
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 14,273 records: Critical 855, High 2,814, Medium 10,408. Showing 2341-2360 of 14,273 records.
Threat Entry Updated 2025-12-12

CVE-2025-14170 - Vimeo Simplegallery Plugin

The Vimeo SimpleGallery plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 0.2. This is due to missing authorization checks on the `vimeogallery_admin` function hooked to `admin_menu`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary plugin settings via the `action` parameter.

Plugin: Vimeo Simplegallery | CVE-2025-14170 | MEDIUM (CVSS 5.3) | 2025-12-12
Threat Entry Updated 2025-12-12

CVE-2025-14166 - Wpmastertoolkit Plugin

The WPMasterToolKit plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 2.13.0. This is due to the plugin allowing Author-level users to create and execute arbitrary PHP code through the Code Snippets feature without proper capability checks. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server, leading to remote code execution, privilege escalation, and complete site compromise.

Plugin: Wpmastertoolkit | CVE-2025-14166 | MEDIUM (CVSS 5.3) | 2025-12-12
Threat Entry Updated 2025-12-12

CVE-2025-14391 - Simple Theme Changer Plugin

The Simple Theme Changer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Simple Theme Changer | CVE-2025-14391 | MEDIUM (CVSS 4.3) | 2025-12-12
Threat Entry Updated 2025-12-12

CVE-2025-14354 - Doubledome Resource Link Library Plugin

The Resource Library for Logged In Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticated attackers to perform various unauthorized actions including creating, editing, and deleting resources and categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Doubledome Resource Link Library | CVE-2025-14354 | MEDIUM (CVSS 4.3) | 2025-12-12
Threat Entry Updated 2025-12-12

CVE-2025-14165 - Kirimemail Woocommerce Integration Plugin

The Kirim.Email WooCommerce Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9. This is due to missing nonce validation on the plugin's settings page. This makes it possible for unauthenticated attackers to modify the plugin's API credentials and integration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Kirimemail Woocommerce Integration | CVE-2025-14165 | MEDIUM (CVSS 4.3) | 2025-12-12
Threat Entry Updated 2025-12-12

CVE-2025-14143 - Ayo Shortcodes Plugin

The Ayo Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' parameter of the ayo_action shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Ayo Shortcodes | CVE-2025-14143 | MEDIUM (CVSS 6.4) | 2025-12-12
Threat Entry Updated 2025-12-12

CVE-2025-14138 - Wplg Default Mail From Plugin

The WPLG Default Mail From plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: Wplg Default Mail From | CVE-2025-14138 | MEDIUM (CVSS 6.1) | 2025-12-12
Threat Entry Updated 2025-12-12

CVE-2025-14162 - Bmlt Wordpress Satellite Plugin

The BMLT WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.11.4. This is due to missing nonce validation on the 'BMLTPlugin_create_option' and 'BMLTPlugin_delete_option' actions. This makes it possible for unauthenticated attackers to create new plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Bmlt Wordpress Satellite | CVE-2025-14162 | MEDIUM (CVSS 4.3) | 2025-12-12
Threat Entry Updated 2025-12-12

CVE-2025-14161 - Truefy Embed Plugin

The Truefy Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'truefy_embed_options_update' settings update action. This makes it possible for unauthenticated attackers to update the plugin's settings, including the API key, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Truefy Embed | CVE-2025-14161 | MEDIUM (CVSS 4.3) | 2025-12-12
Threat Entry Updated 2025-12-12

CVE-2025-14160 - Upcoming For Calendly Plugin

The Upcoming for Calendly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's Calendly API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Upcoming For Calendly | CVE-2025-14160 | MEDIUM (CVSS 4.3) | 2025-12-12
Threat Entry Updated 2025-12-12

CVE-2025-14158 - Coding Blocks Plugin

The Coding Blocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update plugin settings including the theme configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Coding Blocks | CVE-2025-14158 | MEDIUM (CVSS 4.3) | 2025-12-12
Threat Entry Updated 2025-12-12

CVE-2025-14064 - Buddytask Plugin

The BuddyTask plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple AJAX endpoints in all versions up to, and including, 1.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view, create, modify, and delete task boards belonging to any BuddyPress group, including private and hidden groups they are not members of.

Plugin: Buddytask | CVE-2025-14064 | MEDIUM (CVSS 6.5) | 2025-12-12
Threat Entry Updated 2025-12-12

CVE-2025-14119 - App Template Blocks For Wpbakery Page Builder Plugin

The App Landing Template Blocks for WPBakery (Visual Composer) Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'atvc_video_play' shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: App Template Blocks For Wpbakery Page Builder | CVE-2025-14119 | MEDIUM (CVSS 6.4) | 2025-12-12
Threat Entry Updated 2025-12-12

CVE-2025-14137 - Simple Al Slider Plugin

The Simple AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: Simple Al Slider | CVE-2025-14137 | MEDIUM (CVSS 6.1) | 2025-12-12
Threat Entry Updated 2025-12-12

CVE-2025-14132 - Dropdown Category List Plugin

The Category Dropdown List plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: Dropdown Category List | CVE-2025-14132 | MEDIUM (CVSS 6.1) | 2025-12-12
Threat Entry Updated 2025-12-12

CVE-2025-14129 - Like Dislike Voting Plugin

The Like DisLike Voting plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: Like Dislike Voting | CVE-2025-14129 | MEDIUM (CVSS 6.1) | 2025-12-12
Threat Entry Updated 2025-12-12

CVE-2025-14125 - Omplag Plugin

The Complag plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: Omplag | CVE-2025-14125 | MEDIUM (CVSS 6.1) | 2025-12-12
Threat Entry Updated 2025-12-12

CVE-2025-14044 - Logic Pro Plugin

The Visitor Logic Lite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.3 via deserialization of untrusted input from the `lpblocks` cookie. This is due to the `lp_track()` function passing unsanitized cookie data directly to the `unserialize()` function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker…

Plugin: Logic Pro | CVE-2025-14044 | HIGH (CVSS 8.1) | 2025-12-12
Threat Entry Updated 2025-12-12

CVE-2025-14032 - Bold Timeline Lite Plugin

The Bold Timeline Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in the 'bold_timeline_group' shortcode in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Bold Timeline Lite | CVE-2025-14032 | MEDIUM (CVSS 6.4) | 2025-12-12
Threat Entry Updated 2025-12-12

CVE-2025-14048 - Simplyconvert Plugin

The SimplyConvert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'simplyconvert_hash' option in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Simplyconvert | CVE-2025-14048 | MEDIUM (CVSS 4.4) | 2025-12-12