Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 2641-2660 of 10863 records
CVE-2025-58669 - WordPress Core (entry updated 2025-09-22)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Modern Minds Magento 2 WordPress Integration allows Stored XSS. This issue affects Magento 2 WordPress Integration: from n/a through 1.4.1.
Category: CORE WordPress Core | Severity: MEDIUM | CVSS: 5.9 | Date: 2025-09-22

CVE-2025-58665 - WordPress Core (entry updated 2025-09-22)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tmontg1 Form Generator for WordPress allows Stored XSS. This issue affects Form Generator for WordPress: from n/a through 1.5.2.
Category: CORE WordPress Core | Severity: MEDIUM | CVSS: 5.9 | Date: 2025-09-22

CVE-2025-58020 - WordPress Core (entry updated 2025-09-22)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeroen Schmit Theater for WordPress allows Stored XSS. This issue affects Theater for WordPress: from n/a through 0.18.8.
Category: CORE WordPress Core | Severity: MEDIUM | CVSS: 6.5 | Date: 2025-09-22

CVE-2025-57989 - WordPress Core (entry updated 2025-09-22)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brajesh Singh WordPress Widgets Shortcode allows Stored XSS. This issue affects WordPress Widgets Shortcode: from n/a through 1.0.3.
Category: CORE WordPress Core | Severity: MEDIUM | CVSS: 6.5 | Date: 2025-09-22

CVE-2025-57923 - Exposes The Api Key Plugin (entry updated 2025-10-24)
An Insertion of Sensitive Information into Sent Data vulnerability in the Ideal Postcodes UK Address Postcode Validation WordPress plugin exposes the API key, allowing unauthorized third parties to retrieve and reuse the key across any domain. Since API keys are unrestricted by default, with the “Allowed URLs” field left empty upon creation of the API key, this can lead to unauthorized use and depletion of API credits. Note: the vulnerability is assessed based on the default configuration. This issue affects UK Address Postcode Validation: from n/a through 3.9.2.
Category: PLUGIN Exposes The Api Key | Severity: MEDIUM | CVSS: 5.3 | Date: 2025-09-22

CVE-2025-9115 - Before 3 Plugin (entry updated 2025-09-22)
The Etsy Shop WordPress plugin before 3.0.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.
Category: PLUGIN Before 3 | Severity: MEDIUM | CVSS: 5.6 | Date: 2025-09-22

CVE-2025-9541 - Markup Markdown Plugin (entry updated 2025-09-22)
The Markup Markdown WordPress plugin before 3.20.10 allows links to contain JavaScript which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Category: PLUGIN Markup Markdown | Severity: MEDIUM | CVSS: 4.7 | Date: 2025-09-22

CVE-2025-9540 - Markup Markdown Plugin (entry updated 2025-09-22)
The Markup Markdown WordPress plugin before 3.20.10 allows links to contain JavaScript which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Category: PLUGIN Markup Markdown | Severity: MEDIUM | CVSS: 4.7 | Date: 2025-09-22

CVE-2025-9487 - Before 7 Plugin (entry updated 2025-09-22)
The Admin and Site Enhancements (ASE) WordPress plugin before 7.9.8 does not sanitise SVG files when uploaded via xmlrpc.php when such uploads are enabled, which could allow users to upload a malicious SVG containing XSS payloads.
Category: PLUGIN Before 7 | Severity: MEDIUM | CVSS: 4.7 | Date: 2025-09-22

CVE-2025-9883 - Browser Sniff Plugin (entry updated 2025-09-22)
The Browser Sniff plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Category: PLUGIN Browser Sniff | Severity: MEDIUM | CVSS: 6.1 | Date: 2025-09-20

CVE-2025-9882 - Osticket Wp Bridge Plugin (entry updated 2025-09-22)
The osTicket WP Bridge plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Category: PLUGIN Osticket Wp Bridge | Severity: MEDIUM | CVSS: 6.1 | Date: 2025-09-20

CVE-2025-9887 - Custom Login And Signup Widget Plugin (entry updated 2025-09-22)
The Custom Login And Signup Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation in the /frndzk_adminclsw.php file. This makes it possible for unauthenticated attackers to change the email and username settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Category: PLUGIN Custom Login And Signup Widget | Severity: MEDIUM | CVSS: 4.3 | Date: 2025-09-20

CVE-2025-10658 - Customer Support Ticket System Plugin (entry updated 2025-09-22)
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.3.7. This is due to missing rate limiting on the OTP verification for guest login. This makes it possible for unauthenticated attackers to bypass authentication and gain unauthorized access to customer support tickets by brute forcing the 6-digit OTP code.
Category: PLUGIN Customer Support Ticket System | Severity: MEDIUM | CVSS: 6.5 | Date: 2025-09-20

CVE-2025-10181 - Simple Draft List Plugin (entry updated 2025-09-22)
The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'drafts' shortcode in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Category: PLUGIN Simple Draft List | Severity: MEDIUM | CVSS: 6.4 | Date: 2025-09-20

CVE-2025-10305 - Secure Passkeys Plugin (entry updated 2025-09-22)
The Secure Passkeys plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_passkey() and passkeys_list() functions in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and delete passkeys.
Category: PLUGIN Secure Passkeys | Severity: MEDIUM | CVSS: 5.3 | Date: 2025-09-20

CVE-2025-10489 - Conversational Forms And More Plugin (entry updated 2025-09-22)
The SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more plugin for WordPress is vulnerable to unauthorized creation of forms due to a missing capability check on the register_post_types() function in all versions up to, and including, 1.12.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to create forms when the user interface specifically prohibits it.
Category: PLUGIN Conversational Forms And More | Severity: MEDIUM | CVSS: 4.3 | Date: 2025-09-20

CVE-2025-9949 - Seo Automated Link Building Plugin (entry updated 2025-09-22)
The Internal Links Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on the link deletion functionality in the process_bulk_action() function. This makes it possible for unauthenticated attackers to delete SEO links via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Category: PLUGIN Seo Automated Link Building | Severity: MEDIUM | CVSS: 4.3 | Date: 2025-09-20

CVE-2025-10002 - Link Pages Plugin (entry updated 2025-09-22)
The ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages plugin for WordPress is vulnerable to SQL Injection via the export_csv() function in all versions up to, and including, 2.5.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This may be…
Category: PLUGIN Link Pages | Severity: MEDIUM | CVSS: 4.9 | Date: 2025-09-20

CVE-2025-10652 - Robcore Netatmo Plugin (entry updated 2025-09-22)
The Robcore Netatmo plugin for WordPress is vulnerable to SQL Injection via the ‘module_id’ attribute of the robcore-netatmo shortcode in all versions up to, and including, 1.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Category: PLUGIN Robcore Netatmo | Severity: MEDIUM | CVSS: 6.5 | Date: 2025-09-20

CVE-2025-10146 - Download Manager Plugin (entry updated 2025-09-19)
The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘user_ids’ parameter in all versions up to, and including, 3.3.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Category: PLUGIN Download Manager | Severity: MEDIUM | CVSS: 6.1 | Date: 2025-09-19