Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Records: 3,040 total (Critical 0, High 3,040, Medium 0)

Showing 1021-1040 of 3040 records

CVE-2025-5927 - Everest Forms Plugin
Plugin: Everest Forms | HIGH, CVSS 7.5, 2025-06-25 | Threat entry updated 2025-07-08

The Everest Forms (Pro) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.9.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The vulnerability requires an admin to trigger the deletion via deletion of a form entry and cannot be carried out by the attacker alone.

CVE-2025-6206 - Aiomatic Plugin
Plugin: Aiomatic | HIGH, CVSS 7.5, 2025-06-24 | Threat entry updated 2025-08-13

The Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aiomatic_image_editor_ajax_submit' function in all versions up to, and including, 2.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. In order to exploit the vulnerability, there must be a value entered for the Stability.AI API key. The…

CVE-2025-5034 - Wp File Download Plugin
Plugin: Wp File Download | HIGH, CVSS 7.1, 2025-06-21 | Threat entry updated 2025-07-02

The wp-file-download WordPress plugin before 6.2.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting vulnerability.

CVE-2025-4102 - Beaver Builder Plugin
Plugin: Beaver Builder | HIGH, CVSS 7.2, 2025-06-20 | Threat entry updated 2025-07-11

The Beaver Builder Plugin (Starter Version) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_enabled_icons' function in all versions up to, and including, 2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability was partially patched in version 2.9.1.

CVE-2025-5071 - Ai Engine Plugin
Plugin: Ai Engine | HIGH, CVSS 8.8, 2025-06-19 | Threat entry updated 2025-08-11

The AI Engine plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Meow_MWAI_Labs_MCP::can_access_mcp' function in versions 2.8.0 to 2.8.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the MCP and run various commands like 'wp_create_user', 'wp_update_user' and 'wp_update_option', which can be used for privilege escalation, and 'wp_update_post', 'wp_delete_post', 'wp_update_comment' and 'wp_delete_comment', which can be used to edit and delete posts and comments.

CVE-2025-6220 - Ultimate Addons For Contact Form 7 Plugin
Plugin: Ultimate Addons For Contact Form 7 | HIGH, CVSS 7.2, 2025-06-18 | Threat entry updated 2025-07-09

The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_options' function in all versions up to, and including, 3.5.12. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVE-2025-6086 - Csv Me Plugin
Plugin: Csv Me | HIGH, CVSS 7.2, 2025-06-18 | Threat entry updated 2025-06-18

The CSV Me plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'csv_me_options_page' function in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVE-2025-4413 - Pixabay Images Plugin
Plugin: Pixabay Images | HIGH, CVSS 8.8, 2025-06-18 | Threat entry updated 2025-06-18

The Pixabay Images plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the pixabay_upload function in all versions up to, and including, 3.4. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVE-2025-49312 - This Issue Affects Echo Rss Feed Post Generator Plugin
Plugin: This Issue Affects Echo Rss Feed Post Generator | HIGH, CVSS 7.1, 2025-06-17 | Threat entry updated 2025-06-17

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeRevolution Echo RSS Feed Post Generator Plugin for WordPress allows Reflected XSS. This issue affects Echo RSS Feed Post Generator Plugin for WordPress: from n/a through 5.4.8.1.

CVE-2025-48333 - WordPress Core
Core: WordPress Core | HIGH, CVSS 7.1, 2025-06-17 | Threat entry updated 2025-06-17

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPQuark eForm - WordPress Form Builder allows Reflected XSS. This issue affects eForm - WordPress Form Builder: from n/a through n/a.

CVE-2025-3515 - Drag And Drop Multiple File Upload Contact Form 7 Plugin
Plugin: Drag And Drop Multiple File Upload Contact Form 7 | HIGH, CVSS 8.1, 2025-06-17 | Threat entry updated 2025-08-11

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.3.8.9. This makes it possible for unauthenticated attackers to bypass the plugin's blacklist and upload .phar or other dangerous file types on the affected site's server, which may make remote code execution possible on the servers that are configured to handle .phar files as executable PHP scripts, particularly in default Apache+mod_php configurations where the file extension is…

CVE-2025-3774 - Wise Chat Plugin
Plugin: Wise Chat | HIGH, CVSS 7.2, 2025-06-17 | Threat entry updated 2025-06-17

The Wise Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the X-Forwarded-For header in all versions up to, and including, 3.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-4200 - Accessories Woocommerce Wordpress Theme
Theme: Accessories Woocommerce Wordpress Theme | HIGH, CVSS 8.1, 2025-06-14 | Threat entry updated 2025-06-16

The Zagg - Electronics & Accessories WooCommerce WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.1 via the load_view() function that is called via at least three AJAX actions: 'load_more_post', 'load_shop', and 'load_more_product'. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other…

CVE-2025-5487 - Custom Integrations In Wordpress Plugin
Plugin: Custom Integrations In Wordpress | HIGH, CVSS 7.2, 2025-06-14 | Threat entry updated 2025-06-16

The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the field_conditions parameter in all versions up to, and including, 5.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Administrators can configure the…

CVE-2025-3234 - Filester Plugin
Plugin: Filester | HIGH, CVSS 7.2, 2025-06-14 | Threat entry updated 2025-06-16

The File Manager Pro – Filester plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.8.8. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Administrators have the ability to extend file manager usage privileges to lower-level users including subscribers, which would make this vulnerability more severe on such sites.

CVE-2025-5282 - Wp Travel Engine Plugin
Plugin: Wp Travel Engine | HIGH, CVSS 7.5, 2025-06-13 | Threat entry updated 2025-07-10

The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_package() function in all versions up to, and including, 6.5.1. This makes it possible for unauthenticated attackers to delete arbitrary posts.

CVE-2025-5012 - Workreap Plugin
Plugin: Workreap | HIGH, CVSS 8.8, 2025-06-12 | Threat entry updated 2025-07-10

The Workreap plugin for WordPress, used by the Workreap - Freelance Marketplace WordPress Theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'workreap_temp_upload_to_media' function in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVE-2025-3302 - Ai Powered Seo Plugin
Plugin: Ai Powered Seo | HIGH, CVSS 7.2, 2025-06-11 | Threat entry updated 2025-06-12

The Xagio SEO – AI Powered SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'HTTP_REFERER' parameter in all versions up to, and including, 7.1.0.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 7.1.0.0.

CVE-2025-4315 - Cubewp Plugin
Plugin: Cubewp | HIGH, CVSS 8.8, 2025-06-11 | Threat entry updated 2025-07-10

The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.23. This is due to the plugin allowing a user to update arbitrary user meta through the update_user_meta() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.

CVE-2025-5395 - Wordpress Automatic Plugin
Plugin: Wordpress Automatic | HIGH, CVSS 8.8, 2025-06-11 | Threat entry updated 2025-06-12

The WordPress Automatic Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'core.php' file in all versions up to, and including, 3.115.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.