
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 14,273
Critical: 855
High: 2,814
Medium: 10,408
Showing 4701-4720 of 14273 records
Threat Entry Updated 2025-07-10

CVE-2025-3429 - 3dprint Lite Plugin

The 3DPrint Lite plugin for WordPress is vulnerable to SQL Injection via the 'material_text' parameter in all versions up to, and including, 2.1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN 3dprint Lite

CVE-2025-3429

MEDIUM CVSS 4.9 2025-04-08
Threat Entry Updated 2025-07-10

CVE-2025-3428 - 3dprint Lite Plugin

The 3DPrint Lite plugin for WordPress is vulnerable to SQL Injection via the 'coating_text' parameter in all versions up to, and including, 2.1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN 3dprint Lite

CVE-2025-3428

MEDIUM CVSS 4.9 2025-04-08
Threat Entry Updated 2025-07-10

CVE-2025-3427 - 3dprint Lite Plugin

The 3DPrint Lite plugin for WordPress is vulnerable to SQL Injection via the 'infill_text' parameter in all versions up to, and including, 2.1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN 3dprint Lite

CVE-2025-3427

MEDIUM CVSS 4.9 2025-04-08
Threat Entry Updated 2025-04-08

CVE-2025-2004 - Simple Wp Events Plugin

The Simple WP Events plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wpe_delete_file AJAX action in all versions up to, and including, 1.8.17. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Simple Wp Events

CVE-2025-2004

CRITICAL CVSS 9.1 2025-04-08
Threat Entry Updated 2025-04-08

CVE-2024-13820 - Melhor Envio Cotacao Plugin

The Melhor Envio plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.15.9 via the 'run' function, which uses a hardcoded hash. This makes it possible for unauthenticated attackers to extract sensitive data including environment information, plugin tokens, shipping configurations, and limited vendor information.

PLUGIN Melhor Envio Cotacao

CVE-2024-13820

MEDIUM CVSS 5.3 2025-04-08
Threat Entry Updated 2025-04-07

CVE-2025-1264 - Broken Link Checker Seo Plugin

The Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links plugin for WordPress is vulnerable to SQL Injection via the 'orderBy' parameter in all versions up to, and including, 1.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Broken Link Checker Seo

CVE-2025-1264

MEDIUM CVSS 6.5 2025-04-06
Threat Entry Updated 2025-04-07

CVE-2025-2941 - Drag And Drop Multiple File Upload For Woocommerce Plugin

The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the wc-upload-file[] parameter in all versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).

PLUGIN Drag And Drop Multiple File Upload For Woocommerce

CVE-2025-2941

CRITICAL CVSS 9.8 2025-04-05
Threat Entry Updated 2025-06-04

CVE-2025-0839 - Zoomsounds Plugin

The ZoomSounds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 6.91 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Zoomsounds

CVE-2025-0839

MEDIUM CVSS 6.4 2025-04-05
Threat Entry Updated 2025-06-04

CVE-2025-2789 - Multivendorx Plugin

The MultiVendorX – Empower Your WooCommerce Store with a Dynamic Multivendor Marketplace – Build the Next Amazon, eBay, Etsy plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_table_rate_shipping_row function in all versions up to, and including, 4.2.19. This makes it possible for unauthenticated attackers to delete Table Rates that can impact the shipping cost calculations.

PLUGIN Multivendorx

CVE-2025-2789

MEDIUM CVSS 5.3 2025-04-05
Threat Entry Updated 2025-04-07

CVE-2025-1233 - Lafka Plugin

The Lafka Plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'lafka_options_upload' AJAX function in all versions up to, and including, 7.1.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the theme option that overrides the site.

PLUGIN Lafka

CVE-2025-1233

MEDIUM CVSS 4.3 2025-04-05
Threat Entry Updated 2025-06-04

CVE-2024-13776 - Zoomsounds Plugin

The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'dzsap_delete_notice' AJAX action in all versions up to, and including, 6.91. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 'seen' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users…

PLUGIN Zoomsounds

CVE-2024-13776

HIGH CVSS 8.1 2025-04-05
Threat Entry Updated 2025-04-07

CVE-2025-2933 - Email Notifications For Updates Plugin

The Email Notifications for Updates plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the awun_import_settings() function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

PLUGIN Email Notifications For Updates

CVE-2025-2933

HIGH CVSS 8.8 2025-04-05
Threat Entry Updated 2025-04-07

CVE-2025-0810 - Expand Maker Plugin

The Read More & Accordion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.5. This is due to missing or incorrect nonce validation on the addNewButtons() function. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Expand Maker

CVE-2025-0810

HIGH CVSS 7.5 2025-04-05
Threat Entry Updated 2025-04-07

CVE-2025-2544 - Ai Content Pipelines Plugin

The AI Content Pipelines plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Ai Content Pipelines

CVE-2025-2544

MEDIUM CVSS 6.4 2025-04-05
Threat Entry Updated 2025-04-07

CVE-2024-13604 - Kb Support Plugin

The KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.4 via the 'kbs' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/kbs directory which can contain file attachments included in support tickets. The vulnerability was partially patched in version 1.7.3.2.

PLUGIN Kb Support

CVE-2024-13604

HIGH CVSS 7.5 2025-04-05
Threat Entry Updated 2025-04-07

CVE-2025-2889 - Link Library Plugin

The Link Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Link Additional Parameters in all versions up to, and including, 7.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Link Library

CVE-2025-2889

MEDIUM CVSS 6.4 2025-04-05
Threat Entry Updated 2026-02-20

CVE-2025-32238 - Online Booking Scheduling Calendar Plugin

Generation of Error Message Containing Sensitive Information vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita allows Retrieve Embedded Sensitive Data. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through 4.5.2.

PLUGIN Online Booking Scheduling Calendar

CVE-2025-32238

MEDIUM CVSS 4.3 2025-04-04
Threat Entry Updated 2025-08-08

CVE-2025-2798 - Woffice Plugin

The Woffice CRM theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.4.21. This is due to a misconfiguration of excluded roles during registration. This makes it possible for unauthenticated attackers to register with an Administrator role if a custom login form is being used. This can be combined with CVE-2025-2797 to bypass the user approval process if an Administrator can be tricked into taking an action such as clicking a link.

PLUGIN Woffice

CVE-2025-2798

CRITICAL CVSS 9.8 2025-04-04
Threat Entry Updated 2025-04-07

CVE-2025-22282 - Allows Reflected Xss Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EPC ez Form Calculator - WordPress plugin allows Reflected XSS. This issue affects ez Form Calculator - WordPress plugin: from n/a through 2.14.1.2.

PLUGIN Allows Reflected Xss

CVE-2025-22282

HIGH CVSS 7.1 2025-04-04
Threat Entry Updated 2025-04-07

CVE-2025-3105 - Vehica Core Plugin

The Vehica Core plugin for WordPress, used by the Vehica - Car Dealer & Listing WordPress Theme, is vulnerable to privilege escalation in all versions up to, and including, 1.0.97. This is due to the plugin not properly validating user meta fields prior to updating them in the database. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator.

PLUGIN Vehica Core

CVE-2025-3105

HIGH CVSS 8.8 2025-04-04