Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-11-04
CVE-2025-11922 - Inactive Logout Plugin
The Inactive Logout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ina_redirect_page_individual_user' parameter in all versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Inactive Logout
CVE-2025-11922
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-11816 - Wp Legal Pages Plugin
The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the disconnect_account_request() function in all versions up to, and including, 3.5.1. This makes it possible for unauthenticated attackers to disconnect the site from its API plan.
PLUGIN
Wp Legal Pages
CVE-2025-11816
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-11174 - Document Library Lite Plugin
The Document Library Lite plugin for WordPress is vulnerable to Improper Authorization in all versions up to, and including, 1.1.6. This is due to the plugin exposing an unauthenticated AJAX action dll_load_posts which returns a JSON table of document data without performing nonce or capability checks. The handler accepts an attacker-controlled args array where the status option explicitly allows draft, pending, future, and any. This makes it possible for unauthenticated attackers to retrieve unpublished document titles and content via the AJAX endpoint.
PLUGIN
Document Library Lite
CVE-2025-11174
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-12521 - Analytify Pro Plugin
The Analytify Pro plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.0.3 via the Analytify Tag HTML details. This makes it possible for unauthenticated attackers to extract usernames from source code. While we generally do not assign CVE IDs to username exposure issues, this vendor has specifically requested we consider it a vulnerability.
PLUGIN
Analytify Pro
CVE-2025-12521
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-12115 - Wpc Name Your Price For Woocommerce Plugin
The WPC Name Your Price for WooCommerce plugin for WordPress is vulnerable to unauthorized price alteration in all versions up to, and including, 2.1.9. This is due to the plugin not disabling the ability to name a custom price when it has been specifically disabled for a product. This makes it possible for unauthenticated attackers to purchase products at prices less than they should be able to.
PLUGIN
Wpc Name Your Price For Woocommerce
CVE-2025-12115
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-12041 - Eri File Library Plugin
The ERI File Library plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'erifl_file' AJAX action in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to download files restricted to specific user roles.
PLUGIN
Eri File Library
CVE-2025-12041
Risk Score
Threat Entry
Updated 2025-12-19
CVE-2025-8383 - Depicter Plugin
The Depicter plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions less than, or equal to, 4.0.4. This is due to missing or incorrect nonce validation on the depicter-document-rules-store function. This makes it possible for unauthenticated attackers to modify document rules via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Depicter
CVE-2025-8383
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-12094 - Oopspam Anti Spam Plugin
The OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) plugin for WordPress is vulnerable to IP Header Spoofing in all versions up to, and including, 1.2.53. This is due to the plugin trusting client-controlled forwarded headers (such as CF-Connecting-IP, X-Forwarded-For, and others) without verifying that those headers originate from legitimate, trusted proxies. This makes it possible for unauthenticated attackers to spoof their IP address and bypass IP-based security controls, including blocked IP lists and rate limiting protections, by sending arbitrary HTTP headers with their requests.
PLUGIN
Oopspam Anti Spam
CVE-2025-12094
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-12175 - The Events Calendar Plugin
The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'tec_qr_code_modal' AJAX endpoint in all versions up to, and including, 6.15.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view draft event names and generate/view QR codes for them.
PLUGIN
The Events Calendar
CVE-2025-12175
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-8385 - Zombify Plugin
The Zombify plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.5. This is due to insufficient input validation in the zf_get_file_by_url function. This makes it possible for authenticated attackers, with subscriber-level access and above, to read arbitrary files on the server, including sensitive system files like /etc/passwd, via a forged request. It's worth noting that successfully exploiting this vulnerability relies on a race condition as the file generated will be deleted immediately.
PLUGIN
Zombify
CVE-2025-8385
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-8489 - King Addons Plugin
The King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor plugin for WordPress is vulnerable to privilege escalation in versions 24.12.92 to 51.1.14 . This is due to the plugin not properly restricting the roles that users can register with. This makes it possible for unauthenticated attackers to register with administrator-level user accounts.
PLUGIN
King Addons
CVE-2025-8489
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-7846 - Wordpress User Extra Fields Plugin
The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the save_fields() function in all versions up to, and including, 16.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
PLUGIN
Wordpress User Extra Fields
CVE-2025-7846
Risk Score
Threat Entry
Updated 2026-01-09
CVE-2025-11191 - Before 1 Plugin
The RealPress WordPress plugin before 1.1.0 registers the REST routes without proper permission checks, allowing the creation of pages and sending of emails from the site.
PLUGIN
Before 1
CVE-2025-11191
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-11806 - Qzzr Shortcode Plugin
The Qzzr Shortcode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'qzzr' shortcode in all versions up to, and including, 1.0.1. This is due to insufficient input sanitization and output escaping on the 'quiz' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Qzzr Shortcode
CVE-2025-11806
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-11975 - Changeset Plugin
The FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_changes() function in all versions up to, and including, 1.1.23.0. This makes it possible for unauthenticated attackers to add and edit sync rules.
PLUGIN
Changeset
CVE-2025-11975
Risk Score
Threat Entry
Updated 2025-10-30
CVE-2025-11881 - Mobile App Framework Plugin
The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'myappp_verify' function in all versions up to, and including, 4.5.0. This makes it possible for unauthenticated attackers to extract sensitive data including plugin and theme names and version numbers, which can be used to facilitate targeted attacks against outdated or vulnerable components.
PLUGIN
Mobile App Framework
CVE-2025-11881
Risk Score
Threat Entry
Updated 2025-10-30
CVE-2025-11627 - Site Checkup Plugin
The Site Checkup Debug AI Troubleshooting with Wizard and Tips for Each Issue plugin for WordPress is vulnerable to log file poisoning in all versions up to, and including, 1.47. This makes it possible for unauthenticated attackers to insert arbitrary content into log files, and potentially cause denial of service via disk space exhaustion.
PLUGIN
Site Checkup
CVE-2025-11627
Risk Score
Threat Entry
Updated 2025-10-30
CVE-2025-10636 - Ns Maintenance Mode For Wp Plugin
The NS Maintenance Mode for WP WordPress plugin through 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Ns Maintenance Mode For Wp
CVE-2025-10636
Risk Score
Threat Entry
Updated 2025-10-30
CVE-2025-10008 - Weglot Plugin
The Translate WordPress and go Multilingual – Weglot plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'clean_options' function in all versions up to, and including, 5.1. This makes it possible for unauthenticated attackers to delete limited transients that contain cached plugin options.
PLUGIN
Weglot
CVE-2025-10008
Risk Score
Threat Entry
Updated 2025-10-30
CVE-2025-12475 - Blocksy Companion Plugin
The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blocksy_newsletter_subscribe' shortcode in all versions up to, and including, 2.1.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Blocksy Companion
CVE-2025-12475
Risk Score