Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,866 | Critical: 0 | High: 0 | Medium: 10,866
Showing 2801-2820 of 10866 records
Threat Entry Updated 2025-08-26

CVE-2024-8860 - Tourfic Plugin

The Tourfic plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tf_order_status_email_resend_function, tf_visitor_details_edit_function, tf_checkinout_details_edit_function, tf_order_status_edit_function, tf_order_bulk_action_edit_function, tf_remove_room_order_ids, and tf_delete_old_review_fields functions in all versions up to, and including, 2.14.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to resend order status emails, update visitor/order details, edit check-in/out details, edit order status, perform bulk order status updates, remove room order IDs, and delete old review fields, respectively.

PLUGIN Tourfic

CVE-2024-8860

MEDIUM CVSS 4.3 2025-08-26
Threat Entry Updated 2025-08-25

CVE-2025-8562 - Custom Query Shortcode Plugin

The Custom Query Shortcode plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.4.0 via the 'lens' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of files on the server, which can contain sensitive information.

PLUGIN Custom Query Shortcode

CVE-2025-8562

MEDIUM CVSS 6.5 2025-08-25
Threat Entry Updated 2025-08-25

CVE-2025-8208 - Sastra Essential Addons For Elementor Plugin

The Spexo Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 1.0.23 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Sastra Essential Addons For Elementor

CVE-2025-8208

MEDIUM CVSS 6.4 2025-08-24
Threat Entry Updated 2025-08-25

CVE-2025-9131 - Ogulo 360 Tour Plugin

The Ogulo – 360° Tour plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slug' parameter in all versions up to, and including, 1.0.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ogulo 360 Tour

CVE-2025-9131

MEDIUM CVSS 6.4 2025-08-23
Threat Entry Updated 2025-08-25

CVE-2025-8062 - Ws Theme Addons Plugin

The WS Theme Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ws_weather shortcode in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ws Theme Addons

CVE-2025-8062

MEDIUM CVSS 6.4 2025-08-23
Threat Entry Updated 2025-08-25

CVE-2025-7957 - Shortcodehub Plugin

The ShortcodeHub plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'author_link_target' parameter in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Shortcodehub

CVE-2025-7957

MEDIUM CVSS 6.4 2025-08-23
Threat Entry Updated 2025-08-25

CVE-2025-7842 - External Rss Reader Plugin

The Silencesoft RSS Reader plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.6. This is due to missing or incorrect nonce validation on the 'sil_rss_edit_page' page. This makes it possible for unauthenticated attackers to delete RSS feeds via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN External Rss Reader

CVE-2025-7842

MEDIUM CVSS 4.3 2025-08-23
Threat Entry Updated 2025-08-25

CVE-2025-7841 - Sertifier Certificates Open Badges Plugin

The Sertifier Certificate & Badge Maker for WordPress – Tutor LMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19. This is due to missing or incorrect nonce validation on the 'sertifier_settings' page. This makes it possible for unauthenticated attackers to update the plugin's API key via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Sertifier Certificates Open Badges

CVE-2025-7841

MEDIUM CVSS 4.3 2025-08-23
Threat Entry Updated 2025-08-25

CVE-2025-7821 - Wc Plus Plugin

The WC Plus plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pluswc_logo_favicon_logo_base' AJAX action in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update the site's favicon logo base.

PLUGIN Wc Plus

CVE-2025-7821

MEDIUM CVSS 5.3 2025-08-23
Threat Entry Updated 2025-08-25

CVE-2025-7839 - Restore Permanently Delete Post Or Page Data Plugin

The Restore Permanently delete Post or Page Data plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the rp_dpo_dpa_ajax_dp_delete_data() function. This makes it possible for unauthenticated attackers to delete data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Restore Permanently Delete Post Or Page Data

CVE-2025-7839

MEDIUM CVSS 4.3 2025-08-23
Threat Entry Updated 2025-08-25

CVE-2025-7828 - Wp Filter Combine Rss Feeds Plugin

The WP Filter & Combine RSS Feeds plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the post_listing_page() function in all versions up to, and including, 0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete feeds.

PLUGIN Wp Filter Combine Rss Feeds

CVE-2025-7828

MEDIUM CVSS 4.3 2025-08-23
Threat Entry Updated 2025-08-25

CVE-2025-7827 - Ni Woocommerce Customer Product Report Plugin

The Ni WooCommerce Customer Product Report plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ni_woocpr_action() function in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin settings.

PLUGIN Ni Woocommerce Customer Product Report

CVE-2025-7827

MEDIUM CVSS 4.3 2025-08-23
Threat Entry Updated 2025-08-22

CVE-2025-9331 - Spacious Theme

The Spacious theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'welcome_notice_import_handler' function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo data into the site.

THEME Spacious

CVE-2025-9331

MEDIUM CVSS 4.3 2025-08-22
Threat Entry Updated 2025-08-25

CVE-2025-8678 - Wp Crontrol Plugin

The WP Crontrol plugin for WordPress is vulnerable to blind Server-Side Request Forgery in versions 1.17.0 to 1.19.1 via the 'wp_remote_request' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.

PLUGIN Wp Crontrol

CVE-2025-8678

MEDIUM CVSS 5.9 2025-08-22
Threat Entry Updated 2025-08-22

CVE-2025-8064 - Bible Supersearch Plugin

The Bible SuperSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'selector_height' parameter in all versions up to, and including, 6.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Bible Supersearch

CVE-2025-8064

MEDIUM CVSS 6.4 2025-08-21
Threat Entry Updated 2025-08-22

CVE-2025-8607 - WordPress Core

The SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown block's attributes in all versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CORE WordPress Core

CVE-2025-8607

MEDIUM CVSS 6.4 2025-08-21
Threat Entry Updated 2025-12-03

CVE-2025-7221 - Givewp Plugin

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the give_update_payment_status() function in all versions up to, and including, 4.5.0. This makes it possible for authenticated attackers, with GiveWP Worker-level access and above, to update donation statuses. This ability is not present in the user interface.

PLUGIN Givewp

CVE-2025-7221

MEDIUM CVSS 4.3 2025-08-21
Threat Entry Updated 2025-08-20

CVE-2025-8102 - Easy Digital Downloads Plugin

The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.0. This is due to missing nonce validations in the edd_sendwp_disconnect() and edd_sendwp_remote_install() functions. This makes it possible for unauthenticated attackers to deactivate or download and activate the SendWP plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Easy Digital Downloads

CVE-2025-8102

MEDIUM CVSS 5.4 2025-08-20
Threat Entry Updated 2025-08-20

CVE-2025-9202 - Colormag Theme

The ColorMag theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the welcome_notice_import_handler() function in all versions up to, and including, 4.0.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the ThemeGrill Demo Importer plugin.

THEME Colormag

CVE-2025-9202

MEDIUM CVSS 4.3 2025-08-20
Threat Entry Updated 2025-08-20

CVE-2025-8618 - Woo Smart Quick View Plugin

The WPC Smart Quick View for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's woosq_btn shortcode in all versions up to, and including, 4.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Woo Smart Quick View

CVE-2025-8618

MEDIUM CVSS 6.4 2025-08-20