
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 10,857 records (Critical 0, High 0, Medium 10,857). Showing 2081-2100 of 10857 records.

CVE-2025-11802 - Bulma Shortcodes Plugin
Plugin: Bulma Shortcodes | MEDIUM CVSS 6.4 2025-11-21 | Threat entry updated 2025-11-21

The Bulma Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' shortcode attribute in the bulma-notification shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-11801 - Audiotube Plugin
Plugin: Audiotube | MEDIUM CVSS 6.4 2025-11-21 | Threat entry updated 2025-11-21

The AudioTube plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'caption' shortcode attribute of the 'audiotube' shortcode in all versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-11800 - Surbma Minicrm Shortcode Plugin
Plugin: Surbma Minicrm Shortcode | MEDIUM CVSS 6.4 2025-11-21 | Threat entry updated 2025-11-21

The Surbma | MiniCRM Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the 'minicrm' shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-11885 - Echbay Admin Security Plugin
Plugin: Echbay Admin Security | MEDIUM CVSS 6.1 2025-11-21 | Threat entry updated 2025-11-21

The EchBay Admin Security plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the '_ebnonce' parameter in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVE-2025-11815 - Admin Themes And Pages Plugin
Plugin: Admin Themes And Pages | MEDIUM CVSS 4.3 2025-11-21 | Threat entry updated 2025-11-21

The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the uip_save_site_option() function in all versions up to, and including, 3.5.08. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary plugin settings. Other AJAX actions are also affected.

CVE-2025-11799 - Affiliate Ai Lite Plugin
Plugin: Affiliate Ai Lite | MEDIUM CVSS 6.4 2025-11-21 | Threat entry updated 2025-11-21

The Affiliate AI Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'asin' shortcode attribute in the affiai_img shortcode in all versions up to, and including, 1.0.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-11770 - Brighttalk Wp Shortcode Plugin
Plugin: Brighttalk Wp Shortcode | MEDIUM CVSS 6.4 2025-11-21 | Threat entry updated 2025-11-21

The BrightTALK WordPress Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'format' shortcode attribute in the brighttalk-time shortcode in all versions up to, and including, 2.4.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-11771 - Tokenico Cryptocurrency Token Launchpad Presale Ico Ido Airdrop Plugin
Plugin: Tokenico Cryptocurrency Token Launchpad Presale Ico Ido Airdrop | MEDIUM CVSS 5.3 2025-11-21 | Threat entry updated 2025-11-21

The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'createSaleRecord' function in all versions up to, and including, 2.4.6. This makes it possible for unauthenticated attackers to manipulate presale counters.

CVE-2025-11773 - Tokenico Cryptocurrency Token Launchpad Presale Ico Ido Airdrop Plugin
Plugin: Tokenico Cryptocurrency Token Launchpad Presale Ico Ido Airdrop | MEDIUM CVSS 4.3 2025-11-21 | Threat entry updated 2025-11-21

The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'saveDeployedContract' function in all versions up to, and including, 2.4.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the WordPress option `tokenico_deployed_contracts`, poisoning the smart contract addresses displayed.

CVE-2025-11768 - Islamic Phrases Plugin
Plugin: Islamic Phrases | MEDIUM CVSS 6.4 2025-11-21 | Threat entry updated 2025-11-21

The Islamic Phrases plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'phrases' shortcode attribute in all versions up to, and including, 2.12.2015. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-11767 - Tips Shortcode Plugin
Plugin: Tips Shortcode | MEDIUM CVSS 6.4 2025-11-21 | Threat entry updated 2025-11-21

The Tips Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tip' shortcode in all versions up to, and including, 0.2.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-11765 - Stock Tools Plugin
Plugin: Stock Tools | MEDIUM CVSS 6.4 2025-11-21 | Threat entry updated 2025-11-21

The Stock Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'image_height' and 'image_width' shortcode attributes in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-11764 - Shortcodes Bootstrap Plugin
Plugin: Shortcodes Bootstrap | MEDIUM CVSS 6.4 2025-11-21 | Threat entry updated 2025-11-21

The Shortcodes Bootstrap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' parameter in the [notification] shortcode in all versions up to, and including, 1.1. This is due to missing input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-10938 - Uipress Lite Plugin
Plugin: Uipress Lite | MEDIUM CVSS 6.5 2025-11-21 | Threat entry updated 2025-11-21

The UiPress lite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.08. This is due to missing capability checks in the 'uip_process_block_query' AJAX function. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive user data including password hashes, emails, and other user information that could be used for account takeover attacks.

CVE-2025-11763 - Display Pages Shortcode Plugin
Plugin: Display Pages Shortcode | MEDIUM CVSS 6.4 2025-11-21 | Threat entry updated 2025-11-21

The Display Pages Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'column_count' parameter in the [display-pages] shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-11003 - Uipress Lite Plugin
Plugin: Uipress Lite | MEDIUM CVSS 6.4 2025-11-21 | Threat entry updated 2025-11-21

The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'uip_save_ui_template' function in all versions up to, and including, 3.5.08. This makes it possible for authenticated attackers, with Subscriber-level access and above, to save templates that contain custom JavaScript.

CVE-2025-12169 - Wsdesk Plugin
Plugin: Wsdesk | MEDIUM CVSS 4.3 2025-11-21 | Threat entry updated 2025-12-03

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_eh_crm_settings_empty_scheduled_actions' AJAX action in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the scheduled triggers option.

CVE-2025-11368 - Wordpress Lms Plugin
Plugin: Wordpress Lms | MEDIUM CVSS 5.3 2025-11-21 | Threat entry updated 2025-11-21

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax, which allows arbitrary callback execution of admin-only template methods. This makes it possible for unauthenticated attackers to retrieve admin curriculum HTML, quiz questions with correct answers, course materials, and other sensitive educational content via the REST API endpoint, provided they can supply valid numeric IDs.

CVE-2025-12085 - Wsdesk Plugin
Plugin: Wsdesk | MEDIUM CVSS 4.3 2025-11-21 | Threat entry updated 2025-12-03

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'eh_crm_settings_empty_trash' function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to empty the ticket trash.

CVE-2025-12023 - Wsdesk Plugin
Plugin: Wsdesk | MEDIUM CVSS 4.3 2025-11-21 | Threat entry updated 2025-12-03

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eh_crm_restore_data() function in all versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to restore tickets.