Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-08-25
CVE-2025-7842 - External Rss Reader Plugin
The Silencesoft RSS Reader plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.6. This is due to missing or incorrect nonce validation on the 'sil_rss_edit_page' page. This makes it possible for unauthenticated attackers to delete RSS feeds via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
External Rss Reader
CVE-2025-7842
Risk Score
Threat Entry
Updated 2025-08-25
CVE-2025-7841 - Sertifier Certificates Open Badges Plugin
The Sertifier Certificate & Badge Maker for WordPress – Tutor LMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19. This is due to missing or incorrect nonce validation on the 'sertifier_settings' page. This makes it possible for unauthenticated attackers to update the plugin's api key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Sertifier Certificates Open Badges
CVE-2025-7841
Risk Score
Threat Entry
Updated 2025-08-25
CVE-2025-7642 - Simpler Checkout Plugin
The Simpler Checkout plugin for WordPress is vulnerable to Authentication Bypass in versions 0.7.0 to 1.1.9. This is due to the plugin not properly verifying a user's identity prior to logging them in as an admin through the simplerwc_woocommerce_order_created() function. This makes it possible for unauthenticated attackers to log in as other users based on their order ID, which can be an administrator if a site admin has placed a test order.
PLUGIN
Simpler Checkout
CVE-2025-7642
Risk Score
Threat Entry
Updated 2025-08-25
CVE-2025-7821 - Wc Plus Plugin
The WC Plus plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pluswc_logo_favicon_logo_base' AJAX action in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update the site's favicon logo base.
PLUGIN
Wc Plus
CVE-2025-7821
Risk Score
Threat Entry
Updated 2025-08-25
CVE-2025-7839 - Restore Permanently Delete Post Or Page Data Plugin
The Restore Permanently delete Post or Page Data plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the rp_dpo_dpa_ajax_dp_delete_data() function. This makes it possible for unauthenticated attackers to delete data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Restore Permanently Delete Post Or Page Data
CVE-2025-7839
Risk Score
Threat Entry
Updated 2025-08-25
CVE-2025-7828 - Wp Filter Combine Rss Feeds Plugin
The WP Filter & Combine RSS Feeds plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the post_listing_page() function in all versions up to, and including, 0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete feeds.
PLUGIN
Wp Filter Combine Rss Feeds
CVE-2025-7828
Risk Score
Threat Entry
Updated 2025-08-25
CVE-2025-7827 - Ni Woocommerce Customer Product Report Plugin
The Ni WooCommerce Customer Product Report plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ni_woocpr_action() function in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin settings.
PLUGIN
Ni Woocommerce Customer Product Report
CVE-2025-7827
Risk Score
Threat Entry
Updated 2025-08-25
CVE-2025-8678 - Wp Crontrol Plugin
The WP Crontrol plugin for WordPress is vulnerable to blind Server-Side Request Forgery in versions 1.17.0 to 1.19.1 via the 'wp_remote_request' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Wp Crontrol
CVE-2025-8678
Risk Score
Threat Entry
Updated 2026-01-16
CVE-2025-8281 - Wp Talroo Plugin
The WP Talroo WordPress plugin through 2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin and unauthenticated users.
PLUGIN
Wp Talroo
CVE-2025-8281
Risk Score
Threat Entry
Updated 2025-08-22
CVE-2025-8064 - Bible Supersearch Plugin
The Bible SuperSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘selector_height’ parameter in all versions up to, and including, 6.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Bible Supersearch
CVE-2025-8064
Risk Score
Threat Entry
Updated 2025-08-22
CVE-2025-8895 - Wp Webhooks Plugin
The WP Webhooks plugin for WordPress is vulnerable to arbitrary file copy due to missing validation of user-supplied input in all versions up to, and including, 3.3.5. This makes it possible for unauthenticated attackers to copy arbitrary files on the affected site's server to arbitrary locations. This can be used to copy the contents of wp-config.php into a text file which can then be accessed in a browser to reveal database credentials.
PLUGIN
Wp Webhooks
CVE-2025-8895
Risk Score
Threat Entry
Updated 2025-12-03
CVE-2025-7221 - Givewp Plugin
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the give_update_payment_status() function in all versions up to, and including, 4.5.0. This makes it possible for authenticated attackers, with GiveWP Worker-level access and above, to update donations statuses. This ability is not present in the user interface.
PLUGIN
Givewp
CVE-2025-7221
Risk Score
Threat Entry
Updated 2025-08-20
CVE-2025-8102 - Easy Digital Downloads Plugin
The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.0. This is due to missing nonce validations in the edd_sendwp_disconnect() and edd_sendwp_remote_install() functions. This makes it possible for unauthenticated attackers to deactivate or download and activate the SendWP plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Easy Digital Downloads
CVE-2025-8102
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-54677 - Online Booking Scheduling Calendar Plugin
Unrestricted Upload of File with Dangerous Type vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita allows Using Malicious Files. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through 4.5.3.
PLUGIN
Online Booking Scheduling Calendar
CVE-2025-54677
Risk Score
Threat Entry
Updated 2025-08-20
CVE-2025-8618 - Woo Smart Quick View Plugin
The WPC Smart Quick View for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's woosq_btn shortcode in all versions up to, and including, 4.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Woo Smart Quick View
CVE-2025-8618
Risk Score
Threat Entry
Updated 2025-08-20
CVE-2025-8289 - Wpcf7 Redirect Plugin
The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the delete_associated_files function. This makes it possible for unauthenticated attackers to inject a PHP Object. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with a file upload action, and doesn't affect sites with PHP version > 8. This vulnerability also requires the 'Redirection For Contact Form 7 Extension - Create Post' extension to…
PLUGIN
Wpcf7 Redirect
CVE-2025-8289
Risk Score
Threat Entry
Updated 2025-08-20
CVE-2025-8145 - Wpcf7 Redirect Plugin
The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the get_lead_fields function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in a Contact Form 7 plugin allows attackers to delete arbitrary files. Additionally, in certain server configurations, Remote Code Execution is possible
PLUGIN
Wpcf7 Redirect
CVE-2025-8145
Risk Score
Threat Entry
Updated 2025-08-20
CVE-2025-8141 - Wpcf7 Redirect Plugin
The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_associated_files function in all versions up to, and including, 3.2.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
PLUGIN
Wpcf7 Redirect
CVE-2025-8141
Risk Score
Threat Entry
Updated 2025-08-19
CVE-2025-8783 - Contact Manager Plugin
The Contact Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title’ parameter in all versions up to, and including, 8.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Contact Manager
CVE-2025-8783
Risk Score
Threat Entry
Updated 2025-08-19
CVE-2025-8567 - Plus Addons For Block Editor Plugin
The Nexter Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 4.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Plus Addons For Block Editor
CVE-2025-8567
Risk Score