Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 14,273 | Critical 855 | High 2,814 | Medium 10,408
Showing 3781-3800 of 14273 records

CVE-2025-7644 - Portfolio Gallery Plugin (entry updated 2025-07-22)

The Pixel Gallery Addons for Elementor – Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via URLs in all widgets in all versions up to, and including, 1.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity MEDIUM, CVSS 6.4, 2025-07-22

CVE-2025-7495 - WP-Members Plugin (entry updated 2025-07-22)

The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpmem_login_link' shortcode in all versions up to, and including, 3.5.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity MEDIUM, CVSS 6.4, 2025-07-22

CVE-2025-6831 - User Registration Plugin (entry updated 2025-07-22)

The User Registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's urcr_restrict shortcode in all versions up to, and including, 4.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity MEDIUM, CVSS 6.4, 2025-07-22

CVE-2025-5240 - CRM and Lead Management by vcita Plugin (entry updated 2025-07-22)

The CRM and Lead Management by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘type’ parameter in all versions up to, and including, 2.7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity MEDIUM, CVSS 6.4, 2025-07-22

CVE-2025-7486 - Ebook Store Plugin (entry updated 2025-07-22)

The Ebook Store plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Order Details in all versions up to, and including, 5.8012 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Severity MEDIUM, CVSS 4.4, 2025-07-21

CVE-2025-7354 - Shortcodes Ultimate Plugin (entry updated 2025-07-22)

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 7.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity MEDIUM, CVSS 6.4, 2025-07-21

CVE-2025-4685 - Gutentor (Page Builder for Gutenberg Editor) Plugin (entry updated 2025-07-22)

The Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HTML data attributes of multiple widgets, in all versions up to, and including, 3.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity MEDIUM, CVSS 6.4, 2025-07-21

CVE-2025-7369 - Shortcodes Ultimate Plugin (entry updated 2025-07-22)

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.4.2. This is due to missing or incorrect nonce validation on the preview function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. In combination with CVE-2025-7354, it leads to Reflected Cross-Site Scripting.

Severity MEDIUM, CVSS 6.1, 2025-07-21

CVE-2025-6997 - ThemeREX Addons Plugin (entry updated 2025-08-11)

The ThemeREX Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.35.1.1 due to insufficient input sanitization and output escaping. The plugin’s SVG rendering routine calls the trx_addons_get_svg_from_file() function on an unvalidated 'svg' parameter supplied via the shortcode or Elementor widget settings, then outputs it via the trx_addons_show_layout() function. Because there is no check on the URL’s origin, scheme, or the SVG content itself, authenticated attackers, with Contributor-level access and above, can supply a remote SVG and inject…

Severity MEDIUM, CVSS 6.4, 2025-07-19
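The ThemeREX entry above describes the pattern: a URL taken from shortcode or widget settings is fetched and its contents echoed as inline SVG, with no check on where it came from or what it contains. The following is an added example, not ThemeREX code or its fix, showing the two controls that close that gap: accept only a file under the site's own uploads directory (no URL, no scheme, no traversal) and strip active content from the SVG before output. The function names (render_inline_svg, sanitize_svg) and the $uploadsDir parameter are assumptions; in a WordPress plugin the caller would resolve an attachment ID with get_attached_file() instead of accepting a relative path. The element and attribute lists are a minimal blocklist for illustration; a deployed plugin should use a maintained SVG sanitizer.

```php
<?php
// Added example; not ThemeREX Addons code. PHP 8, no WordPress dependency.

// Vulnerable shape from the advisory: whatever string the widget setting holds is
// fetched (any scheme, any host) and echoed verbatim into the page.
function render_inline_svg_vulnerable(string $svg): string
{
    return (string) file_get_contents($svg);
}

// Remove script-bearing elements and attributes from an SVG document.
// Returns null when the input is not a well-formed SVG.
function sanitize_svg(string $xml): ?string
{
    if (trim($xml) === '') {
        return null;
    }
    $prev = libxml_use_internal_errors(true);
    $dom  = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing; LIBXML_NOENT is deliberately
    // absent so external entities are never expanded.
    $ok = $dom->loadXML($xml, LIBXML_NONET | LIBXML_NOBLANKS);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $root = $dom->documentElement;
    if (!$ok || $root === null || $root->localName !== 'svg') {
        return null;
    }
    $bannedElements = ['script', 'foreignObject', 'iframe', 'object', 'embed', 'animate', 'set'];
    $xpath = new DOMXPath($dom);
    // Snapshot the node list first: removing nodes from a live NodeList skips siblings.
    foreach (iterator_to_array($xpath->query('//*'), false) as $el) {
        if (in_array($el->localName, $bannedElements, true)) {
            $el->parentNode->removeChild($el);
            continue;
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $name  = strtolower($attr->nodeName);
            // Strip whitespace and control characters so "java\tscript:" is still caught.
            $value = strtolower(preg_replace('/[\s\x00-\x1f]+/', '', $attr->nodeValue));
            $isHandler = str_starts_with($name, 'on');
            $isLink    = in_array($name, ['href', 'xlink:href'], true);
            if ($isHandler || ($isLink && preg_match('/^(javascript|data|vbscript):/', $value) === 1)) {
                $el->removeAttributeNode($attr);
            }
        }
    }
    return $dom->saveXML($root);
}

// Hardened loader: a bare relative filename below the uploads directory, nothing else.
function render_inline_svg(string $relative, string $uploadsDir): string
{
    // No leading "/" or ".", no "..", must end in .svg; a URL can never match (":" is not allowed).
    if (preg_match('#^(?!.*\.\.)[A-Za-z0-9_][A-Za-z0-9_./-]*\.svg$#', $relative) !== 1) {
        return '';
    }
    $base = realpath($uploadsDir);
    $path = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $relative);
    // realpath() resolves symlinks, so the prefix check covers links pointing outside uploads.
    if ($base === false || $path === false || !is_file($path)
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return '';
    }
    return sanitize_svg((string) file_get_contents($path)) ?? '';
}

// Constructed malicious SVG for the demo: root onload handler, a <script> child and a
// javascript: link around otherwise harmless text.
$evil = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
      . '<script>alert(2)</script><a xlink:href="javascript:alert(3)"><text>safe</text></a></svg>';
echo sanitize_svg($evil), PHP_EOL;
```

Running the file prints the constructed SVG with the onload attribute, the script element and the javascript: href removed and the a/text pair left intact. The loader rejects "http://evil.example/x.svg", "../../wp-config.php" and "/etc/passwd" before any file is touched, so the remote-fetch path the advisory describes no longer exists.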

CVE-2025-6721 - Vchasno Kasa Plugin (entry updated 2025-07-22)

The Vchasno Kasa plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the mrkv_vchasno_kasa_wc_do_metabox_action() function in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to generate invoices for arbitrary orders.

Severity MEDIUM, CVSS 5.3, 2025-07-19

CVE-2025-6720 - Vchasno Kasa Plugin (entry updated 2025-07-22)

The Vchasno Kasa plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the clear_all_log() function in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to clear log files.

Severity MEDIUM, CVSS 5.3, 2025-07-19

CVE-2025-7697 - Integration for Google Sheets and Contact Form 7 Plugin (entry updated 2025-07-22)

The Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.1 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php…

Severity CRITICAL, CVSS 9.8, 2025-07-19

CVE-2025-7696 - Integration for Pipedrive and Contact Form 7 Plugin (entry updated 2025-07-22)

The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.3 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file…

Severity CRITICAL, CVSS 9.8, 2025-07-19
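CVE-2025-7697 and CVE-2025-7696 above are the same bug in two sibling plugins: request data reaches unserialize(), which instantiates any loadable class named in the payload, and a destructor elsewhere in the install does the damage. The following is an added example, not the plugins' code and not the Contact Form 7 gadget chain; DemoCleanup and the verify_field_val_* names are hypothetical. It shows the vulnerable call, the shape of a file-deleting gadget, and two fixes.

```php
<?php
// Added example; not code from the affected plugins or Contact Form 7. PHP 8.

// A gadget of the shape the advisory describes: some class in the install whose
// destructor deletes a path held in a property. Constructed here for illustration.
class DemoCleanup
{
    public string $path = '';

    public function __destruct()
    {
        if ($this->path !== '' && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable pattern: serialized data that came from the request goes to unserialize(),
// so the attacker chooses the class and its properties. The destructor runs as soon as
// the returned object is discarded.
function verify_field_val_vulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// Fix 1 (minimal, keeps the wire format): forbid object instantiation. Any object in the
// payload becomes an inert __PHP_Incomplete_Class; refuse those outright.
function verify_field_val_fixed(string $raw): mixed
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    return is_object($value) ? null : $value;
}

// Fix 2 (preferred): carry plain data as JSON, which cannot name a PHP class at all.
function verify_field_val_json(string $raw): mixed
{
    return json_decode($raw, true, 32, JSON_THROW_ON_ERROR);
}

// Demo. The temp file stands in for wp-config.php; the payload is constructed to
// target the gadget above.
$victim  = tempnam(sys_get_temp_dir(), 'poi');
$payload = sprintf('O:11:"DemoCleanup":1:{s:4:"path";s:%d:"%s";}', strlen($victim), $victim);

$safe = verify_field_val_fixed($payload);
$intactAfterFix = file_exists($victim);

verify_field_val_vulnerable($payload);
$intactAfterVulnerable = file_exists($victim);

var_dump($safe, $intactAfterFix, $intactAfterVulnerable);
```

With allowed_classes disabled the fixed function returns null and the file is still there; the vulnerable call instantiates DemoCleanup, the object is dropped immediately, and its destructor removes the file. Deleting wp-config.php is what turns this into the denial of service and reinstall-driven code execution the advisory names. Note that allowed_classes only blocks instantiation; if the data must stay in PHP's serialization format, also cap the payload size and validate the decoded structure, and move to JSON when the format can change.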

CVE-2025-7661 - Partnerský systém Martinus Plugin (entry updated 2025-07-22)

The Partnerský systém Martinus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'martinus' shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity MEDIUM, CVSS 6.4, 2025-07-19

CVE-2025-7658 - Temporarily Hidden Content Plugin (entry updated 2025-07-22)

The Temporarily Hidden Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'temphc-start' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity MEDIUM, CVSS 6.4, 2025-07-19

CVE-2025-7655 - Live Stream Badger Plugin (entry updated 2025-07-22)

The Live Stream Badger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'livestream' shortcode in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity MEDIUM, CVSS 6.4, 2025-07-19

CVE-2025-7653 - EPay.bg Payments Plugin (entry updated 2025-07-22)

The EPay.bg Payments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'epay' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity MEDIUM, CVSS 6.4, 2025-07-19
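The shortcode entries on this page (CVE-2025-7495, CVE-2025-6831, CVE-2025-7354, CVE-2025-7661, CVE-2025-7658, CVE-2025-7655, CVE-2025-7653) share one shape. A Contributor cannot post raw HTML, because WordPress runs post content through KSES for anyone without unfiltered_html, but a shortcode is plain bracketed text to KSES, and its attribute values are only turned into markup at render time. If the handler concatenates them unescaped, the payload executes for the editor who previews the draft and for every visitor once it is published. The following is an added example, not code from any plugin on this page, using a hypothetical [demo_link] shortcode; it assumes WordPress is loaded.

```php
<?php
// Added example, not code from the listed plugins. Assumes WordPress is loaded.
// Hypothetical shortcode: [demo_link url="" label="" target="" class=""]

// Vulnerable shape: attribute values are dropped straight into markup. A Contributor
// can save a draft containing the constructed payload
//   [demo_link url="javascript:alert(1)" label="x" class='" onmouseover="alert(1)']
// and the script runs for whoever renders the post, starting with the reviewing editor.
function demo_link_shortcode_vulnerable($atts)
{
    $atts = shortcode_atts(['url' => '#', 'label' => '', 'target' => '_self', 'class' => ''], $atts, 'demo_link');
    return '<a href="' . $atts['url'] . '" target="' . $atts['target']
         . '" class="' . $atts['class'] . '">' . $atts['label'] . '</a>';
}

// Hardened: decide what each attribute is allowed to be, then escape for the exact
// context it lands in (URL, attribute value, HTML body). Escaping alone is not a
// validator: esc_attr() would keep "javascript:" intact inside href.
function demo_link_shortcode($atts)
{
    $atts = shortcode_atts(['url' => '', 'label' => '', 'target' => '_self', 'class' => ''], $atts, 'demo_link');

    // esc_url() returns '' for javascript:, data:, vbscript: and any scheme outside
    // wp_allowed_protocols(); no URL means no link at all.
    $url = esc_url($atts['url']);
    if ($url === '') {
        return '';
    }
    // Enumerated value: allowlist rather than escape.
    $target = in_array($atts['target'], ['_self', '_blank'], true) ? $atts['target'] : '_self';
    // Free-form class list: reduce every token to CSS-identifier characters.
    $classes = array_filter(array_map('sanitize_html_class', preg_split('/\s+/', trim($atts['class']))));
    // Author-supplied label may carry limited markup; wp_kses_post() drops scripts and on* handlers.
    $label = wp_kses_post($atts['label']);
    $rel   = $target === '_blank' ? ' rel="noopener"' : '';

    return sprintf(
        '<a href="%s" target="%s" class="%s"%s>%s</a>',
        $url,                              // esc_url() in display context already entity-encodes & and '
        esc_attr($target),
        esc_attr(implode(' ', $classes)),
        $rel,
        $label
    );
}
add_shortcode('demo_link', 'demo_link_shortcode');
```

The same split applies to widget settings (CVE-2025-7644, CVE-2025-4685): pick the escaper by destination, esc_url() for href and src, esc_attr() for any other attribute, esc_html() for text nodes, wp_kses_post() only where the author is meant to supply markup, and allowlist anything that is really an enumeration.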

CVE-2025-7669 - Avishi WP PayPal Payment Button Plugin (entry updated 2025-07-22)

The Avishi WP PayPal Payment Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0. This is due to missing or incorrect nonce validation on the 'avishi-wp-paypal-payment-button/index.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Severity MEDIUM, CVSS 6.1, 2025-07-19

CVE-2025-7444 - LoginPress Pro Plugin (entry updated 2025-07-22)

The LoginPress Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.0.1. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.

Severity CRITICAL, CVSS 9.8, 2025-07-18
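CVE-2025-7444 above describes a social-login flow that trusted the account the provider's token pointed at without checking that this provider identity had ever been linked to the local user: an attacker who registers at the identity provider with the administrator's e-mail address is handed the administrator's session. The example below is added here and is not LoginPress code or its patch; it shows the linking rule that prevents the takeover. The class and method names are hypothetical and the in-memory arrays stand in for database tables. It assumes the token's signature, issuer and audience have already been verified; $claims is what survives that check.

```php
<?php
// Added example; not LoginPress code. PHP 8, no WordPress dependency.

final class SocialLoginResolver
{
    /** @var array<string,int> "issuer|subject" => local user id, written only by link() */
    private array $links;
    /** @var array<string,int> lowercase e-mail => local user id */
    private array $usersByEmail;

    public function __construct(array $usersByEmail, array $links = [])
    {
        $this->usersByEmail = array_change_key_case($usersByEmail, CASE_LOWER);
        $this->links        = $links;
    }

    // Called from an authenticated "connect this provider" action, never from the login callback.
    public function link(string $issuer, string $subject, int $userId): void
    {
        $this->links["$issuer|$subject"] = $userId;
    }

    // Vulnerable shape: whichever local account carries the token's e-mail address logs in.
    // The provider never asserted that this subject owns that local account.
    public function resolveByEmailOnly(array $claims): ?int
    {
        return $this->usersByEmail[strtolower($claims['email'] ?? '')] ?? null;
    }

    // Hardened: the principal is (issuer, subject). E-mail is at most a hint, and only
    // when the provider vouches for it and the site has opted in to auto-linking.
    public function resolve(array $claims, bool $allowVerifiedEmailAutolink = false): ?int
    {
        $issuer  = $claims['iss'] ?? '';
        $subject = $claims['sub'] ?? '';
        if ($issuer === '' || $subject === '') {
            return null;                       // the token does not identify a principal
        }
        $userId = $this->links["$issuer|$subject"] ?? null;
        if ($userId !== null) {
            return $userId;                    // previously linked by the user themselves
        }
        if (!$allowVerifiedEmailAutolink || ($claims['email_verified'] ?? false) !== true) {
            return null;                       // unlinked identity: demand an interactive link step
        }
        $userId = $this->usersByEmail[strtolower($claims['email'] ?? '')] ?? null;
        if ($userId !== null) {
            $this->link($issuer, $subject, $userId);   // first-time link, recorded for next time
        }
        return $userId;
    }
}

// Constructed scenario: the administrator (user 1) has never used this provider.
$resolver = new SocialLoginResolver(['admin@example.com' => 1]);
$attackerToken = [
    'iss' => 'https://idp.example', 'sub' => 'attacker-123',
    'email' => 'admin@example.com', 'email_verified' => false,
];
var_dump($resolver->resolveByEmailOnly($attackerToken));   // the takeover path
var_dump($resolver->resolve($attackerToken));              // refused: no link, no verified e-mail
```

The e-mail-only resolver hands back user 1; the hardened one returns null and the attacker is sent to an account-linking page that requires the local password. Even with auto-linking enabled, a provider that marks the address unverified is refused, and the (issuer, subject) pair is what gets stored, so a later token from a different subject with the same e-mail does not match.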

CVE-2025-7772 - Malcure Malware Scanner Plugin (entry updated 2025-07-22)

The Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 16.8 via the wpmr_inspect_file() function due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Severity MEDIUM, CVSS 6.5, 2025-07-18
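Several entries on this page are the same two missing checks on a request handler. CVE-2025-7369 and CVE-2025-7669 are missing nonce validation, so a logged-in administrator who opens an attacker's page performs the action for them. CVE-2025-6721, CVE-2025-6720 and CVE-2025-7772 are missing capability checks, so the action is open to anyone the hook admits, which for a handler registered on wp_ajax_nopriv_ means logged-out visitors and for CVE-2025-7772 any Subscriber; the last one also takes a file path straight from the request. The following is an added example, not any of these vendors' code, showing the vulnerable shape and the hardened handler side by side. It assumes WordPress is loaded; the action names, function names and the admin-page hook suffix are hypothetical.

```php
<?php
// Added example; not code from the listed plugins. Assumes WordPress is loaded.

// Vulnerable shape: reachable without login (nopriv hook), no nonce, no capability
// check, and the path comes straight from the request.
function demo_inspect_file_vulnerable()
{
    $path = $_REQUEST['file'] ?? '';
    wp_send_json(['content' => file_get_contents($path)]);
}
add_action('wp_ajax_demo_inspect_file', 'demo_inspect_file_vulnerable');
add_action('wp_ajax_nopriv_demo_inspect_file', 'demo_inspect_file_vulnerable');

// Hardened handler.
function demo_inspect_file()
{
    // 1. CSRF: the request must carry a nonce minted for this action and this user.
    //    check_ajax_referer() terminates the request when it is missing or stale.
    check_ajax_referer('demo_inspect_file', 'nonce');

    // 2. Authorization: a capability, not "is logged in". A Subscriber is logged in.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }

    // 3. Input: confine to one directory, resolve symlinks, reject traversal.
    $base = realpath(WP_CONTENT_DIR);
    $rel  = (string) wp_unslash($_POST['file'] ?? '');
    $path = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . ltrim($rel, '/\\'));
    if ($base === false || $path === false || !is_file($path)
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        wp_send_json_error(['message' => 'invalid file'], 400);
    }
    wp_send_json_success(['content' => file_get_contents($path)]);
}
// Authenticated users only: no wp_ajax_nopriv_ registration for a privileged action.
add_action('wp_ajax_demo_inspect_file', 'demo_inspect_file');

// The nonce must reach the page script; expose it only on the screen that uses it.
// 'tools_page_demo-inspect' is the hypothetical hook suffix of that screen.
function demo_inspect_file_enqueue($hook)
{
    if ($hook !== 'tools_page_demo-inspect') {
        return;
    }
    wp_enqueue_script('demo-inspect', plugins_url('inspect.js', __FILE__), ['jquery'], '1.0', true);
    wp_localize_script('demo-inspect', 'demoInspect', [
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'nonce'   => wp_create_nonce('demo_inspect_file'),
    ]);
}
add_action('admin_enqueue_scripts', 'demo_inspect_file_enqueue');

// The same two checks on a classic settings form (the CVE-2025-7669 shape): the form
// carries wp_nonce_field('demo_save_settings') and posts to admin-post.php.
function demo_save_settings()
{
    check_admin_referer('demo_save_settings');
    if (!current_user_can('manage_options')) {
        wp_die('forbidden', '', ['response' => 403]);
    }
    // Validate the value for what it is; stored settings are echoed back on admin pages.
    update_option('demo_paypal_email', sanitize_email(wp_unslash($_POST['paypal_email'] ?? '')));
    wp_safe_redirect(wp_get_referer() ?: admin_url('options-general.php'));
    exit;
}
add_action('admin_post_demo_save_settings', 'demo_save_settings');
```

The order matters: the nonce check runs first because it is cheap and stops the forged-request case regardless of who is logged in, the capability check decides whether this user may do this at all, and only then is the input looked at. Nonces are not a substitute for the capability check (a Subscriber can obtain a valid nonce from any page that prints one), and the capability check is not a substitute for the nonce (an administrator passes it while being tricked).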