Threat Database

Threat Entry Updated 2025-12-04

CVE-2025-12887 - Post Smtp Plugin

The Post SMTP plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.1. This is due to the plugin not properly verifying that a user is authorized to update OAuth tokens on the 'handle_gmail_oauth_redirect' function. This makes it possible for authenticated attackers, with subscriber level access and above, to inject invalid or attacker-controlled OAuth credentials.

PLUGIN Post Smtp

CVE-2025-12887

MEDIUM CVSS 5.4 2025-12-03
Threat Entry Updated 2025-12-04

CVE-2025-13109 - Products Filter Professional For Woocommerce Plugin

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.2 via the "woof_add_query" and "woof_remove_query" functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber level access and above, to insert or remove arbitrary saved search queries into any user's profile, including administrators.

PLUGIN Products Filter Professional For Woocommerce

CVE-2025-13109

MEDIUM CVSS 4.3 2025-12-03
Threat Entry Updated 2025-12-04

CVE-2025-12358 - Shopengine Elementor Woocommerce Builder Addon Plugin

The ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.5. This is due to missing nonce validation on the "post_add_to_list" function as well as an incorrect permissions callback in the "Api/init" function. This makes it possible for unauthenticated attackers to add or remove products from a user's wishlist via a forged request granted they can trick a site's user into performing an action such as clicking on a link.

PLUGIN Shopengine Elementor Woocommerce Builder Addon

CVE-2025-12358

MEDIUM CVSS 4.3 2025-12-03
Threat Entry Updated 2025-12-04

CVE-2025-12585 - Mxchat Basic Plugin

The MxChat – AI Chatbot for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.5 via upload filenames. This makes it possible for unauthenticated attackers to extract session values that can subsequently be used to access conversation data.

PLUGIN Mxchat Basic

CVE-2025-12585

MEDIUM CVSS 5.3 2025-12-03
Threat Entry Updated 2025-12-04

CVE-2025-13495 - Fluent Cart Plugin

The FluentCart plugin for WordPress is vulnerable to SQL Injection via the 'groupKey' parameter in all versions up to, and including, 1.3.1. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Fluent Cart

CVE-2025-13495

MEDIUM CVSS 4.9 2025-12-03
Threat Entry Updated 2025-12-04

CVE-2025-10304 - Cloning Plugin

The Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the process_status_unlink() function in all versions up to, and including, 2.3.8. This makes it possible for unauthenticated attackers to delete the back-up progress files and cause a back-up to fail while it is in progress.

PLUGIN Cloning

CVE-2025-10304

MEDIUM CVSS 5.3 2025-12-03
Threat Entry Updated 2025-12-04

CVE-2025-13448 - Cssigniter Shortcodes Plugin

The CSSIgniter Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'element' shortcode attribute in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Cssigniter Shortcodes

CVE-2025-13448

MEDIUM CVSS 6.4 2025-12-03
Threat Entry Updated 2025-12-02

CVE-2025-12630 - Before 1 Plugin

The Upload.am WordPress plugin before 1.0.1 is vulnerable to arbitrary option disclosure due to a missing capability check on its AJAX request handler, allowing low-privileged users such as contributors to view site options.

PLUGIN Before 1

CVE-2025-12630

MEDIUM CVSS 4.9 2025-12-02
Threat Entry Updated 2025-12-02

CVE-2025-13731 - Nexter Extension Plugin

The Nexter Extension – Site Enhancements Toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'nxt-year' shortcode in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Nexter Extension

CVE-2025-13731

MEDIUM CVSS 6.4 2025-12-02
Threat Entry Updated 2025-12-02

CVE-2025-13090 - Wp Directory Kit Plugin

The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'search' parameter in all versions up to, and including, 1.4.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Wp Directory Kit

CVE-2025-13090

MEDIUM CVSS 4.9 2025-12-02
Threat Entry Updated 2025-12-04

CVE-2025-13534 - Wsdesk Plugin

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.3.2. This is due to missing authorization checks on the eh_crm_edit_agent AJAX action. This makes it possible for authenticated attackers, with Contributor-level access and above, to escalate their WSDesk privileges from limited "Reply Tickets" permissions to full helpdesk administrator capabilities, gaining unauthorized access to ticket management, settings configuration, agent administration, and sensitive customer data.

PLUGIN Wsdesk

CVE-2025-13534

MEDIUM CVSS 6.3 2025-12-02
Threat Entry Updated 2025-12-02

CVE-2025-13696 - Zigaform Calculator Cost Estimation Form Builder Lite Plugin

The Zigaform plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.6.5. This is due to the plugin exposing a public AJAX endpoint that retrieves form submission data without performing authorization checks to verify ownership or access rights. This makes it possible for unauthenticated attackers to extract sensitive form submission data including personal information, payment details, and other private data via the rocket_front_payment_seesummary action by enumerating sequential form_r_id values.

PLUGIN Zigaform Calculator Cost Estimation Form Builder Lite

CVE-2025-13696

MEDIUM CVSS 5.3 2025-12-02
Threat Entry Updated 2025-12-11

CVE-2025-11726 - Beaver Builder Plugin

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.9.4. This is due to insufficient capability checks in the REST API endpoints under the 'fl-controls/v1' namespace that control site-wide Global Presets. This makes it possible for authenticated attackers with contributor-level access and above to add, modify, or delete global color and background presets that affect all Beaver Builder content site-wide.

PLUGIN Beaver Builder

CVE-2025-11726

MEDIUM CVSS 4.3 2025-12-02
Threat Entry Updated 2025-12-02

CVE-2025-13007 - Wp Social Reviews Plugin

The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping on externally-sourced content. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, granted they can post malicious content to a connected Google Business Profile or Facebook page.

PLUGIN Wp Social Reviews

CVE-2025-13007

MEDIUM CVSS 6.1 2025-12-02
Threat Entry Updated 2025-12-02

CVE-2025-13685 - Gallery Photo Gallery Plugin

The Photo Gallery by Ays plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.4.8. This is due to missing nonce verification on the bulk action functionality in the 'process_bulk_action()' function. This makes it possible for unauthenticated attackers to perform bulk operations (delete, publish, or unpublish galleries) via a forged request granted they can trick an administrator into performing an action such as clicking on a link.

PLUGIN Gallery Photo Gallery

CVE-2025-13685

MEDIUM CVSS 4.3 2025-12-02
Threat Entry Updated 2025-12-02

CVE-2025-13140 - Drop Wordpress Form Builder Plugin

The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_DeleteSurvey AJAX action. This makes it possible for unauthenticated attackers to delete surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Drop Wordpress Form Builder

CVE-2025-13140

MEDIUM CVSS 4.3 2025-12-02
Threat Entry Updated 2025-12-02

CVE-2025-12483 - Tables And Charts Manager For Wordpress Plugin

The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'query' parameter in all versions up to, and including, 3.11.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Version 3.11.13 raises the minimum user-level for exploitation to administrator. 3.11.14…

PLUGIN Tables And Charts Manager For Wordpress

CVE-2025-12483

MEDIUM CVSS 6.5 2025-12-02
Threat Entry Updated 2026-01-30

CVE-2025-13001 - Donations Plugin

The donation WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing high-privilege users, such as admins, to perform SQL injection attacks.

PLUGIN Donations

CVE-2025-13001

MEDIUM CVSS 4.1 2025-12-02
Threat Entry Updated 2025-12-02

CVE-2025-13606 - Users Plugin

The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.19. This is due to missing or incorrect nonce validation on the `parseData` function. This makes it possible for unauthenticated attackers to export sensitive information including user data, email addresses, password hashes, and WooCommerce data to an attacker-controlled file path on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Users

CVE-2025-13606

MEDIUM CVSS 6.5 2025-12-02
Threat Entry Updated 2025-12-02

CVE-2025-13697 - Template Library Plugin

The BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks, WordPress Block Plugin, Sections & Template Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'timestamp' attribute in all versions up to, and including, 2.2.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Template Library

CVE-2025-13697

MEDIUM CVSS 6.4 2025-12-02