Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-05-16
CVE-2025-4169 - Unmaintained Plugin
The Posts per Cat [Unmaintained plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ppc' shortcode in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Unmaintained
CVE-2025-4169
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2025-2248 - Wp Pmanager Plugin
The WP-PManager WordPress plugin through 1.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
PLUGIN
Wp Pmanager
CVE-2025-2248
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2025-2203 - Before 3 Plugin
The FunnelKit WordPress plugin before 3.10.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
PLUGIN
Before 3
CVE-2025-2203
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2025-2247 - Wp Pmanager Plugin
The WP-PManager WordPress plugin through 1.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Wp Pmanager
CVE-2025-2247
Risk Score
Threat Entry
Updated 2025-08-01
CVE-2025-1303 - Plugin Oficial
The Plugin Oficial WordPress plugin through 1.7.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.
PLUGIN
Plugin Oficial
CVE-2025-1303
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2025-1288 - Wooexim Plugin
The WOOEXIM WordPress plugin through 5.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make an unauthenticated user vulnerable to reflected XSS via a CSRF attack.
PLUGIN
Wooexim
CVE-2025-1288
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2025-1286 - Download Html Tinymce Button Plugin
The Download HTML TinyMCE Button WordPress plugin through 1.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Download Html Tinymce Button
CVE-2025-1286
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2025-1454 - Ninja Pages Plugin
The Ninja Pages WordPress plugin through 1.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Ninja Pages
CVE-2025-1454
Risk Score
Threat Entry
Updated 2025-08-01
CVE-2025-1289 - Plugin Oficial
The Plugin Oficial WordPress plugin through 1.7.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Plugin Oficial
CVE-2025-1289
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2025-1033 - Badgearoo Plugin
The Badgearoo WordPress plugin through 1.0.14 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Badgearoo
CVE-2025-1033
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2024-9831 - Before 3 Plugin
The Taskbuilder WordPress plugin before 3.0.9 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
PLUGIN
Before 3
CVE-2024-9831
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2024-9765 - Ekc Tournament Manager Plugin
The EKC Tournament Manager WordPress plugin before 2.2.2 allows a logged in admin to download system files outside of the WordPress directory
PLUGIN
Ekc Tournament Manager
CVE-2024-9765
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2025-0688 - Spiritual Gifts Survey And Optional S H A P E Survey Plugin
The Spiritual Gifts Survey (and optional S.H.A.P.E survey) WordPress plugin through 0.9.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.
PLUGIN
Spiritual Gifts Survey And Optional S H A P E Survey
CVE-2025-0688
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2025-0687 - Spiritual Gifts Survey And Optional S H A P E Survey Plugin
The Spiritual Gifts Survey (and optional S.H.A.P.E survey) WordPress plugin through 0.9.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.
PLUGIN
Spiritual Gifts Survey And Optional S H A P E Survey
CVE-2025-0687
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2024-9879 - Melapress File Monitor Plugin
The Melapress File Monitor WordPress plugin before 2.1.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
PLUGIN
Melapress File Monitor
CVE-2024-9879
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2024-9838 - Auto Affiliate Links Plugin
The Auto Affiliate Links WordPress plugin before 6.4.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
PLUGIN
Auto Affiliate Links
CVE-2024-9838
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2024-9711 - Ekc Tournament Manager Plugin
The EKC Tournament Manager WordPress plugin before 2.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Ekc Tournament Manager
CVE-2024-9711
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2024-9709 - Ekc Tournament Manager Plugin
The EKC Tournament Manager WordPress plugin before 2.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Ekc Tournament Manager
CVE-2024-9709
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2024-9663 - Before 2 Plugin
The CYAN Backup WordPress plugin before 2.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 2
CVE-2024-9663
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2025-0329 - Ai Chatbot For Wordpress Plugin
The AI ChatBot for WordPress WordPress plugin before 6.2.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Ai Chatbot For Wordpress
CVE-2025-0329
Risk Score