
"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,866 | Critical: 0 | High: 0 | Medium: 10,866
Showing 3221-3240 of 10866 records
Threat Entry Updated 2025-08-01

CVE-2025-4567 - Post Slider And Post Carousel With Post Vertical Scrolling Widget Plugin

The Post Slider and Post Carousel with Post Vertical Scrolling Widget WordPress plugin before 3.2.10 does not validate and escape some of its Widget options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Post Slider And Post Carousel With Post Vertical Scrolling Widget

CVE-2025-4567

MEDIUM CVSS 4.8 2025-06-03
Threat Entry Updated 2025-06-05

CVE-2025-3584 - Before 8 Plugin

The Newsletter WordPress plugin before 8.8.2 does not sanitise and escape some of its Subscription settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 8

CVE-2025-3584

MEDIUM CVSS 4.8 2025-06-03
Threat Entry Updated 2025-07-10

CVE-2025-2939 - Ninja Tables Plugin

The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.18 via deserialization of untrusted input from the args[callback] parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary functions; however, it does not allow user-supplied parameters, so only single functions can be called and the impact is limited.

PLUGIN Ninja Tables

CVE-2025-2939

MEDIUM CVSS 5.6 2025-06-03
Threat Entry Updated 2025-06-04

CVE-2025-4047 - Broken Link Checker Plugin

The Broken Link Checker plugin for WordPress is vulnerable to unauthorized data access due to a missing capability check on the ajax_full_status and ajax_dashboard_status functions in all versions up to, and including, 2.4.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view the plugin's status.

PLUGIN Broken Link Checker

CVE-2025-4047

MEDIUM CVSS 4.3 2025-06-03
Threat Entry Updated 2025-06-04

CVE-2025-3919 - Comments Import Export Woocommerce Plugin

The WordPress Comments Import & Export plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_settings function in all versions up to, and including, 2.4.3. Additionally, the plugin fails to properly sanitize and escape FTP settings parameters. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts on the plugin settings page that will execute whenever an administrative user accesses an injected page. The vulnerability was partially fixed in version 2.4.3 and fully fixed…

PLUGIN Comments Import Export Woocommerce

CVE-2025-3919

MEDIUM CVSS 6.4 2025-06-02
Threat Entry Updated 2025-06-09

CVE-2025-1485 - Eprivacy Cookie Consent Plugin

The Real Cookie Banner: GDPR & ePrivacy Cookie Consent WordPress plugin before 5.1.6, real-cookie-banner-pro WordPress plugin before 5.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Eprivacy Cookie Consent

CVE-2025-1485

MEDIUM CVSS 4.8 2025-06-02
Threat Entry Updated 2025-06-09

CVE-2025-3951 - Before 4 Plugin

The WP-Optimize WordPress plugin before 4.2.0 does not properly escape user input when checking image compression statuses, which could allow users with the administrator role to conduct SQL Injection attacks in the context of Multi-Site WordPress configurations.

PLUGIN Before 4

CVE-2025-3951

MEDIUM CVSS 4.1 2025-06-02
Threat Entry Updated 2026-01-23

CVE-2025-4691 - Easync Plugin

The Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.21 via the 'view_request_details' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the details of any booking request. The vulnerability was partially patched in versions 1.3.18 and 1.3.21.

PLUGIN Easync

CVE-2025-4691

MEDIUM CVSS 5.3 2025-05-31
Threat Entry Updated 2025-06-02

CVE-2025-5290 - Elementor Addons And Templates Plugin

The Borderless – Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elementor Addons And Templates

CVE-2025-5290

MEDIUM CVSS 6.4 2025-05-31
Threat Entry Updated 2025-07-11

CVE-2025-3813 - Royal Elementor Addons Plugin

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_elementor_data’ parameter in all versions up to, and including, 1.7.1020 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Royal Elementor Addons

CVE-2025-3813

MEDIUM CVSS 6.4 2025-05-31
Threat Entry Updated 2025-06-02

CVE-2025-5292 - Widgets And Woocommerce Builder Plugin

The Element Pack Addons for Elementor – Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_content' parameter in all versions up to, and including, 5.11.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Widgets And Woocommerce Builder

CVE-2025-5292

MEDIUM CVSS 6.4 2025-05-31
Threat Entry Updated 2025-06-02

CVE-2025-5285 - Product Subtitle For Woocommerce Plugin

The Product Subtitle for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘htmlTag’ parameter in all versions up to, and including, 1.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Product Subtitle For Woocommerce

CVE-2025-5285

MEDIUM CVSS 6.4 2025-05-31
Threat Entry Updated 2025-06-02

CVE-2025-4595 - Fastspring Plugin

The FastSpring plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fastspring/block-fastspringblocks-complete-product-catalog' block in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping on the 'color' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Fastspring

CVE-2025-4595

MEDIUM CVSS 6.4 2025-05-31
Threat Entry Updated 2025-06-02

CVE-2025-4590 - Daisycon Plugin

The Daisycon prijsvergelijkers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'daisycon_uitvaart' shortcode in all versions up to, and including, 4.8.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Daisycon

CVE-2025-4590

MEDIUM CVSS 6.4 2025-05-31
Threat Entry Updated 2025-06-02

CVE-2025-5016 - A Better Search Plugin

The Relevanssi – A Better Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Excerpt Highlights in all versions up to, and including, 4.24.5 (Free) and 2.27.6 (Premium) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN A Better Search

CVE-2025-5016

MEDIUM CVSS 4.7 2025-05-31
Threat Entry Updated 2025-05-30

CVE-2025-4597 - Woo Slider Pro Drag Drop Slider Builder For Woocommerce Plugin

The Woo Slider Pro – Drag Drop Slider Builder For WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the woo_slide_pro_delete_draft_preview AJAX action in all versions up to, and including, 1.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts.

PLUGIN Woo Slider Pro Drag Drop Slider Builder For Woocommerce

CVE-2025-4597

MEDIUM CVSS 6.5 2025-05-30
Threat Entry Updated 2025-05-30

CVE-2025-4944 - Lastudio Element Kit Plugin

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Compare and Google Maps widgets in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Lastudio Element Kit

CVE-2025-4944

MEDIUM CVSS 6.4 2025-05-30
Threat Entry Updated 2025-06-04

CVE-2025-5235 - Opensheetmusicdisplay Plugin

The OpenSheetMusicDisplay plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Opensheetmusicdisplay

CVE-2025-5235

MEDIUM CVSS 6.4 2025-05-30
Threat Entry Updated 2025-06-04

CVE-2025-5142 - Simple Page Access Restriction Plugin

The Simple Page Access Restriction plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.31. This is due to missing nonce validation and capability checks in the settings save handler in the settings.php script. This makes it possible for unauthenticated attackers to (1) enable or disable access protection on all post types or taxonomies, (2) force every new page/post to be public or private, regardless of meta-box settings, (3) cause a silent wipe of all plugin data when it’s later removed, or (4)…

PLUGIN Simple Page Access Restriction

CVE-2025-5142

MEDIUM CVSS 6.5 2025-05-30
Threat Entry Updated 2025-06-04

CVE-2025-5236 - Chat For Telegram Plugin

The NinjaTeam Chat for Telegram plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘username’ parameter in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Chat For Telegram

CVE-2025-5236

MEDIUM CVSS 6.4 2025-05-30