Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-10-14
CVE-2025-10048 - My Auctions Allegro Plugin
The My auctions allegro plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 3.6.31 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
My Auctions Allegro
CVE-2025-10048
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-9560 - Colibri Page Builder Plugin
The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's colibri_newsletter shortcode in all versions up to, and including, 1.0.334 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Colibri Page Builder
CVE-2025-9560
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-11380 - Cloning Plugin
The Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'everest_process_status' AJAX action in all versions up to, and including, 2.3.5. This makes it possible for unauthenticated attackers to retrieve back-up file locations that can be subsequently accessed and downloaded. This does require a back-up to be running in order for an attacker to retrieve the back-up location.
PLUGIN
Cloning
CVE-2025-11380
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-7781 - Wp Jobhunt Plugin
The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Stored Cross-Site Scripting via the ‘cs_job_title’ parameter in all versions up to, and including, 7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Candidate-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Jobhunt
CVE-2025-7781
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-7374 - Wp Jobhunt Plugin
The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to authorization bypass in all versions up to, and including, 7.6. This is due to insufficient login restrictions on inactive and pending accounts. This makes it possible for authenticated attackers, with Candidate- and Employer-level access and above, to log in to the site even if their account is inactive or pending.
PLUGIN
Wp Jobhunt
CVE-2025-7374
Risk Score
Threat Entry
Updated 2025-11-13
CVE-2025-10124 - Booking Manager Plugin
The Booking Manager WordPress plugin before 2.1.15 registers a shortcode that deletes bookings and makes that shortcode available to anyone with contributor and above privileges. When a page containing the shortcode is visited, the bookings are deleted.
PLUGIN
Booking Manager
CVE-2025-10124
Risk Score
Threat Entry
Updated 2025-10-09
CVE-2025-9371 - Betheme
The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘page_title’ parameter in all versions up to, and including, 28.1.6 due to insufficient input sanitization and output escaping of theme breadcrumbs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
THEME
Betheme
CVE-2025-9371
Risk Score
Threat Entry
Updated 2025-10-09
CVE-2025-10249 - Slider Revolution Plugin
The Slider Revolution plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on several functions in all versions up to, and including, 6.7.37. This makes it possible for authenticated attackers, with Contributor-level access and above, to install and activate plugin add-ons, create sliders, and download arbitrary files.
PLUGIN
Slider Revolution
CVE-2025-10249
Risk Score
Threat Entry
Updated 2025-10-09
CVE-2025-11166 - Wp Google Maps Plugin
The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 9.0.46. This is due to the plugin exposing state-changing REST actions through an AJAX bridge without proper CSRF token validation, and having destructive logic reachable via GET requests with no permission_callback. This makes it possible for unauthenticated attackers to force logged-in administrators to create, update, or delete markers and geometry features via CSRF attacks, and allows anonymous users to trigger mass deletion of markers via…
PLUGIN
Wp Google Maps
CVE-2025-11166
Risk Score
Threat Entry
Updated 2025-10-08
CVE-2025-10649 - Welcart E Commerce Plugin
The Welcart e-Commerce plugin for WordPress is vulnerable to SQL Injection via the cookie in all versions up to, and including, 2.11.21 due to insufficient escaping on the user supplied value and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Welcart E Commerce
CVE-2025-10649
Risk Score
Threat Entry
Updated 2025-10-08
CVE-2025-11171 - Chart Builder Plugin
The Chartify – WordPress Chart Plugin for WordPress is vulnerable to Missing Authentication for Critical Function in all versions up to, and including, 3.5.9. This is due to the plugin registering an unauthenticated AJAX action that dispatches to admin-class methods based on a request parameter, without any nonce or capability checks. This makes it possible for unauthenticated attackers to execute administrative functions via the wp-admin/admin-ajax.php endpoint granted they can identify callable method names.
PLUGIN
Chart Builder
CVE-2025-11171
Risk Score
Threat Entry
Updated 2025-10-08
CVE-2025-10645 - Wp Reset Plugin
The WP Reset plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.05 via the WF_Licensing::log() method when debugging is enabled (default). This makes it possible for unauthenticated attackers to extract sensitive license key and site data.
PLUGIN
Wp Reset
CVE-2025-10645
Risk Score
Threat Entry
Updated 2025-10-08
CVE-2025-7400 - Changeset Plugin
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a post's Featured Image custom fields in all versions up to, and including, 5.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in version 5.2.2.
PLUGIN
Changeset
CVE-2025-7400
Risk Score
Threat Entry
Updated 2025-10-06
CVE-2025-9710 - Before 2 Plugin
The Responsive Lightbox & Gallery WordPress plugin before 2.5.3 does not properly handle HTML tag attributes modifications, potentially allowing unauthenticated attackers to abuse the functionality to include event handlers and conduct Stored XSS attacks.
PLUGIN
Before 2
CVE-2025-9710
Risk Score
Threat Entry
Updated 2025-10-06
CVE-2025-9703 - Before 2 Plugin
The Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) WordPress plugin before 2.5.0 does not sanitize SVG file contents when uploaded through the xmlrpc.php endpoint using base64 encode, leading to a Cross-Site Scripting vulnerability.
PLUGIN
Before 2
CVE-2025-9703
Risk Score
Threat Entry
Updated 2025-10-06
CVE-2025-9952 - Text To Speech Ai Audio Player To Convert Content Into Audio Plugin
The Trinity Audio – Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'range-date' parameter in all versions up to, and including, 5.20.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Text To Speech Ai Audio Player To Convert Content Into Audio
CVE-2025-9952
Risk Score
Threat Entry
Updated 2025-10-06
CVE-2025-9886 - Trinity Audio Plugin
The Trinity Audio – Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.20.2. This is due to missing or incorrect nonce validation in the '/admin/inc/post-management.php' file. This makes it possible for unauthenticated attackers to activate/deactivate posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Trinity Audio
CVE-2025-9886
Risk Score
Threat Entry
Updated 2025-10-06
CVE-2025-10383 - Contest Gallery Plugin
The Contest Gallery – Upload, Vote & Sell with PayPal and Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple form field parameters in all versions up to, and including, 27.0.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with author-level access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Contest Gallery
CVE-2025-10383
Risk Score
Threat Entry
Updated 2025-10-06
CVE-2025-9030 - Majestic Before After Image Plugin
The Majestic Before After Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before_label' and 'after_label' parameters in versions less than, or equal to, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Majestic Before After Image
CVE-2025-9030
Risk Score
Threat Entry
Updated 2025-10-06
CVE-2025-8726 - Wp Photo Album Plus Plugin
The WP Photo Album Plus plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 9.0.11.006 due to insufficient input sanitization and output escaping in the wppa_user_upload function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in the photo album descriptions that execute in a victim's browser.
PLUGIN
Wp Photo Album Plus
CVE-2025-8726
Risk Score