
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 14,273 records (Critical: 855, High: 2,814, Medium: 10,408)

Showing 3221-3240 of 14273 records
CVE-2025-10587 - Community Events Plugin

The Community Events plugin for WordPress is vulnerable to SQL Injection via the event_category parameter in all versions up to, and including, 1.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Community Events | CRITICAL | CVSS 9.8 | 2025-10-08 | Threat entry updated 2025-10-08
CVE-2025-10494 - Classified Listings Plugin

The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation when deleting profile pictures in all versions up to, and including, 1.4.89. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Plugin: Classified Listings | HIGH | CVSS 8.1 | 2025-10-08 | Threat entry updated 2025-10-08
CVE-2025-10645 - Wp Reset Plugin

The WP Reset plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.05 via the WF_Licensing::log() method when debugging is enabled (default). This makes it possible for unauthenticated attackers to extract sensitive license key and site data.

Plugin: Wp Reset | MEDIUM | CVSS 5.3 | 2025-10-07 | Threat entry updated 2025-10-08
CVE-2025-7400 - Featured Image from URL (FIFU) Plugin

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a post's Featured Image custom fields in all versions up to, and including, 5.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in version 5.2.2.

Plugin: Featured Image from URL (FIFU) | MEDIUM | CVSS 6.4 | 2025-10-07 | Threat entry updated 2025-10-08
CVE-2025-10162 - OrderConvo Plugin

The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before 14 does not validate the path of files to be downloaded, which could allow an unauthenticated attacker to read/download arbitrary files via a path traversal attack.

Plugin: Admin and Customer Messages After Order for WooCommerce: OrderConvo | HIGH | CVSS 7.5 | 2025-10-07 | Threat entry updated 2025-10-08
CVE-2025-9710 - Responsive Lightbox & Gallery Plugin

The Responsive Lightbox & Gallery WordPress plugin before 2.5.3 does not properly handle HTML tag attributes modifications, potentially allowing unauthenticated attackers to abuse the functionality to include event handlers and conduct Stored XSS attacks.

Plugin: Responsive Lightbox & Gallery | MEDIUM | CVSS 6.3 | 2025-10-06 | Threat entry updated 2025-10-06
CVE-2025-9703 - Ultimate Addons for Elementor Plugin

The Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) WordPress plugin before 2.5.0 does not sanitize SVG file contents when uploaded through the xmlrpc.php endpoint using base64 encode, leading to a Cross-Site Scripting vulnerability.

Plugin: Ultimate Addons for Elementor | MEDIUM | CVSS 4.3 | 2025-10-06 | Threat entry updated 2025-10-06
CVE-2025-9952 - Text To Speech Ai Audio Player To Convert Content Into Audio Plugin

The Trinity Audio – Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'range-date' parameter in all versions up to, and including, 5.20.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: Text To Speech Ai Audio Player To Convert Content Into Audio | MEDIUM | CVSS 6.1 | 2025-10-04 | Threat entry updated 2025-10-06
CVE-2025-9886 - Trinity Audio Plugin

The Trinity Audio – Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.20.2. This is due to missing or incorrect nonce validation in the '/admin/inc/post-management.php' file. This makes it possible for unauthenticated attackers to activate/deactivate posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Trinity Audio | MEDIUM | CVSS 4.3 | 2025-10-04 | Threat entry updated 2025-10-06
CVE-2025-10383 - Contest Gallery Plugin

The Contest Gallery – Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple form field parameters in all versions up to, and including, 27.0.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with author-level access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Contest Gallery | MEDIUM | CVSS 6.4 | 2025-10-04 | Threat entry updated 2025-10-06
CVE-2025-9485 - Miniorange Login With Eve Online Google Facebook Plugin

The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 6.26.12. This is due to the plugin performing unsafe JWT token processing without verification or validation in the `get_resource_owner_from_id_token` function. This makes it possible for unauthenticated attackers to bypass authentication and gain access to any existing user account - including administrators in certain configurations - or to create arbitrary subscriber-level accounts.

Plugin: Miniorange Login With Eve Online Google Facebook | CRITICAL | CVSS 9.8 | 2025-10-04 | Threat entry updated 2025-10-06
CVE-2025-9243 - Cost Calculator Builder Plugin

The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_cc_orders and update_order_status functions in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access order management functions and modify order status.

Plugin: Cost Calculator Builder | HIGH | CVSS 8.1 | 2025-10-04 | Threat entry updated 2025-10-06
CVE-2025-9030 - Majestic Before After Image Plugin

The Majestic Before After Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before_label' and 'after_label' parameters in versions less than, or equal to, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Majestic Before After Image | MEDIUM | CVSS 5.4 | 2025-10-04 | Threat entry updated 2025-10-06
CVE-2025-8726 - Wp Photo Album Plus Plugin

The WP Photo Album Plus plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 9.0.11.006 due to insufficient input sanitization and output escaping in the wppa_user_upload function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in the photo album descriptions that execute in a victim's browser.

Plugin: Wp Photo Album Plus | MEDIUM | CVSS 5.4 | 2025-10-04 | Threat entry updated 2025-10-06
CVE-2025-9029 - Widget Builder Plugin

The WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder plugin for WordPress is vulnerable to missing authorization via the wdkit_handle_review_submission function in versions less than, or equal to, 1.2.16. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to submit feedback data to external services.

Plugin: Widget Builder | MEDIUM | CVSS 4.3 | 2025-10-04 | Threat entry updated 2025-10-06
CVE-2025-11228 - Givewp Plugin

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `registerAssociateFormsWithCampaign` function in all versions up to, and including, 4.10.0. This makes it possible for unauthenticated attackers to associate any donation forms with any campaign.

Plugin: Givewp | MEDIUM | CVSS 5.3 | 2025-10-04 | Threat entry updated 2025-11-26
CVE-2025-11227 - Givewp Plugin

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.10.0 via the 'registerGetForm', 'registerGetForms', 'registerGetCampaign' and 'registerGetCampaigns' functions due to a missing capability check. This makes it possible for unauthenticated attackers to extract data from private and draft donation forms, as well as archived campaigns.

Plugin: Givewp | MEDIUM | CVSS 6.5 | 2025-10-04 | Threat entry updated 2025-11-26
CVE-2025-10746 - Integrate Dynamics 365 Crm Plugin

The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.9. This is due to missing capability checks and nonce verification on functions hooked to 'init'. This makes it possible for unauthenticated attackers to deactivate the plugin, tamper with OAuth configuration, and trigger test connections that expose sensitive data via direct request to vulnerable endpoints granted they can craft malicious requests with specific parameters.

Plugin: Integrate Dynamics 365 Crm | MEDIUM | CVSS 6.5 | 2025-10-04 | Threat entry updated 2025-10-06
CVE-2025-9892 - Restrict User Registration Plugin

The Restrict User Registration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the update() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Restrict User Registration | MEDIUM | CVSS 5.3 | 2025-10-03 | Threat entry updated 2025-10-06
CVE-2025-9945 - Optimize More Css Plugin

The Optimize More! – CSS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the reset_plugin function. This makes it possible for unauthenticated attackers to reset the plugin's optimization settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Optimize More Css | MEDIUM | CVSS 4.3 | 2025-10-03 | Threat entry updated 2025-10-06