Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-02-09
CVE-2025-15100 - Jay Login Register Plugin
The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user meta through the 'jay_panel_ajax_update_profile' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
PLUGIN
Jay Login Register
CVE-2025-15100
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1294 - Image Viewer Plugin
The All In One Image Viewer Block plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.2 due to missing authorization and URL validation on the image-proxy REST API endpoint. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Image Viewer
CVE-2026-1294
Risk Score
Threat Entry
Updated 2026-02-05
CVE-2025-13192 - Popup Builder Block Plugin
The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to generic SQL Injection via the multiple REST API endpoints in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Vulnerability was patched in version 2.2.1 for unauthenticated users,…
PLUGIN
Popup Builder Block
CVE-2025-13192
Risk Score
Threat Entry
Updated 2026-02-04
CVE-2025-15368 - Sportspress Plugin
The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.7.26 via shortcodes 'template_name' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
PLUGIN
Sportspress
CVE-2025-15368
Risk Score
Threat Entry
Updated 2026-02-04
CVE-2025-15285 - Lupsonline Link Netwerk Plugin
The SEO Flow by LupsOnline plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the checkBlogAuthentication() and checkCategoryAuthentication() functions in all versions up to, and including, 2.2.1. These authorization functions only implement basic API key authentication but fail to implement WordPress capability checks. This makes it possible for unauthenticated attackers to create, modify, and delete blog posts and categories.
PLUGIN
Lupsonline Link Netwerk
CVE-2025-15285
Risk Score
Threat Entry
Updated 2026-02-04
CVE-2025-15268 - Infility Global Plugin
The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action in all versions up to, and including, 2.14.46. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append - with certain server configurations - additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Infility Global
CVE-2025-15268
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1756 - Wp Foft Loader Plugin
The WP FOFT Loader plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WP_FOFT_Loader_Mimes::file_and_ext' function in all versions up to, and including, 2.1.39. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Wp Foft Loader
CVE-2026-1756
Risk Score
Threat Entry
Updated 2026-02-04
CVE-2026-25027 - Unicamp Plugin
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Unicamp unicamp allows PHP Local File Inclusion.This issue affects Unicamp: from n/a through
PLUGIN
Unicamp
CVE-2026-25027
Risk Score
Threat Entry
Updated 2026-02-03
CVE-2026-25022 - KiviCare Plugin
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Blind SQL Injection.This issue affects KiviCare: from n/a through
PLUGIN
KiviCare
CVE-2026-25022
Risk Score
Threat Entry
Updated 2026-02-03
CVE-2026-24954 - WpEvently Plugin
Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.This issue affects WpEvently: from n/a through
PLUGIN
WpEvently
CVE-2026-24954
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1730 - Os Datahub Maps Plugin
The OS DataHub Maps plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'OS_DataHub_Maps_Admin::add_file_and_ext' function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Os Datahub Maps
CVE-2026-1730
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1375 - Elearning And Online Course Solution Plugin
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests.
PLUGIN
Elearning And Online Course Solution
CVE-2026-1375
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1065 - Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder Plugin
The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms.
PLUGIN
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
CVE-2026-1065
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-0617 - Calendar Booking Plugin For Appointments And Events
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer profile fields in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the customer's activity history.
PLUGIN
Calendar Booking Plugin For Appointments And Events
CVE-2026-0617
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1058 - Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder Plugin
The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses html_entity_decode() on user-supplied hidden field values without subsequent escaping before output, which converts HTML entity-encoded payloads back into executable JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin submissions view that will execute whenever an administrator accesses the submissions…
PLUGIN
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
CVE-2026-1058
Risk Score
Threat Entry
Updated 2026-02-03
CVE-2025-15396 - Library Viewer Plugin
The Library Viewer WordPress plugin before 3.2.0 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Library Viewer
CVE-2025-15396
Risk Score
Threat Entry
Updated 2026-02-03
CVE-2025-14554 - Sell Btc By Hayyatapps Plugin
The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'orderform_data' AJAX action in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in order records that will execute whenever an administrator accesses the Orders page in the admin dashboard. The vulnerability was partially patched in version 1.5.
PLUGIN
Sell Btc By Hayyatapps
CVE-2025-14554
Risk Score
Threat Entry
Updated 2026-02-24
CVE-2026-24054 - Snapshots Plugin
Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.26.0, when a container image is malformed or contains no layers, containerd falls back to bind-mounting an empty snapshotter directory for the container rootfs. When the Kata runtime attempts to mount the container rootfs, the bind mount causes the rootfs to be detected as a block device, leading to the underlying device being hotplugged to the guest. This can cause filesystem-level errors on the host…
PLUGIN
Snapshots
CVE-2026-24054
Risk Score
Threat Entry
Updated 2026-01-29
CVE-2025-14975 - Custom Login Page Customizer Plugin
The Custom Login Page Customizer WordPress plugin before 2.5.4 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account
PLUGIN
Custom Login Page Customizer
CVE-2025-14975
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-0844 - Simple User Registration Plugin
The Simple User Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 6.7 due to insufficient restriction on the 'profile_save_field' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update.
PLUGIN
Simple User Registration
CVE-2026-0844
Risk Score