Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-06-06
CVE-2025-5699 - Developer Formatter Plugin
The Developer Formatter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom CSS in all versions up to, and including, 2015.0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Developer Formatter
CVE-2025-5699
Risk Score
Threat Entry
Updated 2025-06-06
CVE-2025-5563 - Wp Addpub Plugin
The WP-Addpub plugin for WordPress is vulnerable to SQL Injection via the 'wp-addpub' shortcode in all versions up to, and including, 1.2.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Wp Addpub
CVE-2025-5563
Risk Score
Threat Entry
Updated 2025-06-06
CVE-2025-5586 - Cpt Ajax Load More Plugin
The WordPress Ajax Load More and Infinite Scroll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Cpt Ajax Load More
CVE-2025-5586
Risk Score
Threat Entry
Updated 2025-06-06
CVE-2025-5565 - Hide It Plugin
The Hide It plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'hideit' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Hide It
CVE-2025-5565
Risk Score
Threat Entry
Updated 2025-06-06
CVE-2025-5541 - Runners Log Plugin
The Runners Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'runnerslog' shortcode in all versions up to, and including, 3.9.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Runners Log
CVE-2025-5541
Risk Score
Threat Entry
Updated 2025-06-06
CVE-2025-5538 - Bns Featured Category Plugin
The BNS Featured Category plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bnsfc' shortcode in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Bns Featured Category
CVE-2025-5538
Risk Score
Threat Entry
Updated 2025-06-06
CVE-2025-5486 - Wp Email Debug Plugin
The WP Email Debug plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the WPMDBUG_handle_settings() function in versions 1.0 to 1.1.0. This makes it possible for unauthenticated attackers to enable debugging and send all emails to an attacker controlled address and then trigger a password reset for an administrator to gain access to an administrator account.
PLUGIN
Wp Email Debug
CVE-2025-5486
Risk Score
Threat Entry
Updated 2025-06-06
CVE-2025-5536 - Wp Freemind Plugin
The Freemind Viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'freemind' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Freemind
CVE-2025-5536
Risk Score
Threat Entry
Updated 2025-06-06
CVE-2025-5534 - Esv Bible Shortcode For Wordpress Plugin
The ESV Bible Shortcode for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'esv' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Esv Bible Shortcode For Wordpress
CVE-2025-5534
Risk Score
Threat Entry
Updated 2025-06-06
CVE-2025-5533 - Knowledge Base Plugin
The Knowledge Base plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'kbalert' shortcode in all versions up to, and including, 2.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Knowledge Base
CVE-2025-5533
Risk Score
Threat Entry
Updated 2025-06-06
CVE-2025-5019 - Hive Support Plugin
The Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing or incorrect nonce validation on the hs_update_ai_chat_settings() function. This makes it possible for unauthenticated attackers to reconfigure the plugin’s AI/chat settings (including API keys) and to potentially redirect notifications or leak data to attacker-controlled endpoints via a forged request granted they can trick a site administrator into performing an action such as…
PLUGIN
Hive Support
CVE-2025-5019
Risk Score
Threat Entry
Updated 2025-06-06
CVE-2025-5018 - Hive Support Plugin
The Hive Support plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and overwrite the site’s OpenAI API key and inspection data or modify AI-chat prompts and behavior. This vulnerability is potentially a duplicate of CVE-2025-32208 or/and CVE-2025-32242.
PLUGIN
Hive Support
CVE-2025-5018
Risk Score
Threat Entry
Updated 2025-07-10
CVE-2025-4966 - Wp Online Users Stats Plugin
The WP Online Users Stats plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation within the hk_dataset_results() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Wp Online Users Stats
CVE-2025-4966
Risk Score
Threat Entry
Updated 2025-07-10
CVE-2025-4964 - Wp Online Users Stats Plugin
The WP Online Users Stats plugin for WordPress is vulnerable to time-based SQL Injection via the ‘table_name’ parameter in all versions up to, and including, 1.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Wp Online Users Stats
CVE-2025-4964
Risk Score
Threat Entry
Updated 2025-06-06
CVE-2025-2935 - Stop Spammer Registrations Plugin
The Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2024.7. This is due to missing or incorrect nonce validation in the 'ss_option_maint.php' and 'ss_user_filter_list' files. This makes it possible for unauthenticated attackers to delete pending comments, and re-enable a previously blocked user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Stop Spammer Registrations
CVE-2025-2935
Risk Score
Threat Entry
Updated 2025-06-06
CVE-2025-1777 - Bm Content Builder Plugin
The BM Content Builder plugin for WordPress is vulnerable to unauthorized modification of data to a missing capability check on the 'ux_cb_page_options_save' function in all versions up to, and including, 3.16.2.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Bm Content Builder
CVE-2025-1777
Risk Score
Threat Entry
Updated 2025-06-10
CVE-2023-2921 - Short Url Plugin
The Short URL WordPress plugin through 1.6.8 does not properly sanitise and escape a parameter before using it in SQL statement, leading to a SQL injection exploitable by users with relatively low privilege on the site, like subscribers.
PLUGIN
Short Url
CVE-2023-2921
Risk Score
Threat Entry
Updated 2025-06-06
CVE-2025-5733 - Modern Events Calendar Lite Plugin
The Modern Events Calendar Lite plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 7.21.9. This is due improper or insufficient validation of the id property when exporting calendars. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
PLUGIN
Modern Events Calendar Lite
CVE-2025-5733
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2025-5701 - Hypercomments Plugin
The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hc_request_handler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
PLUGIN
Hypercomments
CVE-2025-5701
Risk Score
Threat Entry
Updated 2025-07-10
CVE-2025-5341 - Forminator Forms Plugin
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id' and 'data-size’ parameters in all versions up to, and including, 1.44.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Forminator Forms
CVE-2025-5341
Risk Score