Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 14,273 | Critical: 855 | High: 2,814 | Medium: 10,408
Showing 3181-3200 of 14273 records
Threat Entry Updated 2025-10-14

CVE-2025-9947 - Custom 404 Pro Plugin

The Custom 404 Pro plugin for WordPress is vulnerable to time-based SQL Injection via the ‘path’ parameter in all versions up to, and including, 3.12.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Custom 404 Pro | CVE-2025-9947 | Severity: MEDIUM (CVSS 4.9) | 2025-10-11
Threat Entry Updated 2025-10-14

CVE-2025-9626 - Page Blocks Plugin

The Page Blocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the admin_process_widget_page_change function. This makes it possible for unauthenticated attackers to modify widget page block configurations via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Page Blocks | CVE-2025-9626 | Severity: MEDIUM (CVSS 4.3) | 2025-10-11
Threat Entry Updated 2025-10-14

CVE-2025-9621 - Widgetpack Comment System Plugin

The WidgetPack Comment System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.1. This is due to missing or incorrect nonce validation on the wpcmt_sync action in the wpcmt_request_handler function. This makes it possible for unauthenticated attackers to trigger comment synchronization events via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Widgetpack Comment System | CVE-2025-9621 | Severity: MEDIUM (CVSS 4.3) | 2025-10-11
Threat Entry Updated 2025-10-14

CVE-2025-8606 - Gsheetconnector Gravity Forms Plugin

The GSheetConnector For Gravity Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions less than, or equal to, 1.3.23. This is due to missing or incorrect nonce validation on the activate_plugin and deactivate_plugin functions. This makes it possible for attackers to trick authenticated administrators into activating or deactivating specified plugins via a forged request, such as clicking on a malicious link or visiting a compromised page.

Plugin: Gsheetconnector Gravity Forms | CVE-2025-8606 | Severity: LOW (CVSS 2.4) | 2025-10-11
Threat Entry Updated 2025-10-14

CVE-2025-6439 - Woocommerce Designer Pro Plugin

The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and including, 1.9.26. This makes it possible for unauthenticated attackers to delete all files in an arbitrary directory on the server, which can lead to remote code execution, data loss, or site unavailability.

Plugin: Woocommerce Designer Pro | CVE-2025-6439 | Severity: CRITICAL (CVSS 9.8) | 2025-10-11
Threat Entry Updated 2025-10-14

CVE-2025-7652 - Easy Plugin Stats

The Easy Plugin Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'eps' shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Easy Plugin Stats | CVE-2025-7652 | Severity: MEDIUM (CVSS 6.4) | 2025-10-11
Threat Entry Updated 2025-10-14

CVE-2025-8484 - Code Quality Control Tool Plugin

The Code Quality Control Tool plugin for WordPress is vulnerable to Sensitive Information Exposure in version 0.1 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files.

Plugin: Code Quality Control Tool | CVE-2025-8484 | Severity: MEDIUM (CVSS 5.3) | 2025-10-11
Threat Entry Updated 2025-10-14

CVE-2025-10190 - Wp Easy Toggles Plugin

The WP Easy Toggles plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'toggles' shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Wp Easy Toggles | CVE-2025-10190 | Severity: MEDIUM (CVSS 6.4) | 2025-10-11
Threat Entry Updated 2025-10-14

CVE-2025-10376 - Course Redirects For Learndash Plugin

The Course Redirects for Learndash plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.4. This is due to missing nonce validation when processing form submissions on the settings page. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Course Redirects For Learndash | CVE-2025-10376 | Severity: MEDIUM (CVSS 4.3) | 2025-10-11
Threat Entry Updated 2025-10-14

CVE-2025-10375 - Web Accessibility By Accessibe Plugin

The Web Accessibility By accessiBe plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10. This is due to missing nonce validation on multiple AJAX actions including accessibe_signup, accessibe_login, accessibe_license_trial, accessibe_modify_config, and accessibe_add_verification_page. This makes it possible for unauthenticated attackers to modify plugin settings and create verification files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Web Accessibility By Accessibe | CVE-2025-10375 | Severity: MEDIUM (CVSS 4.3) | 2025-10-11
Threat Entry Updated 2025-10-14

CVE-2025-10175 - Wp Links Page Plugin

The WP Links Page plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 4.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Wp Links Page | CVE-2025-10175 | Severity: MEDIUM (CVSS 6.5) | 2025-10-11
Threat Entry Updated 2025-10-14

CVE-2025-10167 - Stock Snapshot For Woocommerce Plugin

The Stock History & Reports Manager for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'alg_wc_stock_snapshot_restocked' shortcode in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Stock Snapshot For Woocommerce | CVE-2025-10167 | Severity: MEDIUM (CVSS 6.4) | 2025-10-11
Threat Entry Updated 2025-10-14

CVE-2025-10129 - Wp Webcam Widget Shortcode Plugin

The WordPress Live Webcam Widget & Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'webcam' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Wp Webcam Widget Shortcode | CVE-2025-10129 | Severity: MEDIUM (CVSS 6.4) | 2025-10-11
Threat Entry Updated 2025-10-14

CVE-2025-6553 - Ovatheme Events Manager Plugin

The Ovatheme Events Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the process_checkout() function in all versions up to, and including, 1.8.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Plugin: Ovatheme Events Manager | CVE-2025-6553 | Severity: CRITICAL (CVSS 9.8) | 2025-10-11
Threat Entry Updated 2025-10-14

CVE-2025-11518 - Wpc Smart Wishlist For Woocommerce Plugin

The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via several wishlist AJAX functions due to missing validation on a user controlled key that is exposed when wishlists are shared. This makes it possible for unauthenticated attackers to empty and add to other users' wishlists, if they have access to the key.

Plugin: Wpc Smart Wishlist For Woocommerce | CVE-2025-11518 | Severity: MEDIUM (CVSS 5.3) | 2025-10-11
Threat Entry Updated 2025-10-14

CVE-2025-11254 - Sell With Paypal And Stripe Plugin

The Contest Gallery – Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 27.0.3 via gallery submissions. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Plugin: Sell With Paypal And Stripe | CVE-2025-11254 | Severity: MEDIUM (CVSS 4.3) | 2025-10-11
Threat Entry Updated 2025-10-14

CVE-2025-11167 - Tailored Tool For Seamless Login And Invitation Based Registrations Plugin

The CM Registration – Tailored tool for seamless login and invitation-based registrations plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 2.5.6. This is due to insufficient validation on the redirect url supplied via the 'redirect_url' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

Plugin: Tailored Tool For Seamless Login And Invitation Based Registrations | CVE-2025-11167 | Severity: MEDIUM (CVSS 4.7) | 2025-10-11
Threat Entry Updated 2025-10-14

CVE-2025-11533 - Wp Freeio Plugin

The WP Freeio plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.21. This is due to the process_register() function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.

Plugin: Wp Freeio | CVE-2025-11533 | Severity: CRITICAL (CVSS 9.8) | 2025-10-11
Threat Entry Updated 2025-10-14

CVE-2025-9496 - Enable Media Replace Plugin

The Enable Media Replace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file_modified shortcode in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Enable Media Replace | CVE-2025-9496 | Severity: MEDIUM (CVSS 6.4) | 2025-10-11
Threat Entry Updated 2025-10-14

CVE-2025-9196 - Text To Speech Ai Audio Player To Convert Content Into Audio Plugin

The Trinity Audio – Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.21.0 via the ~/admin/inc/phpinfo.php file that gets created on install. This makes it possible for unauthenticated attackers to extract sensitive data including configuration data.

Plugin: Text To Speech Ai Audio Player To Convert Content Into Audio | CVE-2025-9196 | Severity: MEDIUM (CVSS 5.3) | 2025-10-11