Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-09-26
CVE-2025-10037 - Featured Image From Url Plugin
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to SQL Injection via the get_posts_with_internal_featured_image() function in all versions up to, and including, 5.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Featured Image From Url
CVE-2025-10037
Risk Score
Threat Entry
Updated 2025-09-26
CVE-2025-10036 - Featured Image From Url Plugin
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to SQL Injection via the get_all_urls() function in all versions up to, and including, 5.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Featured Image From Url
CVE-2025-10036
Risk Score
Threat Entry
Updated 2025-09-26
CVE-2025-9044 - Mapster Wp Maps Plugin
The Mapster WP Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple fields in versions up to, and including, 1.20.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Mapster Wp Maps
CVE-2025-9044
Risk Score
Threat Entry
Updated 2025-09-26
CVE-2025-10745 - Block Bad Users And Bots Plugin
The Banhammer – Monitor Site Traffic, Block Bad Users and Bots plugin for WordPress is vulnerable to Blocking Bypass in all versions up to, and including, 3.4.8. This is due to a site-wide “secret key” being deterministically generated from a constant character set using md5() and base64_encode() and then stored in the `banhammer_secret_key` option. This makes it possible for unauthenticated attackers to bypass the plugin’s logging and blocking by appending a GET parameter named `banhammer-process_{SECRET}` where `{SECRET}` is the predictable value, thereby causing Banhammer to abort its protections for that…
PLUGIN
Block Bad Users And Bots
CVE-2025-10745
Risk Score
Threat Entry
Updated 2025-09-26
CVE-2025-10377 - System Dashboard Plugin
The System Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.20. This is due to missing nonce validation on the sd_toggle_logs() function. This makes it possible for unauthenticated attackers to toggle critical logging settings including Page Access Logs, Error Logs, and Email Delivery Logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
System Dashboard
CVE-2025-10377
Risk Score
Threat Entry
Updated 2025-09-26
CVE-2025-10173 - All In One Woocommerce Solution Plugin
The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized access due to an incorrect capability check on the post_save() function in all versions up to, and including, 4.8.3. This makes it possible for authenticated attackers, with Editor-level access and above, to update the plugin's settings.
PLUGIN
All In One Woocommerce Solution
CVE-2025-10173
Risk Score
Threat Entry
Updated 2025-09-26
CVE-2025-8906 - Widgets For Tiktok Feed Plugin
The Widgets for Tiktok Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trustindex-feed' shortcode in all versions up to, and including, 1.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Widgets For Tiktok Feed
CVE-2025-8906
Risk Score
Threat Entry
Updated 2025-09-26
CVE-2025-8200 - Mega Elements Addons For Elementor Plugin
The Mega Elements – Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown Timer widget in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Mega Elements Addons For Elementor
CVE-2025-8200
Risk Score
Threat Entry
Updated 2025-09-26
CVE-2025-10752 - Miniorange Login With Eve Online Google Facebook Plugin
The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.26.12. This is due to using a predictable state parameter (base64 encoded app name) without any randomness in the OAuth flow. This makes it possible for unauthenticated attackers to forge OAuth authorization requests and potentially hijack the OAuth flow via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Miniorange Login With Eve Online Google Facebook
CVE-2025-10752
Risk Score
Threat Entry
Updated 2025-09-26
CVE-2025-10178 - Cm Business Directory Plugin
The CM Business Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cmbd_featured_image' shortcode in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Cm Business Directory
CVE-2025-10178
Risk Score
Threat Entry
Updated 2025-09-24
CVE-2025-9353 - Themify Builder Plugin
The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 7.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 7.6.9.
PLUGIN
Themify Builder
CVE-2025-9353
Risk Score
Threat Entry
Updated 2025-09-24
CVE-2025-9054 - Multiloca Woocommerce Multi Locations Inventory Management Plugin
The MultiLoca - WooCommerce Multi Locations Inventory Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'wcmlim_settings_ajax_handler' function in all versions up to, and including, 4.2.8. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
PLUGIN
Multiloca Woocommerce Multi Locations Inventory Management
CVE-2025-9054
Risk Score
Threat Entry
Updated 2025-09-24
CVE-2025-10412 - WooCommerce Plugin
The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'uni_cpo_upload_file' function in all versions up to, and including, 4.9.54. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
WooCommerce
CVE-2025-10412
Risk Score
Threat Entry
Updated 2025-09-24
CVE-2025-10147 - Podlove Podcasting Plugin For Wordpress
The Podlove Podcast Publisher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'move_as_original_file' function in all versions up to, and including, 4.2.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Podlove Podcasting Plugin For Wordpress
CVE-2025-10147
Risk Score
Threat Entry
Updated 2025-11-13
CVE-2025-8282 - Before 1 Plugin
The SureForms WordPress plugin before 1.9.1 does not sanitise and escape some parameters when outputing them in the page, which could allow admin and above users to perform Cross-Site Scripting attacks.
PLUGIN
Before 1
CVE-2025-8282
Risk Score
Threat Entry
Updated 2025-09-24
CVE-2025-9321 - Wpcasa Plugin
The WPCasa plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.4.1. This is due to insufficient input validation and restriction on the 'api_requests' function. This makes it possible for unauthenticated attackers to call arbitrary functions and execute code.
PLUGIN
Wpcasa
CVE-2025-9321
Risk Score
Threat Entry
Updated 2025-09-24
CVE-2025-8902 - Widget Options Extended Plugin
The Widget Options - Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'do_sidebar' shortcode in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Widget Options Extended
CVE-2025-8902
Risk Score
Threat Entry
Updated 2025-09-24
CVE-2025-10380 - Acf Views Plugin
The Advanced Views – Display Posts, Custom Fields, and More plugin for WordPress is vulnerable to Server-Side Template Injection in all versions up to, and including, 3.7.19. This is due to insufficient input sanitization and lack of access control when processing custom Twig templates in the Model panel. This makes it possible for authenticated attackers, with author-level access or higher, to execute arbitrary PHP code and commands on the server.
PLUGIN
Acf Views
CVE-2025-10380
Risk Score
Threat Entry
Updated 2025-09-22
CVE-2025-57977 - WooCommerce Plugin
Cross-Site Request Forgery (CSRF) vulnerability in wpdesk Flexible PDF Invoices for WooCommerce & WordPress allows Cross Site Request Forgery. This issue affects Flexible PDF Invoices for WooCommerce & WordPress: from n/a through 6.0.13.
PLUGIN
WooCommerce
CVE-2025-57977
Risk Score
Threat Entry
Updated 2025-10-24
CVE-2025-57923 - Exposes The Api Key Plugin
An Insertion of Sensitive Information into Sent Data vulnerability in the Ideal Postcodes UK Address Postcode Validation WordPress plugin exposes the API key, allowing unauthorized third parties to retrieve and reuse the key across any domain. Since API keys are unrestricted by default, with the “Allowed URLs” field left empty upon creation of API key this can lead to unauthorized use and depletion of API credits.Note: the vulnerability is assessed based on the default configuration.This issue affects UK Address Postcode Validation: from n/a through 3.9.2.
PLUGIN
Exposes The Api Key
CVE-2025-57923
Risk Score