
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 14,261 records (Critical 855, High 2,811, Medium 10,399). Showing records 1401-1420 of 14,261.
Threat Entry Updated 2026-01-14

CVE-2025-15266 - Geeky Bot Plugin

The GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the chat message field in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the Chat History page.

Plugin: Geeky Bot
CVE: CVE-2025-15266
Severity: HIGH, CVSS 7.2 (2026-01-14)
Threat Entry Updated 2026-01-14

CVE-2025-14615 - Dashboard Builder Plugin

The DASHBOARD BUILDER – WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This makes it possible for unauthenticated attackers to modify the stored SQL query and database credentials used by the [show-dashboardbuilder] shortcode via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The modified SQL query is subsequently executed on…

Plugin: Dashboard Builder
CVE: CVE-2025-14615
Severity: HIGH, CVSS 7.1 (2026-01-14)
Threat Entry Updated 2026-01-14

CVE-2025-15020 - Gotham Block Extra Light Plugin

The Gotham Block Extra Light plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.5.0 via the 'ghostban' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Plugin: Gotham Block Extra Light
CVE: CVE-2025-15020
Severity: MEDIUM, CVSS 6.5 (2026-01-14)
Threat Entry Updated 2026-01-14

CVE-2025-14854 - Wp Crm System Plugin

The WP-CRM System plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on the wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status AJAX functions in all versions up to, and including, 3.4.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to enumerate CRM contact email addresses (PII disclosure) and modify CRM task statuses.

Plugin: Wp Crm System
CVE: CVE-2025-14854
Severity: MEDIUM, CVSS 5.4 (2026-01-14)
Threat Entry Updated 2026-01-14

CVE-2025-14880 - Netcash Pay Now Payment Gateway For Woocommerce Plugin

The Netcash WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_return_url function in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processing/completed.

Plugin: Netcash Pay Now Payment Gateway For Woocommerce
CVE: CVE-2025-14880
Severity: MEDIUM, CVSS 5.3 (2026-01-14)
Threat Entry Updated 2026-01-14

CVE-2025-15021 - Gotham Block Extra Light Plugin

The Gotham Block Extra Light plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Plugin: Gotham Block Extra Light
CVE: CVE-2025-15021
Severity: MEDIUM, CVSS 4.4 (2026-01-14)
Threat Entry Updated 2026-01-14

CVE-2025-14725 - Internal Link Builder Plugin

The Internal Link Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Plugin: Internal Link Builder
CVE: CVE-2025-14725
Severity: MEDIUM, CVSS 4.4 (2026-01-14)
Threat Entry Updated 2026-01-14

CVE-2025-14502 - News And Blog Designer Bundle Plugin

The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1 via the template parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

Plugin: News And Blog Designer Bundle
CVE: CVE-2025-14502
Severity: CRITICAL, CVSS 9.8 (2026-01-14)
Threat Entry Updated 2026-01-14

CVE-2025-14613 - Getcontentfromurl Plugin

The GetContentFromURL plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0. This is due to the plugin using wp_remote_get() instead of wp_safe_remote_get() to fetch content from a user-supplied URL in the 'url' parameter of the [gcfu] shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Plugin: Getcontentfromurl
CVE: CVE-2025-14613
Severity: HIGH, CVSS 7.2 (2026-01-14)
Threat Entry Updated 2026-01-14

CVE-2025-14464 - Pdf Resume Parser Plugin

The PDF Resume Parser plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0. This is due to the plugin registering an AJAX action handler that is accessible to unauthenticated users and exposes SMTP configuration data including credentials. This makes it possible for unauthenticated attackers to extract sensitive SMTP credentials (username and password) from the WordPress configuration, which could be leveraged to compromise email accounts and potentially gain unauthorized access to other systems using the same credentials.

Plugin: Pdf Resume Parser
CVE: CVE-2025-14464
Severity: MEDIUM, CVSS 5.3 (2026-01-14)
Threat Entry Updated 2026-01-14

CVE-2025-14379 - Testimonials Creator Plugin

The Testimonials Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in version 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Plugin: Testimonials Creator
CVE: CVE-2025-14379
Severity: MEDIUM, CVSS 4.4 (2026-01-14)
Threat Entry Updated 2026-01-14

CVE-2025-14482 - Crush Pics Plugin

The Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 1.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings including disabling auto-compression and changing image quality settings.

Plugin: Crush Pics
CVE: CVE-2025-14482
Severity: MEDIUM, CVSS 4.3 (2026-01-14)
Threat Entry Updated 2026-01-14

CVE-2025-14389 - Wpblogsync Plugin

The WPBlogSyn plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's remote sync settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Wpblogsync
CVE: CVE-2025-14389
Severity: MEDIUM, CVSS 4.3 (2026-01-14)
Threat Entry Updated 2026-01-14

CVE-2025-14301 - Woosa Ai For Woocommerce Plugin

The Integration Opvius AI for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.0. This is due to the `process_table_bulk_actions()` function processing user-supplied file paths without authentication checks, nonce verification, or path validation. This makes it possible for unauthenticated attackers to delete or download arbitrary files on the server via the `wsaw-log[]` POST parameter, which can be leveraged to delete critical files like `wp-config.php` or read sensitive configuration files.

Plugin: Woosa Ai For Woocommerce
CVE: CVE-2025-14301
Severity: CRITICAL, CVSS 9.8 (2026-01-14)
Threat Entry Updated 2026-01-14

CVE-2025-13627 - Makesweat Plugin

The Makesweat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'makesweat_clubid' setting in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Makesweat
CVE: CVE-2025-13627
Severity: MEDIUM, CVSS 4.4 (2026-01-14)
Threat Entry Updated 2026-01-14

CVE-2025-12178 - Spiceforms Form Builder Plugin

The SpiceForms Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spiceforms' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Spiceforms Form Builder
CVE: CVE-2025-12178
Severity: MEDIUM, CVSS 6.4 (2026-01-14)
Threat Entry Updated 2026-02-24

CVE-2026-22686 - Enclave Plugin

Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sandbox escape vulnerability in enclave-vm that allows untrusted, sandboxed JavaScript code to execute arbitrary code in the host Node.js runtime. When a tool invocation fails, enclave-vm exposes a host-side Error object to sandboxed code. This Error object retains its host realm prototype chain, which can be traversed to reach the host Function constructor. An attacker can intentionally trigger a host error, then climb the prototype chain. Using the host Function…

Plugin: Enclave
CVE: CVE-2026-22686
Severity: CRITICAL, CVSS 10.0 (2026-01-14)
Threat Entry Updated 2026-01-14

CVE-2026-0716 - Red Hat Enterprise Linux 10 Plugin

A flaw was found in libsoup’s WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or a crash. Applications using libsoup’s WebSocket support with this configuration may be impacted.

Plugin: Red Hat Enterprise Linux 10
CVE: CVE-2026-0716
Severity: MEDIUM, CVSS 4.8 (2026-01-13)
Threat Entry Updated 2026-02-03

CVE-2026-23478 - cal.com Plugin

Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update(). This vulnerability is fixed in 6.0.7.

Plugin: cal.com
CVE: CVE-2026-23478
Severity: CRITICAL, CVSS 10.0 (2026-01-13)