Threat Database


Total: 14,273 entries (Critical: 855, High: 2,814, Medium: 10,408)
CVE-2025-14035 - Debatemaster Plugin

The DebateMaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the color options in the plugin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page with the debate shortcode. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Plugin: Debatemaster | Severity: MEDIUM (CVSS 4.4) | Date: 2025-12-12 | Entry updated: 2025-12-12
CVE-2025-14062 - Animated Pixel Marquee Creator Plugin

The Animated Pixel Marquee Creator plugin for WordPress is vulnerable to Cross-Site Request Forgery via the 'marquee' parameter in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the marquee deletion function. This makes it possible for unauthenticated attackers to delete arbitrary marquees via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Animated Pixel Marquee Creator | Severity: MEDIUM (CVSS 4.3) | Date: 2025-12-12 | Entry updated: 2025-12-12
CVE-2025-14045 - Url Media Uploader Plugin

The URL Media Uploader plugin for WordPress is vulnerable to unauthorized safe file uploads due to a missing capability check on the url_media_uploader_url_upload_ajax_handler() function in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload safe media files.

Plugin: Url Media Uploader | Severity: MEDIUM (CVSS 4.3) | Date: 2025-12-12 | Entry updated: 2025-12-15
CVE-2025-13989 - Wp Dropzone Plugin

The WP Dropzone plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'callback' shortcode attribute in all versions up to, and including, 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied 'callback' attributes, which are evaluated as JavaScript code via the `new Function()` constructor. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Wp Dropzone | Severity: MEDIUM (CVSS 6.4) | Date: 2025-12-12 | Entry updated: 2025-12-12
CVE-2025-13988 - Comments Secretary Plugin

The 评论小秘书 (Comments Secretary) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3.2. This is due to insufficient input sanitization and output escaping on the `$_SERVER['PHP_SELF']` variable in the plugin's settings page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: Comments Secretary | Severity: MEDIUM (CVSS 6.1) | Date: 2025-12-12 | Entry updated: 2025-12-12
CVE-2025-13972 - Watchtowerhq Plugin

The WatchTowerHQ plugin for WordPress is vulnerable to arbitrary file read via the 'wht_download_big_object_origin' parameter in all versions up to, and including, 3.15.0. This is due to insufficient path validation in the handle_big_object_download_request function. This makes it possible for authenticated attackers, with administrator-level access and a valid access token, to read arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys.

Plugin: Watchtowerhq | Severity: MEDIUM (CVSS 4.9) | Date: 2025-12-12 | Entry updated: 2025-12-12
CVE-2025-13975 - Contact Form 7 With Chatwork Plugin

The Contact Form 7 with ChatWork plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'api_token' and 'roomid' settings in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses the settings page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Plugin: Contact Form 7 With Chatwork | Severity: MEDIUM (CVSS 4.4) | Date: 2025-12-12 | Entry updated: 2025-12-12
CVE-2025-13971 - Twwc Protein Plugin

The TWW Protein Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Header' setting in all versions up to, and including, 1.0.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Plugin: Twwc Protein | Severity: MEDIUM (CVSS 4.4) | Date: 2025-12-12 | Entry updated: 2025-12-12
CVE-2025-13987 - Purchase And Expense Manager Plugin

The Purchase and Expense Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation on the 'sup_pt_handle_deletion' function. This makes it possible for unauthenticated attackers to delete arbitrary purchase records via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Purchase And Expense Manager | Severity: MEDIUM (CVSS 4.3) | Date: 2025-12-12 | Entry updated: 2025-12-12
CVE-2025-13969 - Reviews Sorted Plugin

The Reviews Sorted plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'space' parameter of the [reviews-slider] shortcode in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Reviews Sorted | Severity: MEDIUM (CVSS 6.4) | Date: 2025-12-12 | Entry updated: 2025-12-12
CVE-2025-13966 - Paypal Payments Shortcode Plugin

The Paypal Payment Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buttom_image' parameter of the [paypal-shortcode] shortcode in all versions up to, and including, 1.01 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Paypal Payments Shortcode | Severity: MEDIUM (CVSS 6.4) | Date: 2025-12-12 | Entry updated: 2025-12-12
CVE-2025-13963 - Fx Currency Converter Plugin

The FX Currency Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fxcc_convert' shortcode in all versions up to, and including, 0.2.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Fx Currency Converter | Severity: MEDIUM (CVSS 6.4) | Date: 2025-12-12 | Entry updated: 2025-12-12
CVE-2025-13962 - Divelogs Widget Plugin

The Divelogs Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'latestdive' shortcode in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Divelogs Widget | Severity: MEDIUM (CVSS 6.4) | Date: 2025-12-12 | Entry updated: 2025-12-12
CVE-2025-13961 - Data Visualizer Plugin

The Data Visualizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'visualize' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Data Visualizer | Severity: MEDIUM (CVSS 6.4) | Date: 2025-12-12 | Entry updated: 2025-12-12
CVE-2025-13960 - Gpxpress Plugin

The GPXpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gpxpress' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Gpxpress | Severity: MEDIUM (CVSS 6.4) | Date: 2025-12-12 | Entry updated: 2025-12-12
CVE-2025-13906 - Wp Flot Plugin

The WP Flot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'linechart' shortcode in all versions up to, and including, 0.2.2 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Wp Flot | Severity: MEDIUM (CVSS 6.4) | Date: 2025-12-12 | Entry updated: 2025-12-12
CVE-2025-13904 - Wpgancio Plugin

The WPGancio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gancio-event' shortcode in all versions up to, and including, 1.12 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Wpgancio | Severity: MEDIUM (CVSS 6.4) | Date: 2025-12-12 | Entry updated: 2025-12-12
CVE-2025-13889 - Simple Nivo Slider Plugin

The Simple Nivo Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode parameter in all versions up to, and including, 0.5.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Simple Nivo Slider | Severity: MEDIUM (CVSS 6.4) | Date: 2025-12-12 | Entry updated: 2025-12-12
CVE-2025-13885 - Zenost Shortcodes Plugin

The Zenost Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' and 'target' parameters in the `button` shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Zenost Shortcodes | Severity: MEDIUM (CVSS 6.4) | Date: 2025-12-12 | Entry updated: 2025-12-12
CVE-2025-13884 - Bg Hide Email Address Plugin

The Hide Email Address plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'inline_css' parameter in the `bg-hide-email-address` shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Bg Hide Email Address | Severity: MEDIUM (CVSS 6.4) | Date: 2025-12-12 | Entry updated: 2025-12-12