Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-09-11
CVE-2025-9776 - Tame Your Wordpress Media Library By Category Plugin
The CatFolders – Tame Your WordPress Media Library by Category plugin for WordPress is vulnerable to time-based SQL Injection via the CSV Import contents in all versions up to, and including, 2.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Tame Your Wordpress Media Library By Category
CVE-2025-9776
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-9979 - Contact Forms Anti Spam Plugin
The Maspik plugin for WordPress is vulnerable to Missing Authorization in version 2.5.6 and prior. This is due to missing capability checks on the Maspik_spamlog_download_csv function. This makes it possible for authenticated attackers, with subscriber-level access and above, to export and download the spam log database containing blocked submission attempts, which may include misclassified but legitimate submissions with sensitive data.
PLUGIN
Contact Forms Anti Spam
CVE-2025-9979
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-9463 - Peachpay For Woocommerce Plugin
The Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order_by’ parameter in all versions up to, and including, 1.117.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Peachpay For Woocommerce
CVE-2025-9463
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-9857 - Heateor Login Plugin
The Heateor Login – Social Login Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'Heateor_Facebook_Login' shortcode in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Heateor Login
CVE-2025-9857
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-9367 - Usc E Shop Plugin
The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 2.11.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Usc E Shop
CVE-2025-9367
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-9888 - Contact Forms Anti Spam Plugin
The Maspik – Ultimate Spam Protection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.6. This is due to missing or incorrect nonce validation on the clear_log function. This makes it possible for unauthenticated attackers to clear all spam logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Contact Forms Anti Spam
CVE-2025-9888
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-9622 - Performance Booster Plugin
The WP Blast | SEO & Performance Booster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.6. This is due to missing or incorrect nonce validation on multiple administrative actions in the Settings class. This makes it possible for unauthenticated attackers to trigger cache purging, sitemap clearing, plugin data purging, and score resetting operations via forged requests granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Performance Booster
CVE-2025-9622
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-7826 - Indianic Testimonial Plugin
The Testimonial plugin for WordPress is vulnerable to SQL Injection via the 'iNICtestimonial' shortcode in all versions up to, and including, 2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Indianic Testimonial
CVE-2025-7826
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-7843 - Auto Save Remote Images Drafts Plugin
The Auto Save Remote Images (Drafts) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.9 via the fetch_images() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Auto Save Remote Images Drafts
CVE-2025-7843
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-8778 - Nitropack Plugin
The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the nitropack_set_compression_ajax() function in all versions up to, and including, 1.18.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the nitropack-enableCompression option and effectively change plugin compression settings.
PLUGIN
Nitropack
CVE-2025-8778
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-6189 - Duplicate Wp Page Post Plugin
The Duplicate Page and Post plugin for WordPress is vulnerable to time-based SQL Injection via the ‘meta_key’ parameter in all versions up to, and including, 2.9.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Duplicate Wp Page Post
CVE-2025-6189
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-10126 - Mybrain Utilities Plugin
The MyBrain Utilities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugins's 'mbumap' shortcode in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Mybrain Utilities
CVE-2025-10126
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-10142 - Pagbank Connect Plugin
The PagBank / PagSeguro Connect para WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'status' parameter in all versions up to, and including, 4.44.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Pagbank Connect
CVE-2025-10142
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-8388 - Powerpack Lite For Elementor Plugin
The PowerPack Elementor Addons (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘cursor_url’ parameter in all versions up to, and including, 2.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Powerpack Lite For Elementor
CVE-2025-8388
Risk Score
Threat Entry
Updated 2025-09-11
CVE-2025-58978 - WordPress Core
Missing Authorization vulnerability in WP Swings PDF Generator for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF Generator for WordPress: from n/a through 1.5.4.
CORE
WordPress Core
CVE-2025-58978
Risk Score
Threat Entry
Updated 2025-09-09
CVE-2025-9542 - Custom Integrations In Wordpress Plugin
The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple plugin's functions in all versions up to, and including, 5.3.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify integration settings or view existing automations.
PLUGIN
Custom Integrations In Wordpress
CVE-2025-9542
Risk Score
Threat Entry
Updated 2025-09-09
CVE-2025-9061 - Wilmer Core Plugin
The Wilmer Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wilmer Core
CVE-2025-9061
Risk Score
Threat Entry
Updated 2025-09-09
CVE-2025-9058 - Mikado Core Plugin
The Mikado Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Mikado Core
CVE-2025-9058
Risk Score
Threat Entry
Updated 2025-09-09
CVE-2025-9489 - Wp Members Plugin
The The WP-Members Membership Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.5.4.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.
PLUGIN
Wp Members
CVE-2025-9489
Risk Score
Threat Entry
Updated 2025-09-08
CVE-2025-10046 - Elex Woocommerce Google Product Feed Plugin Basic
The ELEX WooCommerce Google Shopping (Google Product Feed) plugin for WordPress is vulnerable to SQL Injection via the 'file_to_delete' parameter in all versions up to, and including, 1.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Elex Woocommerce Google Product Feed Plugin Basic
CVE-2025-10046
Risk Score