Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-08-18
CVE-2025-5998 - Password Protect Wordpress Plugin
The PPWP – Password Protect Pages WordPress plugin before version 1.9.11 allows to put the site content behind a password authorization, however users with subscriber or greater roles can view content via the REST API.
PLUGIN
Password Protect Wordpress
CVE-2025-5998
Risk Score
Threat Entry
Updated 2026-01-16
CVE-2025-8046 - Injection Guard Plugin
The Injection Guard WordPress plugin before 1.2.8 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers
PLUGIN
Injection Guard
CVE-2025-8046
Risk Score
Threat Entry
Updated 2026-02-20
CVE-2025-7808 - Before 1 Plugin
The WP Shopify WordPress plugin before 1.5.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
Before 1
CVE-2025-7808
Risk Score
Threat Entry
Updated 2025-08-14
CVE-2025-6790 - Before 10 Plugin
The Quiz and Survey Master (QSM) WordPress plugin before 10.2.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.
PLUGIN
Before 10
CVE-2025-6790
Risk Score
Threat Entry
Updated 2025-08-14
CVE-2025-3414 - Before 1 Plugin
The Structured Content (JSON-LD) #wpsc WordPress plugin before 1.7.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
Before 1
CVE-2025-3414
Risk Score
Threat Entry
Updated 2025-12-18
CVE-2025-8891 - Oceanwp Plugin
The OceanWP theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.0.9 to 4.1.1. This is due to missing or incorrect nonce validation on the oceanwp_notice_button_click() function. This makes it possible for unauthenticated attackers to install the Ocean Extra plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Oceanwp
CVE-2025-8891
Risk Score
Threat Entry
Updated 2025-08-13
CVE-2025-8491 - Easy Pdf Restaurant Menu Upload Plugin
The Easy restaurant menu manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on the nsc_eprm_save_menu() function. This makes it possible for unauthenticated attackers to upload a menu file via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Easy Pdf Restaurant Menu Upload
CVE-2025-8491
Risk Score
Threat Entry
Updated 2025-08-13
CVE-2025-0818 - File Manager Advanced Plugin
Several WordPress plugins using elFinder versions 2.1.64 and prior are vulnerable to Directory Traversal in various versions. This makes it possible for unauthenticated attackers to delete arbitrary files. Successful exploitation of this vulnerability requires a site owner to explicitly make an instance of the file manager available to users.
PLUGIN
File Manager Advanced
CVE-2025-0818
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8874 - Master Addons Plugin
The Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 2.0.8.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Master Addons
CVE-2025-8874
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8767 - Anwp Football Leagues Plugin
The AnWP Football Leagues plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 0.16.17 via the 'download_csv_players' and 'download_csv_games' functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
PLUGIN
Anwp Football Leagues
CVE-2025-8767
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8482 - Simple Local Avatars Plugin
The Simple Local Avatars plugin for WordPress is vulnerable to unauthorized modification of data in version 2.8.4. This is due to a missing capability check on the migrate_from_wp_user_avatar() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to migrate avatar metadata for all users.
PLUGIN
Simple Local Avatars
CVE-2025-8482
Risk Score
Threat Entry
Updated 2025-08-15
CVE-2025-8081 - Website Builder Plugin
The Elementor plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.30.2 via the Import_Images::import() function due to insufficient controls on the filename specified. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Website Builder
CVE-2025-8081
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8314 - Software Issue Manager Plugin
The Software Issue Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘noaccess_msg parameter in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Software Issue Manager
CVE-2025-8314
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8690 - Addi Simple Slider Plugin
The Simple Responsive Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Addi Simple Slider
CVE-2025-8690
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8688 - Inline Stock Quotes Plugin
The Inline Stock Quotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's stock shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Inline Stock Quotes
CVE-2025-8688
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8685 - Wp Chart Generator Plugin
The Wp chart generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpchart shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Chart Generator
CVE-2025-8685
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8621 - Mosaic Generator Plugin
The Mosaic Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘c’ parameter in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Mosaic Generator
CVE-2025-8621
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8568 - Gmap Venturit Plugin
The GMap Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘h’ parameter in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Gmap Venturit
CVE-2025-8568
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8462 - Rt Easy Builder Advanced Addons For Elementor Plugin
The RT Easy Builder – Advanced addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the social URL parameter in all versions up to, and including, 2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Rt Easy Builder Advanced Addons For Elementor
CVE-2025-8462
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-4390 - Wp Private Content Plus Plugin
The WP Private Content Plus plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.2 via the 'validate_restrictions' function. This makes it possible for unauthenticated attackers to extract sensitive data including the content of resticted posts on archive and feed pages.
PLUGIN
Wp Private Content Plus
CVE-2025-4390
Risk Score