
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2025-07-11

CVE-2025-5096 - Tablepress Plugin

The TablePress plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the 'data-caption', 'data-s-content-padding', 'data-s-title', and 'data-footer' data-attributes in all versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Tablepress | CVE-2025-5096 | MEDIUM CVSS 6.4 | 2025-05-23
Threat Entry Updated 2025-07-11

CVE-2025-4594 - Tournamatch Plugin

The Tournamatch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trn-ladder-registration-button' shortcode in all versions up to, and including, 4.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Tournamatch | CVE-2025-4594 | MEDIUM CVSS 6.4 | 2025-05-23
Threat Entry Updated 2025-07-17

CVE-2025-4405 - Hot Random Image Plugin

The Hot Random Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter in all versions up to, and including, 1.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Hot Random Image | CVE-2025-4405 | MEDIUM CVSS 4.9 | 2025-05-22
Threat Entry Updated 2025-07-17

CVE-2025-4419 - Hot Random Image Plugin

The Hot Random Image plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.9.2 via the 'path' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to access arbitrary images with allowed extensions, outside of the originally intended directory.

PLUGIN Hot Random Image | CVE-2025-4419 | MEDIUM CVSS 4.3 | 2025-05-22
Threat Entry Updated 2025-05-23

CVE-2024-9544 - Mapsvg Plugin

The MapSVG plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 8.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Mapsvg | CVE-2024-9544 | MEDIUM CVSS 6.4 | 2025-05-22
Threat Entry Updated 2025-06-09

CVE-2025-4133 - Before 8 Plugin

The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 8.4.0 does not escape the title of posts when outputting them in a dashboard, which could allow users with the contributor role to perform Cross-Site Scripting attacks.

PLUGIN Before 8 | CVE-2025-4133 | MEDIUM CVSS 5.4 | 2025-05-22
Threat Entry Updated 2025-09-30

CVE-2025-5062 - Woocommerce Plugin

The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Woocommerce | CVE-2025-5062 | MEDIUM CVSS 6.1 | 2025-05-22
Threat Entry Updated 2025-05-21

CVE-2025-4611 - Automated Wordpress Seo Plugin

The Slim SEO – Fast & Automated WordPress SEO Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's slim_seo_breadcrumbs shortcode in all versions up to, and including, 4.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Automated Wordpress Seo | CVE-2025-4611 | MEDIUM CVSS 6.4 | 2025-05-21
Threat Entry Updated 2025-05-21

CVE-2025-4221 - Animated Buttons Plugin

The Animated Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'auto-downloader' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Animated Buttons | CVE-2025-4221 | MEDIUM CVSS 6.4 | 2025-05-21
Threat Entry Updated 2025-05-21

CVE-2025-4219 - Dpepress Plugin

The DPEPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dpe' shortcode in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Dpepress | CVE-2025-4219 | MEDIUM CVSS 6.4 | 2025-05-21
Threat Entry Updated 2025-05-21

CVE-2025-4217 - Wp Youtube Video Optimizer Plugin

The WP YouTube Video Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ib_youtube' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Youtube Video Optimizer | CVE-2025-4217 | MEDIUM CVSS 6.4 | 2025-05-21
Threat Entry Updated 2025-05-21

CVE-2025-4105 - Splitit Installment Payments Plugin

The Splitit plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on several functions in the 'splitIt-flexfields-payment-gateway.php' file in all versions up to, and including, 4.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change plugin settings, including changing the environment from sandbox to production and vice versa.

PLUGIN Splitit Installment Payments | CVE-2025-4105 | MEDIUM CVSS 5.4 | 2025-05-21
Threat Entry Updated 2025-05-21

CVE-2025-3781 - Raisely Donation Form Plugin

The Raisely Donation Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's raisely_donation_form shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Raisely Donation Form | CVE-2025-3781 | MEDIUM CVSS 6.4 | 2025-05-21
Threat Entry Updated 2025-05-21

CVE-2025-3750 - Network Posts Extended Plugin

The Network Posts Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_height' parameter in all versions up to, and including, 7.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Network Posts Extended | CVE-2025-3750 | MEDIUM CVSS 6.4 | 2025-05-21
Threat Entry Updated 2025-05-21

CVE-2024-12561 - Affiliate Sales In Google Analytics And Other Tools Plugin

The Affiliate Sales in Google Analytics and other tools plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.4.9. This is due to insufficient validation on the redirect url supplied via the 'afflink' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

PLUGIN Affiliate Sales In Google Analytics And Other Tools | CVE-2024-12561 | MEDIUM CVSS 6.1 | 2025-05-21
Threat Entry Updated 2025-05-21

CVE-2024-5878 - Nextgen Gallery Plugin

Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled SimpleLightbox JavaScript library (version 2.1.5) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Nextgen Gallery | CVE-2024-5878 | MEDIUM CVSS 6.4 | 2025-05-20
Threat Entry Updated 2025-05-21

CVE-2025-46262 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zack Katz Mad Mimi for WordPress allows Stored XSS. This issue affects Mad Mimi for WordPress: from n/a through 1.5.1.

CORE WordPress Core | CVE-2025-46262 | MEDIUM CVSS 6.5 | 2025-05-19
Threat Entry Updated 2025-05-21

CVE-2025-39376 - WordPress Core

Missing Authorization vulnerability in QuanticaLabs Car Park Booking System for WordPress. This issue affects Car Park Booking System for WordPress: from n/a through 2.6.

CORE WordPress Core | CVE-2025-39376 | MEDIUM CVSS 4.3 | 2025-05-19
Threat Entry Updated 2026-01-22

CVE-2025-39353 - Grand Restaurant Plugin

Missing Authorization vulnerability in ThemeGoods Grand Restaurant WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Grand Restaurant WordPress: from n/a through 7.0.

PLUGIN Grand Restaurant | CVE-2025-39353 | MEDIUM CVSS 5.3 | 2025-05-19
Threat Entry Updated 2026-01-22

CVE-2025-39351 - Grand Restaurant Plugin

Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Restaurant WordPress allows Cross Site Request Forgery. This issue affects Grand Restaurant WordPress: from n/a through 7.0.

PLUGIN Grand Restaurant | CVE-2025-39351 | MEDIUM CVSS 4.3 | 2025-05-19