
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Database totals: 14,273 entries (Critical: 855 | High: 2,814 | Medium: 10,408). This page shows records 3901-3920 of 14,273.

CVE-2025-5567 - Shortcodes Ultimate Plugin (threat entry updated 2025-07-09)

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data-url' DOM element attribute in all versions up to, and including, 7.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Shortcodes Ultimate | CVE-2025-5567 | Severity: MEDIUM | CVSS 6.4 | 2025-07-04

CVE-2025-5933 - Rd Wapp Plugin (threat entry updated 2025-07-08)

The RD Contacto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the rdWappUpdateData() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Rd Wapp | CVE-2025-5933 | Severity: MEDIUM | CVSS 4.3 | 2025-07-04

CVE-2025-5924 - Wp Firebase Push Notification Plugin (threat entry updated 2025-07-10)

The WP Firebase Push Notification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the wfpn_brodcast_notification_message() function. This makes it possible for unauthenticated attackers to send broadcast notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Wp Firebase Push Notification | CVE-2025-5924 | Severity: MEDIUM | CVSS 4.3 | 2025-07-04

CVE-2025-5322 - Vikrentcar Plugin (threat entry updated 2025-07-10)

The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the do_updatecar and createcar functions in all versions up to, and including, 1.4.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.

Plugin: Vikrentcar | CVE-2025-5322 | Severity: HIGH | CVSS 7.2 | 2025-07-03

CVE-2025-5961 - Migration Backup Staging Plugin (threat entry updated 2025-07-09)

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpvivid_upload_import_files' function in all versions up to, and including, 0.9.116. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: Uploaded files are only accessible on WordPress instances running on the NGINX web server as the existing .htaccess within the target file upload folder prevents…

Plugin: Migration Backup Staging | CVE-2025-5961 | Severity: HIGH | CVSS 7.2 | 2025-07-03

CVE-2025-2932 - Jkdevkit Plugin (threat entry updated 2025-07-03)

The JKDEVKIT plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'font_upload_handler' function in all versions up to, and including, 1.9.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). If WooCommerce is enabled, attackers will need Contributor-level access and above.

Plugin: Jkdevkit | CVE-2025-2932 | Severity: HIGH | CVSS 8.8 | 2025-07-03

CVE-2025-2537 - Youtube Video Player Plugin (threat entry updated 2025-07-03)

Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled ThickBox JavaScript library (version 3.1) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Youtube Video Player | CVE-2025-2537 | Severity: MEDIUM | CVSS 6.4 | 2025-07-03

CVE-2025-2540 - Woo 3d Viewer Plugin (threat entry updated 2025-07-03)

Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled prettyPhoto library (version 3.1.6) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Woo 3d Viewer | CVE-2025-2540 | Severity: MEDIUM | CVSS 6.4 | 2025-07-03

CVE-2024-5647 - Bold Page Builder Plugin (threat entry updated 2025-07-03)

Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Magnific Popups library (version 1.1.0) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was fixed in the upstream library (Magnific Popups version 1.2.0) by disabling the loading of HTML within certain fields by default.

Plugin: Bold Page Builder | CVE-2024-5647 | Severity: MEDIUM | CVSS 6.4 | 2025-07-03

CVE-2024-9017 - Groups Plugin (threat entry updated 2025-07-03)

The PeepSo Core: Groups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Group Description field in all versions up to, and including, 6.4.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Groups | CVE-2024-9017 | Severity: HIGH | CVSS 7.2 | 2025-07-03

CVE-2025-5944 - Element Pack Plugin (threat entry updated 2025-07-09)

The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data-caption' attribute in all versions up to, and including, 8.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Element Pack | CVE-2025-5944 | Severity: MEDIUM | CVSS 6.4 | 2025-07-03

CVE-2025-2330 - All In One Addons For Elementor Plugin (threat entry updated 2025-07-10)

The All-in-One Addons for Elementor – WidgetKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button+modal' widget in all versions up to, and including, 2.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: All In One Addons For Elementor | CVE-2025-2330 | Severity: MEDIUM | CVSS 6.4 | 2025-07-02

CVE-2025-6464 - Forminator Plugin (threat entry updated 2025-07-07)

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.44.2 via deserialization of untrusted input in the 'entry_delete_upload_files' function. This makes it possible for unauthenticated attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is…

Plugin: Forminator | CVE-2025-6464 | Severity: HIGH | CVSS 7.5 | 2025-07-02

CVE-2024-13451 - Bit Form Plugin (threat entry updated 2025-07-10)

The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.17.4 via file uploads due to insufficient directory listing prevention and lack of randomization of file names. This makes it possible for unauthenticated attackers to extract sensitive data including files uploaded via a form. The vulnerability was partially patched in version 2.17.5.

Plugin: Bit Form | CVE-2024-13451 | Severity: MEDIUM | CVSS 5.3 | 2025-07-02

CVE-2025-6463 - Forminator Plugin (threat entry updated 2025-07-07)

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'entry_delete_upload_files' function in all versions up to, and including, 1.44.2. This makes it possible for unauthenticated attackers to include arbitrary file paths in a form submission. The file will be deleted when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings. This can easily lead to remote code execution when the right file is…

Plugin: Forminator | CVE-2025-6463 | Severity: HIGH | CVSS 8.8 | 2025-07-02

CVE-2025-6687 - Magic Buttons For Elementor Plugin (threat entry updated 2025-07-08)

The Magic Buttons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's magic-button shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Magic Buttons For Elementor | CVE-2025-6687 | Severity: MEDIUM | CVSS 6.4 | 2025-07-02

CVE-2025-6686 - Magic Buttons For Elementor Plugin (threat entry updated 2025-07-08)

The Magic Buttons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's magic-button shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Magic Buttons For Elementor | CVE-2025-6686 | Severity: MEDIUM | CVSS 6.4 | 2025-07-02

CVE-2025-6459 - Ads Pro Plugin (threat entry updated 2025-07-08)

The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.89. This is due to missing or incorrect nonce validation on the bsaCreateAdTemplate function. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Ads Pro | CVE-2025-6459 | Severity: HIGH | CVSS 8.8 | 2025-07-02

CVE-2025-5746 - Woocommerce Plugin (threat entry updated 2025-07-03)

The Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dnd_upload_cf7_upload_chunks() function in version 5.0 - 5.0.5 (when bundled with the PrintSpace theme) and all versions up to, and including, 1.7.1 (in the standalone version). This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The execution of PHP is disabled via a .htaccess file but is still possible in…

Plugin: Woocommerce | CVE-2025-5746 | Severity: CRITICAL | CVSS 9.8 | 2025-07-02

CVE-2025-6437 - Ads Pro Plugin (threat entry updated 2025-07-08)

The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to SQL Injection via the 'oid' parameter in all versions up to, and including, 4.89 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Ads Pro | CVE-2025-6437 | Severity: HIGH | CVSS 7.5 | 2025-07-02