Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-11-04
CVE-2025-11922 - Inactive Logout Plugin
The Inactive Logout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ina_redirect_page_individual_user' parameter in all versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Inactive Logout
CVE-2025-11922
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-11816 - Wp Legal Pages Plugin
The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the disconnect_account_request() function in all versions up to, and including, 3.5.1. This makes it possible for unauthenticated attackers to disconnect the site from its API plan.
PLUGIN
Wp Legal Pages
CVE-2025-11816
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-11174 - Document Library Lite Plugin
The Document Library Lite plugin for WordPress is vulnerable to Improper Authorization in all versions up to, and including, 1.1.6. This is due to the plugin exposing an unauthenticated AJAX action dll_load_posts which returns a JSON table of document data without performing nonce or capability checks. The handler accepts an attacker-controlled args array where the status option explicitly allows draft, pending, future, and any. This makes it possible for unauthenticated attackers to retrieve unpublished document titles and content via the AJAX endpoint.
PLUGIN
Document Library Lite
CVE-2025-11174
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-12521 - Analytify Pro Plugin
The Analytify Pro plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.0.3 via the Analytify Tag HTML details. This makes it possible for unauthenticated attackers to extract usernames from source code. While we generally do not assign CVE IDs to username exposure issues, this vendor has specifically requested we consider it a vulnerability.
PLUGIN
Analytify Pro
CVE-2025-12521
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-12041 - Eri File Library Plugin
The ERI File Library plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'erifl_file' AJAX action in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to download files restricted to specific user roles.
PLUGIN
Eri File Library
CVE-2025-12041
Risk Score
Threat Entry
Updated 2025-12-19
CVE-2025-8383 - Depicter Plugin
The Depicter plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions less than, or equal to, 4.0.4. This is due to missing or incorrect nonce validation on the depicter-document-rules-store function. This makes it possible for unauthenticated attackers to modify document rules via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Depicter
CVE-2025-8383
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-12094 - Oopspam Anti Spam Plugin
The OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) plugin for WordPress is vulnerable to IP Header Spoofing in all versions up to, and including, 1.2.53. This is due to the plugin trusting client-controlled forwarded headers (such as CF-Connecting-IP, X-Forwarded-For, and others) without verifying that those headers originate from legitimate, trusted proxies. This makes it possible for unauthenticated attackers to spoof their IP address and bypass IP-based security controls, including blocked IP lists and rate limiting protections, by sending arbitrary HTTP headers with their requests.
PLUGIN
Oopspam Anti Spam
CVE-2025-12094
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-12175 - The Events Calendar Plugin
The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'tec_qr_code_modal' AJAX endpoint in all versions up to, and including, 6.15.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view draft event names and generate/view QR codes for them.
PLUGIN
The Events Calendar
CVE-2025-12175
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-8385 - Zombify Plugin
The Zombify plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.5. This is due to insufficient input validation in the zf_get_file_by_url function. This makes it possible for authenticated attackers, with subscriber-level access and above, to read arbitrary files on the server, including sensitive system files like /etc/passwd, via a forged request. It's worth noting that successfully exploiting this vulnerability relies on a race condition as the file generated will be deleted immediately.
PLUGIN
Zombify
CVE-2025-8385
Risk Score
Threat Entry
Updated 2026-01-09
CVE-2025-11191 - Before 1 Plugin
The RealPress WordPress plugin before 1.1.0 registers the REST routes without proper permission checks, allowing the creation of pages and sending of emails from the site.
PLUGIN
Before 1
CVE-2025-11191
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-11806 - Qzzr Shortcode Plugin
The Qzzr Shortcode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'qzzr' shortcode in all versions up to, and including, 1.0.1. This is due to insufficient input sanitization and output escaping on the 'quiz' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Qzzr Shortcode
CVE-2025-11806
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-11975 - Changeset Plugin
The FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_changes() function in all versions up to, and including, 1.1.23.0. This makes it possible for unauthenticated attackers to add and edit sync rules.
PLUGIN
Changeset
CVE-2025-11975
Risk Score
Threat Entry
Updated 2025-10-30
CVE-2025-11881 - Mobile App Framework Plugin
The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'myappp_verify' function in all versions up to, and including, 4.5.0. This makes it possible for unauthenticated attackers to extract sensitive data including plugin and theme names and version numbers, which can be used to facilitate targeted attacks against outdated or vulnerable components.
PLUGIN
Mobile App Framework
CVE-2025-11881
Risk Score
Threat Entry
Updated 2025-10-30
CVE-2025-11627 - Site Checkup Plugin
The Site Checkup Debug AI Troubleshooting with Wizard and Tips for Each Issue plugin for WordPress is vulnerable to log file poisoning in all versions up to, and including, 1.47. This makes it possible for unauthenticated attackers to insert arbitrary content into log files, and potentially cause denial of service via disk space exhaustion.
PLUGIN
Site Checkup
CVE-2025-11627
Risk Score
Threat Entry
Updated 2025-10-30
CVE-2025-10008 - Weglot Plugin
The Translate WordPress and go Multilingual – Weglot plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'clean_options' function in all versions up to, and including, 5.1. This makes it possible for unauthenticated attackers to delete limited transients that contain cached plugin options.
PLUGIN
Weglot
CVE-2025-10008
Risk Score
Threat Entry
Updated 2025-10-30
CVE-2025-12475 - Blocksy Companion Plugin
The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blocksy_newsletter_subscribe' shortcode in all versions up to, and including, 2.1.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Blocksy Companion
CVE-2025-12475
Risk Score
Threat Entry
Updated 2025-10-30
CVE-2025-11632 - Call Now Button Plugin
The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.5.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate links to billing portal, where they can view and modify billing information of the connected, account, generate chat session tokens, view domain status, etc. This vulnerability was partially fixed in version 1.5.4 and fully fixed in…
PLUGIN
Call Now Button
CVE-2025-11632
Risk Score
Threat Entry
Updated 2025-12-19
CVE-2025-11587 - Call Now Button Plugin
The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate function in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to link the plugin to their nowbuttons.com account and add malicious buttons to the site. The vulnerability is only exploitable on fresh installs where the plugin has not been previously configured with an API key.
PLUGIN
Call Now Button
CVE-2025-11587
Risk Score
Threat Entry
Updated 2025-10-30
CVE-2025-12450 - Litespeed Cache Plugin
The LiteSpeed Cache plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URLs in all versions up to, and including, 7.5.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Litespeed Cache
CVE-2025-12450
Risk Score
Threat Entry
Updated 2025-10-30
CVE-2025-9544 - Doppler Forms Plugin
The Doppler Forms WordPress plugin through 2.5.1 registers an AJAX action install_extension without verifying user capabilities or using a nonce. As a result, any authenticated user — including those with the Subscriber role — can install and activate additional Doppler Forms WordPress plugin through 2.5.1 (limited to those whitelisted by the main Doppler Forms WordPress plugin through 2.5.1).
PLUGIN
Doppler Forms
CVE-2025-9544
Risk Score