Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 3,040 · Critical 0 · High 3,040 · Medium 0
Showing 881-900 of 3040 records
Threat Entry Updated 2025-09-11

CVE-2025-48101 - WordPress Core

Deserialization of Untrusted Data vulnerability in webdevstudios Constant Contact for WordPress allows Object Injection. This issue affects Constant Contact for WordPress: from n/a through 4.1.1.

CORE WordPress Core

CVE-2025-48101

HIGH CVSS 8.8 2025-09-09
Threat Entry Updated 2025-09-09

CVE-2025-9539 - Custom Integrations In Wordpress Plugin

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the automatorwp_ajax_import_automation_from_url function in all versions up to, and including, 5.3.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary automations, which can lead to Remote Code Execution or Privilege Escalation once such an automation is activated by the administrator.

PLUGIN Custom Integrations In Wordpress

CVE-2025-9539

HIGH CVSS 8.0 2025-09-09
Threat Entry Updated 2025-09-09

CVE-2025-9112 - Doccure Theme

The Doccure theme for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'doccure_temp_file_uploader' function in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.

THEME Doccure

CVE-2025-9112

HIGH CVSS 8.8 2025-09-08
Threat Entry Updated 2026-02-09

CVE-2025-8085 - Before 3 Plugin

The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.

PLUGIN Before 3

CVE-2025-8085

HIGH CVSS 8.6 2025-09-08
Threat Entry Updated 2025-09-08

CVE-2025-7040 - Cloud Sso Single Sign On Plugin

The Cloud SAML SSO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'set_organization_settings' action of the csso_handle_actions() function in all versions up to, and including, 1.0.19. The handler reads client-supplied POST parameters for organization settings and passes them directly to update_option() without any check of the user’s capabilities or a CSRF nonce. This makes it possible for unauthenticated attackers to change critical configuration (including toggling signing and encryption), potentially breaking the SSO flow and causing a denial-of-service.

PLUGIN Cloud Sso Single Sign On

CVE-2025-7040

HIGH CVSS 8.2 2025-09-06
Threat Entry Updated 2025-09-08

CVE-2025-9515 - Multi Step Form Plugin

The Multi Step Form plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the import functionality in all versions up to, and including, 1.7.25. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Multi Step Form

CVE-2025-9515

HIGH CVSS 7.2 2025-09-06
Threat Entry Updated 2025-09-08

CVE-2025-7366 - Multi Vendor Marketplace Wordpress Theme

The REHub - Price Comparison, Multi Vendor Marketplace Wordpress Theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 19.9.7. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

THEME Multi Vendor Marketplace Wordpress Theme

CVE-2025-7366

HIGH CVSS 7.3 2025-09-06
Threat Entry Updated 2025-09-05

CVE-2025-58855 - Allows Reflected Xss Plugin

Improper Neutralization of Formula Elements in a CSV File vulnerability in Denis V (Artprima) AP HoneyPot WordPress Plugin allows Reflected XSS. This issue affects AP HoneyPot WordPress Plugin: from n/a through 1.4.

PLUGIN Allows Reflected Xss

CVE-2025-58855

HIGH CVSS 7.1 2025-09-05
Threat Entry Updated 2025-09-05

CVE-2025-58846 - WordPress Core

Cross-Site Request Forgery (CSRF) vulnerability in Dejan Markovic WordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and Schedule allows Reflected XSS. This issue affects WordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and Schedule: from n/a through 2020.1.0.

CORE WordPress Core

CVE-2025-58846

HIGH CVSS 7.1 2025-09-05
Threat Entry Updated 2025-09-05

CVE-2025-58806 - WordPress Core

Cross-Site Request Forgery (CSRF) vulnerability in imjoehaines WordPress Error Monitoring by Bugsnag allows Stored XSS. This issue affects WordPress Error Monitoring by Bugsnag: from n/a through 1.6.3.

CORE WordPress Core

CVE-2025-58806

HIGH CVSS 7.1 2025-09-05
Threat Entry Updated 2025-09-05

CVE-2025-9990 - Wp Helpdesk Integration Plugin

The WordPress Helpdesk Integration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.8.10 via the portal_type parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

PLUGIN Wp Helpdesk Integration

CVE-2025-9990

HIGH CVSS 8.1 2025-09-05
Threat Entry Updated 2025-09-04

CVE-2025-9519 - Easy Timer Plugin

The Easy Timer plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.1 via the plugin's shortcodes. This is due to insufficient restriction of shortcode attributes. This makes it possible for authenticated attackers, with Editor-level access and above, to execute code on the server.

PLUGIN Easy Timer

CVE-2025-9519

HIGH CVSS 7.2 2025-09-04
Threat Entry Updated 2025-09-04

CVE-2025-9518 - Atec Debug Plugin

The atec Debug plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation on the 'debug_path' parameter in all versions up to, and including, 1.2.22. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Atec Debug

CVE-2025-9518

HIGH CVSS 7.2 2025-09-04
Threat Entry Updated 2025-09-04

CVE-2025-9517 - Atec Debug Plugin

The atec Debug plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 1.2.22 via the 'custom_log' parameter. This is due to insufficient sanitization when saving the custom log path. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.

PLUGIN Atec Debug

CVE-2025-9517

HIGH CVSS 7.2 2025-09-04
Threat Entry Updated 2025-12-22

CVE-2025-6085 - Make Connector Plugin

The Make Connector plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'upload_media' function in all versions up to, and including, 1.5.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Make Connector

CVE-2025-6085

HIGH CVSS 7.2 2025-09-04
Threat Entry Updated 2025-12-08

CVE-2024-13342 - Booster For Woocommerce Plugin

The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'add_files_to_order' function in all versions up to, and including, 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files with double extensions on the affected site's server which may make remote code execution possible. This is only exploitable on select instances where the configuration will execute the first extension present.

PLUGIN Booster For Woocommerce

CVE-2024-13342

HIGH CVSS 8.1 2025-08-29
Threat Entry Updated 2025-08-29

CVE-2025-53243 - Team Directory Plugin

Deserialization of Untrusted Data vulnerability in emarket-design Employee Directory – Staff Listing & Team Directory Plugin for WordPress allows Object Injection. This issue affects Employee Directory – Staff Listing & Team Directory Plugin for WordPress: from n/a through 4.5.3.

PLUGIN Team Directory

CVE-2025-53243

HIGH CVSS 8.1 2025-08-28
Threat Entry Updated 2025-08-29

CVE-2025-48353 - WordPress Core

Cross-Site Request Forgery (CSRF) vulnerability in dactum Clickbank WordPress Plugin (Niche Storefront) allows Stored XSS. This issue affects Clickbank WordPress Plugin (Niche Storefront): from n/a through 1.3.5.

CORE WordPress Core

CVE-2025-48353

HIGH CVSS 7.1 2025-08-28
Threat Entry Updated 2025-08-29

CVE-2024-13807 - Xagio Seo Plugin

The Xagio SEO plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.1.0.5 via the backup functionality due to weak filename structure and lack of protection in the directory. This makes it possible for unauthenticated attackers to extract sensitive data from backups which can include the entire database and site's files.

PLUGIN Xagio Seo

CVE-2024-13807

HIGH CVSS 7.5 2025-08-28
Threat Entry Updated 2025-08-29

CVE-2025-7812 - Turnkey Video Site Builder Script Plugin

The Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.6. This is due to missing or incorrect nonce validation on the adminExport() function. This makes it possible for unauthenticated attackers to update settings and execute remote code when the Server command execution setting is enabled via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Turnkey Video Site Builder Script

CVE-2025-7812

HIGH CVSS 8.8 2025-08-28