
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2025-04-09

CVE-2025-1487 - Wowpth Plugin

The WoWPth WordPress plugin through 2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

PLUGIN Wowpth

CVE-2025-1487

HIGH CVSS 7.1 2025-03-13
Threat Entry Updated 2025-04-09

CVE-2025-1486 - Wowpth Plugin

The WoWPth WordPress plugin through 2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

PLUGIN Wowpth

CVE-2025-1486

HIGH CVSS 7.1 2025-03-13
Threat Entry Updated 2025-10-06

CVE-2025-1436 - Limit Bio Plugin

The Limit Bio WordPress plugin through 1.0 does not have a CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

PLUGIN Limit Bio

CVE-2025-1436

HIGH CVSS 7.1 2025-03-13
Threat Entry Updated 2025-04-29

CVE-2025-1401 - Wp Click Info Plugin

The WP Click Info WordPress plugin through 2.7.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

PLUGIN Wp Click Info

CVE-2025-1401

HIGH CVSS 7.1 2025-03-13
Threat Entry Updated 2025-04-29

CVE-2024-13891 - Schedule Plugin

The Schedule WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

PLUGIN Schedule

CVE-2024-13891

HIGH CVSS 7.1 2025-03-13
Threat Entry Updated 2025-04-29

CVE-2024-13885 - Wp E Customers Beta Plugin

The WP e-Customers Beta WordPress plugin through 0.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Wp E Customers Beta

CVE-2024-13885

HIGH CVSS 7.1 2025-03-13
Threat Entry Updated 2025-04-29

CVE-2024-13884 - Limit Bio Plugin

The Limit Bio WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

PLUGIN Limit Bio

CVE-2024-13884

HIGH CVSS 7.1 2025-03-13
Threat Entry Updated 2025-05-26

CVE-2025-1561 - Apppresser Plugin

The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in all versions up to, and including, 4.4.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages when logging is enabled that will execute whenever a user accesses an injected page.

PLUGIN Apppresser

CVE-2025-1561

HIGH CVSS 7.2 2025-03-13
Threat Entry Updated 2025-03-13

CVE-2025-2107 - Arielbrailovsky Viralad Plugin

The ArielBrailovsky-ViralAd plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the printResultAndDie() function in all versions up to, and including, 1.0.8 due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation of the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries to existing queries, which can be used to extract sensitive information from the database. This only appears to be exploitable on very old versions of WordPress.

PLUGIN Arielbrailovsky Viralad

CVE-2025-2107

HIGH CVSS 7.5 2025-03-13
Threat Entry Updated 2025-03-13

CVE-2025-2106 - Arielbrailovsky Viralad Plugin

The ArielBrailovsky-ViralAd plugin for WordPress is vulnerable to SQL Injection via the 'text' and 'id' parameters of the limpia() function in all versions up to, and including, 1.0.8 due to insufficient escaping of the user-supplied parameters and lack of sufficient preparation of the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries to existing queries, which can be used to extract sensitive information from the database. This only appears to be exploitable on very old versions of WordPress.

PLUGIN Arielbrailovsky Viralad

CVE-2025-2106

HIGH CVSS 7.5 2025-03-13
Threat Entry Updated 2025-03-11

CVE-2025-1707 - Review Schema – Review & Structure Data Schema Plugin

The Review Schema plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.4 via post meta. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.

PLUGIN Review Schema – Review & Structure Data Schema Plugin

CVE-2025-1707

HIGH CVSS 8.8 2025-03-11
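Added illustration of the Local File Inclusion shape described in the CVE-2025-1707 entry (a post meta value chosen by a contributor selecting the file that gets included). This is not code from the Review Schema plugin; the meta key, template names and directory layout are hypothetical, and the snippet assumes it is loaded inside WordPress as part of a plugin.

```php
<?php
// Added example, not code from any plugin listed on this page.
// Assumes WordPress is loaded (get_post_meta, sanitize_key, plugin_dir_path).
// Meta key '_demo_schema_template' and the templates/ directory are hypothetical.

// Vulnerable shape: a meta value the post author controls is concatenated
// into an include path. A value such as '../../../../tmp/evil' walks out of
// the templates directory; with a null byte or a permissive PHP version the
// '.php' suffix is no obstacle either.
function demo_render_template_vulnerable(int $post_id): void {
    $tpl = get_post_meta($post_id, '_demo_schema_template', true);
    include plugin_dir_path(__FILE__) . 'templates/' . $tpl . '.php';
}

// Fixed shape: the stored value is only ever a key into a fixed map of
// template files, and the resolved path is confirmed to sit inside the
// templates directory before include. The realpath() check is redundant
// with a strict allowlist, but it keeps the function safe if the map is
// later populated from somewhere less trustworthy.
function demo_render_template_fixed(int $post_id): void {
    $allowed = [
        'product' => 'product.php',
        'recipe'  => 'recipe.php',
        'book'    => 'book.php',
    ];
    $key = sanitize_key((string) get_post_meta($post_id, '_demo_schema_template', true));
    if (!isset($allowed[$key])) {
        $key = 'product'; // unknown value: fall back to a known template
    }

    $dir  = realpath(plugin_dir_path(__FILE__) . 'templates');
    $file = $dir === false ? false : realpath($dir . DIRECTORY_SEPARATOR . $allowed[$key]);
    if ($dir === false || $file === false || strpos($file, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return; // file missing or resolved outside the templates directory
    }
    include $file;
}
```

Note that the entry's "contributor-level and above" reflects that contributors can create posts and, through the plugin's own meta box, set the meta value; turning the include into code execution still needs a PHP file the attacker can place on the server, as the entry itself states.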
Threat Entry Updated 2025-05-06

CVE-2024-13864 - Countdown Timer Plugin

The Countdown Timer WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

PLUGIN Countdown Timer

CVE-2024-13864

HIGH CVSS 7.1 2025-03-11
Threat Entry Updated 2025-05-21

CVE-2024-13862 - S3bubble Amazon Web Services Oembed Media Streaming Support Plugin

The S3Bubble Media Streaming (AWS|Elementor|YouTube|Vimeo Functionality) WordPress plugin through 8.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

PLUGIN S3bubble Amazon Web Services Oembed Media Streaming Support

CVE-2024-13862

HIGH CVSS 7.1 2025-03-11
Threat Entry Updated 2025-05-06

CVE-2024-13836 - Wp Login Control Plugin

The WP Login Control WordPress plugin through 2.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

PLUGIN Wp Login Control

CVE-2024-13836

HIGH CVSS 7.1 2025-03-11
Threat Entry Updated 2025-08-29

CVE-2024-13574 - Xv Random Quotes Plugin

The XV Random Quotes WordPress plugin through 1.40 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

PLUGIN Xv Random Quotes

CVE-2024-13574

HIGH CVSS 7.1 2025-03-11
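The many entries above that read "does not sanitise and escape a parameter before outputting it back in the page" (CVE-2025-1487, CVE-2025-1486, CVE-2025-1401, CVE-2024-13891, CVE-2024-13885, CVE-2024-13884, CVE-2024-13864, CVE-2024-13862, CVE-2024-13836, CVE-2024-13574) all share one code shape, and the stored variant in CVE-2025-1561 fails the same escape-on-output rule. The following is an added example, not code from any of those plugins, showing the vulnerable shape beside the fixed one. The parameter name 'q' and the markup are hypothetical. The small stand-ins at the top exist only so the file runs from the command line (php demo.php); inside WordPress the real helpers are already defined and the stand-ins are skipped.

```php
<?php
// Added example, not code from any plugin listed on this page.
// Stand-ins (simplified versions of the WordPress helpers) so this runs outside
// WordPress; the real functions do more, e.g. sanitize_text_field also strips
// invalid UTF-8 and percent-encoded octets.
if (!function_exists('wp_unslash')) {
    function wp_unslash($v) { return is_string($v) ? stripslashes($v) : $v; }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}

// Vulnerable: the raw request value is echoed into an attribute and a text node.
// A crafted link opened by an admin runs the payload in the admin's session.
function demo_render_vulnerable(array $get): string {
    $q = isset($get['q']) ? $get['q'] : '';
    return '<input type="text" name="q" value="' . $q . '">'
         . '<p>Results for ' . $q . '</p>';
}

// Fixed: unslash and sanitise on the way in, then escape for the exact output
// context on the way out (attribute vs. text node). Escaping is what closes
// the XSS; sanitising is defence in depth for whatever else the value feeds.
function demo_render_fixed(array $get): string {
    $q = isset($get['q']) ? sanitize_text_field(wp_unslash($get['q'])) : '';
    return '<input type="text" name="q" value="' . esc_attr($q) . '">'
         . '<p>Results for ' . esc_html($q) . '</p>';
}

// Constructed payload: closes the value attribute and injects an event handler.
$payload = ['q' => '"><img src=x onerror=alert(document.cookie)>'];
echo "vulnerable: " . demo_render_vulnerable($payload) . PHP_EOL;
echo "fixed:      " . demo_render_fixed($payload) . PHP_EOL;
```

The CVSS 7.1 on these entries reflects that exploitation needs a victim with elevated privileges to open an attacker-supplied link; the fix is the same regardless of who the victim is.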
Threat Entry Updated 2025-03-11

CVE-2025-2169 - WPCS – WordPress Currency Switcher Professional Plugin

The WPCS – WordPress Currency Switcher Professional plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.0.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN WPCS – WordPress Currency Switcher Professional

CVE-2025-2169

HIGH CVSS 7.3 2025-03-11
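Added example for the "does not properly validate a value before running do_shortcode" pattern in the CVE-2025-2169 entry. It is not code from the WPCS plugin: the AJAX action name, the parameter names and the allowed shortcode tag are hypothetical, and it assumes it is loaded inside WordPress. The risk with passing caller-controlled text to do_shortcode() is that every shortcode registered by every active plugin becomes reachable by an unauthenticated request, including ones that were only meant for editors.

```php
<?php
// Added example, not code from any plugin listed on this page.
// Assumes WordPress is loaded; 'demo_render' action and its parameters are hypothetical.

// Vulnerable: whatever the caller sends is rendered as shortcode markup.
function demo_ajax_render_vulnerable(): void {
    $content = isset($_POST['content']) ? wp_unslash($_POST['content']) : '';
    wp_send_json_success(do_shortcode($content));
}

// Fixed: the caller picks a tag from a short allowlist and supplies only the
// attribute values the feature needs; the plugin builds the shortcode string
// itself, so no other registered shortcode can be reached through this action.
function demo_ajax_render_fixed(): void {
    check_ajax_referer('demo_render', 'nonce'); // ties the request to a page that rendered the nonce

    $allowed = ['demo_currency_switcher' => true]; // hypothetical tag registered by this plugin
    $tag = isset($_POST['tag']) ? sanitize_key($_POST['tag']) : '';
    if (!isset($allowed[$tag])) {
        wp_send_json_error('unsupported shortcode', 400);
    }

    // sanitize_key() leaves only [a-z0-9_-]; upper-casing afterwards keeps it a plain code.
    $currency = isset($_POST['currency']) ? strtoupper(sanitize_key($_POST['currency'])) : 'USD';
    $html = do_shortcode(sprintf('[%s currency="%s"]', $tag, esc_attr($currency)));
    wp_send_json_success($html);
}

add_action('wp_ajax_demo_render', 'demo_ajax_render_fixed');
add_action('wp_ajax_nopriv_demo_render', 'demo_ajax_render_fixed');
```

The nonce does not by itself authorise anything for a logged-out caller, but it stops the endpoint being driven directly from an arbitrary origin; the allowlist is what removes the arbitrary-shortcode primitive.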
Threat Entry Updated 2025-05-21

CVE-2024-11638 - Gtbabel Plugin

The Gtbabel WordPress plugin before 6.6.9 does not ensure that the URL it performs code analysis on belongs to the blog, which could allow unauthenticated attackers to retrieve a logged-in user's (such as an admin's) cookies by making them open a crafted URL, as the request made to analyse the URL carries those cookies.

PLUGIN Gtbabel

CVE-2024-11638

HIGH CVSS 8.8 2025-03-10
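Added example for the CVE-2024-11638 pattern: a server-side fetch of a caller-supplied URL that carries the current user's cookies, so an attacker-controlled host receives them. This is not Gtbabel's code; the function name, the option to fetch and the error codes are hypothetical, and it assumes WordPress is loaded. Two separate defects are addressed: the destination is not restricted to the site itself, and the browser's cookies are forwarded on the outbound request.

```php
<?php
// Added example, not code from any plugin listed on this page.
// Assumes WordPress is loaded (wp_parse_url, home_url, wp_remote_get, WP_Error).

// Vulnerable: fetches any URL and replays the requesting user's cookies to it.
function demo_analyse_url_vulnerable(string $url) {
    $cookies = [];
    foreach ($_COOKIE as $name => $value) {
        $cookies[] = new WP_Http_Cookie(['name' => $name, 'value' => $value]);
    }
    return wp_remote_get($url, ['cookies' => $cookies]);
}

// Fixed: only same-scheme, same-host URLs are fetched, redirects are not
// followed (a same-host URL could otherwise bounce to an external host), and
// no cookies from the incoming request are attached.
function demo_analyse_url_fixed(string $url) {
    $target = wp_parse_url($url);
    $site   = wp_parse_url(home_url());

    if ($target === false || empty($target['host']) || empty($target['scheme'])) {
        return new WP_Error('demo_bad_url', 'URL must be absolute');
    }
    if (strcasecmp($target['host'], $site['host']) !== 0
        || strcasecmp($target['scheme'], $site['scheme']) !== 0
        || (isset($target['port']) ? $target['port'] : null) !== (isset($site['port']) ? $site['port'] : null)) {
        return new WP_Error('demo_foreign_url', 'URL must belong to this site');
    }

    return wp_remote_get($url, [
        'timeout'     => 10,
        'redirection' => 0,   // do not follow redirects off-site
        'cookies'     => [],  // never forward the browser's session to the fetched page
    ]);
}
```

If the analysed page genuinely needs to be rendered as the logged-in user, the safer route is a purpose-made, short-lived token scoped to that one request rather than the user's session cookies.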
Threat Entry Updated 2025-03-11

CVE-2024-11640 - Vikrentcar Plugin

The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing or incorrect nonce validation on the 'save' function. This makes it possible for unauthenticated attackers to change plugin access privileges via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows attackers with subscriber-level privileges and above to upload arbitrary files on the affected site's server which may make…

PLUGIN Vikrentcar

CVE-2024-11640

HIGH CVSS 8.8 2025-03-08
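Added example for the CSRF shape in the CVE-2025-1436 (Limit Bio) and CVE-2024-11640 (VikRentCar) entries: a save handler with missing or incorrect nonce validation, which lets a page on another origin submit the form on an admin's behalf. This is not code from either plugin; the option name, nonce action and form are hypothetical, and it assumes it runs on a WordPress admin page. The Limit Bio entry also notes missing sanitisation and escaping, which is why the fixed handler sanitises on save and the form escapes on output.

```php
<?php
// Added example, not code from any plugin listed on this page.
// Assumes WordPress admin context; option 'demo_footer_text' and nonce action
// 'demo_save_settings' are hypothetical.

// Vulnerable: any POST that reaches this while an admin is logged in updates
// the option. A form auto-submitted from another site does exactly that, and
// the unsanitised value is then a stored XSS payload wherever it is printed.
function demo_save_settings_vulnerable(): void {
    if (isset($_POST['demo_footer_text'])) {
        update_option('demo_footer_text', $_POST['demo_footer_text']);
    }
}

// Fixed: capability check (who may change settings), nonce check (was this
// request produced by a form we rendered for this user), then sanitise.
function demo_save_settings_fixed(): void {
    if (!isset($_POST['demo_footer_text'])) {
        return;
    }
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', ['response' => 403]);
    }
    check_admin_referer('demo_save_settings', '_demo_nonce'); // dies on a bad or missing nonce

    $value = sanitize_text_field(wp_unslash($_POST['demo_footer_text']));
    update_option('demo_footer_text', $value);
}
add_action('admin_init', 'demo_save_settings_fixed');

// The matching form: wp_nonce_field() emits the hidden _demo_nonce input that
// check_admin_referer() verifies, and the stored value is escaped on output.
function demo_settings_form(): void {
    echo '<form method="post">';
    wp_nonce_field('demo_save_settings', '_demo_nonce');
    echo '<input type="text" name="demo_footer_text" value="'
        . esc_attr(get_option('demo_footer_text', '')) . '">';
    submit_button('Save');
    echo '</form>';
}
```

Order matters only slightly here (both checks must pass), but checking the capability first avoids leaking, through the nonce failure page, whether a given action name exists.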
Threat Entry Updated 2025-03-12

CVE-2025-1323 - Wp Recall Plugin

The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to SQL Injection via the 'databeat' parameter in all versions up to, and including, 16.26.10 due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation of the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries to existing queries, which can be used to extract sensitive information from the database.

PLUGIN Wp Recall

CVE-2025-1323

HIGH CVSS 7.5 2025-03-08
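The three SQL Injection entries on this page (CVE-2025-2107 and CVE-2025-2106 in ViralAd, CVE-2025-1323 in WP-Recall) all describe "insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query". The following is an added example, not code from either plugin, showing that shape beside the $wpdb->prepare() form. It assumes WordPress is loaded; the table name and the 'id' and 'text' parameters are hypothetical (the parameter names happen to match the ViralAd entries, but the query is invented).

```php
<?php
// Added example, not code from any plugin listed on this page.
// Assumes WordPress is loaded ($wpdb, absint, sanitize_text_field, wp_unslash).
// Table {prefix}demo_ads and the request parameters are hypothetical.

// Vulnerable: request values are concatenated into the SQL string.
// Note that esc_sql() would not rescue the numeric 'id' case: it escapes quote
// characters, but an unquoted integer context has no quote to break out of, so
// a value like "1 OR 1=1" survives intact.
function demo_get_ad_vulnerable() {
    global $wpdb;
    $id   = isset($_GET['id'])   ? $_GET['id']   : '0';
    $text = isset($_GET['text']) ? $_GET['text'] : '';
    $sql  = "SELECT id, text FROM {$wpdb->prefix}demo_ads"
          . " WHERE id = " . $id . " AND text = '" . $text . "'";
    return $wpdb->get_row($sql);
}

// Fixed: coerce values whose type is known, and let prepare() place the rest
// with %d / %s so the query structure is fixed before any user data touches it.
function demo_get_ad_fixed() {
    global $wpdb;
    $id   = isset($_GET['id'])   ? absint($_GET['id']) : 0;
    $text = isset($_GET['text']) ? sanitize_text_field(wp_unslash($_GET['text'])) : '';
    $sql  = $wpdb->prepare(
        "SELECT id, text FROM {$wpdb->prefix}demo_ads WHERE id = %d AND text = %s",
        $id,
        $text
    );
    return $wpdb->get_row($sql);
}
```

When the injectable value is a table or column name rather than a value, prepare() cannot help; those must come from a fixed allowlist in code, never from the request.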