVE-2025-11370
Risk Score
Threat Entry
Updated 2026-01-12
CVE-2026-21675 - iccDEV Plugin
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a Use After Free vulnerability in the CIccXform::Create() function, where it deletes the hint. This issue is fixed in version 2.3.1.1.
PLUGIN
iccDEV
CVE-2026-21675
Risk Score
Threat Entry
Updated 2026-01-12
CVE-2026-21673 - iccDEV Plugin
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have overflows and underflows in CIccXmlArrayType::ParseTextCountNum(). This vulnerability affects users of the iccDEV library who process ICC color profiles. This issue is fixed in version 2.3.1.1.
PLUGIN
iccDEV
CVE-2026-21673
Risk Score