Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-08-13
CVE-2025-6715 - Before 5 Plugin
The LatePoint WordPress plugin before 5.1.94 is vulnerable to Local File Inclusion via the layout parameter. This makes it possible for attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files.
PLUGIN
Before 5
CVE-2025-6715
Risk Score
Threat Entry
Updated 2025-08-13
CVE-2025-7384 - Contact Form Entries Plugin
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization of untrusted input in the get_lead_detail function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.
PLUGIN
Contact Form Entries
CVE-2025-7384
Risk Score
Threat Entry
Updated 2025-12-18
CVE-2025-8891 - Oceanwp Plugin
The OceanWP theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.0.9 to 4.1.1. This is due to missing or incorrect nonce validation on the oceanwp_notice_button_click() function. This makes it possible for unauthenticated attackers to install the Ocean Extra plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Oceanwp
CVE-2025-8891
Risk Score
Threat Entry
Updated 2025-08-13
CVE-2025-8491 - Easy Pdf Restaurant Menu Upload Plugin
The Easy restaurant menu manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on the nsc_eprm_save_menu() function. This makes it possible for unauthenticated attackers to upload a menu file via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Easy Pdf Restaurant Menu Upload
CVE-2025-8491
Risk Score
Threat Entry
Updated 2025-08-13
CVE-2025-0818 - File Manager Advanced Plugin
Several WordPress plugins using elFinder versions 2.1.64 and prior are vulnerable to Directory Traversal in various versions. This makes it possible for unauthenticated attackers to delete arbitrary files. Successful exploitation of this vulnerability requires a site owner to explicitly make an instance of the file manager available to users.
PLUGIN
File Manager Advanced
CVE-2025-0818
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8418 - B Slider Plugin
The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Arbitrary Plugin Installation in all versions up to, and including, 1.1.30. This is due to missing capability checks on the activated_plugin function. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the server which can make remote code execution possible.
PLUGIN
B Slider
CVE-2025-8418
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8874 - Master Addons Plugin
The Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 2.0.8.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Master Addons
CVE-2025-8874
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8767 - Anwp Football Leagues Plugin
The AnWP Football Leagues plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 0.16.17 via the 'download_csv_players' and 'download_csv_games' functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
PLUGIN
Anwp Football Leagues
CVE-2025-8767
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8482 - Simple Local Avatars Plugin
The Simple Local Avatars plugin for WordPress is vulnerable to unauthorized modification of data in version 2.8.4. This is due to a missing capability check on the migrate_from_wp_user_avatar() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to migrate avatar metadata for all users.
PLUGIN
Simple Local Avatars
CVE-2025-8482
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-6253 - Free Elementor Widgets And Templates Plugin
The UiCore Elements – Free Elementor widgets and templates plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.3.0 via the prepare_template() function due to a missing capability check and insufficient controls on the filename specified. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Free Elementor Widgets And Templates
CVE-2025-6253
Risk Score
Threat Entry
Updated 2025-08-15
CVE-2025-8081 - Website Builder Plugin
The Elementor plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.30.2 via the Import_Images::import() function due to insufficient controls on the filename specified. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Website Builder
CVE-2025-8081
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8059 - B Blocks Plugin
The B Blocks plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization and improper input validation within the rgfr_registration() function in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to create a new account and assign it the administrator role.
PLUGIN
B Blocks
CVE-2025-8059
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8314 - Software Issue Manager Plugin
The Software Issue Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘noaccess_msg parameter in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Software Issue Manager
CVE-2025-8314
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8690 - Addi Simple Slider Plugin
The Simple Responsive Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Addi Simple Slider
CVE-2025-8690
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8688 - Inline Stock Quotes Plugin
The Inline Stock Quotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's stock shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Inline Stock Quotes
CVE-2025-8688
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8685 - Wp Chart Generator Plugin
The Wp chart generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpchart shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Chart Generator
CVE-2025-8685
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8621 - Mosaic Generator Plugin
The Mosaic Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘c’ parameter in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Mosaic Generator
CVE-2025-8621
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8568 - Gmap Venturit Plugin
The GMap Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘h’ parameter in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Gmap Venturit
CVE-2025-8568
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8462 - Rt Easy Builder Advanced Addons For Elementor Plugin
The RT Easy Builder – Advanced addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the social URL parameter in all versions up to, and including, 2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Rt Easy Builder Advanced Addons For Elementor
CVE-2025-8462
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-5391 - Wc Purchase Orders Plugin
The WooCommerce Purchase Orders plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
PLUGIN
Wc Purchase Orders
CVE-2025-5391
Risk Score