Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 14,262
Critical: 855
High: 2,812
Medium: 10,399
Showing 2121-2140 of 14262 records
Threat Entry Updated 2026-01-02

CVE-2025-12685 - Through 1 Plugin

The WPBookit WordPress plugin through 1.0.7 lacks a CSRF check when deleting customers. This could allow an unauthenticated attacker to delete any customer through a CSRF attack.

PLUGIN Through 1

CVE-2025-12685

MEDIUM CVSS 6.5 2026-01-02
Threat Entry Updated 2026-01-02

CVE-2025-13456 - Before 3 Plugin

The ShopBuilder WordPress plugin before 3.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Before 3

CVE-2025-13456

MEDIUM CVSS 6.1 2026-01-02
Threat Entry Updated 2026-01-02

CVE-2025-13153 - Logo Slider Plugin

The Logo Slider WordPress plugin before 4.9.0 does not validate and escape some of its slider options before outputting them back in the dashboard, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Logo Slider

CVE-2025-13153

MEDIUM CVSS 6.1 2026-01-02
Threat Entry Updated 2026-01-09

CVE-2025-14072 - Ninja Forms Plugin

The Ninja Forms WordPress plugin before 3.13.3 allows unauthenticated attackers to generate valid access tokens via the REST API which can then be used to read form submissions.

PLUGIN Ninja Forms

CVE-2025-14072

MEDIUM CVSS 5.3 2026-01-02
Threat Entry Updated 2026-01-02

CVE-2025-14998 - Branda White Labeling Plugin

The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.24. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.

PLUGIN Branda White Labeling

CVE-2025-14998

CRITICAL CVSS 9.8 2026-01-02
Threat Entry Updated 2026-01-02

CVE-2025-14047 - Wp User Frontend Plugin

The Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'Frontend_Form_Ajax::submit_post' function in all versions up to, and including, 4.2.4. This makes it possible for unauthenticated attackers to delete attachments.

PLUGIN Wp User Frontend

CVE-2025-14047

MEDIUM CVSS 5.3 2026-01-02
Threat Entry Updated 2026-01-06

CVE-2026-21428 - Cpp Httplib Plugin

cpp-httplib is a C++11 single-file header-only cross-platform HTTP/HTTPS library. Prior to version 0.30.0, the `write_headers` function does not check for CR and LF characters in user-supplied headers, allowing an untrusted header value to escape its header line. This vulnerability allows attackers to add extra headers, modify the request body unexpectedly, and trigger an SSRF attack. When combined with a server that supports HTTP/1.1 pipelining (Spring Boot, Python Twisted, etc.), this can be used for server-side request forgery (SSRF). Version 0.30.0 fixes this issue.

PLUGIN Cpp Httplib

CVE-2026-21428

HIGH CVSS 7.7 2026-01-01
Threat Entry Updated 2026-01-02

CVE-2026-21436 - Eopkg Plugin

eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by `--destdir`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by `--destdir`, but on a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.

PLUGIN Eopkg

CVE-2026-21436

MEDIUM CVSS 5.8 2026-01-01
Threat Entry Updated 2026-01-02

CVE-2026-21437 - Eopkg Plugin

eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could include files that are not tracked by `eopkg`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be shown by `lseopkg` and related tools. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.

PLUGIN Eopkg

CVE-2026-21437

LOW CVSS 2.0 2026-01-01
Threat Entry Updated 2026-01-02

CVE-2025-14627 - Wp Ultimate Csv Importer Plugin

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. While the initial URL is validated using `wp_http_validate_url()`, when a Bitly shortlink is detected, the `unshorten_bitly_url()` function follows redirects to the final destination URL without re-validating it. This makes it possible for authenticated attackers with Contributor-level access or higher to make the server perform…

PLUGIN Wp Ultimate Csv Importer

CVE-2025-14627

MEDIUM CVSS 6.4 2026-01-01
Threat Entry Updated 2026-01-02

CVE-2025-14428 - Mystickyelements Plugin

The All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs - My Sticky Elements plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'my_sticky_elements_bulks' function in all versions up to, and including, 2.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all contact form leads stored by the plugin.

PLUGIN Mystickyelements

CVE-2025-14428

MEDIUM CVSS 4.3 2026-01-01
Threat Entry Updated 2026-01-06

CVE-2026-0544 - School Management System Plugin

A security flaw has been discovered in itsourcecode School Management System 1.0. This affects an unknown part of the file /student/index.php. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

PLUGIN School Management System

CVE-2026-0544

MEDIUM CVSS 6.9 2026-01-01
Threat Entry Updated 2026-01-05

CVE-2025-13820 - Before 7 Plugin

The Comments WordPress plugin before 7.6.40 does not properly validate a user's identity when using the disqus.com provider, allowing an attacker to log in as any user (when knowing their email address) if that user does not yet have an account on disqus.com.

PLUGIN Before 7

CVE-2025-13820

MEDIUM CVSS 5.3 2026-01-01
Threat Entry Updated 2026-01-20

CVE-2025-62088 - WooCommerce Plugin

Server-Side Request Forgery (SSRF) vulnerability in extendons WordPress & WooCommerce Scraper Plugin, Import Data from Any Site allows Server-Side Request Forgery. This issue affects WordPress & WooCommerce Scraper Plugin, Import Data from Any Site: from n/a through 1.0.7.

PLUGIN WooCommerce

CVE-2025-62088

MEDIUM CVSS 5.4 2025-12-31
Threat Entry Updated 2025-12-31

CVE-2025-14783 - Easy Digital Downloads Plugin

The Easy Digital Downloads plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.6.2. This is due to insufficient validation of the redirect URL supplied via the 'edd_redirect' parameter. This makes it possible for unauthenticated attackers to redirect users who follow the password reset email to potentially malicious sites if they can successfully trick them into performing an action.

PLUGIN Easy Digital Downloads

CVE-2025-14783

MEDIUM CVSS 4.3 2025-12-31
Threat Entry Updated 2026-01-02

CVE-2025-14434 - Ultimate Post Kit Addons For Elementor Plugin

The Ultimate Post Kit Addons for Elementor WordPress plugin before 4.0.16 exposes multiple AJAX “load more” endpoints such as upk_alex_grid_loadmore_posts without ensuring that the posts to be displayed are published and without requiring authentication. This allows an unauthenticated attacker to query arbitrary posts and retrieve the rendered HTML content of private and unpublished ones.

PLUGIN Ultimate Post Kit Addons For Elementor

CVE-2025-14434

MEDIUM CVSS 5.3 2025-12-31
Threat Entry Updated 2025-12-31

CVE-2025-14426 - Strong Testimonials Plugin

The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'edit_rating' function in all versions up to, and including, 3.2.18. This makes it possible for authenticated attackers with Contributor-level access and above to modify or delete the rating meta on any testimonial post, including those created by other users, by reusing a valid nonce obtained from their own testimonial edit screen.

PLUGIN Strong Testimonials

CVE-2025-14426

MEDIUM CVSS 4.3 2025-12-30
Threat Entry Updated 2025-12-31

CVE-2025-14509 - Woo Lucky Wheel Plugin

The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval() to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server. In WordPress multisite installations, this allows Site Administrators to execute arbitrary code, a capability they should not have since plugin/theme file editing…

PLUGIN Woo Lucky Wheel

CVE-2025-14509

HIGH CVSS 7.2 2025-12-30