
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2025-10-30

CVE-2025-11735 - Woocommerce Products Filter Plugin

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to blind SQL Injection via the `phrase` parameter in all versions up to, and including, 1.3.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Woocommerce Products Filter

CVE-2025-11735

HIGH CVSS 7.5 2025-10-28
Threat Entry Updated 2025-10-27

CVE-2025-9322 - Subscriptions Plugin

The Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions plugin for WordPress is vulnerable to SQL Injection via the 'wpfs-form-name' parameter in all versions up to, and including, 8.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Subscriptions

CVE-2025-9322

HIGH CVSS 7.5 2025-10-25
Threat Entry Updated 2025-10-27

CVE-2025-8416 - Woo Product Filter Plugin

The Product Filter by WBW plugin for WordPress is vulnerable to SQL Injection via the 'filtersDataBackend' parameter in all versions up to, and including, 2.9.7. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Woo Product Filter

CVE-2025-8416

HIGH CVSS 7.5 2025-10-25
Threat Entry Updated 2025-10-27

CVE-2025-4203 - Wpforo Forum Plugin

The wpForo Forum plugin for WordPress is vulnerable to error-based or time-based SQL Injection via the get_members() function in all versions up to, and including, 2.4.8 due to missing integer validation on the 'offset' and 'row_count' parameters. The function blindly interpolates 'row_count' into a 'LIMIT offset,row_count' clause using esc_sql() rather than enforcing numeric values. MySQL 5.x's grammar allows a 'PROCEDURE ANALYSE' clause immediately after a LIMIT clause. Unauthenticated attackers controlling 'row_count' can append a stored-procedure call, enabling error-based or time-based blind SQL injection that can be used to extract sensitive…

PLUGIN Wpforo Forum

CVE-2025-4203

HIGH CVSS 7.5 2025-10-25
Threat Entry Updated 2025-10-27

CVE-2025-11893 - Charitable Plugin

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to SQL Injection via the donation_ids parameter in all versions up to, and including, 1.8.8.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation of the vulnerability requires…

PLUGIN Charitable

CVE-2025-11893

HIGH CVSS 8.8 2025-10-25
Threat Entry Updated 2025-10-27

CVE-2025-10488 - Ai Powered Business Directory Plugin With Classified Ads Listings

The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to arbitrary file move due to insufficient file path validation in the add_listing_action AJAX action in all versions up to, and including, 8.4.8. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).

PLUGIN Ai Powered Business Directory Plugin With Classified Ads Listings

CVE-2025-10488

HIGH CVSS 8.1 2025-10-25
Threat Entry Updated 2025-10-27

CVE-2025-12095 - Simple Registration For Woocommerce Plugin

The Simple Registration for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.8. This is due to missing nonce validation on the role requests admin page handler in the includes/display-role-admin.php file. This makes it possible for unauthenticated attackers to approve pending role requests and escalate user privileges via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Simple Registration For Woocommerce

CVE-2025-12095

HIGH CVSS 8.8 2025-10-25
Threat Entry Updated 2025-10-27

CVE-2025-11238 - Watu Quiz Plugin

The Watu Quiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HTTP Referer header in versions less than, or equal to, 3.4.4 due to insufficient input sanitization and output escaping when the "Save source URL" option is enabled. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Watu Quiz

CVE-2025-11238

HIGH CVSS 7.2 2025-10-25
Threat Entry Updated 2025-10-27

CVE-2025-10861 - And Woocommerce Triggers Plugin

The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.1.4. This is due to insufficient validation on the URLs supplied via the URL parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services, as well as conduct network reconnaissance. The vulnerability was partially patched in version 2.1.4.

PLUGIN And Woocommerce Triggers

CVE-2025-10861

HIGH CVSS 7.5 2025-10-24
Threat Entry Updated 2025-10-27

CVE-2025-12028 - Indieauth Plugin

The IndieAuth plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4. This is due to missing nonce verification on the `login_form_indieauth()` function and the authorization endpoint at wp-login.php?action=indieauth. This makes it possible for unauthenticated attackers to force authenticated users to approve OAuth authorization requests for attacker-controlled applications via a forged request, provided they can trick a user into performing an action such as clicking on a link or visiting a malicious page while logged in. The attacker can then exchange the stolen…

PLUGIN Indieauth

CVE-2025-12028

HIGH CVSS 8.8 2025-10-24
Threat Entry Updated 2025-10-27

CVE-2025-11889 - All In One Forms Plugin

The AIO Forms – Craft Complex Forms Easily plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 1.3.15. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN All In One Forms

CVE-2025-11889

HIGH CVSS 7.2 2025-10-24
Threat Entry Updated 2025-10-27

CVE-2025-11504 - Quickcreator Plugin

The Quickcreator – AI Blog Writer plugin for WordPress is vulnerable to Sensitive Information Exposure in versions 0.0.9 to 0.1.17 through the /wp-content/plugins/quickcreator/dupasrala.txt file. This makes it possible for unauthenticated attackers to view the plugin's API key and subsequently use that to perform actions on the site like creating new posts and injecting XSS payloads.

PLUGIN Quickcreator

CVE-2025-11504

HIGH CVSS 7.5 2025-10-24
Threat Entry Updated 2026-01-20

CVE-2025-53422 - WooCommerce Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeWarriors WhatsApp Chat for WordPress and WooCommerce tw-whatsapp-chat-rotator allows Reflected XSS. This issue affects WhatsApp Chat for WordPress and WooCommerce: from n/a through

PLUGIN WooCommerce

CVE-2025-53422

HIGH CVSS 7.1 2025-10-22
Threat Entry Updated 2026-01-20

CVE-2025-49953 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themeinity ShareBang, Ultimate Social Share Buttons for WordPress sharebang allows Reflected XSS. This issue affects ShareBang, Ultimate Social Share Buttons for WordPress: from n/a through

CORE WordPress Core

CVE-2025-49953

HIGH CVSS 7.1 2025-10-22
Threat Entry Updated 2025-10-22

CVE-2025-11086 - Wordpress Lms Plugin For Complete Elearning Solution

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3.7. This is due to the plugin not properly validating a user's role prior to registering a user via the Social Login addon. This makes it possible for unauthenticated attackers to update their role to Administrator when registering on the site.

PLUGIN Wordpress Lms Plugin For Complete Elearning Solution

CVE-2025-11086

HIGH CVSS 8.1 2025-10-22
Threat Entry Updated 2025-10-21

CVE-2025-9890 - Theme Editor Plugin

The Theme Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0. This is due to missing or incorrect nonce validation on the 'theme_editor_theme' page. This makes it possible for unauthenticated attackers to achieve remote code execution via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Theme Editor

CVE-2025-9890

HIGH CVSS 8.8 2025-10-18
Threat Entry Updated 2025-10-21

CVE-2025-11691 - Woocommerce Product Addon Plugin

The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the PPOM_Meta::get_fields_by_id() function in all versions up to, and including, 33.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable when the Enable Legacy Price Calculations setting is enabled.

PLUGIN Woocommerce Product Addon

CVE-2025-11691

HIGH CVSS 7.5 2025-10-18
Threat Entry Updated 2025-10-21

CVE-2025-11517 - Event Tickets And Registration Plugin

The Event Tickets and Registration plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 5.26.5. This is due to the /wp-json/tribe/tickets/v1/commerce/free/order endpoint not verifying that a ticket type should be free allowing the user to bypass the payment. This makes it possible for unauthenticated attackers to obtain access to paid tickets, without paying for them, causing a loss of revenue for the target.

PLUGIN Event Tickets And Registration

CVE-2025-11517

HIGH CVSS 7.5 2025-10-18
Threat Entry Updated 2025-10-16

CVE-2025-10706 - Classified Pro Theme

The Classified Pro theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'cwp_addons_update_plugin_cb' function in all versions up to, and including, 1.0.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the affected site's server which may make remote code execution possible. Note: The required nonce for the vulnerability is in the CubeWP Framework plugin.

THEME Classified Pro

CVE-2025-10706

HIGH CVSS 8.8 2025-10-16