
Threat Database

Showing 4181-4200 of 14273 records
Threat Entry Updated 2025-05-21

CVE-2025-4611 - Automated Wordpress Seo Plugin

The Slim SEO – Fast & Automated WordPress SEO Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's slim_seo_breadcrumbs shortcode in all versions up to, and including, 4.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Automated Wordpress Seo

CVE-2025-4611

MEDIUM CVSS 6.4 2025-05-21
Threat Entry Updated 2025-05-21

CVE-2025-4221 - Animated Buttons Plugin

The Animated Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'auto-downloader' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Animated Buttons

CVE-2025-4221

MEDIUM CVSS 6.4 2025-05-21
Threat Entry Updated 2025-05-21

CVE-2025-4219 - Dpepress Plugin

The DPEPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dpe' shortcode in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Dpepress

CVE-2025-4219

MEDIUM CVSS 6.4 2025-05-21
Threat Entry Updated 2025-05-21

CVE-2025-4217 - Wp Youtube Video Optimizer Plugin

The WP YouTube Video Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ib_youtube' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Youtube Video Optimizer

CVE-2025-4217

MEDIUM CVSS 6.4 2025-05-21
Threat Entry Updated 2025-05-21

CVE-2025-4105 - Splitit Installment Payments Plugin

The Splitit plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on several functions in the 'splitIt-flexfields-payment-gateway.php' file in all versions up to, and including, 4.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change plugin settings, including changing the environment from sandbox to production and vice versa.

PLUGIN Splitit Installment Payments

CVE-2025-4105

MEDIUM CVSS 5.4 2025-05-21
Threat Entry Updated 2025-05-21

CVE-2025-3781 - Raisely Donation Form Plugin

The Raisely Donation Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's raisely_donation_form shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Raisely Donation Form

CVE-2025-3781

MEDIUM CVSS 6.4 2025-05-21
Threat Entry Updated 2025-05-21

CVE-2025-3750 - Network Posts Extended Plugin

The Network Posts Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_height' parameter in all versions up to, and including, 7.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Network Posts Extended

CVE-2025-3750

MEDIUM CVSS 6.4 2025-05-21
Threat Entry Updated 2025-05-21

CVE-2024-12561 - Affiliate Sales In Google Analytics And Other Tools Plugin

The Affiliate Sales in Google Analytics and other tools plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.4.9. This is due to insufficient validation on the redirect url supplied via the 'afflink' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

PLUGIN Affiliate Sales In Google Analytics And Other Tools

CVE-2024-12561

MEDIUM CVSS 6.1 2025-05-21
Threat Entry Updated 2025-05-21

CVE-2024-5878 - Nextgen Gallery Plugin

Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled SimpleLightbox JavaScript library (version 2.1.5) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Nextgen Gallery

CVE-2024-5878

MEDIUM CVSS 6.4 2025-05-20
Threat Entry Updated 2025-06-12

CVE-2025-2929 - Order Delivery Date Plugin

The Order Delivery Date WordPress plugin before 12.4.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Order Delivery Date

CVE-2025-2929

HIGH CVSS 7.1 2025-05-20
Threat Entry Updated 2026-01-22

CVE-2025-39352 - Grand Restaurant Plugin

Missing Authorization vulnerability in ThemeGoods Grand Restaurant WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Grand Restaurant WordPress: from n/a through 7.0.

PLUGIN Grand Restaurant

CVE-2025-39352

HIGH CVSS 8.2 2025-05-19
Threat Entry Updated 2025-05-29

CVE-2025-39348 - Grand Restaurant Plugin

Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant WordPress allows Object Injection. This issue affects Grand Restaurant WordPress: from n/a through 7.0.

PLUGIN Grand Restaurant

CVE-2025-39348

CRITICAL CVSS 9.8 2025-05-19
Threat Entry Updated 2025-06-09

CVE-2025-32926 - Grand Restaurant Plugin

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ThemeGoods Grand Restaurant WordPress allows Path Traversal. This issue affects Grand Restaurant WordPress: from n/a through 7.0.

PLUGIN Grand Restaurant

CVE-2025-32926

CRITICAL CVSS 9.8 2025-05-19
Threat Entry Updated 2025-05-21

CVE-2025-39411 - Plugins Whatsapp Click To Chat

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Indie_Plugins WhatsApp Click to Chat Plugin for WordPress. This issue affects WhatsApp Click to Chat Plugin for WordPress: from n/a through 2.2.12.

PLUGIN Plugins Whatsapp Click To Chat

CVE-2025-39411

HIGH CVSS 7.5 2025-05-19
Threat Entry Updated 2026-01-22

CVE-2025-39353 - Grand Restaurant Plugin

Missing Authorization vulnerability in ThemeGoods Grand Restaurant WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Grand Restaurant WordPress: from n/a through 7.0.

PLUGIN Grand Restaurant

CVE-2025-39353

MEDIUM CVSS 5.3 2025-05-19
Threat Entry Updated 2026-01-22

CVE-2025-39351 - Grand Restaurant Plugin

Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Restaurant WordPress allows Cross Site Request Forgery. This issue affects Grand Restaurant WordPress: from n/a through 7.0.

PLUGIN Grand Restaurant

CVE-2025-39351

MEDIUM CVSS 4.3 2025-05-19
Threat Entry Updated 2026-01-09

CVE-2025-2561 - Ninja Forms Plugin

The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Ninja Forms

CVE-2025-2561

MEDIUM CVSS 4.8 2025-05-19
Threat Entry Updated 2026-01-09

CVE-2025-2560 - Before 3 Plugin

The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 3

CVE-2025-2560

MEDIUM CVSS 4.8 2025-05-19
Threat Entry Updated 2026-01-09

CVE-2025-2524 - Ninja Forms Plugin

The Ninja Forms WordPress plugin before 3.10.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Ninja Forms

CVE-2025-2524

MEDIUM CVSS 4.8 2025-05-19