Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 919 records (Critical: 919, High: 0, Medium: 0)

Showing 241-260 of 919 records
Threat Entry Updated 2025-08-15

CVE-2025-7778 - Icons Factory Plugin

The Icons Factory plugin for WordPress is vulnerable to Arbitrary File Deletion due to insufficient authorization and improper path validation within the delete_files() function in all versions up to, and including, 1.6.12. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Icons Factory

CVE-2025-7778

CRITICAL CVSS 9.8 2025-08-15
Threat Entry Updated 2025-08-15

CVE-2025-6679 - Bit Form Plugin

The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.20.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. For this to be exploitable, the PRO version needs to be installed and activated as well. Additionally a form with an advanced file upload element needs to be published.

PLUGIN Bit Form

CVE-2025-6679

CRITICAL CVSS 9.8 2025-08-15
Threat Entry Updated 2025-08-14

CVE-2025-8047 - WordPress Core

The disable-right-click-powered-by-pixterme through v1.2 and pixter-image-digital-license through v1.0 WordPress plugins load a JavaScript file which has been compromised from an apparently abandoned S3 bucket. It can be used as a backdoor by those who control it, but it currently displays an alert marketing security services. Users that pay are added to allowedDomains to suppress the popup.

CORE WordPress Core

CVE-2025-8047

CRITICAL CVSS 9.8 2025-08-14
Threat Entry Updated 2025-08-13

CVE-2025-6715 - Before 5 Plugin

The LatePoint WordPress plugin before 5.1.94 is vulnerable to Local File Inclusion via the layout parameter. This makes it possible for attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files.

PLUGIN Before 5

CVE-2025-6715

CRITICAL CVSS 9.8 2025-08-13
Threat Entry Updated 2025-08-13

CVE-2025-7384 - Contact Form Entries Plugin

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization of untrusted input in the get_lead_detail function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.

PLUGIN Contact Form Entries

CVE-2025-7384

CRITICAL CVSS 9.8 2025-08-13
Threat Entry Updated 2025-08-12

CVE-2025-8059 - B Blocks Plugin

The B Blocks plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization and improper input validation within the rgfr_registration() function in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to create a new account and assign it the administrator role.

PLUGIN B Blocks

CVE-2025-8059

CRITICAL CVSS 9.8 2025-08-12
Threat Entry Updated 2025-08-06

CVE-2025-6994 - WordPress Core

The Reveal Listing plugin by smartdatasoft for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.3. This is due to the plugin allowing users who are registering new accounts to set their own role by supplying the 'listing_user_role' field. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.

CORE WordPress Core

CVE-2025-6994

CRITICAL CVSS 9.8 2025-08-06
Threat Entry Updated 2025-08-04

CVE-2025-7710 - WordPress Core

The Brave Conversion Engine (PRO) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.7.7. This is due to the plugin not properly restricting a claimed identity while authenticating with Facebook. This makes it possible for unauthenticated attackers to log in as other users, including administrators.

CORE WordPress Core

CVE-2025-7710

CRITICAL CVSS 9.8 2025-08-02
Threat Entry Updated 2025-10-23

CVE-2025-5947 - Service Finder Bookings Plugin

The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's cookie value prior to logging them in through the service_finder_switch_back() function. This makes it possible for unauthenticated attackers to log in as any user, including admins.

PLUGIN Service Finder Bookings

CVE-2025-5947

CRITICAL CVSS 9.8 2025-08-01
Threat Entry Updated 2025-08-04

CVE-2025-5954 - Service Finder Sms System Plugin

The Service Finder SMS System plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.0.0. This is due to the plugin not restricting user role selection at the time of registration through the aonesms_fn_savedata_after_signup() function. This makes it possible for unauthenticated attackers to register as an administrator user.

PLUGIN Service Finder Sms System

CVE-2025-5954

CRITICAL CVSS 9.8 2025-08-01
Threat Entry Updated 2025-07-29

CVE-2025-6895 - Melapress Login Security Plugin

The Melapress Login Security plugin for WordPress is vulnerable to Authentication Bypass due to missing authorization within the get_valid_user_based_on_token() function in versions 2.1.0 to 2.1.1. This makes it possible for unauthenticated attackers who know an arbitrary user meta value to bypass authentication checks and log in as that user.

PLUGIN Melapress Login Security

CVE-2025-6895

CRITICAL CVSS 9.8 2025-07-26
Threat Entry Updated 2025-07-25

CVE-2025-6441 - Webinar Ignition Plugin

The Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition plugin for WordPress is vulnerable to unauthenticated login token generation due to a missing capability check on the `webinarignition_sign_in_support_staff` and `webinarignition_register_support` functions in all versions up to, and including, 4.03.31. This makes it possible for unauthenticated attackers to generate login tokens for arbitrary WordPress users under certain circumstances, issuing authorization cookies which can lead to authentication bypass.

PLUGIN Webinar Ignition

CVE-2025-6441

CRITICAL CVSS 9.8 2025-07-24
Threat Entry Updated 2025-07-25

CVE-2025-6380 - Onlyoffice Docs Plugin

The ONLYOFFICE Docs plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its oo.callback REST endpoint in versions 1.1.0 to 2.2.0. The plugin’s permission callback only verifies that the supplied, encrypted attachment ID maps to an existing attachment post, but does not verify the requester’s identity or capabilities. This makes it possible for unauthenticated attackers to log in as an arbitrary user.

PLUGIN Onlyoffice Docs

CVE-2025-6380

CRITICAL CVSS 9.8 2025-07-24
Threat Entry Updated 2025-07-25

CVE-2025-7852 - Wpbookit Plugin

The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_new_customer' route in all versions up to, and including, 1.0.6. The plugin’s image‐upload handler calls move_uploaded_file() on client‐supplied files without restricting allowed extensions or MIME types, nor sanitizing the filename. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Wpbookit

CVE-2025-7852

CRITICAL CVSS 9.8 2025-07-24
Threat Entry Updated 2025-07-25

CVE-2025-7437 - Ebook Store Plugin

The Ebook Store plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ebook_store_save_form function in all versions up to, and including, 5.8012. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Ebook Store

CVE-2025-7437

CRITICAL CVSS 9.8 2025-07-24
Threat Entry Updated 2025-07-22

CVE-2025-6187 - Bsecure Plugin

The bSecure plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its order_info REST endpoint in versions 1.3.7 through 1.7.9. The plugin registers the /webhook/v2/order_info/ route with a permission_callback that always returns true, effectively bypassing all authentication. This makes it possible for unauthenticated attackers who know any user’s email to obtain a valid login cookie and fully impersonate that account.

PLUGIN Bsecure

CVE-2025-6187

CRITICAL CVSS 9.8 2025-07-22
Threat Entry Updated 2025-07-22

CVE-2025-7697 - Integration For Contact Form 7 And Google Sheets Plugin

The Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.1 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php…

PLUGIN Integration For Contact Form 7 And Google Sheets

CVE-2025-7697

CRITICAL CVSS 9.8 2025-07-19
Threat Entry Updated 2025-07-22

CVE-2025-7696 - Integration For Contact Form 7 And Pipedrive Plugin

The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.3 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file…

PLUGIN Integration For Contact Form 7 And Pipedrive

CVE-2025-7696

CRITICAL CVSS 9.8 2025-07-19
Threat Entry Updated 2025-07-22

CVE-2025-7444 - Loginpress Pro Plugin

The LoginPress Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.0.1. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.

PLUGIN Loginpress Pro

CVE-2025-7444

CRITICAL CVSS 9.8 2025-07-18
Threat Entry Updated 2025-07-22

CVE-2025-7643 - Attachment Manager Plugin

The Attachment Manager plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the handle_actions() function in all versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Attachment Manager

CVE-2025-7643

CRITICAL CVSS 9.1 2025-07-18