Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 1081-1100 of 3044 records
CVE-2025-3812 - Wpbot Pro Wordpress Chatbot (PLUGIN) | HIGH, CVSS 8.1, 2025-05-17 | Threat entry updated 2025-05-19

The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the qcld_openai_delete_training_file() function in all versions up to, and including, 13.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CVE-2025-4190 - Csv Mass Importer (PLUGIN) | HIGH, CVSS 7.2, 2025-05-17 | Threat entry updated 2025-06-12

The CSV Mass Importer WordPress plugin through 1.2 does not properly validate uploaded files, allowing high-privilege users such as admins to upload arbitrary files to the server even when they should not be allowed to (for example in a multisite setup).

CVE-2025-32306 - Allows Blind Sql Injection (PLUGIN) | HIGH, CVSS 8.5, 2025-05-16 | Threat entry updated 2025-05-19

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Radio Player Shoutcast & Icecast WordPress Plugin allows Blind SQL Injection. This issue affects Radio Player Shoutcast & Icecast WordPress Plugin: from n/a through 4.4.6.

CVE-2025-31922 - WordPress Core (CORE) | HIGH, CVSS 7.1, 2025-05-16 | Threat entry updated 2025-05-19

Cross-Site Request Forgery (CSRF) vulnerability in QuanticaLabs CSS3 Accordions for WordPress allows Stored XSS. This issue affects CSS3 Accordions for WordPress: from n/a through 3.0.

CVE-2025-31640 - WordPress Core (CORE) | HIGH, CVSS 8.5, 2025-05-16 | Threat entry updated 2025-05-19

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Magic Responsive Slider and Carousel WordPress allows SQL Injection. This issue affects Magic Responsive Slider and Carousel WordPress: from n/a through 1.4.

CVE-2024-9831 - Before 3 (PLUGIN) | HIGH, CVSS 7.2, 2025-05-15 | Threat entry updated 2025-06-12

The Taskbuilder WordPress plugin before 3.0.9 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.

CVE-2024-8700 - Event Calendar (PLUGIN) | HIGH, CVSS 7.5, 2025-05-15 | Threat entry updated 2025-06-04

The Event Calendar WordPress plugin through 1.0.4 does not check for authorization on delete actions, allowing unauthenticated users to delete arbitrary calendars.

CVE-2024-8699 - Before 1 (PLUGIN) | HIGH, CVSS 7.2, 2025-05-15 | Threat entry updated 2025-05-28

The Z-Downloads WordPress plugin before 1.11.5 does not properly validate uploaded files, allowing high-privilege users such as admins to upload arbitrary files to the server even when they should not be allowed to (for example in a multisite setup).

CVE-2024-6719 - Offload Videos (PLUGIN) | HIGH, CVSS 8.1, 2025-05-15 | Threat entry updated 2026-01-05

The Offload Videos WordPress plugin before 1.0.1 does not have a CSRF check in place when updating its settings, which could allow low-privilege users to update them via a CSRF attack.

CVE-2024-6486 - Imagemagick Engine (PLUGIN) | HIGH, CVSS 7.2, 2025-05-15 | Threat entry updated 2025-06-11

The ImageMagick Engine WordPress plugin before 1.7.11 is vulnerable to OS Command Injection via the "cli_path" parameter. This allows authenticated attackers, with administrator-level permissions, to execute arbitrary OS commands on the server, leading to remote code execution.

CVE-2024-12812 - Before 1 (PLUGIN) | HIGH, CVSS 7.5, 2025-05-15 | Threat entry updated 2025-08-22

The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting WordPress plugin before 1.13.4 is affected by an IDOR issue where employees can manipulate parameters to access the data of terminated employees.

CVE-2024-12735 - Advance Post Prefix (PLUGIN) | HIGH, CVSS 7.2, 2025-05-15 | Threat entry updated 2025-05-22

The Advance Post Prefix WordPress plugin through 1.1.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins and above to perform SQL injection attacks.

CVE-2024-11372 - Connexion Logs (PLUGIN) | HIGH, CVSS 7.2, 2025-05-15 | Threat entry updated 2025-06-09

The Connexion Logs WordPress plugin through 3.0.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.

CVE-2024-11267 - Jsp Store Locator (PLUGIN) | HIGH, CVSS 8.8, 2025-05-15 | Threat entry updated 2025-06-12

The JSP Store Locator WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing users with the Contributor role to perform SQL injection attacks.

CVE-2024-11269 - Through 1 (PLUGIN) | HIGH, CVSS 7.2, 2025-05-15 | Threat entry updated 2025-06-12

The AHAthat Plugin WordPress plugin through 1.6 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.

CVE-2024-0852 - Activity Logging For (PLUGIN) | HIGH, CVSS 8.8, 2025-05-15 | Threat entry updated 2025-11-13

The coreActivity: Activity Logging for WordPress plugin before 1.8.1 does not escape some request data when outputting it back in the admin dashboard, allowing unauthenticated users to perform Stored XSS attacks against high-privilege users such as admins.

CVE-2024-0249 - Advanced Schedule Posts (PLUGIN) | HIGH, CVSS 7.1, 2025-05-15 | Threat entry updated 2025-11-13

The Advanced Schedule Posts WordPress plugin through 2.1.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admins.

CVE-2023-7239 - Wp Dashboard Notes (PLUGIN) | HIGH, CVSS 7.5, 2025-05-15 | Threat entry updated 2025-06-09

The WP Dashboard Notes WordPress plugin before 1.0.11 does not validate that the user has access to the post_id parameter in its wpdn_update_note AJAX action. This allows users with a role of contributor and above to update notes created by other users.

CVE-2023-7197 - Marketing Twitter Bot (PLUGIN) | HIGH, CVSS 7.1, 2025-05-15 | Threat entry updated 2025-06-11

The Marketing Twitter Bot WordPress plugin through 1.11 does not have CSRF checks in some places and is missing sanitisation and escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.
