
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2025-10-16

CVE-2025-10194 - Shortcode Button Plugin

The Shortcode Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Shortcode Button

CVE-2025-10194

MEDIUM CVSS 6.4 2025-10-15
Threat Entry Updated 2025-10-16

CVE-2025-10141 - Digiseller Plugin

The Digiseller plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ds' shortcode in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Digiseller

CVE-2025-10141

MEDIUM CVSS 6.4 2025-10-15
Threat Entry Updated 2025-10-16

CVE-2025-10140 - Quick Login Plugin

The Quick Social Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'quick-login' shortcode in all versions up to, and including, 1.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Quick Login

CVE-2025-10140

MEDIUM CVSS 6.4 2025-10-15
Threat Entry Updated 2025-10-16

CVE-2025-10186 - Wp Whydonate Plugin

The WhyDonate – FREE Donate button – Crowdfunding – Fundraising plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the remove_row function in all versions up to, and including, 4.0.14. This makes it possible for unauthenticated attackers to delete rows from the wp_wdplugin_style table.

PLUGIN Wp Whydonate

CVE-2025-10186

MEDIUM CVSS 5.3 2025-10-15
Threat Entry Updated 2025-10-16

CVE-2025-10139 - Wp Bookwidgets Plugin

The WP BookWidgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bw_link' shortcode in all versions up to, and including, 0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Bookwidgets

CVE-2025-10139

MEDIUM CVSS 6.4 2025-10-15
Threat Entry Updated 2025-10-16

CVE-2025-10135 - Wp Viewstl Plugin

The WP ViewSTL plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'viewstl' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Viewstl

CVE-2025-10135

MEDIUM CVSS 6.4 2025-10-15
Threat Entry Updated 2025-10-16

CVE-2025-10133 - Urlyar Url Shortner Plugin

The URLYar URL Shortner plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'urlyar_shortlink' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Urlyar Url Shortner

CVE-2025-10133

MEDIUM CVSS 6.4 2025-10-15
Threat Entry Updated 2025-10-16

CVE-2025-10132 - Dhivehi Text Plugin

The Dhivehi Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dhivehi' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Dhivehi Text

CVE-2025-10132

MEDIUM CVSS 6.4 2025-10-15
Threat Entry Updated 2025-10-16

CVE-2025-10056 - Task Scheduler Plugin

The Task Scheduler plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.3 via the “Check Website” task. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Task Scheduler

CVE-2025-10056

MEDIUM CVSS 4.4 2025-10-15
Threat Entry Updated 2025-10-16

CVE-2025-10038 - Binary Mlm Plan Plugin

The Binary MLM Plan plugin for WordPress is vulnerable to limited Privilege Escalation in all versions up to, and including, 3.0. This is due to the bmp_user role granting the manage_bmp capability by default to all users who register through the plugin's form. This makes it possible for unauthenticated attackers to register and manage the plugin's settings.

PLUGIN Binary Mlm Plan

CVE-2025-10038

MEDIUM CVSS 6.5 2025-10-15
Threat Entry Updated 2025-10-16

CVE-2025-10045 - Onoffice For Wp Websites Plugin

The onOffice for WP-Websites plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 5.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Onoffice For Wp Websites

CVE-2025-10045

MEDIUM CVSS 4.9 2025-10-15
Threat Entry Updated 2025-11-26

CVE-2025-11161 - Page Builder Plugin

The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vc_custom_heading shortcode in all versions up to, and including, 8.6.1. This is due to insufficient restriction of allowed HTML tags and improper sanitization of user-supplied attributes in the font_container parameter. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in posts that will execute whenever a user accesses an injected page via the vc_custom_heading shortcode with malicious tag and text attributes granted they have access to use…

PLUGIN Page Builder

CVE-2025-11161

MEDIUM CVSS 6.4 2025-10-15
Threat Entry Updated 2025-11-26

CVE-2025-11160 - Page Builder Plugin

The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS module in all versions up to, and including, 8.6.1. This is due to insufficient input sanitization and output escaping of user-supplied JavaScript code in the Custom JS module. This makes it possible for authenticated attackers with contributor-level access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the WPBakery Page Builder Custom JS module granted they have access to the WPBakery editor…

PLUGIN Page Builder

CVE-2025-11160

MEDIUM CVSS 6.4 2025-10-15
Threat Entry Updated 2025-10-16

CVE-2025-8561 - Ova Advent Plugin

The Ova Advent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ova Advent

CVE-2025-8561

MEDIUM CVSS 6.4 2025-10-15
Threat Entry Updated 2025-10-16

CVE-2025-11176 - Quick Featured Images Plugin

The Quick Featured Images plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 13.7.2 via the qfi_set_thumbnail and qfi_delete_thumbnail AJAX actions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to change or remove featured images of other users' posts.

PLUGIN Quick Featured Images

CVE-2025-11176

MEDIUM CVSS 4.3 2025-10-15
Threat Entry Updated 2026-01-09

CVE-2025-10406 - Blindmatrix E Commerce Plugin

The BlindMatrix e-Commerce WordPress plugin before 3.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users, such as contributors, to perform LFI attacks.

PLUGIN Blindmatrix E Commerce

CVE-2025-10406

MEDIUM CVSS 5.5 2025-10-15
Threat Entry Updated 2025-10-14

CVE-2025-10732 - Drag And Drop Form Builder For Wordpress Plugin

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.12.1. This is due to improper access control implementation on the '/wp-json/sureforms/v1/srfm-global-settings' REST API endpoint. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve sensitive information including API keys for Google reCAPTCHA, Cloudflare Turnstile, hCaptcha, admin email addresses, and security-related form settings.

PLUGIN Drag And Drop Form Builder For Wordpress

CVE-2025-10732

MEDIUM CVSS 4.3 2025-10-14
Threat Entry Updated 2025-10-14

CVE-2025-10357 - Before 2 Plugin

The Simple SEO WordPress plugin before 2.0.32 does not sanitise and escape some parameters when outputting them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.

PLUGIN Before 2

CVE-2025-10357

MEDIUM CVSS 6.1 2025-10-14
Threat Entry Updated 2025-10-14

CVE-2025-9698 - Plus Addons For Elementor Plugin

The Plus Addons for Elementor WordPress plugin before 6.3.16 does not sanitize SVG file contents, which could allow users with minimum role access as Author to perform Stored Cross-Site Scripting attacks.

PLUGIN Plus Addons For Elementor

CVE-2025-9698

MEDIUM CVSS 6.8 2025-10-13
Threat Entry Updated 2025-10-14

CVE-2025-9975 - Wp Scraper Plugin

The WP Scraper plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.8.1 via the wp_scraper_extract_content function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. On Cloud instances, this issue allows for metadata retrieval.

PLUGIN Wp Scraper

CVE-2025-9975

MEDIUM CVSS 6.8 2025-10-11