
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 14,273 | Critical: 855 | High: 2,814 | Medium: 10,408
Showing 4141-4160 of 14273 records
Threat Entry Updated 2025-05-30

CVE-2025-4944 - Lastudio Element Kit Plugin

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Compare and Google Maps widgets in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Lastudio Element Kit

CVE-2025-4944

MEDIUM CVSS 6.4 2025-05-30
Threat Entry Updated 2025-06-04

CVE-2025-5235 - Opensheetmusicdisplay Plugin

The OpenSheetMusicDisplay plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Opensheetmusicdisplay

CVE-2025-5235

MEDIUM CVSS 6.4 2025-05-30
Threat Entry Updated 2025-06-04

CVE-2025-5142 - Simple Page Access Restriction Plugin

The Simple Page Access Restriction plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.31. This is due to missing nonce validation and capability checks in the settings save handler in the settings.php script. This makes it possible for unauthenticated attackers to (1) enable or disable access protection on all post types or taxonomies, (2) force every new page/post to be public or private, regardless of meta-box settings, (3) cause a silent wipe of all plugin data when it’s later removed, or (4)…

PLUGIN Simple Page Access Restriction

CVE-2025-5142

MEDIUM CVSS 6.5 2025-05-30
Threat Entry Updated 2025-06-04

CVE-2025-5236 - Chat For Telegram Plugin

The NinjaTeam Chat for Telegram plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘username’ parameter in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Chat For Telegram

CVE-2025-5236

MEDIUM CVSS 6.4 2025-05-30
Threat Entry Updated 2025-06-04

CVE-2025-4431 - Featured Image Plus Plugin

The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fip_save_attach_featured function in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the featured image of any post.

PLUGIN Featured Image Plus

CVE-2025-4431

MEDIUM CVSS 4.3 2025-05-30
Threat Entry Updated 2025-06-04

CVE-2025-4943 - Element Kit For Elementor Plugin

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-lakit-element-link’ parameter in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Element Kit For Elementor

CVE-2025-4943

MEDIUM CVSS 6.4 2025-05-30
Threat Entry Updated 2025-05-30

CVE-2025-5259 - Minimal Share Buttons Plugin

The Minimal Share Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ parameter in all versions up to, and including, 1.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Minimal Share Buttons

CVE-2025-5259

MEDIUM CVSS 6.4 2025-05-30
Threat Entry Updated 2025-06-09

CVE-2025-4429 - Gearside Developer Dashboard Plugin

The Gearside Developer Dashboard WordPress plugin through 1.0.72 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Gearside Developer Dashboard

CVE-2025-4429

MEDIUM CVSS 6.1 2025-05-30
Threat Entry Updated 2025-05-30

CVE-2025-4659 - Ninja Forms Plugin

The Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

PLUGIN Ninja Forms

CVE-2025-4659

MEDIUM CVSS 5.3 2025-05-30
Threat Entry Updated 2025-05-29

CVE-2025-5286 - Bold Page Builder Plugin

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘additional_settings’ parameter in all versions up to, and including, 5.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Bold Page Builder

CVE-2025-5286

MEDIUM CVSS 6.4 2025-05-29
Threat Entry Updated 2025-05-29

CVE-2025-5122 - Map Block Leaflet Plugin

The Map Block Leaflet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Map Block Leaflet

CVE-2025-5122

MEDIUM CVSS 6.4 2025-05-29
Threat Entry Updated 2025-08-12

CVE-2025-4670 - Easy Digital Downloads Plugin

The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's edd_receipt shortcode in all versions up to, and including, 3.3.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Easy Digital Downloads

CVE-2025-4670

MEDIUM CVSS 6.4 2025-05-29
Threat Entry Updated 2025-05-29

CVE-2025-4583 - Instagram Feed Plugin

The Smash Balloon Social Photo Feed – Easy Social Feeds Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-plugin` attribute in all versions up to, and including, 6.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Instagram Feed

CVE-2025-4583

MEDIUM CVSS 5.4 2025-05-29
Threat Entry Updated 2025-05-28

CVE-2025-4963 - Wpextended Plugin

The WP Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Wpextended

CVE-2025-4963

MEDIUM CVSS 6.4 2025-05-28
Threat Entry Updated 2025-05-28

CVE-2025-5287 - Inprosysmedia Likes Dislikes Post Plugin

The Likes and Dislikes Plugin plugin for WordPress is vulnerable to SQL Injection via the 'post' parameter in all versions up to, and including, 1.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Inprosysmedia Likes Dislikes Post

CVE-2025-5287

HIGH CVSS 7.5 2025-05-28
Threat Entry Updated 2025-05-28

CVE-2025-5082 - Wp Attachments Plugin

The WP Attachments plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘attachment_id’ parameter in all versions up to, and including, 5.0.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Wp Attachments

CVE-2025-5082

MEDIUM CVSS 6.1 2025-05-28
Threat Entry Updated 2025-05-28

CVE-2025-4800 - Masterstudy Lms Pro Plugin

The MasterStudy LMS Pro plugin for WordPress is vulnerable to arbitrary file uploads due to a missing file type validation in the stm_lms_add_assignment_attachment function in all versions up to, and including, 4.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.

PLUGIN Masterstudy Lms Pro

CVE-2025-4800

HIGH CVSS 8.8 2025-05-28
Threat Entry Updated 2025-05-28

CVE-2025-5117 - Property Plugin

The Property plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the use of the property_package_user_role metadata in versions 1.0.5 to 1.0.6. This makes it possible for authenticated attackers, with Author-level access and above, to elevate their privileges to that of an administrator by creating a package post whose property_package_user_role is set to administrator and then submitting the PayPal registration form.

PLUGIN Property

CVE-2025-5117

HIGH CVSS 8.8 2025-05-27
Threat Entry Updated 2025-07-07

CVE-2025-4683 - Mstore Api Plugin

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_blog function in all versions up to, and including, 4.17.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new posts.

PLUGIN Mstore Api

CVE-2025-4683

MEDIUM CVSS 4.3 2025-05-27
Threat Entry Updated 2025-05-28

CVE-2025-4682 - Essential Blocks Plugin

The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via HTML attributes in Slider and Post Carousel widgets in all versions up to, and including, 5.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Essential Blocks

CVE-2025-4682

MEDIUM CVSS 6.4 2025-05-27