
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 14,261 | Critical 855 | High 2,811 | Medium 10,399

Showing records 1741-1760 of 14,261.
Threat Entry Updated 2026-01-13

CVE-2025-13893 - Lesson Plan Book Plugin

The Lesson Plan Book plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: Lesson Plan Book | Severity: MEDIUM (CVSS 6.1) | 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-13892 - Mg Advancedoptions Plugin

The MG AdvancedOptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: MG AdvancedOptions | Severity: MEDIUM (CVSS 6.1) | 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-13852 - Debtcom Business In A Box Plugin

The Debt.com Business in a Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'configuration' parameter of the lead_form shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Debt.com Business in a Box | Severity: MEDIUM (CVSS 6.4) | 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-13704 - Autogen Headers Menu Plugin

The Autogen Headers Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head_class' parameter of the 'autogen_menu' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Autogen Headers Menu | Severity: MEDIUM (CVSS 6.4) | 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-13701 - Shabat Keeper Plugin

The Shabat Keeper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.4.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: Shabat Keeper | Severity: MEDIUM (CVSS 6.1) | 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-13717 - Contact Form Vcard Generator Plugin

The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wp_gvccf_check_download_request' function in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to export sensitive Contact Form 7 submission data via the 'wp-gvc-cf-download-id' parameter, including names, phone numbers, email addresses, and messages.

Plugin: Contact Form vCard Generator | Severity: MEDIUM (CVSS 5.3) | 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-11453 - Header And Footer Scripts Plugin

The Header and Footer Scripts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _inpost_head_script parameter in all versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Header and Footer Scripts | Severity: MEDIUM (CVSS 6.4) | 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2026-22080 - Tenda 300Mbps Wireless Router F3 and N300 Easy Setup Router

This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) because the web-based administrative interface transmits credentials encoded with Base64, a reversible encoding that provides no confidentiality. An attacker on the same network could exploit this vulnerability by intercepting network traffic and capturing the Base64-encoded credentials. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unauthorized access to the targeted device.

Product: Tenda 300Mbps Wireless Router F3 and N300 Easy Setup Router | Severity: HIGH (CVSS 8.7) | 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2026-22079 - Tenda 300Mbps Wireless Router F3 and N300 Easy Setup Router

This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) because the web-based administrative interface transmits login credentials in plaintext during the initial login or the post-factory-reset setup. An attacker on the same network could exploit this vulnerability by intercepting network traffic and capturing the credentials transmitted in plaintext. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information and gain unauthorized access to the targeted device.

Product: Tenda 300Mbps Wireless Router F3 and N300 Easy Setup Router | Severity: HIGH (CVSS 8.7) | 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-13900 - Wp Popup Magic Plugin

The WP Popup Magic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the [wppum_end] shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: WP Popup Magic | Severity: MEDIUM (CVSS 6.4) | 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-13853 - Nearby Now Reviews Plugin

The Nearby Now Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data_tech' parameter of the nn-tech shortcode in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Nearby Now Reviews | Severity: MEDIUM (CVSS 6.4) | 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-13729 - Entry Views Plugin

The Entry Views plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'entry-views' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping of user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Entry Views | Severity: MEDIUM (CVSS 6.4) | 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-13895 - Top Position Google Finance Plugin

The Top Position Google Finance plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: Top Position Google Finance | Severity: MEDIUM (CVSS 6.1) | 2026-01-09
Threat Entry Updated 2026-04-15

CVE-2026-0627 - AMP for WP – Accelerated Mobile Pages Plugin

The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `` tags while allowing other XSS vectors such as event handlers (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via malicious SVG file uploads that will execute whenever a user views the uploaded file.

Plugin: AMP for WP – Accelerated Mobile Pages | Severity: MEDIUM (CVSS 6.4) | 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2026-21409 - RICOH Streamline NX

An improper authorization vulnerability exists in RICOH Streamline NX 3.5.1 through 24R3. If a man-in-the-middle attack is conducted on the communication between the affected product and its user, and a crafted request is processed by the product, the user's registration information and/or OIDC (OpenID Connect) tokens may be retrieved.

Product: RICOH Streamline NX | Severity: HIGH (CVSS 8.2) | 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-14741 - Acf Frontend Form Element Plugin

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts.

Plugin: ACF Frontend Form Element | Severity: CRITICAL (CVSS 9.1) | 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-14937 - Frontend Admin By Dynamiapps Plugin

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action in all versions up to, and including, 3.28.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Frontend Admin by DynamiApps | Severity: HIGH (CVSS 7.2) | 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-14657 - Event Tickets And Registrations Plugin

The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.

Plugin: Eventin – Event Manager, Events Calendar, Event Tickets and Registrations | Severity: HIGH (CVSS 7.2) | 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-14146 - Booking Calendar Plugin

The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the `WPBC_FLEXTIMELINE_NAV` AJAX action. This is due to the nonce verification being conditionally disabled by default (`booking_is_nonce_at_front_end` option is `'Off'` by default). When the `booking_is_show_popover_in_timeline_front_end` option is enabled (which is the default in demo installations and can be enabled by administrators), it is possible for unauthenticated attackers to extract sensitive booking data including customer names, email addresses, phone numbers, and booking details.

Plugin: Booking Calendar | Severity: MEDIUM (CVSS 5.3) | 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-13935 - Elearning And Online Course Solution Plugin

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the 'mark_course_complete' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to mark any course as completed.

Plugin: Tutor LMS – eLearning and online course solution | Severity: MEDIUM (CVSS 4.3) | 2026-01-09