Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 4621-4640 of 14273 records
Threat Entry Updated 2025-04-21

CVE-2025-3278 - Urbango Membership Plugin

The UrbanGo Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.4. This is due to the plugin allowing users who are registering new accounts to set their own role by supplying the 'user_register_role' field. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.

PLUGIN Urbango Membership

CVE-2025-3278

CRITICAL CVSS 9.8 2025-04-19
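
Added example, not the UrbanGo plugin's code: the registration pattern this entry describes next to a hardened version. In the hardened handler the client-supplied 'user_register_role' field is never handed to wp_insert_user(); the role comes from the site's default_role option or from a server-side allowlist that cannot contain privileged roles. Function and option names are assumptions.

```php
<?php
// Added example (not the UrbanGo plugin's code). Same registration handler in
// its vulnerable and hardened forms; names prefixed example_ are hypothetical.

// Vulnerable: the role is whatever the request says it is, so an unauthenticated
// visitor can POST user_register_role=administrator along with the form.
function example_register_vulnerable() {
    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['user_pass'] ?? '' ),
        'role'       => sanitize_text_field( wp_unslash( $_POST['user_register_role'] ?? 'subscriber' ) ),
    );
    return wp_insert_user( $userdata );
}

// Roles a visitor may pick for themselves: configured by the site owner
// (hypothetical option), must exist, and can never be a privileged role.
function example_allowed_self_registration_roles() {
    $configured = (array) get_option( 'example_self_registration_roles', array() );
    $privileged = array( 'administrator', 'editor', 'author', 'shop_manager' );
    $allowed    = array();
    foreach ( $configured as $role ) {
        if ( get_role( $role ) && ! in_array( $role, $privileged, true ) ) {
            $allowed[] = $role;
        }
    }
    return $allowed;
}

// Hardened: the role is decided server-side. The request may only choose among
// the allowlisted roles; anything else falls back to the site default.
function example_register_hardened() {
    $requested = sanitize_key( wp_unslash( $_POST['user_register_role'] ?? '' ) );
    $role      = get_option( 'default_role', 'subscriber' );
    if ( '' !== $requested && in_array( $requested, example_allowed_self_registration_roles(), true ) ) {
        $role = $requested;
    }
    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['user_pass'] ?? '' ),
        'role'       => $role,
    );
    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    // Defence in depth: if some other filter altered the role, a self-registered
    // account is still never allowed to hold manage_options.
    $user = get_userdata( $user_id );
    if ( $user && $user->has_cap( 'manage_options' ) ) {
        $user->set_role( get_option( 'default_role', 'subscriber' ) );
    }
    return $user_id;
}
```

To check an affected site for abuse, list administrator accounts by creation date (`wp user list --role=administrator --fields=user_login,user_email,user_registered`) and compare against the accounts you expect; a registration request carrying `user_register_role` in its POST body is also worth a web-server log search.
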
Threat Entry Updated 2025-04-21

CVE-2025-2010 - JobWP Plugin

The JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin plugin for WordPress is vulnerable to SQL Injection via the 'jobwp_upload_resume' parameter in all versions up to, and including, 2.3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN JobWP

CVE-2025-2010

HIGH CVSS 7.5 2025-04-19
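
Added example, not JobWP's code: the same lookup written the injectable way the entry describes (request value spliced into the SQL string) and the prepared way ($wpdb->prepare() binds the value as data). The table and column names are hypothetical.

```php
<?php
// Added example (not JobWP's code). Table/column names are hypothetical.

// Vulnerable: the parameter becomes part of the SQL text. An input such as
//   x' OR '1'='1
// changes the query's logic; a UNION SELECT in the same spot is what turns it
// into the data-extraction primitive the advisory describes.
function example_find_resume_vulnerable( $file ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_resumes';
    $sql   = "SELECT id, applicant_email FROM {$table} WHERE file_name = '" . $file . "'";
    return $wpdb->get_results( $sql );
}

// Hardened: prepare() sends the value as a bound parameter, never as SQL.
// The table name is still built from the trusted prefix, not from the request.
function example_find_resume_hardened( $file ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_resumes';
    $file  = sanitize_file_name( wp_unslash( $file ) );
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, applicant_email FROM {$table} WHERE file_name = %s", $file )
    );
}

// When the value feeds a LIKE pattern, escape the wildcards separately so a
// caller cannot turn a lookup into a match-everything scan.
function example_search_resume_hardened( $fragment ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'example_resumes';
    $pattern = '%' . $wpdb->esc_like( sanitize_text_field( wp_unslash( $fragment ) ) ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id FROM {$table} WHERE file_name LIKE %s", $pattern )
    );
}
```

A quick audit for this class of bug: every `$wpdb->query()`, `get_results()`, `get_var()` or `get_row()` whose argument is a double-quoted string mentioning `$_POST`, `$_GET` or `$_REQUEST` needs a `prepare()` around it.
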
Threat Entry Updated 2025-04-21

CVE-2025-3284 - User Registration & Membership Plugin

The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.1.3. This is due to missing or incorrect nonce validation on the user_registration_pro_delete_account() function. This makes it possible for unauthenticated attackers to force delete users, including administrators, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN User Registration & Membership

CVE-2025-3284

MEDIUM CVSS 4.3 2025-04-19
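
Added example, not the User Registration & Membership plugin's code: an AJAX delete-account handler with no nonce check, beside one that verifies the nonce (the CSRF control) and then checks capability and ownership (the authorization control). Handler names, the nonce action and the 'security' field name are assumptions.

```php
<?php
// Added example (not the plugin's code). Handler and nonce action names are hypothetical.

// Vulnerable: an administrator who loads an attacker's page sends this request
// with their own cookies, and nothing proves it came from the plugin's UI.
function example_delete_account_vulnerable() {
    $user_id = (int) ( $_POST['user_id'] ?? 0 );
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $user_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_account_vulnerable', 'example_delete_account_vulnerable' );

// Hardened: nonce first (is this request from our own page?), then authorization
// (is this user allowed to delete that account?). A nonce alone never answers the
// second question.
function example_delete_account_hardened() {
    // Dies with a 403 unless the 'security' field carries a valid nonce for this action.
    check_ajax_referer( 'example_delete_account', 'security' );

    $current = get_current_user_id();
    $target  = (int) ( $_POST['user_id'] ?? 0 );
    if ( $target <= 0 ) {
        wp_send_json_error( 'invalid user', 400 );
    }
    // Members may delete only themselves; staff need delete_users; administrator
    // accounts are never deletable through this front-end path.
    if ( $target !== $current && ! current_user_can( 'delete_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( user_can( $target, 'manage_options' ) ) {
        wp_send_json_error( 'administrators cannot be deleted here', 403 );
    }
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $target );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_account_hardened', 'example_delete_account_hardened' );

// The page that triggers the deletion must embed the matching nonce; the
// attacker's page cannot, because nonces are tied to the victim's session.
function example_delete_account_button() {
    return '<button data-nonce="' . esc_attr( wp_create_nonce( 'example_delete_account' ) ) . '">Delete my account</button>';
}
```
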
Threat Entry Updated 2025-04-21

CVE-2025-3106 - La Studio Element Kit For Elementor Plugin

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Table of Contents widget in all versions up to, and including, 1.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN La Studio Element Kit For Elementor

CVE-2025-3106

MEDIUM CVSS 6.4 2025-04-18
Threat Entry Updated 2025-04-21

CVE-2025-3056 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.3.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Download Manager

CVE-2025-3056

MEDIUM CVSS 5.4 2025-04-18
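
Added example, not the Download Manager plugin's code: two independent controls for SVG uploads. The first inspects the file before WordPress stores it and rejects anything carrying script, event-handler attributes, embedded documents or javascript: references; the second sets response headers so that an SVG the plugin serves itself cannot execute script in the site's origin. Function names are assumptions.

```php
<?php
// Added example (not the Download Manager plugin's code). Function names are hypothetical.

// Parse the SVG (no network access, and never LIBXML_NOENT) and walk every
// element and attribute. A DOM walk is far more reliable than a regex over bytes.
function example_svg_is_safe( string $svg ): bool {
    $previous = libxml_use_internal_errors( true );
    $doc = new DOMDocument();
    $ok  = $doc->loadXML( $svg, LIBXML_NONET );
    libxml_clear_errors();
    libxml_use_internal_errors( $previous );
    if ( ! $ok || 'svg' !== strtolower( $doc->documentElement->localName ) ) {
        return false;
    }
    $banned_elements = array( 'script', 'foreignobject', 'iframe', 'embed', 'object', 'use' );
    foreach ( $doc->getElementsByTagName( '*' ) as $el ) {
        if ( in_array( strtolower( $el->localName ), $banned_elements, true ) ) {
            return false;
        }
        foreach ( $el->attributes as $attr ) {
            $name  = strtolower( $attr->localName );
            $value = strtolower( trim( $attr->value ) );
            if ( 0 === strpos( $name, 'on' ) ) {          // onload, onclick, onmouseover ...
                return false;
            }
            if ( in_array( $name, array( 'href', 'src' ), true )   // covers xlink:href as well
                 && ( 0 === strpos( $value, 'javascript:' ) || 0 === strpos( $value, 'data:' ) ) ) {
                return false;
            }
        }
    }
    return true;
}

// Run the check in the upload pipeline; setting $file['error'] makes WordPress
// reject the upload before the file is written.
function example_check_svg_upload( array $file ) {
    $ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    if ( 'image/svg+xml' === $file['type'] || 'svg' === $ext ) {
        $contents = file_get_contents( $file['tmp_name'] );
        if ( false === $contents || ! example_svg_is_safe( $contents ) ) {
            $file['error'] = 'SVG files containing script or external references are not accepted.';
        }
    }
    return $file;
}
add_filter( 'wp_handle_upload_prefilter', 'example_check_svg_upload' );

// Second line of defence when the plugin serves the file itself: forbid script via
// CSP and make the browser download rather than render the document.
function example_send_svg_headers() {
    header( 'Content-Type: image/svg+xml' );
    header( "Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'" );
    header( 'Content-Disposition: attachment' );
    header( 'X-Content-Type-Options: nosniff' );
}
```

The simplest option remains not accepting SVG from Author-level users at all; where a site needs it, both controls above are cheap and the header control protects files that were uploaded before the content check existed.
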
Threat Entry Updated 2025-04-21

CVE-2025-3598 - Woo Coupon Usage Plugin

The Coupon Affiliates – Affiliate Plugin for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the commission_summary parameter in all versions up to, and including, 6.3.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Woo Coupon Usage

CVE-2025-3598

MEDIUM CVSS 6.1 2025-04-18
Threat Entry Updated 2025-05-28

CVE-2025-2162 - MapPress Maps For WordPress Plugin

The MapPress Maps for WordPress plugin before 2.94.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN MapPress Maps For WordPress

CVE-2025-2162

MEDIUM CVSS 4.8 2025-04-18
Threat Entry Updated 2025-04-21

CVE-2025-3520 - Avatar Plugin

The Avatar plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to, and including, 0.1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Avatar

CVE-2025-3520

HIGH CVSS 8.1 2025-04-18
Threat Entry Updated 2025-04-21

CVE-2024-13650 - Piotnet Addons For Elementor Plugin

The Piotnet Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'PAFE Before After Image Comparison Slider' widget in all versions up to, and including, 2.4.34 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Piotnet Addons For Elementor

CVE-2024-13650

MEDIUM CVSS 6.4 2025-04-18
Threat Entry Updated 2025-04-21

CVE-2025-2613 - Customized Login Plugin

The Login Manager – Design Login Page, View Login Activity, Limit Login Attempts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Custom logo and background URLs in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Customized Login

CVE-2025-2613

MEDIUM CVSS 4.4 2025-04-18
Threat Entry Updated 2025-04-17

CVE-2025-39431 - Amazon Showcase WordPress Plugin

Cross-Site Request Forgery (CSRF) vulnerability in Aaron Forgue Amazon Showcase WordPress Plugin allows Stored XSS. This issue affects Amazon Showcase WordPress Plugin: from n/a through 2.2.

PLUGIN Amazon Showcase

CVE-2025-39431

HIGH CVSS 7.1 2025-04-17
Threat Entry Updated 2025-05-28

CVE-2025-3487 - Forminator Forms Plugin

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'limit' parameter in all versions up to, and including, 1.42.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Forminator Forms

CVE-2025-3487

MEDIUM CVSS 6.4 2025-04-17
Threat Entry Updated 2025-05-28

CVE-2025-3479 - Forminator Forms Plugin

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 1.42.0 via the 'handle_stripe_single' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling each order.

PLUGIN Forminator Forms

CVE-2025-3479

MEDIUM CVSS 5.3 2025-04-17
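
Added example, not Forminator's code: how a server-side handler can accept a Stripe PaymentIntent for at most one submission. The intent id arriving from the client is only a key; its status and amount are read back from Stripe, and a row with a unique primary key records the claim so that a replayed id fails before any confirmation mail is sent. The table name, the option holding the secret key and the function names are assumptions; the Stripe call is the official stripe-php library's \Stripe\PaymentIntent::retrieve().

```php
<?php
// Added example (not Forminator's code). Table, option and function names are hypothetical.

// One row per consumed intent. The PRIMARY KEY makes the claim atomic even when
// two submissions carrying the same intent id race each other.
function example_install_replay_table() {
    global $wpdb;
    require_once ABSPATH . 'wp-admin/includes/upgrade.php';
    $table = $wpdb->prefix . 'example_consumed_intents';
    dbDelta( "CREATE TABLE {$table} (
        intent_id varchar(64) NOT NULL,
        entry_id bigint(20) unsigned NOT NULL,
        consumed_at datetime NOT NULL,
        PRIMARY KEY  (intent_id)
    ) " . $wpdb->get_charset_collate() . ';' );
}

// Returns true only for the first submission allowed to use this intent, and only
// if Stripe confirms it succeeded for the expected amount and currency.
function example_claim_payment_intent( string $intent_id, int $entry_id, int $expected_amount, string $expected_currency ): bool {
    global $wpdb;

    // 1. The client-supplied value must at least look like a PaymentIntent id.
    if ( ! preg_match( '/^pi_[A-Za-z0-9]+$/', $intent_id ) ) {
        return false;
    }

    // 2. Ask Stripe, never the client, what the intent is worth and whether it succeeded.
    try {
        \Stripe\Stripe::setApiKey( (string) get_option( 'example_stripe_secret_key' ) );
        $intent = \Stripe\PaymentIntent::retrieve( $intent_id );
    } catch ( \Exception $e ) {
        return false;
    }
    if ( 'succeeded' !== $intent->status
         || (int) $intent->amount_received !== $expected_amount
         || strtolower( (string) $intent->currency ) !== strtolower( $expected_currency ) ) {
        return false;
    }

    // 3. Claim it. A second INSERT with the same primary key fails, $wpdb->insert()
    //    returns false, and the replayed submission is rejected here.
    $inserted = $wpdb->insert(
        $wpdb->prefix . 'example_consumed_intents',
        array(
            'intent_id'   => $intent_id,
            'entry_id'    => $entry_id,
            'consumed_at' => current_time( 'mysql', true ),
        ),
        array( '%s', '%d', '%s' )
    );
    return false !== $inserted;
}

// Call site: the order, and the "payment received" mail, exist only after the claim.
function example_finish_order( int $entry_id, string $intent_id, int $amount_cents, string $currency ) {
    if ( ! example_claim_payment_intent( $intent_id, $entry_id, $amount_cents, $currency ) ) {
        return new WP_Error( 'payment_rejected', 'payment could not be verified for this submission' );
    }
    // ... create the order record and send the notification here ...
    return true;
}
```

Binding the intent to the submission at creation time (for example by writing the entry id into the intent's metadata and comparing it on retrieval) closes the remaining gap where a legitimately paid intent is attached to a different, higher-value form.
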
Threat Entry Updated 2025-04-17

CVE-2025-3453 - Password Protected Plugin

The Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products – Restrict Content, Protect WooCommerce Category and more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.7 via the 'password_protected_cookie' function. This makes it possible for unauthenticated attackers to extract sensitive data including all protected site content if the 'Use Transient' setting is enabled.

PLUGIN Password Protected

CVE-2025-3453

MEDIUM CVSS 5.3 2025-04-17
Threat Entry Updated 2025-04-17

CVE-2025-3615 - Fluent Forms Plugin

The Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form-submission.js script in all versions up to, and including, 6.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Fluent Forms

CVE-2025-3615

MEDIUM CVSS 6.4 2025-04-17
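
Added example, not code from any plugin listed here, serving the stored XSS entries for LA-Studio Element Kit (CVE-2025-3106), Piotnet Addons (CVE-2024-13650), Forminator's 'limit' parameter (CVE-2025-3487) and Fluent Forms (CVE-2025-3615), and the reflected entry for Coupon Affiliates' commission_summary parameter (CVE-2025-3598). All five come down to the same fix: escape at the point of output with the escaper for that context, and pass values to JavaScript as data rather than as script text. Settings keys, the widget and the script handle are assumptions.

```php
<?php
// Added example (not code from any plugin above). $settings keys are hypothetical.

// Vulnerable: attributes saved by a contributor are echoed verbatim. A value like
//   " onmouseover="alert(document.cookie)
// closes the attribute and adds an event handler that runs for every viewer,
// including the administrator who previews the page.
function example_render_toc_vulnerable( array $settings ) {
    return '<div class="toc" id="' . $settings['toc_id'] . '" title="' . $settings['title'] . '">'
         . $settings['heading'] . '</div>';
}

// Hardened: the escaper is chosen by output context.
//   esc_attr()  inside an HTML attribute      esc_html()  in text content
//   esc_url()   in href/src                   wp_kses()   where limited markup is allowed
function example_render_toc_hardened( array $settings ) {
    $allowed_inline = array(
        'strong' => array(),
        'em'     => array(),
        'a'      => array( 'href' => true, 'title' => true, 'rel' => true ),
    );
    return '<div class="toc" id="' . esc_attr( $settings['toc_id'] ) . '" title="' . esc_attr( $settings['title'] ) . '">'
         . wp_kses( $settings['heading'], $allowed_inline )
         . ' <a href="' . esc_url( $settings['top_link'] ) . '">' . esc_html__( 'Back to top', 'example' ) . '</a>'
         . '</div>';
}

// Reflected case: a request parameter echoed into the page gets exactly the same
// treatment; "reflected" only changes where the value came from.
function example_commission_summary_hardened() {
    $summary = isset( $_GET['commission_summary'] ) ? sanitize_text_field( wp_unslash( $_GET['commission_summary'] ) ) : '';
    return '<p class="summary">' . esc_html( $summary ) . '</p>';
}

// Values that a front-end script needs (a field limit, for instance) are handed
// over as JSON data, never concatenated into the script source.
function example_pass_settings_to_script( array $settings ) {
    wp_register_script( 'example-form', plugins_url( 'form-submission.js', __FILE__ ), array(), '1.0', true );
    $data = array( 'limit' => (int) ( $settings['limit'] ?? 0 ) );
    wp_add_inline_script( 'example-form', 'var exampleFormSettings = ' . wp_json_encode( $data ) . ';', 'before' );
    wp_enqueue_script( 'example-form' );
}
```

Contributor-level accounts cannot hold unfiltered_html, so WordPress already strips script from their post content; these bugs exist because widget and form settings bypass that filter and were then printed without escaping. Sanitizing on save is worth doing too, but it is not a substitute for escaping on output.
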
Threat Entry Updated 2025-07-09

CVE-2025-3295 - Wp Editor Plugin

The WP Editor plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to read arbitrary files on the affected site's server which may reveal sensitive information.

PLUGIN Wp Editor

CVE-2025-3295

MEDIUM CVSS 4.9 2025-04-17
Threat Entry Updated 2025-04-29

CVE-2024-13925 - Klarna Checkout For Woocommerce Plugin

The Klarna Checkout for WooCommerce WordPress plugin before 2.13.5 exposes an unauthenticated WooCommerce Ajax endpoint that allows an attacker to flood the log files with data at the maximum size allowed for a POST parameter per request. This can result in rapid consumption of disk space, potentially filling the entire disk.

PLUGIN Klarna Checkout For Woocommerce

CVE-2024-13925

HIGH CVSS 7.5 2025-04-17
Threat Entry Updated 2025-07-09

CVE-2025-3294 - Wp Editor Plugin

The WP Editor plugin for WordPress is vulnerable to arbitrary file update due to missing file path validation in all versions up to, and including, 1.2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to overwrite arbitrary files on the affected site's server which may make remote code execution possible assuming the files can be written to by the web server.

PLUGIN Wp Editor

CVE-2025-3294

HIGH CVSS 7.2 2025-04-17
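
Added example, not code from the Avatar or WP Editor plugins, serving the arbitrary file deletion (CVE-2025-3520), arbitrary file read (CVE-2025-3295) and arbitrary file update (CVE-2025-3294) entries. All three need the same thing: resolve the user-supplied name against an allowed base directory and compare the resolved real path against it, rather than deny-listing particular files such as wp-config.php. Directory layout and function names are assumptions.

```php
<?php
// Added example (not code from Avatar or WP Editor). Names prefixed example_ are hypothetical.

// Resolve a user-supplied name inside $base_dir. Symlinks, "..", and absolute
// paths all collapse under realpath(), and the comparison is made on the result.
function example_resolve_inside( string $base_dir, string $requested ) {
    $base = realpath( $base_dir );
    if ( false === $base ) {
        return new WP_Error( 'no_base', 'base directory missing' );
    }
    $base = rtrim( wp_normalize_path( $base ), '/' ) . '/';

    // Cheap rejection before touching the filesystem: absolute paths, drive
    // letters, parent references and NUL bytes are never legitimate here.
    if ( '' === $requested || preg_match( '#^/|^[A-Za-z]:|\.\.|\x00#', $requested ) ) {
        return new WP_Error( 'bad_path', 'path component not allowed' );
    }
    $real = realpath( $base . ltrim( wp_normalize_path( $requested ), '/' ) );
    if ( false === $real ) {
        return new WP_Error( 'not_found', 'path does not exist' );
    }
    $real = wp_normalize_path( $real );
    if ( $real !== rtrim( $base, '/' ) && 0 !== strpos( $real, $base ) ) {
        return new WP_Error( 'escape', 'path resolves outside the allowed directory' );
    }
    return $real;
}

// Deletion: a subscriber may remove files only from their own avatar folder.
function example_delete_avatar( int $user_id, string $file_name ) {
    if ( get_current_user_id() !== $user_id && ! current_user_can( 'edit_users' ) ) {
        return new WP_Error( 'forbidden', 'not your avatar' );
    }
    $uploads = wp_upload_dir();
    $path    = example_resolve_inside( $uploads['basedir'] . '/example-avatars/' . $user_id, basename( $file_name ) );
    if ( is_wp_error( $path ) ) {
        return $path;
    }
    return is_file( $path ) && unlink( $path );
}

// Read/write for an editor feature: confined to the active theme directory, gated
// by capability, and unavailable when the site has disabled in-dashboard editing.
function example_editor_target( string $relative ) {
    if ( ( defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT ) || ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS ) ) {
        return new WP_Error( 'disabled', 'file editing is disabled on this site' );
    }
    if ( ! current_user_can( 'edit_themes' ) ) {
        return new WP_Error( 'forbidden', 'insufficient capability' );
    }
    // A file being written may not exist yet, so contain its parent directory and
    // then append only the base name.
    $parent = example_resolve_inside( get_stylesheet_directory(), dirname( $relative ) );
    if ( is_wp_error( $parent ) ) {
        return $parent;
    }
    $name = basename( $relative );
    if ( ! preg_match( '/^[A-Za-z0-9._-]+\.(php|css|js|json)$/', $name ) ) {
        return new WP_Error( 'bad_name', 'file type not editable' );
    }
    return rtrim( $parent, '/' ) . '/' . $name;
}

function example_editor_read( string $relative ) {
    $target = example_editor_target( $relative );
    return is_wp_error( $target ) ? $target : file_get_contents( $target );
}

function example_editor_write( string $relative, string $contents ) {
    $target = example_editor_target( $relative );
    return is_wp_error( $target ) ? $target : false !== file_put_contents( $target, $contents );
}
```

Even for administrator-only features the containment matters: WP Editor's two entries are rated Medium and High rather than dismissed, because an administrator on a shared host who can read or overwrite files outside the web root reaches beyond what that role is supposed to control, and `DISALLOW_FILE_EDIT` exists precisely so a site owner can switch such features off.
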
Threat Entry Updated 2025-04-30

CVE-2025-1525 - Ultimate Dashboard Plugin

The Ultimate Dashboard WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Ultimate Dashboard

CVE-2025-1525

LOW CVSS 3.5 2025-04-17
Threat Entry Updated 2025-04-30

CVE-2025-1524 - Ultimate Dashboard Plugin

The Ultimate Dashboard WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Ultimate Dashboard

CVE-2025-1524

LOW CVSS 3.5 2025-04-17
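
Added example, not code from MapPress, Login Manager or Ultimate Dashboard, serving the four "high privilege users even when unfiltered_html is disallowed" entries (CVE-2025-2162, CVE-2025-2613, CVE-2025-1525, CVE-2025-1524). In multisite only super admins hold unfiltered_html, and a site can remove it everywhere with DISALLOW_UNFILTERED_HTML; these bugs exist because a plugin setting was stored without honouring that capability. The pattern below sanitizes on save through register_setting()'s sanitize_callback and escapes again on output. Option and field names are assumptions.

```php
<?php
// Added example (not code from any plugin above). Option and field names are hypothetical.

function example_sanitize_settings( $input ) {
    $input = (array) $input;
    $clean = array();

    // URLs (the logo/background case): http(s) only, everything else dropped.
    $clean['logo_url']       = esc_url_raw( (string) ( $input['logo_url'] ?? '' ), array( 'http', 'https' ) );
    $clean['background_url'] = esc_url_raw( (string) ( $input['background_url'] ?? '' ), array( 'http', 'https' ) );

    // Plain-text fields: no markup at all.
    $clean['map_title'] = sanitize_text_field( (string) ( $input['map_title'] ?? '' ) );

    // Rich-text fields: raw markup only for users who actually hold unfiltered_html.
    // A multisite admin, or any admin when DISALLOW_UNFILTERED_HTML is set, gets
    // the post-level KSES allowlist instead, exactly as for post content.
    $rich = (string) ( $input['welcome_html'] ?? '' );
    $clean['welcome_html'] = current_user_can( 'unfiltered_html' ) ? $rich : wp_kses_post( $rich );

    // Enumerations: accept only known values.
    $layouts         = array( 'left', 'right', 'full' );
    $clean['layout'] = in_array( $input['layout'] ?? '', $layouts, true ) ? $input['layout'] : 'left';
    return $clean;
}

function example_register_settings() {
    register_setting(
        'example_options_group',
        'example_options',
        array(
            'type'              => 'array',
            'sanitize_callback' => 'example_sanitize_settings',
            'default'           => array(),
        )
    );
}
add_action( 'admin_init', 'example_register_settings' );

// Output is escaped regardless of what was saved, so an option written by an
// older plugin version without the callback is not trusted either.
function example_render_login_branding() {
    $opt = (array) get_option( 'example_options', array() );
    printf(
        '<div class="branding" data-background="%s"><img src="%s" alt="%s"></div>',
        esc_url( $opt['background_url'] ?? '' ),
        esc_url( $opt['logo_url'] ?? '' ),
        esc_attr( $opt['map_title'] ?? '' )
    );
    echo wp_kses_post( $opt['welcome_html'] ?? '' );
}
```

To verify a fix of this kind, log in as an administrator on a multisite subsite (or with `DISALLOW_UNFILTERED_HTML` defined), save a setting containing `<script>` or an `onerror` attribute, and confirm the stored option and the rendered page both lack it.
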