
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Severity counts: Total 3,040; Critical 0; High 3,040; Medium 0
Showing 861-880 of 3040 records
Threat Entry Updated 2025-09-17

CVE-2025-9216 - StoreEngine Plugin

The StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import() function in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN StoreEngine

CVE-2025-9216

HIGH CVSS 8.8 2025-09-17
Threat Entry Updated 2025-09-17

CVE-2025-10058 - Ultimate Csv Xml Importer For Wordpress Plugin

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the upload_function() function in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Ultimate Csv Xml Importer For Wordpress

CVE-2025-10058

HIGH CVSS 8.1 2025-09-17
Threat Entry Updated 2025-09-17

CVE-2025-10057 - Ultimate Csv Xml Importer For Wordpress Plugin

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.28. This is due to the write_to_customfile() function writing unfiltered PHP code to a file. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject the customFunction.php file with PHP code that can be accessed to trigger remote code execution.

PLUGIN Ultimate Csv Xml Importer For Wordpress

CVE-2025-10057

HIGH CVSS 8.8 2025-09-17
Threat Entry Updated 2025-09-17

CVE-2025-10143 - Catch Dark Mode Plugin

The Catch Dark Mode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0 via the 'catch_dark_mode' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

PLUGIN Catch Dark Mode

CVE-2025-10143

HIGH CVSS 7.5 2025-09-17
Threat Entry Updated 2025-09-15

CVE-2025-10176 - Hackrepair Plugin Archiver

The Hack Repair Guy's Plugin Archiver plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the prepare_items function in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Hackrepair Plugin Archiver

CVE-2025-10176

HIGH CVSS 7.2 2025-09-12
Threat Entry Updated 2025-09-15

CVE-2025-8575 - Lws Cleaner Plugin

The LWS Cleaner plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'lws_cl_delete_file' function in all versions up to, and including, 2.4.1.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Lws Cleaner

CVE-2025-8575

HIGH CVSS 7.2 2025-09-12
Threat Entry Updated 2025-09-15

CVE-2025-10269 - Spirit Framework Plugin

The Spirit Framework plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.2.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

PLUGIN Spirit Framework

CVE-2025-10269

HIGH CVSS 7.5 2025-09-12
Threat Entry Updated 2025-09-15

CVE-2025-9807 - The Events Calendar Plugin

The Events Calendar plugin for WordPress is vulnerable to time-based SQL Injection via the 's' parameter in all versions up to, and including, 6.15.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN The Events Calendar

CVE-2025-9807

HIGH CVSS 7.5 2025-09-12
Threat Entry Updated 2025-09-11

CVE-2025-9018 - Time Tracker Plugin

The Time Tracker plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'tt_update_table_function' and 'tt_delete_record_function' functions in all versions up to, and including, 3.1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update options such as user registration and default role, allowing anyone to register as an Administrator, and to delete limited data from the database.

PLUGIN Time Tracker

CVE-2025-9018

HIGH CVSS 8.8 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-9874 - Ultimate Classified Listings Plugin

The Ultimate Classified Listings plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6 via the 'uclwp_dashboard' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

PLUGIN Ultimate Classified Listings

CVE-2025-9874

HIGH CVSS 7.5 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-9693 - User Meta Plugin

The User Meta – User Profile Builder and User management plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the postInsertUserProcess function in all versions up to, and including, 3.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN User Meta

CVE-2025-9693

HIGH CVSS 8.0 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-9073 - All In One Minifier Plugin

The All in one Minifier plugin for WordPress is vulnerable to SQL Injection via the 'post_id' parameter in all versions up to, and including, 3.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN All In One Minifier

CVE-2025-9073

HIGH CVSS 7.5 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8425 - My Wp Translate Plugin

The My WP Translate plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajax_import_strings() function in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

PLUGIN My Wp Translate

CVE-2025-8425

HIGH CVSS 8.8 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8417 - Intelligent Importer Plugin

The Catalog Importer, Scraper & Crawler plugin for WordPress is vulnerable to PHP code injection in all versions up to, and including, 5.1.4. This is due to reliance on a guessable numeric token (e.g. ?key= 900001705) without proper authentication, combined with the unsafe use of eval() on user-supplied input. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on the server via a forged request, provided they can guess or brute-force the numeric key.

PLUGIN Intelligent Importer

CVE-2025-8417

HIGH CVSS 8.1 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8422 - All In One Client Management System Plugin

The Propovoice: All-in-One Client Management System plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.7.6.7 via the send_email() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN All In One Client Management System

CVE-2025-8422

HIGH CVSS 7.5 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-7718 - Resideo Plugin For Resideo Real Estate Wordpress Theme

The Resideo Plugin for Resideo - Real Estate WordPress Theme plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.5.4. This is due to the plugin not properly validating a user's identity prior to updating their details, such as their email address. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary users' email addresses, including administrators', and leverage that to reset the user's password and gain access to their account.

PLUGIN Resideo Plugin For Resideo Real Estate Wordpress Theme

CVE-2025-7718

HIGH CVSS 8.8 2025-09-10
Threat Entry Updated 2025-09-11

CVE-2025-7049 - Wpgym Wordpress Gym Management System Plugin

The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 67.7.0 via the 'MJ_gmgt_gmgt_add_user' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the email, password, and other details of any user, including Administrator users.

PLUGIN Wpgym Wordpress Gym Management System

CVE-2025-7049

HIGH CVSS 8.8 2025-09-10
Threat Entry Updated 2025-09-11

CVE-2025-10040 - Ultimate Csv Xml Importer For Wordpress Plugin

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_ftp_details' AJAX action in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a configured set of SFTP/FTP credentials.

PLUGIN Ultimate Csv Xml Importer For Wordpress

CVE-2025-10040

HIGH CVSS 7.7 2025-09-10
Threat Entry Updated 2025-09-11

CVE-2025-10049 - Responsive Filterable Portfolio Plugin

The Responsive Filterable Portfolio plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the HdnMediaSelection_image field in all versions up to, and including, 1.0.24. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Responsive Filterable Portfolio

CVE-2025-10049

HIGH CVSS 7.2 2025-09-10
Threat Entry Updated 2025-09-11

CVE-2025-10001 - Import Any Xml Csv Or Excel File To Wordpress Plugin

The Import any XML, CSV or Excel File to WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload unsafe files like .phar files on the affected site's server which may make remote code execution possible.

PLUGIN Import Any Xml Csv Or Excel File To Wordpress

CVE-2025-10001

HIGH CVSS 7.2 2025-09-10