Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 14,273 | Critical: 855 | High: 2,814 | Medium: 10,408
Showing 4161-4180 of 14273 records
Threat Entry Updated 2025-08-12

CVE-2025-4783 - Exclusive Addons For Elementor Plugin

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HTML attributes of the Countdown Timer Widget in all versions up to, and including, 2.7.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Exclusive Addons For Elementor

CVE-2025-4783

MEDIUM CVSS 6.4 2025-05-27
Threat Entry Updated 2025-05-28

CVE-2025-4223 - Drag And Drop Website Builder Plugin

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘login_url’ parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. A valid username/password pair needs to be supplied in order to be successfully exploited and any injected scripts…

PLUGIN Drag And Drop Website Builder

CVE-2025-4223

MEDIUM CVSS 4.7 2025-05-24
Threat Entry Updated 2025-07-11

CVE-2025-5058 - Emagicone Store Manager For Woocommerce Plugin

The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_image() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This is only exploitable by unauthenticated attackers in default configurations where the default password is left as 1:1, or where the attacker gains access to the credentials.

PLUGIN Emagicone Store Manager For Woocommerce

CVE-2025-5058

CRITICAL CVSS 9.8 2025-05-24
Threat Entry Updated 2025-07-11

CVE-2025-4603 - Emagicone Store Manager For Woocommerce Plugin

The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This is only exploitable by unauthenticated attackers in default configurations where the default password is left as 1:1, or where the attacker gains access to…

PLUGIN Emagicone Store Manager For Woocommerce

CVE-2025-4603

CRITICAL CVSS 9.1 2025-05-24
Threat Entry Updated 2025-07-11

CVE-2025-4602 - Emagicone Store Manager For Woocommerce Plugin

The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Reads in all versions up to, and including, 1.2.5 via the get_file() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. This is only exploitable by unauthenticated attackers in default configurations where the default password is left as 1:1, or where the attacker gains access to the credentials.

PLUGIN Emagicone Store Manager For Woocommerce

CVE-2025-4602

MEDIUM CVSS 5.9 2025-05-24
Threat Entry Updated 2025-07-11

CVE-2025-4336 - Emagicone Store Manager For Woocommerce Plugin

The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This is only exploitable by unauthenticated attackers in default configurations where the default password is left as 1:1, or where the attacker gains access to the credentials.

PLUGIN Emagicone Store Manager For Woocommerce

CVE-2025-4336

HIGH CVSS 8.1 2025-05-24
Threat Entry Updated 2025-05-28

CVE-2025-5055 - Smart Forms Plugin

The Smart Forms – when you need more than just a contact form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.6.98 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Smart Forms

CVE-2025-5055

MEDIUM CVSS 4.4 2025-05-24
Threat Entry Updated 2025-05-28

CVE-2024-13427 - Drag And Drop Website Builder Plugin

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button widget in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in version 1.9.9 and completely fixed in version 2.0.1.

PLUGIN Drag And Drop Website Builder

CVE-2024-13427

MEDIUM CVSS 6.4 2025-05-24
Threat Entry Updated 2025-05-28

CVE-2025-3869 - 4stats Plugin

The 4stats plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the stats/stats.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN 4stats

CVE-2025-3869

MEDIUM CVSS 6.1 2025-05-24
Threat Entry Updated 2025-12-05

CVE-2025-47658 - Wsdesk Plugin

Unrestricted Upload of File with Dangerous Type vulnerability in ELEXtensions ELEX WordPress HelpDesk & Customer Ticketing System allows Upload a Web Shell to a Web Server. This issue affects ELEX WordPress HelpDesk & Customer Ticketing System: from n/a through 3.2.7.

PLUGIN Wsdesk

CVE-2025-47658

CRITICAL CVSS 9.9 2025-05-23
Threat Entry Updated 2026-01-28

CVE-2025-39485 - Grand Tour Plugin

Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Tour | Travel Agency WordPress allows Object Injection. This issue affects Grand Tour | Travel Agency WordPress: from n/a through 5.5.1.

PLUGIN Grand Tour

CVE-2025-39485

CRITICAL CVSS 9.8 2025-05-23
Threat Entry Updated 2025-05-23

CVE-2025-1123 - Smtp Email And Logging Made By Solidwp Plugin

The Solid Mail – SMTP email and logging made by SolidWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email Name, Subject, and Body in all versions up to, and including, 2.1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Smtp Email And Logging Made By Solidwp

CVE-2025-1123

HIGH CVSS 7.2 2025-05-23
Threat Entry Updated 2025-07-11

CVE-2025-5096 - Tablepress Plugin

The TablePress plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the 'data-caption', 'data-s-content-padding', 'data-s-title', and 'data-footer' data-attributes in all versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Tablepress

CVE-2025-5096

MEDIUM CVSS 6.4 2025-05-23
Threat Entry Updated 2025-07-11

CVE-2025-4594 - Tournamatch Plugin

The Tournamatch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trn-ladder-registration-button' shortcode in all versions up to, and including, 4.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Tournamatch

CVE-2025-4594

MEDIUM CVSS 6.4 2025-05-23
Threat Entry Updated 2025-07-17

CVE-2025-4405 - Hot Random Image Plugin

The Hot Random Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter in all versions up to, and including, 1.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Hot Random Image

CVE-2025-4405

MEDIUM CVSS 4.9 2025-05-22
Threat Entry Updated 2025-07-17

CVE-2025-4419 - Hot Random Image Plugin

The Hot Random Image plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.9.2 via the 'path' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to access arbitrary images with allowed extensions, outside of the originally intended directory.

PLUGIN Hot Random Image

CVE-2025-4419

MEDIUM CVSS 4.3 2025-05-22
Threat Entry Updated 2025-05-23

CVE-2024-9544 - Mapsvg Plugin

The MapSVG plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 8.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Mapsvg

CVE-2024-9544

MEDIUM CVSS 6.4 2025-05-22
Threat Entry Updated 2025-06-09

CVE-2025-4133 - Before 8 Plugin

The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 8.4.0 does not escape the title of posts when outputting them in a dashboard, which could allow users with the contributor role to perform Cross-Site Scripting attacks.

PLUGIN Before 8

CVE-2025-4133

MEDIUM CVSS 5.4 2025-05-22
Threat Entry Updated 2025-09-30

CVE-2025-5062 - Woocommerce Plugin

The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Woocommerce

CVE-2025-5062

MEDIUM CVSS 6.1 2025-05-22
Threat Entry Updated 2025-05-21

CVE-2025-4803 - Best Glossary Plugin

The Glossary by WPPedia – Best Glossary plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.0 via deserialization of untrusted input from the 'posttypes' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present…

PLUGIN Best Glossary

CVE-2025-4803

HIGH CVSS 7.2 2025-05-21