
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 41-60 of 196 records
Threat Entry Updated 2026-01-08

CVE-2026-21895 - RSA Plugin

The `rsa` crate is an RSA implementation written in Rust. Prior to version 0.9.10, when creating an RSA private key from its components, the construction panics instead of returning an error when one of the primes is `1`. Version 0.9.10 fixes the issue.

LOW CVSS 2.7 2026-01-08
Threat Entry Updated 2026-01-08

CVE-2025-12958 - Rankology Seo And Analytics Tool Plugin

The Rankology SEO and Analytics Tool plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect capability check on the 'rankology_code_block' page in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Editor-level access and above, to add header and footer code blocks.

LOW CVSS 2.7 2026-01-07
Threat Entry Updated 2026-01-12

CVE-2026-21674 - iccDEV Plugin

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a memory leak vulnerability in its XML MPE Parsing Path (iccFromXml). This issue is fixed in version 2.3.1.1.

LOW CVSS 3.3 2026-01-06
Threat Entry Updated 2026-01-12

CVE-2026-21439 - Badkeys Plugin

badkeys is a tool and library for checking cryptographic public keys for known vulnerabilities. In versions 0.0.15 and below, an attacker may inject content with ASCII control characters like vertical tabs, ANSI escape sequences, etc., that can create misleading output of the badkeys command-line tool. This impacts scanning DKIM keys (both --dkim and --dkim-dns), SSH keys (--ssh-lines mode), and filenames in various modes. This issue is fixed in version 0.0.16.

LOW CVSS 2.0 2026-01-06
Threat Entry Updated 2026-01-08

CVE-2025-9543 - Before 3 Plugin

The FlexTable WordPress plugin before 3.19.2 does not sanitise and escape the imported links from Google Sheet cells, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

LOW CVSS 3.5 2026-01-05
Threat Entry Updated 2026-01-16

CVE-2026-21431 - Emlog Plugin

Emlog is an open source website building system. Version 2.5.23 has a stored cross-site scripting vulnerability in the `Resource media library` function while publishing an article. As of the time of publication, no known patched versions are available.

LOW CVSS 2.0 2026-01-02
Threat Entry Updated 2026-01-02

CVE-2026-21437 - Eopkg Plugin

eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could include files that are not tracked by `eopkg`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be shown by `lseopkg` and related tools. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.

LOW CVSS 2.0 2026-01-01
Threat Entry Updated 2025-12-23

CVE-2025-12654 - Wpvivid Backuprestore Plugin

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory creation in all versions up to, and including, 0.9.120. This is due to the check_filesystem_permissions() function not properly restricting the directories that can be created, or in what location. This makes it possible for authenticated attackers, with Administrator-level access and above, to create arbitrary directories.

LOW CVSS 2.7 2025-12-21
Threat Entry Updated 2025-12-15

CVE-2025-9218 - Buddypress Media Plugin

The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to Information Disclosure due to missing authorization in the handle_rest_pre_dispatch() function when the Godam plugin is active, in versions 4.7.0 to 4.7.3. This makes it possible for unauthenticated attackers to retrieve media items associated with draft or private posts.

LOW CVSS 3.7 2025-12-13
Threat Entry Updated 2025-12-12

CVE-2025-10583 - Wp Fastest Cache Plugin

The WP Fastest Cache plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.7.4 via the 'get_server_time_ajax_request' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.

LOW CVSS 3.5 2025-12-12
Threat Entry Updated 2025-10-30

CVE-2025-10636 - Ns Maintenance Mode For Wp Plugin

The NS Maintenance Mode for WP WordPress plugin through 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

LOW CVSS 3.5 2025-10-30
Threat Entry Updated 2025-10-27

CVE-2025-11888 - All In One Woocommerce Solution Plugin

The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the post_deactive() function and post_activate() function in all versions up to, and including, 4.8.4. This makes it possible for authenticated attackers, with Editor-level access and above, to activate and deactivate licenses.

LOW CVSS 2.7 2025-10-25
Threat Entry Updated 2025-10-27

CVE-2025-11244 - Password Protected Plugin

The Password Protected plugin for WordPress is vulnerable to authorization bypass via IP address spoofing in all versions up to, and including, 2.7.11. This is due to the plugin trusting client-controlled HTTP headers (such as X-Forwarded-For, HTTP_CLIENT_IP, and similar headers) to determine user IP addresses in the `pp_get_ip_address()` function when the "Use transients" feature is enabled. This makes it possible for attackers to bypass authorization by spoofing these headers with the IP address of a legitimately authenticated user, granted the "Use transients" option is enabled (non-default configuration) and the site…

LOW CVSS 3.7 2025-10-25
Threat Entry Updated 2026-01-09

CVE-2025-10723 - Before 11 Plugin

The PixelYourSite WordPress plugin before 11.1.2 does not validate some URL parameters before using them to generate paths passed to functions, allowing any admin to perform LFI attacks.

LOW CVSS 2.7 2025-10-24
Threat Entry Updated 2025-10-14

CVE-2025-8594 - Before 2 Plugin

The Pz-LinkCard WordPress plugin before 2.5.7 does not validate a parameter before making a request to it, which could allow users with a role as low as Contributor to perform an SSRF attack.

LOW CVSS 3.8 2025-10-14
Threat Entry Updated 2025-10-14

CVE-2025-8606 - Gsheetconnector For Gravity Forms Plugin

The GSheetConnector For Gravity Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions less than, or equal to, 1.3.23. This is due to missing or incorrect nonce validation on the activate_plugin and deactivate_plugin functions. This makes it possible for attackers to trick authenticated administrators into activating or deactivating specified plugins via a forged request, such as clicking on a malicious link or visiting a compromised page.

LOW CVSS 2.4 2025-10-11
Threat Entry Updated 2025-10-06

CVE-2025-10306 - Backup Bolt Plugin

The Backup Bolt plugin for WordPress is vulnerable to arbitrary file downloads and backup location writes in all versions up to, and including, 1.4.1 via the process_backup_batch() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to download directories outside of the webroot and write backup zip files to arbitrary locations.

LOW CVSS 3.8 2025-10-03
Threat Entry Updated 2025-09-26

CVE-2025-10173 - All In One Woocommerce Solution Plugin

The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized access due to an incorrect capability check on the post_save() function in all versions up to, and including, 4.8.3. This makes it possible for authenticated attackers, with Editor-level access and above, to update the plugin's settings.

LOW CVSS 2.7 2025-09-26
Threat Entry Updated 2025-11-13

CVE-2025-8282 - Before 1 Plugin

The SureForms WordPress plugin before 1.9.1 does not sanitise and escape some parameters when outputting them in the page, which could allow admin and above users to perform Cross-Site Scripting attacks.

LOW CVSS 3.5 2025-09-23