
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3,044
Critical: 0
High: 3,044
Medium: 0
Showing 1181-1200 of 3044 records
Threat Entry Updated 2025-04-11

CVE-2025-2809 - Comments Plugin

The azurecurve Shortcodes in Comments plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN Comments

CVE-2025-2809

HIGH CVSS 7.3 2025-04-10
Threat Entry Updated 2025-04-11

CVE-2025-2805 - Order Post Plugin

The ORDER POST plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN Order Post

CVE-2025-2805

HIGH CVSS 7.3 2025-04-10
Threat Entry Updated 2025-04-30

CVE-2024-13874 - Before 2 Plugin

The Feedify WordPress plugin before 2.4.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Before 2

CVE-2024-13874

HIGH CVSS 7.1 2025-04-10
Threat Entry Updated 2025-04-11

CVE-2025-3102 - All In One Automation Platform Plugin

The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78. This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.

PLUGIN All In One Automation Platform

CVE-2025-3102

HIGH CVSS 8.1 2025-04-10
Threat Entry Updated 2025-04-09

CVE-2025-32597 - WordPress Core

Cross-Site Request Forgery (CSRF) vulnerability in George Sexton WordPress Events Calendar Plugin – connectDaily allows Cross-Site Scripting (XSS). This issue affects WordPress Events Calendar Plugin – connectDaily: from n/a through 1.4.8.

CORE WordPress Core

CVE-2025-32597

HIGH CVSS 7.1 2025-04-09
Threat Entry Updated 2025-04-09

CVE-2025-32581 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ankit Singla WordPress Spam Blocker allows Stored XSS. This issue affects WordPress Spam Blocker: from n/a through 2.0.4.

CORE WordPress Core

CVE-2025-32581

HIGH CVSS 7.1 2025-04-09
Threat Entry Updated 2025-08-08

CVE-2025-2807 - Motors Car Dealer Classifieds Listing Plugin

The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary plugin installations due to a missing capability check in the mvl_setup_wizard_install_plugin() function in all versions up to, and including, 1.4.64. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins on the affected site's server which may make remote code execution possible.

PLUGIN Motors Car Dealer Classifieds Listing

CVE-2025-2807

HIGH CVSS 8.8 2025-04-08
Threat Entry Updated 2025-04-08

CVE-2025-3064 - Wpfront User Role Editor Plugin

The WPFront User Role Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.1. This is due to missing or incorrect nonce validation on the whitelist_options() function. This makes it possible for unauthenticated attackers to update the default role option that can be leveraged for privilege escalation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This is only exploitable on multisite instances.

PLUGIN Wpfront User Role Editor

CVE-2025-3064

HIGH CVSS 8.8 2025-04-08
Threat Entry Updated 2025-06-04

CVE-2025-3431 - Zoomsounds Plugin

The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 6.91 via the 'dzsap_download' action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Zoomsounds

CVE-2025-3431

HIGH CVSS 7.5 2025-04-08
Threat Entry Updated 2025-04-08

CVE-2025-2526 - Streamit Theme

The Streamit theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details like email in the 'st_Authentication_Controller::edit_profile' function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.

THEME Streamit

CVE-2025-2526

HIGH CVSS 8.8 2025-04-08
Threat Entry Updated 2025-04-08

CVE-2025-2525 - Streamit Theme

The Streamit theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'st_Authentication_Controller::edit_profile' function in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.

THEME Streamit

CVE-2025-2525

HIGH CVSS 8.8 2025-04-08
Threat Entry Updated 2025-06-04

CVE-2024-13776 - Zoomsounds Plugin

The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'dzsap_delete_notice' AJAX action in all versions up to, and including, 6.91. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 'seen' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users…

PLUGIN Zoomsounds

CVE-2024-13776

HIGH CVSS 8.1 2025-04-05
Threat Entry Updated 2025-04-07

CVE-2025-2933 - Email Notifications For Updates Plugin

The Email Notifications for Updates plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the awun_import_settings() function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

PLUGIN Email Notifications For Updates

CVE-2025-2933

HIGH CVSS 8.8 2025-04-05
Threat Entry Updated 2025-04-07

CVE-2025-0810 - Expand Maker Plugin

The Read More & Accordion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.5. This is due to missing or incorrect nonce validation on the addNewButtons() function. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Expand Maker

CVE-2025-0810

HIGH CVSS 7.5 2025-04-05
Threat Entry Updated 2025-04-07

CVE-2024-13604 - Kb Support Plugin

The KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.4 via the 'kbs' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/kbs directory which can contain file attachments included in support tickets. The vulnerability was partially patched in version 1.7.3.2.

PLUGIN Kb Support

CVE-2024-13604

HIGH CVSS 7.5 2025-04-05
Threat Entry Updated 2025-04-07

CVE-2025-22282 - Allows Reflected Xss Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EPC ez Form Calculator - WordPress plugin allows Reflected XSS. This issue affects ez Form Calculator - WordPress plugin: from n/a through 2.14.1.2.

PLUGIN Allows Reflected Xss

CVE-2025-22282

HIGH CVSS 7.1 2025-04-04
Threat Entry Updated 2025-04-07

CVE-2025-3105 - Vehica Core Plugin

The Vehica Core plugin for WordPress, used by the Vehica - Car Dealer & Listing WordPress Theme, is vulnerable to privilege escalation in all versions up to, and including, 1.0.97. This is due to the plugin not properly validating user meta fields prior to updating them in the database. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator.

PLUGIN Vehica Core

CVE-2025-3105

HIGH CVSS 8.8 2025-04-04
Threat Entry Updated 2025-08-08

CVE-2025-2780 - Woffice Plugin

The Woffice Core plugin for WordPress, used by the Woffice Theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'saveFeaturedImage' function in all versions up to, and including, 5.4.21. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Woffice

CVE-2025-2780

HIGH CVSS 8.8 2025-04-04
Threat Entry Updated 2025-04-07

CVE-2025-2270 - Countdown Builder Plugin

The Countdown, Coming Soon, Maintenance – Countdown & Clock plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.8.9.1 via the createCdObj function. This makes it possible for unauthenticated attackers to include and execute files with the specific filenames on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in some cases.

PLUGIN Countdown Builder

CVE-2025-2270

HIGH CVSS 8.1 2025-04-04
Threat Entry Updated 2025-04-07

CVE-2025-2317 - Woo Product Filter Plugin

The Product Filter by WBW plugin for WordPress is vulnerable to time-based SQL Injection via the filtersDataBackend parameter in all versions up to, and including, 2.7.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Woo Product Filter

CVE-2025-2317

HIGH CVSS 7.5 2025-04-04