Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-10-27
CVE-2025-12005 - 360 Panorama And Free Virtual Tour Builder For Wordpress Plugin
The WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress plugin for WordPress is vulnerable to unauthorized access of data in all versions up to, and including, 8.5.41. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor level access and above, to modify sensitive plugin options.
PLUGIN
360 Panorama And Free Virtual Tour Builder For Wordpress
CVE-2025-12005
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-10737 - Open Source Genesis Framework Theme
The Open Source Genesis Framework theme for WordPress is vulnerable to Stored Cross-Site Scripting via the theme's shortcodes in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
THEME
Open Source Genesis Framework
CVE-2025-10737
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-10694 - And Polls In Seconds Plugin
The User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `maybe_load_onboarding_wizard` function in all versions up to, and including, 1.8.0. This makes it possible for unauthenticated attackers to access the onboarding wizard page and view configuration information including the administrator email address.
PLUGIN
And Polls In Seconds
CVE-2025-10694
Risk Score
Threat Entry
Updated 2025-11-26
CVE-2025-11823 - Shoplentor Plugin
The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_exist_text' parameter in the 'wishsuite_button' shortcode in all versions up to, and including, 3.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Shoplentor
CVE-2025-11823
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-10579 - Restore Plugin
The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'backwpup_working' AJAX action in all versions up to, and including, 5.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve access to a back-up's filename while a backup is running. This information has little value on it's own, but could be used to aid in a brute force attack to retrieve back-up contents in limited environments (i.e. NGINX).
PLUGIN
Restore
CVE-2025-10579
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-11760 - Eroom Zoom Meetings Webinar Plugin
The eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams plugin for WordPress is vulnerable to exposure of sensitive information in all versions up to, and including, 1.5.6. This is due to the plugin exposing Zoom SDK secret keys in client-side JavaScript within the meeting view template. This makes it possible for unauthenticated attackers to extract the sdk_secret value, which should remain server-side, compromising the security of the Zoom integration and allowing attackers to generate valid JWT signatures for unauthorized meeting access.
PLUGIN
Eroom Zoom Meetings Webinar
CVE-2025-11760
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-11576 - Virtual Assistant Plugin
The AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.6.5. This is due to insufficient sanitization in the 'newcodebyte_chatbot_export_messages' function. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
PLUGIN
Virtual Assistant
CVE-2025-11576
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-12136 - Eprivacy Cookie Consent Plugin
The Real Cookie Banner: GDPR & ePrivacy Cookie Consent plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.2.4. This is due to insufficient validation on the user-supplied URL in the '/scanner/scan-without-login' REST API endpoint. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via the `url` parameter.
PLUGIN
Eprivacy Cookie Consent
CVE-2025-12136
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-12134 - Patterns Plugin
The ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_popup_status() function in all versions up to, and including, 2.3.11. This makes it possible for unauthenticated attackers to enable/disable popups.
PLUGIN
Patterns
CVE-2025-12134
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-12096 - Simple Excel Pricelist For Woocommerce Plugin
The Simple Excel Pricelist for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pricelist' shortcode in all versions up to, and including, 1.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Simple Excel Pricelist For Woocommerce
CVE-2025-12096
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-12017 - Vnpay For Woocommerce Plugin
The VNPAY Payment gateway plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'message' parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Vnpay For Woocommerce
CVE-2025-12017
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-12072 - Disable Contect Editor For Specific Template Plugin
The Disable Content Editor For Specific Template plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0. This is due to missing nonce validation on template configuration updates. This makes it possible for unauthenticated attackers to add or delete template configurations via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
PLUGIN
Disable Contect Editor For Specific Template
CVE-2025-12072
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-11992 - Multi Item Responsive Slider Plugin
The Multi Item Responsive Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'mioptions.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Multi Item Responsive Slider
CVE-2025-11992
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-12016 - Qnotsquiz Plugin
The qnotsquiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'qnotsquiz_custom_start_text' parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Qnotsquiz
CVE-2025-12016
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-12014 - Nginx Cache Optimizer Plugin
The NGINX Cache Optimizer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'nginxcacheoptimizer-blacklist-update' AJAX action in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add URLs to the Exclude URLs From Dynamic Caching setting.
PLUGIN
Nginx Cache Optimizer
CVE-2025-12014
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-11887 - Supervisor Plugin
The Supervisor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX functions in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update various plugin settings.
PLUGIN
Supervisor
CVE-2025-11887
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-11257 - Llm Hubspot Blog Import Plugin
The LLM Hubspot Blog Import plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_save_blogs' AJAX endpoint in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger an import of all Hubspot data.
PLUGIN
Llm Hubspot Blog Import
CVE-2025-11257
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-11172 - Check Plagiarism Plugin
The Check Plagiarism plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the chk_plag_mine_plugin_wpse10500_admin_action() function in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the API key.
PLUGIN
Check Plagiarism
CVE-2025-11172
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-10902 - Originality Ai Plugin
The Originality.ai AI Checker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ai_scan_result_remove' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all data in the wp_originalityai_log database table, which can include post titles, scan scores, credits used, and other data.
PLUGIN
Originality Ai
CVE-2025-10902
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-10748 - Rapidresult Plugin
The RapidResult plugin for WordPress is vulnerable to SQL Injection via the 's' parameter in all versions up to, and including, 1.2. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level permissions and above to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Rapidresult
CVE-2025-10748
Risk Score