Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-06-11
CVE-2023-7174 - Abitgone Commentsafe Plugin
The aBitGone CommentSafe WordPress plugin through 1.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
PLUGIN
Abitgone Commentsafe
CVE-2023-7174
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2023-5934 - All Travel Brands In One Place Plugin
The Travelpayouts: All Travel Brands in One Place WordPress plugin before 1.1.13 does not have CSRF check in place when importing settings from the v1, which could allow attackers to make a logged in admin update some settings via a CSRF attack
PLUGIN
All Travel Brands In One Place
CVE-2023-5934
Risk Score
Threat Entry
Updated 2025-07-01
CVE-2024-13914 - File Manager Advanced Shortcode Plugin
The File Manager Advanced Shortcode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.4 (file-manager-advanced-shortcode) and 2.5.6 (advanced-file-manager-pro-premium), via the 'file_manager_advanced' shortcode. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary JavaScript files on the server. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. Sites currently using 2.5.4 (file-manager-advanced-shortcode) should be updated to…
PLUGIN
File Manager Advanced Shortcode
CVE-2024-13914
Risk Score
Threat Entry
Updated 2025-05-16
CVE-2025-3053 - Admin Themes And Pages Plugin
The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.5.07 via the uip_process_form_input() function. This is due to the function taking user supplied inputs to execute arbitrary functions with arbitrary data, and does not have any sort of capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary code on the server.
PLUGIN
Admin Themes And Pages
CVE-2025-3053
Risk Score
Threat Entry
Updated 2025-05-16
CVE-2025-4579 - Wp Content Security Policy Plugin
The WP Content Security Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the blocked-uri and effective-directive parameters in all versions up to, and including, 2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Content Security Policy
CVE-2025-4579
Risk Score
Threat Entry
Updated 2025-05-13
CVE-2025-4474 - Frontend Dashboard Plugin
The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the fed_admin_setting_form_function() function in versions 1.0 to 2.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the plugin’s 'register' role setting to make new user registrations default to the administrator role, leading to an elevation of privileges to that of an administrator.
PLUGIN
Frontend Dashboard
CVE-2025-4474
Risk Score
Threat Entry
Updated 2025-05-13
CVE-2025-4473 - Frontend Dashboard Plugin
The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ajax_request() function in versions 1.0 to 2.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to control where the plugin sends outgoing emails. By pointing SMTP to their own server, attackers could capture password reset emails intended for administrators, and elevate their privileges for full site takeover.
PLUGIN
Frontend Dashboard
CVE-2025-4473
Risk Score
Threat Entry
Updated 2025-05-13
CVE-2025-4317 - Thegem Theme
The TheGem theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the thegem_get_logo_url() function in all versions up to, and including, 5.10.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
THEME
Thegem
CVE-2025-4317
Risk Score
Threat Entry
Updated 2025-05-13
CVE-2025-4396 - A Better Search Plugin
The Relevanssi – A Better Search plugin for WordPress is vulnerable to time-based SQL Injection via the cats and tags query parameters in all versions up to, and including, 4.24.4 (Free) and
PLUGIN
A Better Search
CVE-2025-4396
Risk Score
Threat Entry
Updated 2025-05-21
CVE-2025-3876 - Sms Alert Order Notifications Plugin
The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to insufficient user OTP validation in the handleWpLoginCreateUserAction() function in all versions up to, and including, 3.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to impersonate any account by supplying its username or email and elevate their privileges to that of an administrator.
PLUGIN
Sms Alert Order Notifications
CVE-2025-3876
Risk Score
Threat Entry
Updated 2025-05-12
CVE-2025-2158 - Wp Review Plugin
The WordPress Review Plugin: The Ultimate Solution for Building a Review Website plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.3.5 via the Post custom fields. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP file types can be uploaded and…
PLUGIN
Wp Review
CVE-2025-2158
Risk Score
Threat Entry
Updated 2025-05-12
CVE-2025-4206 - Groundhogg Plugin
The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'process_export_delete' and 'process_import_delete' functions in all versions up to, and including, 4.1.1.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
PLUGIN
Groundhogg
CVE-2025-4206
Risk Score
Threat Entry
Updated 2025-05-12
CVE-2025-3455 - 1 Click Migration Plugin
The 1 Click WordPress Migration Plugin – 100% FREE for a limited time plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'start_restore' function in all versions up to, and including, 2.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
1 Click Migration
CVE-2025-3455
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2025-3419 - Eventin Plugin
The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 4.0.26 via the proxy_image() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Eventin
CVE-2025-3419
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2024-13793 - Multi Vendor Marketplace Woocommerce Theme
The Wolmart | Multi-Vendor Marketplace WooCommerce Theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.8.11. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
THEME
Multi Vendor Marketplace Woocommerce Theme
CVE-2024-13793
Risk Score
Threat Entry
Updated 2025-05-07
CVE-2025-4335 - Woocommerce Multiple Addresses Plugin
The Woocommerce Multiple Addresses plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.7.1. This is due to insufficient restrictions on user meta that can be updated through the save_multiple_shipping_addresses() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
PLUGIN
Woocommerce Multiple Addresses
CVE-2025-4335
Risk Score
Threat Entry
Updated 2025-05-07
CVE-2025-3921 - Peprodev Ups Plugin
The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handel_ajax_req() function in versions 1.9.1 to 7.5.2. This makes it possible for unauthenticated attackers to update arbitrary user's metadata which can be leveraged to block an administrator from accessing their site when wp_capabilities is set to 0.
PLUGIN
Peprodev Ups
CVE-2025-3921
Risk Score
Threat Entry
Updated 2025-05-07
CVE-2025-3852 - E Commerce Plugin
The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.0 to 2.6.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email & password through the update() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
PLUGIN
E Commerce
CVE-2025-3852
Risk Score
Threat Entry
Updated 2025-05-07
CVE-2025-0856 - Pgs Core Plugin
The PGS Core plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.8.0. This makes it possible for unauthenticated attackers to add, modify, or plugin options.
PLUGIN
Pgs Core
CVE-2025-0856
Risk Score
Threat Entry
Updated 2025-05-07
CVE-2025-0853 - Pgs Core Plugin
The PGS Core plugin for WordPress is vulnerable to SQL Injection via the 'event' parameter in the 'save_header_builder' function in all versions up to, and including, 5.8.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Pgs Core
CVE-2025-0853
Risk Score