Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-10-21
CVE-2025-11895 - Binary Mlm Plan Plugin
The Binary MLM Plan plugin for WordPress is vulnerable to insecure direct object reference in versions up to, and including, 3.0. This is due to the bmp_user_payout_detail_of_current_user() function selecting payout records solely by id without verifying ownership. This makes it possible for authenticated attackers with the bmp_user role (often subscribers) to view other members' payout summaries via direct requests to the /bmp-account-detail/ endpoint with a crafted payout-id parameter granted they can access the shortcode output.
PLUGIN
Binary Mlm Plan
CVE-2025-11895
Risk Score
Threat Entry
Updated 2025-10-16
CVE-2025-10849 - Felan Framework Plugin
The Felan Framework plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_plugin_actions' function called via an AJAX action in versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to activate or deactivate arbitrary plugins.
PLUGIN
Felan Framework
CVE-2025-10849
Risk Score
Threat Entry
Updated 2025-10-16
CVE-2025-11814 - Ultimate Addons For Wpbakery Plugin
The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to 3.21.1 (exclusive) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ultimate Addons For Wpbakery
CVE-2025-11814
Risk Score
Threat Entry
Updated 2025-10-16
CVE-2025-10700 - Usability Plugin
The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.0. This is due to missing or incorrect nonce validation on the enable_unfiltered_files_upload function. This makes it possible for unauthenticated attackers to enable unfiltered file upload and add svg files to the upload list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Usability
CVE-2025-10700
Risk Score
Threat Entry
Updated 2025-10-16
CVE-2025-11728 - Oceanpayment Creditcard Gateway Plugin
The Oceanpayment CreditCard Gateway plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'return_payment' and 'notice_payment' functions in all versions up to, and including, 6.0. This makes it possible for unauthenticated attackers to update WooCommerce orders to 'failed' status, and update transaction IDs.
PLUGIN
Oceanpayment Creditcard Gateway
CVE-2025-11728
Risk Score
Threat Entry
Updated 2025-10-16
CVE-2025-11365 - Wp Google Map Plugin
The WP Google Map Plugin plugin for WordPress is vulnerable to blind SQL Injection via the 'id' parameter of the 'google_map' shortcode in all versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Wp Google Map
CVE-2025-11365
Risk Score
Threat Entry
Updated 2025-10-16
CVE-2025-11701 - Zip Attachments Plugin
The Zip Attachments plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check as well as missing post status validation in the za_create_zip_callback function in all versions up to, and including, 1.6. This makes it possible for unauthenticated attackers to download attachments from private and password-protected posts.
PLUGIN
Zip Attachments
CVE-2025-11701
Risk Score
Threat Entry
Updated 2025-10-16
CVE-2025-11692 - Zip Attachments Plugin
The Zip Attachments plugin for WordPress is vulnerable to unauthorized loss of data due to a missing authorization and capability checks on the download.php file in all versions up to, and including, 1.6. This makes it possible for unauthenticated attackers to delete arbitrary files from the current wp_upload_dir directory.
PLUGIN
Zip Attachments
CVE-2025-11692
Risk Score
Threat Entry
Updated 2025-10-16
CVE-2025-11196 - External Login Plugin
The External Login plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.11.2 due to the 'exlog_test_connection' AJAX action lacking capability checks or nonce validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to query the configured external database and retrieve truncated usernames, email addresses, and password hashes via the diagnostic test results view.
PLUGIN
External Login
CVE-2025-11196
Risk Score
Threat Entry
Updated 2025-10-16
CVE-2025-10730 - Wp Tabber Widget Plugin
The Wp tabber widget plugin for WordPress is vulnerable to SQL Injection via the 'wp-tabber-widget' shortcode in all versions up to, and including, 4.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Wp Tabber Widget
CVE-2025-10730
Risk Score
Threat Entry
Updated 2025-10-16
CVE-2025-10682 - Tariffuxx Plugin
The TARIFFUXX plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4. This is due to insufficient neutralization of user-supplied input used directly in SQL queries. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject additional SQL into queries and extract sensitive information from the database via a crafted id attribute in the 'tariffuxx_configurator' shortcode.
PLUGIN
Tariffuxx
CVE-2025-10682
Risk Score
Threat Entry
Updated 2025-10-16
CVE-2025-10660 - Wp Dashboard Chat Plugin
The WP Dashboard Chat plugin for WordPress is vulnerable to SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Wp Dashboard Chat
CVE-2025-10660
Risk Score
Threat Entry
Updated 2025-10-16
CVE-2025-10575 - Wp Jquery Pdf Paged Plugin
The WP jQuery Pager plugin for WordPress is vulnerable to SQL Injection via the 'ids' shortcode attribute parameter handled by the WPJqueryPaged::get_gallery_page_imgs() function in all versions up to, and including, 1.4.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Wp Jquery Pdf Paged
CVE-2025-10575
Risk Score
Threat Entry
Updated 2025-10-16
CVE-2025-10648 - Login With Yourmembership Plugin
The YourMembership Single Sign On – YM SSO Login plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'moym_display_test_attributes' function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to read the profile data of the latest SSO login.
PLUGIN
Login With Yourmembership
CVE-2025-10648
Risk Score
Threat Entry
Updated 2025-10-16
CVE-2025-10486 - Content Writer Plugin
The Content Writer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.8 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files.
PLUGIN
Content Writer
CVE-2025-10486
Risk Score
Threat Entry
Updated 2025-10-16
CVE-2025-10312 - Theme Importer Plugin
The Theme Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation when processing form submissions in the theme-importer.php file. This makes it possible for unauthenticated attackers to trigger arbitrary file downloads and potentially execute malicious operations via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Theme Importer
CVE-2025-10312
Risk Score
Threat Entry
Updated 2025-10-16
CVE-2025-10310 - Rich Snippet Site Report Plugin
The Rich Snippet Site Report plugin for WordPress is vulnerable to SQL Injection via the 'last' parameter in all versions up to, and including, 2.0.0105 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This can also be exploited via CSRF.
PLUGIN
Rich Snippet Site Report
CVE-2025-10310
Risk Score
Threat Entry
Updated 2025-10-16
CVE-2025-10303 - Library Management System Plugin
The Library Management System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the owt7_library_management_ajax_handler() function in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update and manipulate several of the plugin's settings and features.
PLUGIN
Library Management System
CVE-2025-10303
Risk Score
Threat Entry
Updated 2025-10-16
CVE-2025-10301 - Funkitools Plugin
The FunKItools plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the saveFields() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Funkitools
CVE-2025-10301
Risk Score
Threat Entry
Updated 2025-10-16
CVE-2025-10300 - Topbar Plugin
The TopBar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the fme_nb_topbar_save_settings() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Topbar
CVE-2025-10300
Risk Score