Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-06-04
CVE-2025-4431 - Featured Image Plus Plugin
The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fip_save_attach_featured function in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update featured image of any post.
PLUGIN
Featured Image Plus
CVE-2025-4431
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2025-4943 - Element Kit For Elementor Plugin
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-lakit-element-link’ parameter in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Element Kit For Elementor
CVE-2025-4943
Risk Score
Threat Entry
Updated 2025-05-30
CVE-2025-5259 - Minimal Share Buttons Plugin
The Minimal Share Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ parameter in all versions up to, and including, 1.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Minimal Share Buttons
CVE-2025-5259
Risk Score
Threat Entry
Updated 2025-06-09
CVE-2025-4429 - Gearside Developer Dashboard Plugin
The Gearside Developer Dashboard WordPress plugin through 1.0.72 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Gearside Developer Dashboard
CVE-2025-4429
Risk Score
Threat Entry
Updated 2025-05-30
CVE-2025-4659 - Ninja Forms Plugin
The Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
PLUGIN
Ninja Forms
CVE-2025-4659
Risk Score
Threat Entry
Updated 2025-05-29
CVE-2025-5286 - Bold Page Builder Plugin
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘additional_settings’ parameter in all versions up to, and including, 5.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Bold Page Builder
CVE-2025-5286
Risk Score
Threat Entry
Updated 2025-05-29
CVE-2025-5122 - Map Block Leaflet Plugin
The Map Block Leaflet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Map Block Leaflet
CVE-2025-5122
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-4670 - Easy Digital Downloads Plugin
The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's edd_receipt shortcode in all versions up to, and including, 3.3.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Easy Digital Downloads
CVE-2025-4670
Risk Score
Threat Entry
Updated 2025-05-29
CVE-2025-4583 - Instagram Feed Plugin
The Smash Balloon Social Photo Feed – Easy Social Feeds Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-plugin` attribute in all versions up to, and including, 6.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Instagram Feed
CVE-2025-4583
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2025-4963 - Wpextended Plugin
The WP Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Wpextended
CVE-2025-4963
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2025-5082 - Wp Attachments Plugin
The WP Attachments plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘attachment_id’ parameter in all versions up to, and including, 5.0.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Wp Attachments
CVE-2025-5082
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2025-3704 - WordPress Core
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DBAR Productions Volunteer Sign Up Sheets allows Stored XSS.This issue affects Volunteer Sign Up Sheets: from n/a before 5.5.5. The patch is available exclusively on GitHub at https://github.com/dbarproductions/pta-volunteer-sign-up-sheets , as the vendor encounters difficulties using SVN to deploy to the WordPress.org repository.
CORE
WordPress Core
CVE-2025-3704
Risk Score
Threat Entry
Updated 2025-07-07
CVE-2025-4683 - Mstore Api Plugin
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_blog function in all versions up to, and including, 4.17.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new posts.
PLUGIN
Mstore Api
CVE-2025-4683
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2025-4682 - Essential Blocks Plugin
The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via HTML attributes in Slider and Post Carousel widgets in all versions up to, and including, 5.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Essential Blocks
CVE-2025-4682
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-4783 - Exclusive Addons For Elementor Plugin
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HTML attributes of the Countdown Timer Widget in all versions up to, and including, 2.7.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Exclusive Addons For Elementor
CVE-2025-4783
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2025-4223 - Drag And Drop Website Builder Plugin
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘login_url’ parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. A valid username/password pair needs to be supplied in order to be successfully exploited and any injected scripts…
PLUGIN
Drag And Drop Website Builder
CVE-2025-4223
Risk Score
Threat Entry
Updated 2025-07-11
CVE-2025-4602 - Emagicone Store Manager For Woocommerce Plugin
The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Reads in all versions up to, and including, 1.2.5 via the get_file() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. This is only exploitable by unauthenticated attackers in default configurations where the the default password is left as 1:1, or where the attacker gains access to the credentials.
PLUGIN
Emagicone Store Manager For Woocommerce
CVE-2025-4602
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2025-5055 - Smart Forms Plugin
The Smart Forms – when you need more than just a contact form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.6.98 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Smart Forms
CVE-2025-5055
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2024-13427 - Drag And Drop Website Builder Plugin
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button widget in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in version 1.9.9 and completely fixed in version 2.0.1.
PLUGIN
Drag And Drop Website Builder
CVE-2024-13427
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2025-3869 - 4stats Plugin
The 4stats plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the stats/stats.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
4stats
CVE-2025-3869
Risk Score