
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 1161-1180 of 3044 records
Threat Entry Updated 2025-04-21

CVE-2025-3809 - Debug Log Manager Plugin

The Debug Log Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the auto-refresh debug log in all versions up to, and including, 2.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Debug Log Manager

CVE-2025-3809

HIGH CVSS 7.2 2025-04-19
Threat Entry Updated 2025-05-28

CVE-2024-13926 - WP-Syntax Plugin

The WP-Syntax WordPress plugin through 1.2 does not properly handle input, allowing an attacker to create a post containing a large number of tags, thereby exploiting a catastrophic backtracking issue in the regular expression processing to cause a DoS.

PLUGIN WP-Syntax

CVE-2024-13926

HIGH CVSS 7.5 2025-04-19
Threat Entry Updated 2025-04-21

CVE-2025-3103 - Html5 Radio Player With History Shoutcast And Icecast Elementor Widget Addon Plugin

The CLEVER - HTML5 Radio Player With History - Shoutcast and Icecast - Elementor Widget Addon plugin for WordPress is vulnerable to arbitrary file read due to insufficient file path validation in the 'history.php' file in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to read arbitrary files on the affected site's server, which may contain sensitive information including database credentials. The vulnerability was partially patched in version 2.4.

PLUGIN Html5 Radio Player With History Shoutcast And Icecast Elementor Widget Addon

CVE-2025-3103

HIGH CVSS 7.5 2025-04-19
Threat Entry Updated 2025-04-21

CVE-2025-2010 - JobWP (Job Board, Job Listing, Career Page and Recruitment) Plugin

The JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin plugin for WordPress is vulnerable to SQL Injection via the 'jobwp_upload_resume' parameter in all versions up to, and including, 2.3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN JobWP

CVE-2025-2010

HIGH CVSS 7.5 2025-04-19
Threat Entry Updated 2025-04-21

CVE-2025-3520 - Avatar Plugin

The Avatar plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to, and including, 0.1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Avatar

CVE-2025-3520

HIGH CVSS 8.1 2025-04-18
Threat Entry Updated 2025-04-17

CVE-2025-39431 - Amazon Showcase Plugin

Cross-Site Request Forgery (CSRF) vulnerability in Aaron Forgue Amazon Showcase WordPress Plugin allows Stored XSS. This issue affects Amazon Showcase WordPress Plugin: from n/a through 2.2.

PLUGIN Amazon Showcase

CVE-2025-39431

HIGH CVSS 7.1 2025-04-17
Threat Entry Updated 2025-04-17

CVE-2025-39417 - Redirect wordpress to welcome or landing page Plugin

Cross-Site Request Forgery (CSRF) vulnerability in Eslam Mahmoud Redirect wordpress to welcome or landing page allows Stored XSS. This issue affects Redirect wordpress to welcome or landing page: from n/a through 2.0.

PLUGIN Redirect wordpress to welcome or landing page

CVE-2025-39417

HIGH CVSS 7.1 2025-04-17
Threat Entry Updated 2025-04-17

CVE-2025-32630 - WP-BusinessDirectory Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory allows Reflected XSS. This issue affects WP-BusinessDirectory: from n/a through 3.1.2.

PLUGIN WP-BusinessDirectory

CVE-2025-32630

HIGH CVSS 7.1 2025-04-17
Threat Entry Updated 2025-04-17

CVE-2025-32592 - TableOn (WordPress Posts Table Filterable) Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 TableOn – WordPress Posts Table Filterable allows Stored XSS. This issue affects TableOn – WordPress Posts Table Filterable: from n/a through 1.0.3.

PLUGIN TableOn

CVE-2025-32592

HIGH CVSS 7.1 2025-04-17
Threat Entry Updated 2025-04-17

CVE-2025-32520 - WordPress Health and Server Condition Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in M. Ali Saleem WordPress Health and Server Condition – Integrated with Google Page Speed allows Reflected XSS. This issue affects WordPress Health and Server Condition – Integrated with Google Page Speed: from n/a through 4.1.1.

PLUGIN WordPress Health and Server Condition

CVE-2025-32520

HIGH CVSS 7.1 2025-04-17
Threat Entry Updated 2025-04-17

CVE-2025-27291 - WordPress Photo Gallery (Image Gallery) Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxgallery WordPress Photo Gallery – Image Gallery allows Reflected XSS. This issue affects WordPress Photo Gallery – Image Gallery: from n/a through 2.0.4.

PLUGIN WordPress Photo Gallery

CVE-2025-27291

HIGH CVSS 7.1 2025-04-17
Threat Entry Updated 2025-04-17

CVE-2025-24548 - Autoglot (Automatic WordPress Translation) Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Autoglot Autoglot – Automatic WordPress Translation allows Reflected XSS. This issue affects Autoglot – Automatic WordPress Translation: from n/a through 2.4.7.

PLUGIN Autoglot

CVE-2025-24548

HIGH CVSS 7.1 2025-04-17
Threat Entry Updated 2025-04-29

CVE-2024-13925 - Klarna Checkout For Woocommerce Plugin

The Klarna Checkout for WooCommerce WordPress plugin before 2.13.5 exposes an unauthenticated WooCommerce Ajax endpoint that allows an attacker to flood the log files with data at the maximum size allowed for a POST parameter per request. This can result in rapid consumption of disk space, potentially filling the entire disk.

PLUGIN Klarna Checkout For Woocommerce

CVE-2024-13925

HIGH CVSS 7.5 2025-04-17
Threat Entry Updated 2025-07-09

CVE-2025-3294 - Wp Editor Plugin

The WP Editor plugin for WordPress is vulnerable to arbitrary file update due to missing file path validation in all versions up to, and including, 1.2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to overwrite arbitrary files on the affected site's server which may make remote code execution possible assuming the files can be written to by the web server.

PLUGIN Wp Editor

CVE-2025-3294

HIGH CVSS 7.2 2025-04-17
Threat Entry Updated 2025-04-29

CVE-2025-2563 - User Registration & Membership Plugin

The User Registration & Membership WordPress plugin before 4.1.2 does not prevent users from setting their own account role when the Membership Addon is enabled, leading to a privilege escalation issue and allowing unauthenticated users to gain admin privileges.

PLUGIN User Registration & Membership

CVE-2025-2563

HIGH CVSS 8.1 2025-04-14
Threat Entry Updated 2025-04-15

CVE-2025-3418 - Wpc Admin Columns Plugin

The WPC Admin Columns plugin for WordPress is vulnerable to privilege escalation in versions 2.0.6 to 2.1.0. This is due to the plugin not properly restricting user meta values that can be updated through the ajax_edit_save() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to that of an administrator.

PLUGIN Wpc Admin Columns

CVE-2025-3418

HIGH CVSS 8.8 2025-04-12
Threat Entry Updated 2025-04-11

CVE-2025-3434 - Smtp Amazon Ses Plugin

The SMTP for Amazon SES – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Email Logs in all versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Smtp Amazon Ses

CVE-2025-3434

HIGH CVSS 7.2 2025-04-11
Threat Entry Updated 2025-04-11

CVE-2025-32629 - WP-BusinessDirectory Plugin

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory allows Path Traversal. This issue affects WP-BusinessDirectory: from n/a through 3.1.2.

PLUGIN WP-BusinessDirectory

CVE-2025-32629

HIGH CVSS 8.6 2025-04-11
Threat Entry Updated 2025-04-11

CVE-2025-31015 - MailHawk (WordPress SMTP Service, Email Delivery Solved!) Plugin

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Adrian Tobey WordPress SMTP Service, Email Delivery Solved! — MailHawk allows PHP Local File Inclusion. This issue affects WordPress SMTP Service, Email Delivery Solved! — MailHawk: from n/a through 1.3.1.

PLUGIN MailHawk

CVE-2025-31015

HIGH CVSS 7.5 2025-04-11
Threat Entry Updated 2025-04-11

CVE-2025-3417 - Embedder Plugin

The Embedder plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajax_set_global_option() function in versions 1.3 to 1.3.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

PLUGIN Embedder

CVE-2025-3417

HIGH CVSS 8.8 2025-04-10