Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-12-08
CVE-2024-13342 - Woocommerce Jetpack Plugin
The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'add_files_to_order' function in all versions up to, and including, 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files with double extensions on the affected site's server which may make remote code execution possible. This is only exploitable on select instances where the configuration will execute the first extension present.
PLUGIN
Woocommerce Jetpack
CVE-2024-13342
Risk Score
Threat Entry
Updated 2025-08-29
CVE-2025-8150 - Events Addon For Elementor Plugin
The Events Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Typewriter and Countdown widgets in all versions up to, and including, 2.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Events Addon For Elementor
CVE-2025-8150
Risk Score
Threat Entry
Updated 2025-08-29
CVE-2025-9441 - Iats Online Forms Plugin
The iATS Online Forms plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order' parameter in all versions up to, and including, 1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Iats Online Forms
CVE-2025-9441
Risk Score
Threat Entry
Updated 2025-08-29
CVE-2025-9374 - Utw Importer Plugin
The Ultimate Tag Warrior Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to import tags granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Utw Importer
CVE-2025-9374
Risk Score
Threat Entry
Updated 2025-08-29
CVE-2025-8619 - Osm Map Elementor Plugin
The OSM Map Widget for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Map Block URL in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Osm Map Elementor
CVE-2025-8619
Risk Score
Threat Entry
Updated 2025-08-29
CVE-2025-8290 - List Sub Pages Plugin
The List Subpages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
List Sub Pages
CVE-2025-8290
Risk Score
Threat Entry
Updated 2025-08-29
CVE-2025-8147 - Lwscache Plugin
The LWSCache plugin for WordPress is vulnerable to unauthorized modification of data due to improper authorization on the lwscache_activatePlugin() function in all versions up to, and including, 2.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate arbitrary whitelisted LWS plugins.
PLUGIN
Lwscache
CVE-2025-8147
Risk Score
Threat Entry
Updated 2025-08-29
CVE-2025-53243 - Team Directory Plugin
Deserialization of Untrusted Data vulnerability in emarket-design Employee Directory – Staff Listing & Team Directory Plugin for WordPress allows Object Injection. This issue affects Employee Directory – Staff Listing & Team Directory Plugin for WordPress: from n/a through 4.5.3.
PLUGIN
Team Directory
CVE-2025-53243
Risk Score
Threat Entry
Updated 2025-08-29
CVE-2025-9376 - He Block Bad Bots And Stop Bad Bots Crawlers And Spiders And Anti Spam Protection Plugin
The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection plugin for WordPress is vulnerable to unauthorized access of data due to an insufficient capability check on the 'stopbadbots_check_wordpress_logged_in_cookie' function in all versions up to, and including, 11.58. This makes it possible for unauthenticated attackers to bypass blocklists, rate limits, and other plugin functionality.
PLUGIN
He Block Bad Bots And Stop Bad Bots Crawlers And Spiders And Anti Spam Protection
CVE-2025-9376
Risk Score
Threat Entry
Updated 2025-08-29
CVE-2025-8073 - Dynamic Ajax Product Filters For Woocommerce Plugin
The Dynamic AJAX Product Filters for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 1.3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Dynamic Ajax Product Filters For Woocommerce
CVE-2025-8073
Risk Score
Threat Entry
Updated 2025-08-29
CVE-2025-6255 - Dynamic Ajax Product Filters For Woocommerce Plugin
The Dynamic AJAX Product Filters for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 1.3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Dynamic Ajax Product Filters For Woocommerce
CVE-2025-6255
Risk Score
Threat Entry
Updated 2025-08-29
CVE-2025-7955 - Rccp Free Plugin
The RingCentral Communications plugin for WordPress is vulnerable to Authentication Bypass due to improper validation within the ringcentral_admin_login_2fa_verify() function in versions 1.5 to 1.6.8. This makes it possible for unauthenticated attackers to log in as any user simply by supplying identical bogus codes.
PLUGIN
Rccp Free
CVE-2025-7955
Risk Score
Threat Entry
Updated 2025-08-29
CVE-2025-7956 - Ajax Search Lite Plugin
The Ajax Search Lite plugin for WordPress is vulnerable to Basic Information Exposure due to missing authorization in its AJAX search handler in all versions up to, and including, 4.13.1. This makes it possible for unauthenticated attackers to issue repeated AJAX requests to leak the content of any protected post in rolling 100‑character windows.
PLUGIN
Ajax Search Lite
CVE-2025-7956
Risk Score
Threat Entry
Updated 2025-08-29
CVE-2024-13807 - Xagio Seo Plugin
The Xagio SEO plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.1.0.5 via the backup functionality due to weak filename structure and lack of protection in the directory. This makes it possible for unauthenticated attackers to extract sensitive data from backups which can include the entire database and site's files.
PLUGIN
Xagio Seo
CVE-2024-13807
Risk Score
Threat Entry
Updated 2025-08-29
CVE-2025-8977 - Simple Download Monitor Plugin
The Simple Download Monitor plugin for WordPress is vulnerable to time-based SQL Injection via the order parameter in all versions up to, and including, 3.9.33 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, and permissions granted by an Administrator, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Simple Download Monitor
CVE-2025-8977
Risk Score
Threat Entry
Updated 2025-08-29
CVE-2025-9346 - Booking Calendar Plugin
The Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 10.14.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Booking Calendar
CVE-2025-9346
Risk Score
Threat Entry
Updated 2025-08-29
CVE-2025-9345 - And Backup By Managefy Plugin
The File Manager, Code Editor, and Backup by Managefy plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.8 via the ajax_downloadfile() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory.
PLUGIN
And Backup By Managefy
CVE-2025-9345
Risk Score
Threat Entry
Updated 2025-08-29
CVE-2025-8603 - Unlimited Elements For Elementor Plugin
The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 1.5.148 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Unlimited Elements For Elementor
CVE-2025-8603
Risk Score
Threat Entry
Updated 2025-08-29
CVE-2024-9648 - Wp Ulike Pro Plugin
The WP ULike Pro plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the WP_Ulike_Pro_File_Uploader class in all versions up to, and including, 1.9.3. This makes it possible for unauthenticated attackers to upload limited arbitrary files like .php2, .php6, .php7, .phps, .pht, .phtm, .pgif, .shtml, .phar, .inc, .hphp, .ctp, .module, .html, .svg on the affected site's server which may make make other attacks like Cross-Site Scripting possible. Only versions up to 1.8.7 were confirmed vulnerable, however, the earliest tested version for a patch…
PLUGIN
Wp Ulike Pro
CVE-2024-9648
Risk Score
Threat Entry
Updated 2025-08-29
CVE-2025-7812 - Turnkey Video Site Builder Script Plugin
The Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.6. This is due to missing or incorrect nonce validation on the adminExport() function. This makes it possible for unauthenticated attackers to update settings and execute remote code when the Server command execution setting is enabled via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Turnkey Video Site Builder Script
CVE-2025-7812
Risk Score