Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-10-14
CVE-2025-9950 - Error Log Viewer Plugin
The Error Log Viewer by BestWebSoft plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.6 via the rrrlgvwr_get_file function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Error Log Viewer
CVE-2025-9950
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-9947 - Custom 404 Pro Plugin
The Custom 404 Pro plugin for WordPress is vulnerable to time-based SQL Injection via the ‘path’ parameter in all versions up to, and including, 3.12.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Custom 404 Pro
CVE-2025-9947
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-9626 - Page Blocks Plugin
The Page Blocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the admin_process_widget_page_change function. This makes it possible for unauthenticated attackers to modify widget page block configurations via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Page Blocks
CVE-2025-9626
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-9621 - Widgetpack Comment System Plugin
The WidgetPack Comment System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.1. This is due to missing or incorrect nonce validation on the wpcmt_sync action in the wpcmt_request_handler function. This makes it possible for unauthenticated attackers to trigger comment synchronization events via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Widgetpack Comment System
CVE-2025-9621
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-8682 - Newsup Theme
The Newsup theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the newsup_admin_info_install_plugin() function in all versions up to, and including, 5.0.10. This makes it possible for unauthenticated attackers to install the ansar-import plugin.
THEME
Newsup
CVE-2025-8682
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-7652 - Easy Plugin Stats
The Easy Plugin Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'eps' shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Easy Plugin Stats
CVE-2025-7652
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-8484 - Code Quality Control Tool Plugin
The Code Quality Control Tool plugin for WordPress is vulnerable to Sensitive Information Exposure in version 0.1 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files.
PLUGIN
Code Quality Control Tool
CVE-2025-8484
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-10190 - Wp Easy Toggles Plugin
The WP Easy Toggles plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'toggles' shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Easy Toggles
CVE-2025-10190
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-10376 - Course Redirects For Learndash Plugin
The Course Redirects for Learndash plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.4. This is due to missing nonce validation when processing form submissions on the settings page. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Course Redirects For Learndash
CVE-2025-10376
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-10375 - Web Accessibility By Accessibe Plugin
The Web Accessibility By accessiBe plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10. This is due to missing nonce validation on multiple AJAX actions including accessibe_signup, accessibe_login, accessibe_license_trial, accessibe_modify_config, and accessibe_add_verification_page. This makes it possible for unauthenticated attackers to modify plugin settings and create verification files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Web Accessibility By Accessibe
CVE-2025-10375
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-10175 - Wp Links Page Plugin
The WP Links Page plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 4.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Wp Links Page
CVE-2025-10175
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-10167 - Stock Snapshot For Woocommerce Plugin
The Stock History & Reports Manager for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'alg_wc_stock_snapshot_restocked shortcode in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Stock Snapshot For Woocommerce
CVE-2025-10167
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-10129 - Wp Webcam Widget Shortcode Plugin
The WordPress Live Webcam Widget & Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'webcam' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Webcam Widget Shortcode
CVE-2025-10129
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-11518 - Wpc Smart Wishlist For Woocommerce Plugin
The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via several wishlist AJAX functions due to missing validation on a user controlled key that is exposed when wishlists are shared. This makes it possible for unauthenticated attackers to empty and add to other user's wishlists, if they have access to the key.
PLUGIN
Wpc Smart Wishlist For Woocommerce
CVE-2025-11518
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-11254 - Sell With Paypal And Stripe Plugin
The Contest Gallery – Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 27.0.3 via gallery submissions. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
PLUGIN
Sell With Paypal And Stripe
CVE-2025-11254
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-11167 - Tailored Tool For Seamless Login And Invitation Based Registrations Plugin
The CM Registration – Tailored tool for seamless login and invitation-based registrations plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 2.5.6. This is due to insufficient validation on the redirect url supplied via the 'redirect_url' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
PLUGIN
Tailored Tool For Seamless Login And Invitation Based Registrations
CVE-2025-11167
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-9496 - Enable Media Replace Plugin
The Enable Media Replace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file_modified shortcode in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Enable Media Replace
CVE-2025-9496
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-9196 - Text To Speech Ai Audio Player To Convert Content Into Audio Plugin
The Trinity Audio – Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.21.0 via the ~/admin/inc/phpinfo.php file that gets created on install. This makes it possible for unauthenticated attackers to extract sensitive data including configuration data.
PLUGIN
Text To Speech Ai Audio Player To Convert Content Into Audio
CVE-2025-9196
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-11197 - Draft List Plugin
The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'drafts' shortcode in all versions up to, and including, 2.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Draft List
CVE-2025-11197
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-10185 - Nex Forms Express Wp Form Builder Plugin
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in the action nf_load_form_entries in all versions up to, and including, 9.1.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This may be exploitable by lower-level users…
PLUGIN
Nex Forms Express Wp Form Builder
CVE-2025-10185
Risk Score