Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 621-640 of 3039 records
Threat Entry Updated 2026-01-08

CVE-2025-13493 - Latest Registered Users Plugin

The Latest Registered Users plugin for WordPress is vulnerable to unauthorized user data export in all versions up to, and including, 1.4. This is due to missing authorization and nonce validation in the rnd_handle_form_submit function hooked to both admin_post_my_simple_form and admin_post_nopriv_my_simple_form actions. This makes it possible for unauthenticated attackers to export complete user details (excluding passwords and sensitive tokens) in CSV format via the 'action' parameter.

PLUGIN Latest Registered Users

CVE-2025-13493

HIGH CVSS 7.5 2026-01-07
Threat Entry Updated 2026-01-08

CVE-2025-13371 - Money Space Plugin

The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details (PAN, card holder name, expiry month/year, and CVV) in WordPress post_meta using base64_encode(), and then embedding these values into the publicly accessible mspaylink page's inline JavaScript without any authentication or authorization check. This makes it possible for unauthenticated attackers who know or can guess an order_id to access the mspaylink endpoint and retrieve full credit card numbers and CVV codes…

PLUGIN Money Space

CVE-2025-13371

HIGH CVSS 8.6 2026-01-07
Threat Entry Updated 2026-01-08

CVE-2025-29004 - WordPress Core

Incorrect Privilege Assignment vulnerability in AA-Team Premium Age Verification / Restriction for WordPress and AA-Team Responsive Coming Soon Landing Page / Holding Page for WordPress allows Privilege Escalation. This issue affects Premium Age Verification / Restriction for WordPress: from n/a through 3.0.2; Responsive Coming Soon Landing Page / Holding Page for WordPress: from n/a through 3.0.

CORE WordPress Core

CVE-2025-29004

HIGH CVSS 8.8 2026-01-06
Threat Entry Updated 2026-01-15

CVE-2026-0640 - AC23 Plugin

A weakness has been identified in Tenda AC23 16.03.07.52. This affects the function sscanf of the file /goform/PowerSaveSet. Manipulating the argument Time can lead to a buffer overflow. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.

PLUGIN AC23

CVE-2026-0640

HIGH CVSS 7.4 2026-01-06
Threat Entry Updated 2026-01-08

CVE-2025-14997 - Bp Xprofile Custom Field Types Plugin

The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete_field' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Bp Xprofile Custom Field Types

CVE-2025-14997

HIGH CVSS 7.2 2026-01-06
Threat Entry Updated 2026-01-12

CVE-2026-21677 - iccDEV Plugin

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have Undefined Behavior in its CIccCLUT::Init function which initializes and sets the size of a CLUT. This issue is fixed in version 2.3.1.1.

PLUGIN iccDEV

CVE-2026-21677

HIGH CVSS 8.8 2026-01-06
Threat Entry Updated 2026-01-12

CVE-2026-21676 - iccDEV Plugin

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have a Heap-based Buffer Overflow in its CIccMBB::Validate function which checks tag data validity. This issue is fixed in version 2.3.1.1.

PLUGIN iccDEV

CVE-2026-21676

HIGH CVSS 8.8 2026-01-06
Threat Entry Updated 2026-01-14

CVE-2026-21485 - iccDEV Plugin

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are prone to Undefined Behavior (UB) and Out of Memory errors. This issue is fixed in version 2.3.1.2.

PLUGIN iccDEV

CVE-2026-21485

HIGH CVSS 8.8 2026-01-06
Threat Entry Updated 2026-01-12

CVE-2026-21486 - iccDEV Plugin

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below contain Use After Free, Heap-based Buffer Overflow, Integer Overflow or Wraparound, and Out-of-bounds Write vulnerabilities in its CIccSparseMatrix::CIccSparseMatrix function. This issue is fixed in version 2.3.1.2.

PLUGIN iccDEV

CVE-2026-21486

HIGH CVSS 7.8 2026-01-06
Threat Entry Updated 2026-01-12

CVE-2026-21673 - iccDEV Plugin

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have overflows and underflows in CIccXmlArrayType::ParseTextCountNum(). This vulnerability affects users of the iccDEV library who process ICC color profiles. This issue is fixed in version 2.3.1.1.

PLUGIN iccDEV

CVE-2026-21673

HIGH CVSS 7.8 2026-01-06
Threat Entry Updated 2026-01-08

CVE-2025-15364 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.40. This is due to the plugin not properly validating a user's identity prior to updating their details, such as the password. This makes it possible for unauthenticated attackers to change users' passwords (except administrators') and leverage that to gain access to their accounts.

PLUGIN Download Manager

CVE-2025-15364

HIGH CVSS 7.3 2026-01-06
Threat Entry Updated 2026-01-12

CVE-2026-21507 - iccDEV Plugin

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have an infinite loop in the CalcProfileID function in IccProfile.cpp. This issue is fixed in version 2.3.1.1.

PLUGIN iccDEV

CVE-2026-21507

HIGH CVSS 7.5 2026-01-06
Threat Entry Updated 2026-01-30

CVE-2026-0621 - MCP TypeScript SDK Plugin

Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service.

PLUGIN MCP TypeScript SDK

CVE-2026-0621

HIGH CVSS 8.7 2026-01-05
Threat Entry Updated 2026-01-30

CVE-2026-21633 - UniFi Protect Application Plugin

A malicious actor with access to the adjacent network could obtain unauthorized access to a UniFi Protect Camera by exploiting a discovery protocol vulnerability in the UniFi Protect Application (Version 6.1.79 and earlier). Affected Products: UniFi Protect Application (Version 6.1.79 and earlier). Mitigation: Update your UniFi Protect Application to Version 6.2.72 or later.

PLUGIN UniFi Protect Application

CVE-2026-21633

HIGH CVSS 8.8 2026-01-05
Threat Entry Updated 2026-01-08

CVE-2025-14124 - Before 5 Plugin

The Team WordPress plugin before 5.0.11 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

PLUGIN Before 5

CVE-2025-14124

HIGH CVSS 8.6 2026-01-05
Threat Entry Updated 2026-02-05

CVE-2026-21452 - Msgpack Java Plugin

MessagePack for Java is a serializer implementation for Java. A denial-of-service vulnerability exists in versions prior to 0.9.11 when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers lazily, it later trusts the declared EXT payload length when materializing the extension data. When ExtensionValue.getData() is invoked, the library attempts to allocate a byte array of the declared length without enforcing any upper bound. A malicious .msgpack file of only a few bytes can therefore trigger unbounded heap allocation, resulting in JVM heap exhaustion, process…

PLUGIN Msgpack Java

CVE-2026-21452

HIGH CVSS 7.5 2026-01-02
Threat Entry Updated 2026-01-08

CVE-2026-21449 - Bagisto Plugin

Bagisto is an open source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via the first name and last name fields from a low-privilege user. Version 2.3.10 fixes the issue.

PLUGIN Bagisto

CVE-2026-21449

HIGH CVSS 7.4 2026-01-02
Threat Entry Updated 2026-01-08

CVE-2026-21450 - Bagisto Plugin

Bagisto is an open source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via the type parameter, which can lead to remote code execution or other exploitation. Version 2.3.10 fixes the issue.

PLUGIN Bagisto

CVE-2026-21450

HIGH CVSS 7.3 2026-01-02
Threat Entry Updated 2026-01-08

CVE-2026-21448 - Bagisto Plugin

Bagisto is an open source Laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection. When a normal customer orders any product, in the `add address` step they can inject a value that is rendered in the admin view. The issue can lead to remote code execution. Version 2.3.10 contains a patch.

PLUGIN Bagisto

CVE-2026-21448

HIGH CVSS 8.9 2026-01-02