
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 61-80 of 196 records
CVE-2025-3650 - jQuery Colorbox Plugin
Threat entry updated: 2025-09-15

The jQuery Colorbox WordPress plugin through 4.6.3 uses the colorbox library, which does not sanitize title attributes on links before using them, allowing users with at least the contributor role to conduct XSS attacks against administrators.

Component: PLUGIN (jQuery Colorbox)
CVE: CVE-2025-3650
Severity: LOW, CVSS 3.5, 2025-09-12
CVE-2025-9111 - AI ChatBot for WordPress Plugin
Threat entry updated: 2025-11-13

The AI ChatBot for WordPress WordPress plugin before 7.1.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Component: PLUGIN (AI ChatBot for WordPress)
CVE: CVE-2025-9111
Severity: LOW, CVSS 3.5, 2025-09-09
CVE-2025-8889 - Compress & Upload Plugin
Threat entry updated: 2026-01-30

The Compress & Upload WordPress plugin before 1.0.5 does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup).

Component: PLUGIN (Compress & Upload)
CVE: CVE-2025-8889
Severity: LOW, CVSS 3.8, 2025-09-09
CVE-2025-8013 - Quttera Web Malware Scanner Plugin
Threat entry updated: 2025-08-15

The Quttera Web Malware Scanner plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.5.1.41 via the 'RunExternalScan' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Component: PLUGIN (Quttera Web Malware Scanner)
CVE: CVE-2025-8013
Severity: LOW, CVSS 3.8, 2025-08-15
CVE-2025-54352 - WordPress Core
Threat entry updated: 2025-07-22

WordPress 3.5 through 6.8.2 allows remote attackers to guess titles of private and draft posts via pingback.ping XML-RPC requests. NOTE: the Supplier is not changing this behavior.

Component: CORE (WordPress Core)
CVE: CVE-2025-54352
Severity: LOW, CVSS 3.7, 2025-07-21
CVE-2025-4654 - Soumettre.fr Plugin
Threat entry updated: 2025-07-03

The Soumettre.fr plugin for WordPress is vulnerable to unauthorized access and modification of data due to improper authorization checks on the make_signature function in all versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to create/edit/delete Soumettre posts. This vulnerability affects only installations where the Soumettre account is not connected (i.e. the API key is not installed).

Component: PLUGIN (Soumettre.fr)
CVE: CVE-2025-4654
Severity: LOW, CVSS 3.7, 2025-07-02
CVE-2024-7762 - Simple Job Board Plugin
Threat entry updated: 2025-10-02

The Simple Job Board WordPress plugin before 2.12.6 does not prevent uploaded files from being listed, allowing unauthenticated users to access and download uploaded resumes.

Component: PLUGIN (Simple Job Board)
CVE: CVE-2024-7762
Severity: LOW, CVSS 3.7, 2025-05-15
CVE-2024-4091 - Responsive Gallery Grid Plugin
Threat entry updated: 2025-11-13

The Responsive Gallery Grid WordPress plugin before 2.3.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

Component: PLUGIN (Responsive Gallery Grid)
CVE: CVE-2024-4091
Severity: LOW, CVSS 3.5, 2025-05-15
CVE-2024-4004 - Advanced Cron Manager Plugin
Threat entry updated: 2025-11-13

The Advanced Cron Manager WordPress plugin before 2.5.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Component: PLUGIN (Advanced Cron Manager)
CVE: CVE-2024-4004
Severity: LOW, CVSS 3.5, 2025-05-15
CVE-2024-4002 - Carousel, Slider, Gallery by WP Carousel Plugin
Threat entry updated: 2025-11-13

The Carousel, Slider, Gallery by WP Carousel WordPress plugin before 2.6.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Component: PLUGIN (Carousel, Slider, Gallery by WP Carousel)
CVE: CVE-2024-4002
Severity: LOW, CVSS 3.5, 2025-05-15
CVE-2024-3996 - Smart Post Show Plugin
Threat entry updated: 2025-11-13

The Smart Post Show WordPress plugin before 2.4.28 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Component: PLUGIN (Smart Post Show)
CVE: CVE-2024-3996
Severity: LOW, CVSS 3.5, 2025-05-15
CVE-2024-11140 - Real WP Shop Lite Ajax eCommerce Shopping Cart Plugin
Threat entry updated: 2025-06-09

The Real WP Shop Lite Ajax eCommerce Shopping Cart WordPress plugin through 2.0.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Component: PLUGIN (Real WP Shop Lite Ajax eCommerce Shopping Cart)
CVE: CVE-2024-11140
Severity: LOW, CVSS 3.5, 2025-05-15
CVE-2024-10098 - ApplyOnline Plugin
Threat entry updated: 2025-06-09

The ApplyOnline WordPress plugin before 2.6.3 does not protect uploaded files during the application process, allowing unauthenticated users to access them and any private information they contain.

Component: PLUGIN (ApplyOnline)
CVE: CVE-2024-10098
Severity: LOW, CVSS 2.7, 2025-05-15
CVE-2023-7297 - TwitterPosts Plugin
Threat entry updated: 2025-11-13

The TwitterPosts WordPress plugin through 1.0.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

Component: PLUGIN (TwitterPosts)
CVE: CVE-2023-7297
Severity: LOW, CVSS 3.5, 2025-05-15
CVE-2025-3514 - SureForms Plugin
Threat entry updated: 2025-05-28

The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Component: PLUGIN (SureForms)
CVE: CVE-2025-3514
Severity: LOW, CVSS 3.5, 2025-05-02
CVE-2025-3513 - SureForms Plugin
Threat entry updated: 2025-05-28

The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Component: PLUGIN (SureForms)
CVE: CVE-2025-3513
Severity: LOW, CVSS 3.5, 2025-05-02
CVE-2024-12273 - Calculated Fields Form Plugin
Threat entry updated: 2025-04-29

The Calculated Fields Form WordPress plugin before 5.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Component: PLUGIN (Calculated Fields Form)
CVE: CVE-2024-12273
Severity: LOW, CVSS 3.5, 2025-04-29
CVE-2025-0627 - WordPress Tag, Category, and Taxonomy Manager Plugin
Threat entry updated: 2025-04-30

The WordPress Tag, Category, and Taxonomy Manager WordPress plugin before 3.30.0 does not sanitise and escape some of its Widgets settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Component: PLUGIN (WordPress Tag, Category, and Taxonomy Manager)
CVE: CVE-2025-0627
Severity: LOW, CVSS 3.5, 2025-04-28