Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-10-06
CVE-2025-11241 - Yoast Seo Premium Plugin
The Yoast SEO Premium plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions 25.7 to 25.9 due to a flawed regex used to remove an attribute in post content, which can be abused to inject arbitrary HTML attributes, including JavaScript event handlers. This vulnerability allows a user with Contributor access or higher to create a post containing a malicious JavaScript payload.
PLUGIN
Yoast Seo Premium
CVE-2025-11241
Risk Score
Threat Entry
Updated 2025-10-02
CVE-2025-9512 - Before 1 Plugin
The Schema & Structured Data for WP & AMP WordPress plugin before 1.50 does not properly handles HTML tag attribute modifications, making it possible for unauthenticated attackers to conduct Stored XSS attacks via post comments.
PLUGIN
Before 1
CVE-2025-9512
Risk Score
Threat Entry
Updated 2025-10-02
CVE-2025-9075 - Zoloblocks Plugin
The ZoloBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple Gutenberg blocks in versions up to, and including, 2.3.10. This is due to insufficient input sanitization and output escaping on user-supplied attributes within multiple block components including Google Maps markers, Lightbox captions, Image Gallery data attributes, Progress Pie prefix/suffix fields, and Text Path URL fields. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Zoloblocks
CVE-2025-9075
Risk Score
Threat Entry
Updated 2025-10-02
CVE-2025-10744 - Softdiscover Db File Manager Plugin
The File Manager, Code Editor, and Backup by Managefy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.1 through publicly exposed log files. This makes it possible for unauthenticated attackers to view information like full paths and full paths to backup files information contained in the exposed log files.
PLUGIN
Softdiscover Db File Manager
CVE-2025-10744
Risk Score
Threat Entry
Updated 2025-10-02
CVE-2025-10735 - Block For Mailchimp Plugin
The Block For Mailchimp – Easy Mailchimp Form Integration plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 1.1.12 via the mcbSubmit_Form_Data(). This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Block For Mailchimp
CVE-2025-10735
Risk Score
Threat Entry
Updated 2025-10-02
CVE-2025-9852 - Momoyoga Integration Plugin
The Yoga Schedule Momoyoga plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'momoyoga-schedule' shortcode in all versions up to, and including, 2.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Momoyoga Integration
CVE-2025-9852
Risk Score
Threat Entry
Updated 2025-10-02
CVE-2025-9946 - Lockerpress Wordpress Security Plugin
The LockerPress – WordPress Security Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Lockerpress Wordpress Security
CVE-2025-9946
Risk Score
Threat Entry
Updated 2025-10-02
CVE-2025-9948 - Chat By Chatwee Plugin
The Chat by Chatwee plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.3. This is due to missing or incorrect nonce validation on the admin settings page. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Chat By Chatwee
CVE-2025-9948
Risk Score
Threat Entry
Updated 2025-10-02
CVE-2025-8777 - Planetcalc Plugin
The planetcalc plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘language’ parameter in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Planetcalc
CVE-2025-8777
Risk Score
Threat Entry
Updated 2025-10-02
CVE-2025-8624 - Nexa Blocks Plugin
The Nexa Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Google Maps widget in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Nexa Blocks
CVE-2025-8624
Risk Score
Threat Entry
Updated 2025-10-02
CVE-2025-8623 - Weedmaps Menu Embed Plugin
The WeedMaps Menu for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's weedmaps_menu shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Weedmaps Menu Embed
CVE-2025-8623
Risk Score
Threat Entry
Updated 2025-10-02
CVE-2025-8559 - All In One Music Player Plugin
The All in One Music Player plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.1 via the 'theme' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of files on the server, which can contain sensitive information.
PLUGIN
All In One Music Player
CVE-2025-8559
Risk Score
Threat Entry
Updated 2025-10-02
CVE-2025-8608 - Mihdan Elementor Yandex Maps Plugin
The Mihdan: Elementor Yandex Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block attributes in all versions up to, and including, 1.6.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Mihdan Elementor Yandex Maps
CVE-2025-8608
Risk Score
Threat Entry
Updated 2025-10-02
CVE-2025-8566 - Gutenbee Plugin
The GutenBee – Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via parameters in the CountUp and Google Maps Blocks in all versions up to, and including, 2.18.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Gutenbee
CVE-2025-8566
Risk Score
Threat Entry
Updated 2025-10-02
CVE-2025-8560 - Fancytabs Plugin
The FancyTabs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Fancytabs
CVE-2025-8560
Risk Score
Threat Entry
Updated 2025-10-02
CVE-2025-8214 - Pack Addon Plugin
The The Pack Elementor addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Typing Letter widget in all versions up to, and including, 2.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Pack Addon
CVE-2025-8214
Risk Score
Threat Entry
Updated 2025-10-02
CVE-2025-6941 - Calendar Booking Plugin For Appointments And Events
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'latepoint_resources' shortcode in all versions up to, and including, 5.1.94 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Calendar Booking Plugin For Appointments And Events
CVE-2025-6941
Risk Score
Threat Entry
Updated 2025-10-02
CVE-2025-6815 - Latepoint Plugin
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘service[name]’ parameter in all versions up to, and including, 5.1.94 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Latepoint
CVE-2025-6815
Risk Score
Threat Entry
Updated 2025-10-02
CVE-2025-11163 - Smartcrawl Seo Plugin
The SmartCrawl SEO checker, analyzer & optimizer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_submodule() function in all versions up to, and including, 3.14.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's setttings.
PLUGIN
Smartcrawl Seo
CVE-2025-11163
Risk Score
Threat Entry
Updated 2025-10-02
CVE-2025-10196 - Survey Anyplace Plugin
The Survey Anyplace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'surveyanyplace_embed' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Survey Anyplace
CVE-2025-10196
Risk Score