
"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 919 | Critical: 919 | High: 0 | Medium: 0
Showing 261-280 of 919 records
Threat Entry Updated 2025-07-22

CVE-2025-6222 - Manage User Wallet Theme

The WooCommerce Refund And Exchange with RMA - Warranty Management, Refund Policy, Manage User Wallet theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ced_rnx_order_exchange_attach_files' function in all versions up to, and including, 3.2.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

THEME Manage User Wallet

CVE-2025-6222

CRITICAL CVSS 9.8 2025-07-18
Threat Entry Updated 2025-07-17

CVE-2025-7712 - Madara Core Plugin

The Madara - Core plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wp_manga_delete_zip() function in all versions up to, and including, 2.2.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Madara Core

CVE-2025-7712

CRITICAL CVSS 9.1 2025-07-17
Threat Entry Updated 2025-07-17

CVE-2025-5396 - Bears Backup Plugin

The Bears Backup plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.0. This is due to the bbackup_ajax_handle() function not having a capability check, nor validating user-supplied input passed directly to call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server, which can be leveraged to inject backdoors or create new administrative user accounts, among other things. On WordPress sites running the Alone theme versions 7.8.4 and older, this can be chained with CVE-2025-5394 to…

PLUGIN Bears Backup

CVE-2025-5396

CRITICAL CVSS 9.8 2025-07-17
Threat Entry Updated 2025-07-16

CVE-2025-24759 - WordPress Core

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory allows Blind SQL Injection. This issue affects WP-BusinessDirectory: from n/a through 3.1.3.

CORE WordPress Core

CVE-2025-24759

CRITICAL CVSS 9.3 2025-07-16
Threat Entry Updated 2025-07-16

CVE-2025-7360 - Download Contact Form 7 Widget For Elementor Page Builder Gutenberg Blocks Plugin

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation in the handle_files_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).

PLUGIN Download Contact Form 7 Widget For Elementor Page Builder Gutenberg Blocks

CVE-2025-7360

CRITICAL CVSS 9.1 2025-07-15
Threat Entry Updated 2025-07-16

CVE-2025-7341 - Download Contact Form 7 Widget For Elementor Page Builder Gutenberg Blocks Plugin

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Download Contact Form 7 Widget For Elementor Page Builder Gutenberg Blocks

CVE-2025-7341

CRITICAL CVSS 9.1 2025-07-15
Threat Entry Updated 2025-07-16

CVE-2025-7340 - Download Contact Form 7 Widget For Elementor Page Builder Gutenberg Blocks Plugin

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Download Contact Form 7 Widget For Elementor Page Builder Gutenberg Blocks

CVE-2025-7340

CRITICAL CVSS 9.8 2025-07-15
Threat Entry Updated 2025-07-15

CVE-2025-5394 - Charity Multipurpose Non Profit Wordpress Theme

The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.

THEME Charity Multipurpose Non Profit Wordpress Theme

CVE-2025-5394

CRITICAL CVSS 9.8 2025-07-15
Threat Entry Updated 2025-07-15

CVE-2025-5393 - Charity Multipurpose Non Profit Wordpress Theme

The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

THEME Charity Multipurpose Non Profit Wordpress Theme

CVE-2025-5393

CRITICAL CVSS 9.1 2025-07-15
Threat Entry Updated 2025-07-16

CVE-2025-6058 - Wpbookit Plugin

The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_booking_type' route in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Wpbookit

CVE-2025-6058

CRITICAL CVSS 9.8 2025-07-12
Threat Entry Updated 2025-07-15

CVE-2025-5392 - Gb Forms Db Plugin

The GB Forms DB plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.2 via the gbfdb_talk_to_front() function. This is due to the function accepting user input and then passing it through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server, which can be leveraged to inject backdoors or create new administrative user accounts, among other things.

PLUGIN Gb Forms Db

CVE-2025-5392

CRITICAL CVSS 9.8 2025-07-11
Threat Entry Updated 2025-07-15

CVE-2025-7401 - Restriction For Wordpress Plugin

The Premium Age Verification / Restriction for WordPress plugin for WordPress is vulnerable to arbitrary file read and write due to the existence of an insufficiently protected remote support functionality in remote_tunnel.php in all versions up to, and including, 3.0.2. This makes it possible for unauthenticated attackers to read from or write to arbitrary files on the affected site's server which may make the exposure of sensitive information or remote code execution possible.

PLUGIN Restriction For Wordpress

CVE-2025-7401

CRITICAL CVSS 9.8 2025-07-11
Threat Entry Updated 2025-07-10

CVE-2025-4606 - Saas Wordpress Theme

The Sala - Startup & SaaS WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.4. This is due to the theme not properly validating a user's identity prior to updating their details, such as the password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.

THEME Saas Wordpress Theme

CVE-2025-4606

CRITICAL CVSS 9.8 2025-07-09
Threat Entry Updated 2025-07-10

CVE-2025-34077 - Pie Register Plugin

An authentication bypass vulnerability exists in the WordPress Pie Register plugin ≤ 3.7.1.4 that allows unauthenticated attackers to impersonate arbitrary users by submitting a crafted POST request to the login endpoint. By setting social_site=true and manipulating the user_id_social_site parameter, an attacker can generate a valid WordPress session cookie for any user ID, including administrators. Once authenticated, the attacker may exploit plugin upload functionality to install a malicious plugin containing arbitrary PHP code, resulting in remote code execution on the underlying server.

PLUGIN Pie Register

CVE-2025-34077

CRITICAL CVSS 10.0 2025-07-09
Threat Entry Updated 2025-07-14

CVE-2025-4855 - Support Board Plugin

The Support Board plugin for WordPress is vulnerable to unauthorized access/modification/deletion of data due to use of hardcoded default secrets in the sb_encryption() function in all versions up to, and including, 3.8.0. This makes it possible for unauthenticated attackers to bypass authorization and execute arbitrary AJAX actions defined in the sb_ajax_execute() function. An attacker can use this vulnerability to exploit CVE-2025-4828 and various other functions unauthenticated.

PLUGIN Support Board

CVE-2025-4855

CRITICAL CVSS 9.8 2025-07-09
Threat Entry Updated 2025-07-14

CVE-2025-4828 - Support Board Plugin

The Support Board plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the sb_file_delete function in all versions up to, and including, 3.8.0. This makes it possible for attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). An attacker can leverage the CVE-2025-4855 vulnerability to exploit this vulnerability unauthenticated.

PLUGIN Support Board

CVE-2025-4828

CRITICAL CVSS 9.8 2025-07-09
Threat Entry Updated 2025-07-03

CVE-2024-13786 - Education Theme

The education theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.10 via deserialization of untrusted input in the 'themerex_callback_view_more_posts' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may…

THEME Education

CVE-2024-13786

CRITICAL CVSS 9.8 2025-07-02
Threat Entry Updated 2025-07-03

CVE-2025-5746 - Woocommerce Plugin

The Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dnd_upload_cf7_upload_chunks() function in versions 5.0 to 5.0.5 (when bundled with the PrintSpace theme) and in all versions up to, and including, 1.7.1 (in the standalone version). This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The execution of PHP is disabled via a .htaccess file but is still possible in…

PLUGIN Woocommerce

CVE-2025-5746

CRITICAL CVSS 9.8 2025-07-02
Threat Entry Updated 2025-07-08

CVE-2025-4689 - Ads Pro Plugin

The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion which leads to Remote Code Execution in all versions up to, and including, 4.89. This is due to the presence of a SQL Injection vulnerability and a Local File Inclusion vulnerability that can be chained with an image upload. This makes it possible for unauthenticated attackers to execute code on the server: they can upload image files to the server that can then be fetched via the SQL injection vulnerability and ultimately executed as PHP code…

PLUGIN Ads Pro

CVE-2025-4689

CRITICAL CVSS 9.8 2025-07-02
Threat Entry Updated 2025-07-03

CVE-2025-6934 - Opal Estate Pro Plugin

The Opal Estate Pro – Property Management and Submission plugin for WordPress, used by the FullHouse - Real Estate Responsive WordPress Theme, is vulnerable to privilege escalation in all versions up to, and including, 1.7.5. This is due to a lack of role restriction during registration in the 'on_regiser_user' function. This makes it possible for unauthenticated attackers to arbitrarily choose the role, including the Administrator role, assigned when registering.

PLUGIN Opal Estate Pro

CVE-2025-6934

CRITICAL CVSS 9.8 2025-07-01