Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 41-60 of 201 records
Threat Entry Updated 2026-02-12

CVE-2026-22713 - Mediawiki - GrowthExperiments Extension Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - GrowthExperiments Extension: 1.45, 1.44, 1.43, 1.39.

PLUGIN Mediawiki - GrowthExperiments Extension

CVE-2026-22713

LOW CVSS 2.3 2026-01-09
Threat Entry Updated 2026-02-12

CVE-2026-22712 - Mediawiki - ApprovedRevs Extension Plugin

Improper Encoding or Escaping of Output due to magic word replacement in ParserAfterTidy vulnerability in The Wikimedia Foundation Mediawiki - ApprovedRevs Extension allows Input Data Manipulation. This issue affects Mediawiki - ApprovedRevs Extension: 1.45, 1.44, 1.43, 1.39.

PLUGIN Mediawiki - ApprovedRevs Extension

CVE-2026-22712

LOW CVSS 2.3 2026-01-09
Threat Entry Updated 2026-02-12

CVE-2026-22710 - Mediawiki - Wikibase Extension Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikibase Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Wikibase Extension: 1.45, 1.44, 1.43, 1.39.

PLUGIN Mediawiki - Wikibase Extension

CVE-2026-22710

LOW CVSS 2.3 2026-01-09
Threat Entry Updated 2026-01-22

CVE-2026-0747 - Remote Desktop Manager Plugin

Exposure of sensitive information in the TeamViewer entry dashboard component in Devolutions Remote Desktop Manager 2025.3.24.0 through 2025.3.28.0 on Windows allows an external observer to view a password on screen via a defective masking feature, for example during physical observation or screen sharing.

PLUGIN Remote Desktop Manager

CVE-2026-0747

LOW CVSS 3.3 2026-01-08
Threat Entry Updated 2026-01-12

CVE-2026-22041 - Loggingredactor Plugin

Logging Redactor is a Python library designed to redact sensitive data in logs based on regex patterns and / or dictionary keys. Prior to version 0.0.6, non-string types are converted into string types, leading to type errors in %d conversions. The problem has been patched in version 0.0.6. No known workarounds are available.

PLUGIN Loggingredactor

CVE-2026-22041

LOW CVSS 2.0 2026-01-08
Threat Entry Updated 2026-01-08

CVE-2026-21895 - RSA Plugin

The `rsa` crate is an RSA implementation written in Rust. Prior to version 0.9.10, when creating an RSA private key from its components, the construction panics instead of returning an error when one of the primes is `1`. Version 0.9.10 fixes the issue.

PLUGIN RSA

CVE-2026-21895

LOW CVSS 2.7 2026-01-08
Threat Entry Updated 2026-01-08

CVE-2025-12958 - Rankology Seo And Analytics Tool Plugin

The Rankology SEO and Analytics Tool plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect capability check on the 'rankology_code_block' page in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Editor-level access and above, to add header and footer code blocks.

PLUGIN Rankology Seo And Analytics Tool

CVE-2025-12958

LOW CVSS 2.7 2026-01-07
Threat Entry Updated 2026-01-12

CVE-2026-21674 - iccDEV Plugin

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a memory leak vulnerability in its XML MPE Parsing Path (iccFromXml). This issue is fixed in version 2.3.1.1.

PLUGIN iccDEV

CVE-2026-21674

LOW CVSS 3.3 2026-01-06
Threat Entry Updated 2026-01-12

CVE-2026-21439 - Badkeys Plugin

badkeys is a tool and library for checking cryptographic public keys for known vulnerabilities. In versions 0.0.15 and below, an attacker may inject content with ASCII control characters like vertical tabs, ANSI escape sequences, etc., that can create misleading output of the badkeys command-line tool. This impacts scanning DKIM keys (both --dkim and --dkim-dns), SSH keys (--ssh-lines mode), and filenames in various modes. This issue is fixed in version 0.0.16.

PLUGIN Badkeys

CVE-2026-21439

LOW CVSS 2.0 2026-01-06
Threat Entry Updated 2026-01-08

CVE-2025-9543 - Before 3 Plugin

The FlexTable WordPress plugin before 3.19.2 does not sanitise and escape the imported links from Google Sheet cells, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 3

CVE-2025-9543

LOW CVSS 3.5 2026-01-05
Threat Entry Updated 2026-01-16

CVE-2026-21431 - Emlog Plugin

Emlog is an open source website building system. Version 2.5.23 has a stored cross-site scripting vulnerability in the `Resource media library` function while publishing an article. As of time of publication, no known patched versions are available.

PLUGIN Emlog

CVE-2026-21431

LOW CVSS 2.0 2026-01-02
Threat Entry Updated 2026-01-02

CVE-2026-21437 - Eopkg Plugin

eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could include files that are not tracked by `eopkg`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be shown by `lseopkg` and related tools. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.

PLUGIN Eopkg

CVE-2026-21437

LOW CVSS 2.0 2026-01-01
Threat Entry Updated 2025-12-23

CVE-2025-12654 - Wpvivid Backuprestore Plugin

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory creation in all versions up to, and including, 0.9.120. This is due to the check_filesystem_permissions() function not properly restricting the directories that can be created, or in what location. This makes it possible for authenticated attackers, with Administrator-level access and above, to create arbitrary directories.

PLUGIN Wpvivid Backuprestore

CVE-2025-12654

LOW CVSS 2.7 2025-12-21
Threat Entry Updated 2025-12-15

CVE-2025-9218 - Buddypress Media Plugin

The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to Information Disclosure due to missing authorization in the handle_rest_pre_dispatch() function when the Godam plugin is active, in versions 4.7.0 to 4.7.3. This makes it possible for unauthenticated attackers to retrieve media items associated with draft or private posts.

PLUGIN Buddypress Media

CVE-2025-9218

LOW CVSS 3.7 2025-12-13
Threat Entry Updated 2025-12-12

CVE-2025-10583 - Wp Fastest Cache Plugin

The WP Fastest Cache plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.7.4 via the 'get_server_time_ajax_request' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Wp Fastest Cache

CVE-2025-10583

LOW CVSS 3.5 2025-12-12
Threat Entry Updated 2025-10-30

CVE-2025-10636 - Ns Maintenance Mode For Wp Plugin

The NS Maintenance Mode for WP WordPress plugin through 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Ns Maintenance Mode For Wp

CVE-2025-10636

LOW CVSS 3.5 2025-10-30
Threat Entry Updated 2025-10-27

CVE-2025-11888 - All In One Woocommerce Solution Plugin

The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the post_deactive() function and post_activate() function in all versions up to, and including, 4.8.4. This makes it possible for authenticated attackers, with Editor-level access and above, to activate and deactivate licenses.

PLUGIN All In One Woocommerce Solution

CVE-2025-11888

LOW CVSS 2.7 2025-10-25
Threat Entry Updated 2025-10-27

CVE-2025-11244 - Password Protected Plugin

The Password Protected plugin for WordPress is vulnerable to authorization bypass via IP address spoofing in all versions up to, and including, 2.7.11. This is due to the plugin trusting client-controlled HTTP headers (such as X-Forwarded-For, HTTP_CLIENT_IP, and similar headers) to determine user IP addresses in the `pp_get_ip_address()` function when the "Use transients" feature is enabled. This makes it possible for attackers to bypass authorization by spoofing these headers with the IP address of a legitimately authenticated user, granted the "Use transients" option is enabled (non-default configuration) and the site…

PLUGIN Password Protected

CVE-2025-11244

LOW CVSS 3.7 2025-10-25
Threat Entry Updated 2026-01-09

CVE-2025-10723 - Before 11 Plugin

The PixelYourSite WordPress plugin before 11.1.2 does not validate some URL parameters before using them to generate paths passed to function/s, allowing any admins to perform LFI attacks.

PLUGIN Before 11

CVE-2025-10723

LOW CVSS 2.7 2025-10-24