Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-10-06
CVE-2025-9029 - Widget Builder Plugin
The WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder plugin for WordPress is vulnerable to missing authorization via the wdkit_handle_review_submission function in versions less than, or equal to, 1.2.16. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to submit feedback data to external services.
PLUGIN
Widget Builder
CVE-2025-9029
Risk Score
Threat Entry
Updated 2025-11-26
CVE-2025-11228 - Givewp Plugin
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `registerAssociateFormsWithCampaign` function in all versions up to, and including, 4.10.0. This makes it possible for unauthenticated attackers to associate any donation forms with any campaign.
PLUGIN
Givewp
CVE-2025-11228
Risk Score
Threat Entry
Updated 2025-11-26
CVE-2025-11227 - Givewp Plugin
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.10.0 via the 'registerGetForm', 'registerGetForms', 'registerGetCampaign' and 'registerGetCampaigns' functions due to a missing capability check. This makes it possible for unauthenticated attackers to extract data from private and draft donation forms, as well as archived campaigns.
PLUGIN
Givewp
CVE-2025-11227
Risk Score
Threat Entry
Updated 2025-10-06
CVE-2025-10746 - Integrate Dynamics 365 Crm Plugin
The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.9. This is due to missing capability checks and nonce verification on functions hooked to 'init'. This makes it possible for unauthenticated attackers to deactivate the plugin, tamper with OAuth configuration, and trigger test connections that expose sensitive data via direct request to vulnerable endpoints granted they can craft malicious requests with specific parameters.
PLUGIN
Integrate Dynamics 365 Crm
CVE-2025-10746
Risk Score
Threat Entry
Updated 2025-10-06
CVE-2025-9892 - Restrict User Registration Plugin
The Restrict User Registration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the update() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Restrict User Registration
CVE-2025-9892
Risk Score
Threat Entry
Updated 2025-10-06
CVE-2025-9945 - Optimize More Css Plugin
The Optimize More! – CSS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the reset_plugin function. This makes it possible for unauthenticated attackers to reset the plugin's optimization settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Optimize More Css
CVE-2025-9945
Risk Score
Threat Entry
Updated 2025-10-06
CVE-2025-9897 - Ap Background Plugin
The AP Background plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.2. This is due to missing or incorrect nonce validation on the advParallaxBackAdminSaveSlider function. This makes it possible for unauthenticated attackers to create or modify background sliders via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Ap Background
CVE-2025-9897
Risk Score
Threat Entry
Updated 2025-10-06
CVE-2025-9895 - Simple Bar Plugin
The Notification Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the 'subscriber-list-empty.php' file. This makes it possible for unauthenticated attackers to empty the subscriber list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Simple Bar
CVE-2025-9895
Risk Score
Threat Entry
Updated 2025-10-06
CVE-2025-9889 - Contentmx Content Publisher Plugin
The ContentMX Content Publisher plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing or incorrect nonce validation on the cmx_activate_connection function. This makes it possible for unauthenticated attackers to bind their own ContentMX connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Contentmx Content Publisher
CVE-2025-9889
Risk Score
Threat Entry
Updated 2025-10-06
CVE-2025-9876 - Ird Slider Plugin
The Ird Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irdslider' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ird Slider
CVE-2025-9876
Risk Score
Threat Entry
Updated 2025-10-06
CVE-2025-9875 - Ticket Spot Plugin
The Event Tickets, RSVPs, Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ticket_spot' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ticket Spot
CVE-2025-9875
Risk Score
Threat Entry
Updated 2025-10-06
CVE-2025-9859 - Fintelligence Calculator Plugin
The Fintelligence Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fintelligence-calculator' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Fintelligence Calculator
CVE-2025-9859
Risk Score
Threat Entry
Updated 2025-10-06
CVE-2025-9858 - Auto Bulb Finder For Wp Wc Plugin
The Auto Bulb Finder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'abf_vehicle' shortcode in all versions up to, and including, 2.8.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Auto Bulb Finder For Wp Wc
CVE-2025-9858
Risk Score
Threat Entry
Updated 2025-10-06
CVE-2025-9884 - Mobile Site Redirect Plugin
The Mobile Site Redirect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Mobile Site Redirect
CVE-2025-9884
Risk Score
Threat Entry
Updated 2025-10-06
CVE-2025-9885 - Create Mercado Pago Payment Links Plugin
The MPWizard – Create Mercado Pago Payment Links plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation in the '/includes/admin/class-mpwizard-table.php' file. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Create Mercado Pago Payment Links
CVE-2025-9885
Risk Score
Threat Entry
Updated 2025-10-06
CVE-2025-9854 - A Simple Multilanguage Plugin
The A Simple Multilanguage Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'asmp-switcher' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
A Simple Multilanguage
CVE-2025-9854
Risk Score
Threat Entry
Updated 2025-10-06
CVE-2025-9372 - Ultimate Multi Design Video Carousel Plugin
The Ultimate Multi Design Video Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Ultimate Multi Design Video Carousel
CVE-2025-9372
Risk Score
Threat Entry
Updated 2025-10-06
CVE-2025-9333 - Smart Docs Plugin
The Smart Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Smart Docs
CVE-2025-9333
Risk Score
Threat Entry
Updated 2025-10-06
CVE-2025-9630 - Wp Sinotype Plugin
The WP SinoType plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the sinotype_config function. This makes it possible for unauthenticated attackers to modify typography settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Wp Sinotype
CVE-2025-9630
Risk Score
Threat Entry
Updated 2025-10-06
CVE-2025-9206 - Meks Easy Maps Plugin
The Meks Easy Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title field in all version up to, and including, 2.1.4. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the map containing the malicious post.
PLUGIN
Meks Easy Maps
CVE-2025-9206
Risk Score