
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Severity filter: Medium (10,863 records; Critical 0, High 0). Showing 2661-2680 of 10,863 records.
Threat Entry Updated 2025-09-19

CVE-2025-8487 - Kubio Ai Page Builder Plugin

The Kubio AI Page Builder plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the kubio-image-hub-install-plugin AJAX action in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the Image Hub plugin.

PLUGIN Kubio Ai Page Builder

CVE-2025-8487

MEDIUM CVSS 5.4 2025-09-19
Threat Entry Updated 2025-09-18

CVE-2025-9992 - Ghost Kit Plugin

The Ghost Kit – Page Builder Blocks, Motion Effects & Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS field in all versions up to, and including, 3.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ghost Kit

CVE-2025-9992

MEDIUM CVSS 6.4 2025-09-18
Threat Entry Updated 2025-09-18

CVE-2025-10493 - Chained Quiz Plugin

The Chained Quiz plugin for WordPress is vulnerable to Insecure Direct Object Reference in version 1.3.4 and below via the quiz submission and completion mechanisms due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to hijack and modify other users' quiz attempts by manipulating the chained_completion_id cookie value, allowing them to alter quiz answers, scores, and results of any user. The vulnerability was partially patched in versions 1.3.4 and 1.3.5.

PLUGIN Chained Quiz

CVE-2025-10493

MEDIUM CVSS 5.3 2025-09-18
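The Chained Quiz entry describes the classic cookie-keyed IDOR: the server trusts a small, sequential completion id presented by the client. The following is an added example, not Chained Quiz code; the table name, cookie names and function names are hypothetical. It contrasts the vulnerable lookup with one keyed by an unguessable secret that the client cannot enumerate.

```php
<?php
// Added example (not code from the Chained Quiz plugin). Hypothetical table
// {$wpdb->prefix}acme_completions and cookie names; same shape as the entry
// above: a numeric id in a cookie is used directly as the record key.

// VULNERABLE: any client can set acme_completion_id=<someone else's id> and
// read or overwrite that attempt, because the id is the only "proof".
function acme_quiz_load_completion_vulnerable() {
    global $wpdb;
    $id = isset( $_COOKIE['acme_completion_id'] ) ? absint( $_COOKIE['acme_completion_id'] ) : 0;
    return $wpdb->get_row( $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}acme_completions WHERE id = %d", $id
    ) );
}

// HARDENED: at creation time issue a 256-bit random token, store only its
// hash, and look rows up by the hash. The numeric id is never accepted from
// the client. Requires PHP 7.3+ for the array form of setcookie().
function acme_quiz_start_completion() {
    global $wpdb;
    $token = bin2hex( random_bytes( 32 ) );              // CSPRNG, not mt_rand()/uniqid()
    $wpdb->insert( $wpdb->prefix . 'acme_completions', array(
        'token_hash' => hash( 'sha256', $token ),        // a DB leak does not leak usable tokens
        'user_id'    => get_current_user_id(),           // 0 for guests; lets logged-in attempts be bound to the account
        'created'    => current_time( 'mysql', true ),
    ) );
    setcookie( 'acme_completion', $token, array(
        'expires'  => time() + DAY_IN_SECONDS,
        'path'     => COOKIEPATH,
        'secure'   => is_ssl(),
        'httponly' => true,
        'samesite' => 'Lax',
    ) );
    return $wpdb->insert_id;
}

function acme_quiz_load_completion_hardened() {
    global $wpdb;
    $token = isset( $_COOKIE['acme_completion'] ) ? (string) $_COOKIE['acme_completion'] : '';
    if ( ! preg_match( '/^[0-9a-f]{64}$/', $token ) ) {
        return null;                                     // malformed: reject before touching the DB
    }
    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}acme_completions WHERE token_hash = %s",
        hash( 'sha256', $token )
    ) );
    // If the attempt belongs to an account, the cookie alone is not enough.
    if ( $row && (int) $row->user_id !== 0 && (int) $row->user_id !== get_current_user_id() ) {
        return null;
    }
    return $row;
}
```

The fixed-length hex check before the query is deliberate: it turns any enumeration attempt into a cheap reject, and hashing the token means a read-only SQL injection elsewhere in the site does not hand out valid session secrets for quiz attempts.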
Threat Entry Updated 2025-09-17

CVE-2025-8999 - Sydney Theme

The Sydney theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'activate_modules' function in all versions up to, and including, 2.56. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or deactivate various theme modules.

THEME Sydney

CVE-2025-8999

MEDIUM CVSS 5.3 2025-09-17
Threat Entry Updated 2025-09-17

CVE-2025-9565 - Blocksy Companion Plugin

The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocksy_newsletter_subscribe shortcode in all versions up to, and including, 2.1.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Blocksy Companion

CVE-2025-9565

MEDIUM CVSS 6.4 2025-09-17
Threat Entry Updated 2025-09-17

CVE-2025-9215 - StoreEngine Plugin

The StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.0 via the file_download() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN StoreEngine

CVE-2025-9215

MEDIUM CVSS 6.5 2025-09-17
Threat Entry Updated 2025-09-17

CVE-2025-9203 - Media Player Addons For Elementor Plugin

The Media Player Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtitle_ssize', 'track_title', and 'track_artist_name' parameters in version 1.0.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Media Player Addons For Elementor

CVE-2025-9203

MEDIUM CVSS 6.4 2025-09-17
Threat Entry Updated 2025-12-19

CVE-2025-10042 - Quiz Maker Plugin

The Quiz Maker plugin for WordPress is vulnerable to SQL Injection via spoofed IP headers in all versions up to, and including, 6.7.0.56 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable in configurations where the server is set up to retrieve the IP from a user-supplied field like…

PLUGIN Quiz Maker

CVE-2025-10042

MEDIUM CVSS 5.9 2025-09-17
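The Quiz Maker entry is a reminder that a "client IP" is only an address after it has been validated: until then it is arbitrary text from a request header. The following added example is not Quiz Maker code; the table and function names are hypothetical. It shows the vulnerable shape (proxy header concatenated into SQL) beside a version that trusts the header only behind a known proxy, validates it as an IP, and parameterises the query regardless.

```php
<?php
// Added example (not code from the Quiz Maker plugin). Hypothetical table
// {$wpdb->prefix}acme_attempts; the entry above describes exactly this
// shape: a client IP read from a forwarding header and interpolated into SQL.

// VULNERABLE: the header is attacker-controlled text, e.g.
//   X-Forwarded-For: 1.1.1.1' OR 1=1 -- 
// and the query is built by string concatenation.
function acme_get_client_ip_vulnerable() {
    if ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        return $_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    return $_SERVER['REMOTE_ADDR'];
}
function acme_count_attempts_vulnerable( $quiz_id ) {
    global $wpdb;
    $ip = acme_get_client_ip_vulnerable();
    return (int) $wpdb->get_var(
        "SELECT COUNT(*) FROM {$wpdb->prefix}acme_attempts WHERE quiz_id = " . (int) $quiz_id . " AND ip = '$ip'"
    );
}

// HARDENED:
//  1. honour X-Forwarded-For only when REMOTE_ADDR is a proxy you operate;
//  2. take the rightmost hop (the one your proxy appended) and validate it;
//  3. use $wpdb->prepare() anyway. Steps 1 and 2 are configuration; they do
//     not replace parameterisation.
function acme_get_client_ip_hardened( array $trusted_proxies ) {
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    if ( in_array( $remote, $trusted_proxies, true ) && ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        $chain     = array_map( 'trim', explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] ) );
        $candidate = end( $chain );                      // leftmost entries are client-supplied and untrusted
        if ( filter_var( $candidate, FILTER_VALIDATE_IP ) ) {
            return $candidate;
        }
    }
    return filter_var( $remote, FILTER_VALIDATE_IP ) ? $remote : '0.0.0.0';
}
function acme_count_attempts_hardened( $quiz_id, array $trusted_proxies ) {
    global $wpdb;
    $ip = acme_get_client_ip_hardened( $trusted_proxies );
    return (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}acme_attempts WHERE quiz_id = %d AND ip = %s",
        $quiz_id,
        $ip
    ) );
}

// Usage (hypothetical proxy address):
// $n = acme_count_attempts_hardened( 7, array( '10.0.0.5' ) );
```

The advisory's condition ("only exploitable in configurations where the server is set up to retrieve the IP from a user-supplied field") is the first branch of `acme_get_client_ip_vulnerable()`: a site that never enabled proxy-header lookup is not reachable, but the query itself is still wrong and should be fixed rather than relying on that setting.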
Threat Entry Updated 2025-09-17

CVE-2025-10188 - Hackrepair Plugin Archiver

The Hack Repair Guy's Plugin Archiver plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.4. This is due to missing or incorrect nonce validation on the bulk_remove() function. This makes it possible for unauthenticated attackers to delete arbitrary directories in /wp-content via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Hackrepair Plugin Archiver

CVE-2025-10188

MEDIUM CVSS 5.4 2025-09-17
Threat Entry Updated 2025-09-17

CVE-2025-10125 - Memberlite Shortcodes Plugin

The Memberlite Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'row' shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Memberlite Shortcodes

CVE-2025-10125

MEDIUM CVSS 6.4 2025-09-17
Threat Entry Updated 2025-09-17

CVE-2025-9891 - User Sync Plugin

The User Sync – Remote User Sync plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the mo_user_sync_form_handler() function. This makes it possible for unauthenticated attackers to deactivate the plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN User Sync

CVE-2025-9891

MEDIUM CVSS 4.3 2025-09-17
Threat Entry Updated 2025-09-17

CVE-2025-10166 - Social Media Shortcodes Plugin

The Social Media Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'twitter' shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Social Media Shortcodes

CVE-2025-10166

MEDIUM CVSS 6.4 2025-09-17
Threat Entry Updated 2025-09-19

CVE-2025-9851 - Appointmind Plugin

The Appointmind plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'appointmind_calendar' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Appointmind

CVE-2025-9851

MEDIUM CVSS 6.4 2025-09-17
Threat Entry Updated 2025-09-17

CVE-2025-8394 - Productive Style Plugin

The Productive Style plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's display_productive_breadcrumb shortcode in all versions up to, and including, 1.1.23 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Productive Style

CVE-2025-8394

MEDIUM CVSS 6.4 2025-09-17
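Seven of the entries on this page (Ghost Kit's custom JS field, Media Player Addons for Elementor, Blocksy Companion, Memberlite Shortcodes, Social Media Shortcodes, Appointmind and Productive Style) are the same bug: values a Contributor can type into a shortcode or block attribute are written into HTML without context-appropriate escaping. Contributors cannot normally store script in post content because they lack `unfiltered_html`, so an unescaped attribute is what gives them that capability. The following added example is not code from any of those plugins; the shortcode name, meta key and function names are hypothetical. It shows the vulnerable shortcode beside an escaped one, and a save handler for a field that is meant to hold script, where escaping is not the fix.

```php
<?php
// Added example, not code from any plugin listed on this page. Hypothetical
// shortcode [acme_card] and post meta key "_acme_custom_js".

// VULNERABLE: attributes land in attribute and text context unescaped.
// A Contributor writes  [acme_card title='" onmouseover="alert(1)' link="javascript:alert(1)"]
// and the script runs for every viewer, including the Administrator who reviews the post.
function acme_card_vulnerable( $atts ) {
    $a = shortcode_atts( array( 'title' => '', 'link' => '', 'class' => '' ), $atts );
    return '<a class="card ' . $a['class'] . '" href="' . $a['link'] . '">' . $a['title'] . '</a>';
}

// HARDENED: escape late, for the exact output context of each value.
function acme_card_hardened( $atts ) {
    $a = shortcode_atts( array( 'title' => '', 'link' => '', 'class' => '' ), $atts, 'acme_card' );
    return sprintf(
        '<a class="card %s" href="%s">%s</a>',
        esc_attr( sanitize_html_class( $a['class'] ) ),   // attribute context, restricted charset
        esc_url( $a['link'] ),                            // URL context: javascript: and data: are not allowed schemes, result is ''
        esc_html( $a['title'] )                           // text context
    );
}
add_shortcode( 'acme_card', 'acme_card_hardened' );

// A field whose purpose is to hold JavaScript (the Ghost Kit "custom JS" case)
// cannot be escaped into safety: it is executed by design. The control is
// authorization: only users who already hold unfiltered_html may store it,
// so Contributors and Authors gain nothing they could not do in post content.
function acme_save_custom_js( $post_id ) {
    if ( ! isset( $_POST['acme_custom_js'] ) ) {
        return;
    }
    check_admin_referer( 'acme_save_js', 'acme_js_nonce' );          // CSRF: form carries wp_nonce_field('acme_save_js','acme_js_nonce')
    if ( ! current_user_can( 'edit_post', $post_id ) || ! current_user_can( 'unfiltered_html' ) ) {
        return;                                                      // silently drop the field for lower roles
    }
    update_post_meta( $post_id, '_acme_custom_js', wp_unslash( $_POST['acme_custom_js'] ) );
}
add_action( 'save_post', 'acme_save_custom_js' );
```

The reason to key the custom-JS case on `unfiltered_html` rather than on a role name is that it tracks WordPress's own policy: on multisite only super admins hold it, and `DISALLOW_UNFILTERED_HTML` removes it from everyone, so the plugin inherits the site's decision instead of creating a second one.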
Threat Entry Updated 2025-09-17

CVE-2025-9629 - Uss Upyun Plugin

The USS Upyun plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.0. This is due to missing or incorrect nonce validation on the uss_setting_page function when processing the uss_set form type. This makes it possible for unauthenticated attackers to modify critical Upyun cloud storage settings including bucket name, operator credentials, upload paths, and image processing parameters via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Uss Upyun

CVE-2025-9629

MEDIUM CVSS 4.3 2025-09-17
Threat Entry Updated 2025-09-17

CVE-2025-10050 - Developer Loggers For Simple History Plugin

The Developer Loggers for Simple History plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.5 via the enabled_loggers parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

PLUGIN Developer Loggers For Simple History

CVE-2025-10050

MEDIUM CVSS 6.6 2025-09-17
Threat Entry Updated 2025-09-16

CVE-2025-8446 - Blaze Demo Importer Plugin

The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized limited plugin install due to a missing capability check on the 'blaze_demo_importer_install_plugin' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate a limited number of specific plugins. The News Kit Elementor Addons plugin and a BlazeThemes theme must be installed and activated in order to exploit the vulnerability.

PLUGIN Blaze Demo Importer

CVE-2025-8446

MEDIUM CVSS 4.3 2025-09-16
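The Kubio AI Page Builder, Sydney and Blaze Demo Importer entries share one mistake: an AJAX action that performs a privileged operation is hooked through `wp_ajax_*`, which fires for every logged-in account, and the handler never asks whether the caller is allowed to do the thing. The following added example is not code from any of the three; the action names and plugin slug are hypothetical. It shows the vulnerable handler beside one that checks both the nonce and the capability, and why the nonce alone is not enough.

```php
<?php
// Added example (not code from Kubio, Sydney or Blaze Demo Importer).
// Hypothetical action "acme_install_plugin" and helper acme_do_install().

// VULNERABLE: wp_ajax_* runs for any authenticated user, so a Subscriber can
// POST action=acme_install_plugin&slug=... to /wp-admin/admin-ajax.php.
add_action( 'wp_ajax_acme_install_plugin', 'acme_install_plugin_vulnerable' );
function acme_install_plugin_vulnerable() {
    $slug = isset( $_POST['slug'] ) ? sanitize_key( $_POST['slug'] ) : '';
    acme_do_install( $slug );                       // privileged work, no authorization
    wp_send_json_success( array( 'installed' => $slug ) );
}

// HARDENED: a nonce proves the request came from the site's own UI (CSRF);
// current_user_can() proves the caller is authorized. A nonce is not
// authorization: a Subscriber can read their own valid nonce out of any page
// that prints it, so the capability check is the one that stops this bug.
add_action( 'wp_ajax_acme_install_plugin_v2', 'acme_install_plugin_hardened' );
function acme_install_plugin_hardened() {
    check_ajax_referer( 'acme_install_plugin', 'nonce' );   // dies with -1 / 403 on a bad or missing nonce
    if ( ! current_user_can( 'install_plugins' ) ) {        // for theme modules use edit_theme_options
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $slug = isset( $_POST['slug'] ) ? sanitize_key( $_POST['slug'] ) : '';
    // Even for an Administrator, constrain what this endpoint may install.
    $allowed = array( 'acme-image-hub' );
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'unknown plugin' ), 400 );
    }
    acme_do_install( $slug );
    wp_send_json_success( array( 'installed' => $slug ) );
}

// Stand-in for the real installer (Plugin_Upgrader, activate_plugin, ...).
function acme_do_install( $slug ) {
    update_option( 'acme_last_install', $slug );
}
```

A quick triage pass over a plugin tree is to list every `add_action( 'wp_ajax_` registration and confirm the callback contains a `current_user_can(` call before any write; handlers registered under `wp_ajax_nopriv_` that write anything deserve the same scrutiny, since those run for logged-out visitors.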
Threat Entry Updated 2025-09-16

CVE-2025-9808 - The Events Calendar Plugin

The Events Calendar plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.15.2 via the REST endpoint. This makes it possible for unauthenticated attackers to extract information about password-protected vendors or venues.

PLUGIN The Events Calendar

CVE-2025-9808

MEDIUM CVSS 5.3 2025-09-16
Threat Entry Updated 2026-02-13

CVE-2025-8280 - Contact Form 7 reCAPTCHA Plugin

The Contact Form 7 reCAPTCHA WordPress plugin through 1.2.0 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.

PLUGIN Contact Form 7 reCAPTCHA

CVE-2025-8280

MEDIUM CVSS 5.8 2025-09-12
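Echoing `$_SERVER['REQUEST_URI']` into a form's action attribute is a common way to make a form post back to itself, and it is reflected XSS whenever the URI can contain a quote. The following added example is not code from the Contact Form 7 reCAPTCHA plugin; the function names are hypothetical. It shows the unescaped pattern beside the escaped one, and the variant that avoids reflecting the request at all.

```php
<?php
// Added example (not code from the Contact Form 7 reCAPTCHA plugin).

// VULNERABLE: a request for  /contact/?x=" autofocus onfocus="alert(1)
// closes the action attribute and adds event-handler attributes.
// Browsers that follow the WHATWG URL parser percent-encode the double quote
// before sending, and PHP does not decode REQUEST_URI, so the raw character
// only arrives from older browsers or non-browser clients; that is the
// "old web browsers" caveat in the entry above.
function acme_form_open_vulnerable() {
    return '<form method="post" action="' . $_SERVER['REQUEST_URI'] . '">';
}

// HARDENED: esc_url() strips characters that are invalid in a URL (including
// " < >), encodes ' and &, and keeps a leading "/" path as-is, so the value
// can no longer break out of the attribute.
function acme_form_open_hardened() {
    return '<form method="post" action="' . esc_url( $_SERVER['REQUEST_URI'] ) . '">';
}

// BETTER: do not reflect the request. Post to a known target built from
// site data rather than from the inbound URI.
function acme_form_open_fixed_target( $post_id ) {
    return '<form method="post" action="' . esc_url( get_permalink( $post_id ) ) . '">';
}
```

Reflected XSS that depends on raw quotes in the URI is low-impact for typical visitors but still worth fixing, because the same unescaped value is often reused in an `<input type="hidden">` or a JavaScript string elsewhere in the same template, where the escaping rules differ and the browser's URL encoding offers no protection.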
Threat Entry Updated 2025-09-15

CVE-2025-9881 - Ultimate Blogroll Plugin

The Ultimate Blogroll plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Ultimate Blogroll

CVE-2025-9881

MEDIUM CVSS 6.1 2025-09-12
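Four entries on this page (Hack Repair Guy's Plugin Archiver, User Sync, USS Upyun and Ultimate Blogroll) are missing-nonce CSRF in admin handlers: the code may check that the current user is an administrator, but nothing proves the administrator intended the request, so a page the admin merely visits can submit it for them. The following added example is not code from any of the four; the option, form and function names are hypothetical. It shows the vulnerable settings handler beside one that emits and verifies a nonce.

```php
<?php
// Added example, not code from any of the CSRF entries on this page.
// Hypothetical option "acme_bucket" and settings form.

// VULNERABLE: an attacker page that auto-submits
//   <form action="https://victim.example/wp-admin/admin.php?page=acme-settings" method="post">
//   <input name="acme_bucket" value="attacker-bucket">
// while an administrator is logged in changes the setting. current_user_can()
// passes because the admin's cookies ride along with the cross-site POST.
function acme_settings_handler_vulnerable() {
    if ( isset( $_POST['acme_bucket'] ) && current_user_can( 'manage_options' ) ) {
        update_option( 'acme_bucket', sanitize_text_field( wp_unslash( $_POST['acme_bucket'] ) ) );
    }
}

// HARDENED, part 1: the form carries a nonce bound to the user, the action
// name and a time window. An attacker cannot read it cross-origin.
function acme_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'acme_save_settings', 'acme_nonce' );
    echo '<input name="acme_bucket" value="' . esc_attr( get_option( 'acme_bucket', '' ) ) . '">';
    submit_button();
    echo '</form>';
}

// HARDENED, part 2: verify capability (authorization) and nonce (intent).
// Both are required; a nonce never substitutes for the capability check.
function acme_settings_handler_hardened() {
    if ( ! isset( $_POST['acme_bucket'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() dies on failure; use wp_verify_nonce() instead if
    // you want to render an error message rather than stop the request.
    check_admin_referer( 'acme_save_settings', 'acme_nonce' );
    update_option( 'acme_bucket', sanitize_text_field( wp_unslash( $_POST['acme_bucket'] ) ) );
}
add_action( 'admin_init', 'acme_settings_handler_hardened' );
```

Destructive actions triggered by a link (the Plugin Archiver bulk_remove() case) deserve the same treatment plus a POST form: a GET that deletes directories can be fired by an `<img src>` on any page, and `wp_nonce_url()` exists precisely so that action links can carry the `_wpnonce` parameter the handler then verifies.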