Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-02-13
CVE-2025-8280 - Contact Form 7 Captcha Plugin
The Contact Form 7 reCAPTCHA WordPress plugin through 1.2.0 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.
PLUGIN
Contact Form 7 Captcha
CVE-2025-8280
Risk Score
Threat Entry
Updated 2025-09-15
CVE-2025-9881 - Ultimate Blogroll Plugin
The Ultimate Blogroll plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Ultimate Blogroll
CVE-2025-9881
Risk Score
Threat Entry
Updated 2025-09-15
CVE-2025-9880 - Side Slide Responsive Menu Plugin
The Side Slide Responsive Menu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Side Slide Responsive Menu
CVE-2025-9880
Risk Score
Threat Entry
Updated 2025-09-15
CVE-2025-9879 - Spotify Embed Creator Plugin
The Spotify Embed Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spotify' shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Spotify Embed Creator
CVE-2025-9879
Risk Score
Threat Entry
Updated 2025-09-15
CVE-2025-9877 - Embed Google Data Studio Plugin
The Embed Google Datastudio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'egds' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Embed Google Data Studio
CVE-2025-9877
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-9861 - Themeloom Widgets Plugin
The ThemeLoom Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'los_showposts' shortcode in all versions up to, and including, 1.8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Themeloom Widgets
CVE-2025-9861
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-9860 - Mixtape Plugin
The Mixtape plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mixtape' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Mixtape
CVE-2025-9860
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-9855 - Enhanced Bibliplug Plugin
The Enhanced BibliPlug plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bibliplug_authors' shortcode in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Enhanced Bibliplug
CVE-2025-9855
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-9850 - Evenium Plugin
The Evenium plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'evenium_single_event' shortcode in all versions up to, and including, 1.3.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Evenium
CVE-2025-9850
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-9635 - Analytics Unbounce Plugin
The Analytics Reduce Bounce Rate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the unbounce_options function. This makes it possible for unauthenticated attackers to modify Google Analytics tracking settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Analytics Unbounce
CVE-2025-9635
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-9634 - Plugin Update Blocker
The Plugin updates blocker plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on the pub_save action handler. This makes it possible for unauthenticated attackers to disable or enable plugin updates via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Plugin Update Blocker
CVE-2025-9634
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-9633 - Lh Signing Plugin
The LH Signing plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.83. This is due to missing or incorrect nonce validation on the plugin_options function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Lh Signing
CVE-2025-9633
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-9632 - Phplist Subber Plugin
The PhpList Subber plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the bulk_action_handler function. This makes it possible for unauthenticated attackers to trigger bulk synchronization of subscription forms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Phplist Subber
CVE-2025-9632
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-9620 - Seo Monster Plugin
The Seo Monster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.3. This is due to missing or incorrect nonce validation on the check_integration() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Seo Monster
CVE-2025-9620
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-9617 - Publish Approval Plugin
The Publish approval plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the publish_save_option function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Publish Approval
CVE-2025-9617
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-9631 - Autocatset Plugin
The AutoCatSet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.4. This is due to missing or incorrect nonce validation on the autocatset_ajax function. This makes it possible for unauthenticated attackers to trigger automatic recategorization of posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Autocatset
CVE-2025-9631
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-9628 - Leads For Amo Crm Plugin
The The integration of the AMO.CRM plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the settings_page function. This makes it possible for unauthenticated attackers to modify critical API connection settings including the AMO.CRM API URL, login credentials, and API hash key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Leads For Amo Crm
CVE-2025-9628
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-9627 - Run Log Plugin
The Run Log plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.10. This is due to missing or incorrect nonce validation on the oirl_plugin_options function. This makes it possible for unauthenticated attackers to modify plugin settings including distance units, pace display preferences, style themes, and display positions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Run Log
CVE-2025-9627
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-9623 - Admin In English With Switch Plugin
The Admin in English with Switch plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the enable_eng function. This makes it possible for unauthenticated attackers to modify administrator language settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Admin In English With Switch
CVE-2025-9623
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-9451 - Smartcat Wpml Plugin
The Smartcat Translator for WPML plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 3.1.69 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Smartcat Wpml
CVE-2025-9451
Risk Score