Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-02-19
CVE-2025-14427 - And Prevents Security Breaches Plugin
The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `MfaEmailDisable` action in all versions up to, and including, 21.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disable the global Email 2FA setting for the entire site.
PLUGIN
And Prevents Security Breaches
CVE-2025-14427
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2025-14076 - Google Xml Sitemap Generator Plugin
The iXML – Google XML sitemap generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'iXML_email' parameter in all versions up to, and including, 0.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Google Xml Sitemap Generator
CVE-2025-14076
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2025-14294 - Woo Razorpay Plugin
The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials() permission callback always returning true, providing no actual authentication. This makes it possible for unauthenticated attackers to modify the billing and shipping contact information (email and phone) of any WooCommerce order by knowing or guessing the order ID.
PLUGIN
Woo Razorpay
CVE-2025-14294
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2025-14342 - Squirrly Seo Plugin
The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the sq_ajax_uninstall function in all versions up to, and including, 12.4.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect the site from Squirrly's cloud service.
PLUGIN
Squirrly Seo
CVE-2025-14342
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2025-14167 - Remove Post Type Slug Plugin
The Remove Post Type Slug plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to incorrect nonce validation logic that uses OR (||) instead of AND (&&), causing the validation to fail when the nonce field is not empty OR when verification fails, rather than when it's empty AND verification fails. This makes it possible for unauthenticated attackers to modify the plugin's post type slug removal settings via a forged request granted they can trick a site administrator into…
PLUGIN
Remove Post Type Slug
CVE-2025-14167
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2025-14270 - Security Plugin
The OneClick Chat to Order plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.0.9. This is due to the plugin not properly verifying that a user is authorized to perform an action in the wa_order_number_save_number_field function. This makes it possible for authenticated attackers, with Editor-level access and above, to modify WhatsApp phone numbers used by the plugin, redirecting customer orders and messages to attacker-controlled phone numbers.
PLUGIN
Security
CVE-2025-14270
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2025-13851 - Buyent Classified Plugin
The Buyent Classified plugin for WordPress (bundled with Buyent theme) is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.0.7. This is due to the plugin not validating or restricting the user role during registration via the REST API endpoint. This makes it possible for unauthenticated attackers to register accounts with arbitrary roles, including administrator, by manipulating the _buyent_classified_user_type parameter during the registration process, granting them complete control over the WordPress site.
PLUGIN
Buyent Classified
CVE-2025-13851
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2025-13738 - Easy Table Of Contents Plugin
The Easy Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ez-toc` shortcode in all versions up to, and including, 2.0.78 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Easy Table Of Contents
CVE-2025-13738
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2025-13930 - Woocommerce Checkout Manager Plugin
The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.8.5. This is due to the plugin not properly verifying that a user is authorized to delete an attachment combined with flawed guest order ownership validation. This makes it possible for unauthenticated attackers to delete attachments associated with guest orders using only the publicly available wooccm_upload nonce and attachment ID.
PLUGIN
Woocommerce Checkout Manager
CVE-2025-13930
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2025-13864 - Breeze Wordpress Cache Plugin
The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` being registered with `permission_callback => '__return_true'` and authentication being disabled by default when the API is enabled. This makes it possible for unauthenticated attackers to clear all site caches (page cache, Varnish, and Cloudflare) via a simple POST request, granted the administrator has enabled the API integration feature.
PLUGIN
Breeze Wordpress Cache
CVE-2025-13864
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2025-13842 - Breadcrumb Navxt Plugin
The Breadcrumb NavXT plugin for WordPress is vulnerable to authorization bypass through user-controlled key in versions up to and including 7.5.0. This is due to the Gutenberg block renderer trusting the $_REQUEST['post_id'] parameter without verification in the includes/blocks/build/breadcrumb-trail/render.php file. This makes it possible for unauthenticated attackers to enumerate and view breadcrumb trails for draft or private posts by manipulating the post_id parameter, revealing post titles and hierarchy that should remain hidden.
PLUGIN
Breadcrumb Navxt
CVE-2025-13842
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2025-13603 - Wp Audio Gallery Plugin
The WP AUDIO GALLERY plugin for WordPress is vulnerable to Unauthorized Arbitrary File Read in all versions up to, and including, 2.0. This is due to insufficient capability checks and lack of nonce verification on the "wpag_htaccess_callback" function This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite the site's .htaccess file with arbitrary content, which can lead to arbitrary file read on the server under certain configurations.
PLUGIN
Wp Audio Gallery
CVE-2025-13603
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2025-13732 - Member Access Subscriptions Plugin
The s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 's2Eot' shortcode in all versions up to, and including, 251005 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Member Access Subscriptions
CVE-2025-13732
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2025-13617 - Apollo13 Framework Extensions Plugin
The Apollo13 Framework Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘a13_alt_link’ parameter in all versions up to, and including, 1.9.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Apollo13 Framework Extensions
CVE-2025-13617
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2025-13612 - Album And Image Gallery Plus Lightbox Plugin
The Album and Image Gallery plus Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `aigpl-gallery-album` shortcode in all versions up to, and including, 2.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Album And Image Gallery Plus Lightbox
CVE-2025-13612
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2025-13587 - Two Factor 2fa Via Email Plugin
The Two Factor (2FA) Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. This is because the SS88_2FAVE::wp_login() method only enforces the 2FA requirement if the 'token' HTTP GET parameter is undefined, which makes it possible to bypass two-factor authentication by supplying any value in the 'token' parameter during login, including an empty one.
PLUGIN
Two Factor 2fa Via Email
CVE-2025-13587
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2025-13563 - Lizza Lms Pro Plugin
The Lizza LMS Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the 'lizza_lms_pro_register_user_front_end' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.
PLUGIN
Lizza Lms Pro
CVE-2025-13563
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2025-13113 - Web Accessibility By Accessibe Plugin
The Web Accessibility by accessiBe plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11. This is due to the `accessibe_render_js_in_footer()` function logging the complete plugin options array to the browser console on public pages, without restricting output to privileged users or checking for debug mode. This makes it possible for unauthenticated attackers to view sensitive configuration data, including email addresses, accessiBe user IDs, account IDs, and license information, via the browser console when the widget is disabled.
PLUGIN
Web Accessibility By Accessibe
CVE-2025-13113
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2025-13438 - Page Title Description Open Graph Updater Plugin
The Page Title, Description & Open Graph Updater plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.02. This is due to missing nonce validation on multiple AJAX actions including dieno_update_page_title. This makes it possible for unauthenticated attackers to update page titles and metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Page Title Description Open Graph Updater
CVE-2025-13438
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2025-13413 - Country Blocker For Adsense Plugin
The Country Blocker for AdSense plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the CBFA_guardar_cbfa() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Country Blocker For Adsense
CVE-2025-13413
Risk Score