Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-11-06
CVE-2025-12384 - And Other Files Plugin
The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to unauthorized access/modification/loss of data in all versions up to, and including, 2.0.0. This is due to the plugin not properly verifying that a user is authorized to perform an action in the "bplde_save_document_library", "bplde_get_all", "bplde_get_single", and "bplde_delete_document_library" functions. This makes it possible for unauthenticated attackers to create, read, update, and delete arbitrary document_library posts.
PLUGIN
And Other Files
CVE-2025-12384
Risk Score
Threat Entry
Updated 2025-11-06
CVE-2025-12139 - Integrate Google Drive Plugin
The File Manager for Google Drive – Integrate Google Drive with WordPress plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.5.3 via the "get_localize_data" function. This makes it possible for unauthenticated attackers to extract sensitive data including Google OAuth credentials (client_id and client_secret) and Google account email addresses.
PLUGIN
Integrate Google Drive
CVE-2025-12139
Risk Score
Threat Entry
Updated 2025-11-06
CVE-2025-12197 - The Events Calendar Plugin
The The Events Calendar plugin for WordPress is vulnerable to blind SQL Injection via the 's' parameter in versions 6.15.1.1 to 6.15.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
The Events Calendar
CVE-2025-12197
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-11890 - Crypto Payment Gateway With Payeer For Woocommerce Plugin
The Crypto Payment Gateway with Payeer for WooCommerce plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 1.0.3. This is due to the plugin not properly verifying a payments status through server-side validation though the /wc-api/bp-payeer-gateway-callback endpoint. This makes it possible for unauthenticated attackers to update unpaid order statuses to paid resulting in a loss of revenue.
PLUGIN
Crypto Payment Gateway With Payeer For Woocommerce
CVE-2025-11890
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-11733 - Footnotes Made Easy Plugin
The Footnotes Made Easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 3.0.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Footnotes Made Easy
CVE-2025-11733
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-11724 - Em Beer Manager Plugin
The EM Beer Manager plugin for WordPress is vulnerable to arbitrary file upload leading to remote code execution in all versions up to, and including, 3.2.3. This is due to missing file type validation in the EMBM_Admin_Untappd_Import_image() function and missing authorization checks on the wp_ajax_embm-untappd-import action. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files including PHP files and execute code on the server granted they can provide a mock HTTP server that responds with specific JSON data.
PLUGIN
Em Beer Manager
CVE-2025-11724
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-11704 - Elegance Menu Plugin
The Elegance Menu plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9 via the 'elegance-menu' attribute of the `elegance-menu` shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
PLUGIN
Elegance Menu
CVE-2025-11704
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-10896 - Image Hover Effects Elementor Addon Plugin
Multiple plugins for WordPress with the Jewel Theme Recommended Plugins Library are vulnerable to Unrestricted Upload of File with Dangerous Type via arbitrary plugin installation in all versions up to, and including, 1.0.2.3. This is due to missing capability checks on the '*_recommended_upgrade_plugin' function which allows arbitrary plugin URLs to be installed. This makes it possible for authenticated attackers with subscriber-level access and above to upload arbitrary plugin packages to the affected site's server via a crafted plugin URL, which may make remote code execution possible.
PLUGIN
Image Hover Effects Elementor Addon
CVE-2025-10896
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-6990 - Kallyas Theme
The kallyas theme for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.0 via the `TH_PhpCode` pagebuilder widget. This is due to the theme not restricting access to the code editor widget for non-administrators. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
THEME
Kallyas
CVE-2025-6990
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-12171 - Restful Content Syndication Plugin
The RESTful Content Syndication plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ingest_image() function in versions 1.1.0 to 1.5.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. This requires the attacker have access to a defined third-party server as specified in the settings, so it is unlikely that this will be exploitable by contributor-level users, and more likely to be exploited…
PLUGIN
Restful Content Syndication
CVE-2025-12171
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-11755 - Delicious Recipes Plugin
The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file uploads when importing recipes via CSV in all versions up to, and including, 1.9.0. This flaw allows an attacker with at least Contributor-level permissions to upload a malicious PHP file by providing a remote URL during a recipe import process, leading to Remote Code Execution (RCE).
PLUGIN
Delicious Recipes
CVE-2025-11755
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-6574 - Service Finder Bookings Plugin
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and excluding, 6.1. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
PLUGIN
Service Finder Bookings
CVE-2025-6574
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-10487 - Adsense Plugin
The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.12 via the select_one() function. This is due to the endpoint not properly restricting access to the AJAX endpoint or limiting the functions that can be called to safe functions. This makes it possible for unauthenticated attackers to call arbitrary functions beginning with get_the_ like get_the_excerpt which can make information exposure possible.
PLUGIN
Adsense
CVE-2025-10487
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-5949 - Service Finder Bookings Plugin
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's identity prior to processing a password change request. This makes it possible for authenticated attackers with subscriber access or higher to reset other users' passwords, including those of admins.
PLUGIN
Service Finder Bookings
CVE-2025-5949
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-11995 - Community Events Plugin
The Community Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via event details parameter in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Community Events
CVE-2025-11995
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-11920 - Wpcom Member Plugin
The WPCOM Member plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.7.14 via the action parameter in one of its shortcodes. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
PLUGIN
Wpcom Member
CVE-2025-11920
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-12115 - Wpc Name Your Price For Woocommerce Plugin
The WPC Name Your Price for WooCommerce plugin for WordPress is vulnerable to unauthorized price alteration in all versions up to, and including, 2.1.9. This is due to the plugin not disabling the ability to name a custom price when it has been specifically disabled for a product. This makes it possible for unauthenticated attackers to purchase products at prices less than they should be able to.
PLUGIN
Wpc Name Your Price For Woocommerce
CVE-2025-12115
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-10897 - Woocommerce Designer Pro Theme
The WooCommerce Designer Pro theme for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.9.28. This makes it possible for unauthenticated attackers to read arbitrary files on the server, which can expose DB credentials when the wp-config.php file is read.
THEME
Woocommerce Designer Pro
CVE-2025-10897
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-7846 - Wordpress User Extra Fields Plugin
The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the save_fields() function in all versions up to, and including, 16.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
PLUGIN
Wordpress User Extra Fields
CVE-2025-7846
Risk Score
Threat Entry
Updated 2026-01-20
CVE-2025-60075 - This Issue Affects Hpb Seo Plugin
Cross-Site Request Forgery (CSRF) vulnerability in Allegro Marketing hpb seo plugin for WordPress hpbseo allows Reflected XSS.This issue affects hpb seo plugin for WordPress: from n/a through
PLUGIN
This Issue Affects Hpb Seo
CVE-2025-60075
Risk Score