Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 917 · Critical 917 · High 0 · Medium 0
Showing 221-240 of 917 records
Threat Entry Updated 2025-09-19

CVE-2025-10690 - Goza Nonprofit Charity Wordpress Theme

The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to unauthorized arbitrary file uploads due to a missing capability check on the 'beplus_import_pack_install_plugin' function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.

THEME Goza Nonprofit Charity Wordpress Theme

CVE-2025-10690

CRITICAL CVSS 9.8 2025-09-19
Threat Entry Updated 2025-12-23

CVE-2025-9083 - Before 3 Plugin

The Ninja Forms WordPress plugin before 3.11.1 unserializes user input via form field, which could allow Unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.

PLUGIN Before 3

CVE-2025-9083

CRITICAL CVSS 9.8 2025-09-18
Threat Entry Updated 2025-09-22

CVE-2025-8942 - Wp Hotel Booking Plugin

The WP Hotel Booking WordPress plugin before 2.2.3 lacks proper server-side validation for review ratings, allowing an attacker to manipulate the rating value (e.g., sending negative or out-of-range values) by intercepting and modifying requests.

PLUGIN Wp Hotel Booking

CVE-2025-8942

CRITICAL CVSS 9.1 2025-09-18
Threat Entry Updated 2025-09-11

CVE-2025-8570 - Beyondcart Plugin

The BeyondCart Connector plugin for WordPress is vulnerable to Privilege Escalation due to improper JWT secret management and authorization within the determine_current_user filter in versions 1.4.2 through 2.1.0. This makes it possible for unauthenticated attackers to craft valid tokens and assume any user’s identity.

PLUGIN Beyondcart

CVE-2025-8570

CRITICAL CVSS 9.8 2025-09-11
Threat Entry Updated 2025-09-09

CVE-2025-10134 - Goza Nonprofit Charity Wordpress Theme

The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

THEME Goza Nonprofit Charity Wordpress Theme

CVE-2025-10134

CRITICAL CVSS 9.1 2025-09-09
Threat Entry Updated 2025-09-09

CVE-2025-9114 - Doccure Theme

The Doccure theme for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.4.8. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.

THEME Doccure

CVE-2025-9114

CRITICAL CVSS 9.8 2025-09-08
Threat Entry Updated 2025-09-09

CVE-2025-9113 - Doccure Theme

The Doccure theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'doccure_temp_upload_to_media' function in all versions up to, and including, 1.4.8. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

THEME Doccure

CVE-2025-9113

CRITICAL CVSS 9.8 2025-09-08
Threat Entry Updated 2025-09-08

CVE-2025-8359 - Adforest Theme

The AdForest theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 6.0.9. This is due to the plugin not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to log in as other users, including administrators, without access to a password.

THEME Adforest

CVE-2025-8359

CRITICAL CVSS 9.8 2025-09-06
Threat Entry Updated 2025-08-29

CVE-2025-7955 - Rccp Free Plugin

The RingCentral Communications plugin for WordPress is vulnerable to Authentication Bypass due to improper validation within the ringcentral_admin_login_2fa_verify() function in versions 1.5 to 1.6.8. This makes it possible for unauthenticated attackers to log in as any user simply by supplying identical bogus codes.

PLUGIN Rccp Free

CVE-2025-7955

CRITICAL CVSS 9.8 2025-08-28
Threat Entry Updated 2025-08-25

CVE-2025-5821 - Case Theme User Plugin

The Case Theme User plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.3. This is due to the plugin not properly logging a user in with the data that was previously verified through the facebook_ajax_login_callback(). This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site, and access to the administrative user's email.

PLUGIN Case Theme User

CVE-2025-5821

CRITICAL CVSS 9.8 2025-08-23
Threat Entry Updated 2025-08-25

CVE-2025-7642 - Simpler Checkout Plugin

The Simpler Checkout plugin for WordPress is vulnerable to Authentication Bypass in versions 0.7.0 to 1.1.9. This is due to the plugin not properly verifying a user's identity prior to logging them in as an admin through the simplerwc_woocommerce_order_created() function. This makes it possible for unauthenticated attackers to log in as other users based on their order ID, which can be an administrator if a site admin has placed a test order.

PLUGIN Simpler Checkout

CVE-2025-7642

CRITICAL CVSS 9.8 2025-08-23
Threat Entry Updated 2025-08-22

CVE-2025-8895 - Wp Webhooks Plugin

The WP Webhooks plugin for WordPress is vulnerable to arbitrary file copy due to missing validation of user-supplied input in all versions up to, and including, 3.3.5. This makes it possible for unauthenticated attackers to copy arbitrary files on the affected site's server to arbitrary locations. This can be used to copy the contents of wp-config.php into a text file which can then be accessed in a browser to reveal database credentials.

PLUGIN Wp Webhooks

CVE-2025-8895

CRITICAL CVSS 9.8 2025-08-21
Threat Entry Updated 2025-12-12

CVE-2025-54677 - Online Booking Scheduling Calendar Plugin

Unrestricted Upload of File with Dangerous Type vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita allows Using Malicious Files. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through 4.5.3.

PLUGIN Online Booking Scheduling Calendar

CVE-2025-54677

CRITICAL CVSS 9.1 2025-08-20
Threat Entry Updated 2025-08-19

CVE-2025-8723 - Cf Image Resizing Plugin

The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within its hook_rest_pre_dispatch() method in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to inject arbitrary PHP into the codebase, achieving remote code execution.

PLUGIN Cf Image Resizing

CVE-2025-8723

CRITICAL CVSS 9.8 2025-08-19
Threat Entry Updated 2025-08-19

CVE-2025-6758 - Real Spaces Wordpress Properties Directory Theme

The Real Spaces - WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the 'imic_agent_register' function in all versions up to, and including, 3.6. This is due to a lack of restriction in the registration role. This makes it possible for unauthenticated attackers to arbitrarily choose their role, including the Administrator role, during user registration.

THEME Real Spaces Wordpress Properties Directory Theme

CVE-2025-6758

CRITICAL CVSS 9.8 2025-08-19
Threat Entry Updated 2025-08-18

CVE-2025-8898 - Ecab Taxi Booking Manager Plugin

The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.0. This is due to the plugin not properly validating a user's capabilities prior to updating a plugin setting, or their identity prior to updating their details such as their email address. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including administrators', and leverage that to reset the user's password and gain access to their account.

PLUGIN Ecab Taxi Booking Manager

CVE-2025-8898

CRITICAL CVSS 9.8 2025-08-16
Threat Entry Updated 2025-08-18

CVE-2025-7441 - Story Chief Plugin

The StoryChief plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.0.42. This vulnerability occurs through the /wp-json/storychief/webhook REST-API endpoint that does not have sufficient filetype validation. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Story Chief

CVE-2025-7441

CRITICAL CVSS 9.8 2025-08-16
Threat Entry Updated 2025-08-15

CVE-2025-7778 - Icons Factory Plugin

The Icons Factory plugin for WordPress is vulnerable to Arbitrary File Deletion due to insufficient authorization and improper path validation within the delete_files() function in all versions up to, and including, 1.6.12. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Icons Factory

CVE-2025-7778

CRITICAL CVSS 9.8 2025-08-15
Threat Entry Updated 2025-08-15

CVE-2025-6679 - Bit Form Plugin

The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.20.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. For this to be exploitable, the PRO version needs to be installed and activated as well. Additionally, a form with an advanced file upload element needs to be published.

PLUGIN Bit Form

CVE-2025-6679

CRITICAL CVSS 9.8 2025-08-15