Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-04-02
CVE-2024-13430 - Pagelayer Plugin
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.8 via the 'pagelayer_builder_posts_shortcode' function due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private posts that they should not have access to.
PLUGIN
Pagelayer
CVE-2024-13430
Risk Score
Threat Entry
Updated 2025-04-02
CVE-2024-13838 - Uncanny Automator Plugin
The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.2 via the 'call_webhook' method of the Automator_Send_Webhook class This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Uncanny Automator
CVE-2024-13838
Risk Score
Threat Entry
Updated 2025-04-02
CVE-2024-12589 - Finale Plugin
The Finale Lite – Sales Countdown Timer & Discount for WooCommerce plugin for WordPress is vulnerable to Stored DOM-Based Cross-Site Scripting via the countdown timer in all versions up to, and including, 2.19.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Finale
CVE-2024-12589
Risk Score
Threat Entry
Updated 2025-03-12
CVE-2024-13498 - Contact Forms And Much More Plugin
The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.8.1 via file uploads due to insufficient directory listing prevention and lack of randomization of file names. This makes it possible for unauthenticated attackers to extract sensitive data including files uploaded via a form.
PLUGIN
Contact Forms And Much More
CVE-2024-13498
Risk Score
Threat Entry
Updated 2025-04-02
CVE-2025-2077 - Simple Amazon Affiliate Plugin
The Simple Amazon Affiliate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'msg' parameter in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Simple Amazon Affiliate
CVE-2025-2077
Risk Score
Threat Entry
Updated 2025-07-08
CVE-2025-2205 - Gdpr Cookie Compliance Plugin
The GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice – CCPA, DSGVO, RGPD plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.15.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Gdpr Cookie Compliance
CVE-2025-2205
Risk Score
Threat Entry
Updated 2025-04-02
CVE-2025-2078 - Blogbuzztime For Wp Plugin
The BlogBuzzTime for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Blogbuzztime For Wp
CVE-2025-2078
Risk Score
Threat Entry
Updated 2025-04-07
CVE-2025-2076 - Binlayerpress Plugin
The binlayerpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Binlayerpress
CVE-2025-2076
Risk Score
Threat Entry
Updated 2025-03-20
CVE-2025-1508 - Wp Crowdfunding Plugin
The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_data action in all versions up to, and including, 2.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to download all of a site's post content when WooCommerce is installed.
PLUGIN
Wp Crowdfunding
CVE-2025-1508
Risk Score
Threat Entry
Updated 2025-03-11
CVE-2025-1707 - Review Schema – Review & Structure Data Schema Plugin
The Review Schema plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.4 via post meta. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
PLUGIN
Review Schema – Review & Structure Data Schema Plugin
CVE-2025-1707
Risk Score
Threat Entry
Updated 2025-03-11
CVE-2025-28914 - wordpress login form to anywhere Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ajay Sharma wordpress login form to anywhere allows Stored XSS. This issue affects wordpress login form to anywhere: from n/a through 0.2.
PLUGIN
wordpress login form to anywhere
CVE-2025-28914
Risk Score
Threat Entry
Updated 2025-03-11
CVE-2025-28894 - Vulnerability In Frucomerci List Of Posts From Each Category Plugin
Cross-Site Request Forgery (CSRF) vulnerability in frucomerci List of Posts from each Category plugin for WordPress allows Stored XSS. This issue affects List of Posts from each Category plugin for WordPress: from n/a through 2.0.
PLUGIN
Vulnerability In Frucomerci List Of Posts From Each Category
CVE-2025-28894
Risk Score
Threat Entry
Updated 2025-05-26
CVE-2024-13228 - Qubely Plugin
The Qubely – Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.13 via the 'qubely_get_content'. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, password-protected, draft, and trashed post data.
PLUGIN
Qubely
CVE-2024-13228
Risk Score
Threat Entry
Updated 2025-05-06
CVE-2024-13864 - Countdown Timer Plugin
The Countdown Timer WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
Countdown Timer
CVE-2024-13864
Risk Score
Threat Entry
Updated 2025-05-21
CVE-2024-13862 - S3bubble Amazon Web Services Oembed Media Streaming Support Plugin
The S3Bubble Media Streaming (AWS|Elementor|YouTube|Vimeo Functionality) WordPress plugin through 8.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
S3bubble Amazon Web Services Oembed Media Streaming Support
CVE-2024-13862
Risk Score
Threat Entry
Updated 2025-05-06
CVE-2024-13836 - Wp Login Control Plugin
The WP Login Control WordPress plugin through 2.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Wp Login Control
CVE-2024-13836
Risk Score
Threat Entry
Updated 2025-05-21
CVE-2024-13853 - Seo Tools Plugin
The SEO Tools WordPress plugin through 4.0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
Seo Tools
CVE-2024-13853
Risk Score
Threat Entry
Updated 2025-05-21
CVE-2025-0629 - Coronavirus Covid 19 Notice Message Plugin
The Coronavirus (COVID-19) Notice Message WordPress plugin through 1.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Coronavirus Covid 19 Notice Message
CVE-2025-0629
Risk Score
Threat Entry
Updated 2025-08-29
CVE-2024-13574 - Xv Random Quotes Plugin
The XV Random Quotes WordPress plugin through 1.40 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Xv Random Quotes
CVE-2024-13574
Risk Score
Threat Entry
Updated 2025-08-29
CVE-2024-13580 - Xv Random Quotes Plugin
The XV Random Quotes WordPress plugin through 1.40 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin reset them via a CSRF attack
PLUGIN
Xv Random Quotes
CVE-2024-13580
Risk Score