Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-05-19
CVE-2025-31915 - WordPress Core
Cross-Site Request Forgery (CSRF) vulnerability in kamleshyadav Pixel WordPress Form BuilderPlugin & Autoresponder allows Cross Site Request Forgery. This issue affects Pixel WordPress Form BuilderPlugin & Autoresponder: from n/a through 1.0.2.
CORE
WordPress Core
CVE-2025-31915
Risk Score
Threat Entry
Updated 2025-05-22
CVE-2025-3516 - Simple Lightbox Plugin
The Simple Lightbox WordPress plugin before 2.9.4 does not validate and escape some of its attributes before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
PLUGIN
Simple Lightbox
CVE-2025-3516
Risk Score
Threat Entry
Updated 2025-05-27
CVE-2025-3201 - Drop For Wordpress Plugin
The Contact Form builder with drag & drop for WordPress WordPress plugin before 2.4.3 does not sanitise and escape some of its settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks.
PLUGIN
Drop For Wordpress
CVE-2025-3201
Risk Score
Threat Entry
Updated 2025-05-16
CVE-2025-4169 - Unmaintained Plugin
The Posts per Cat [Unmaintained plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ppc' shortcode in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Unmaintained
CVE-2025-4169
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2025-2248 - Wp Pmanager Plugin
The WP-PManager WordPress plugin through 1.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
PLUGIN
Wp Pmanager
CVE-2025-2248
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2025-2203 - Before 3 Plugin
The FunnelKit WordPress plugin before 3.10.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
PLUGIN
Before 3
CVE-2025-2203
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2025-2247 - Wp Pmanager Plugin
The WP-PManager WordPress plugin through 1.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Wp Pmanager
CVE-2025-2247
Risk Score
Threat Entry
Updated 2025-08-01
CVE-2025-1303 - Plugin Oficial
The Plugin Oficial WordPress plugin through 1.7.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.
PLUGIN
Plugin Oficial
CVE-2025-1303
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2025-1288 - Wooexim Plugin
The WOOEXIM WordPress plugin through 5.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make an unauthenticated user vulnerable to reflected XSS via a CSRF attack.
PLUGIN
Wooexim
CVE-2025-1288
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2025-1286 - Download Html Tinymce Button Plugin
The Download HTML TinyMCE Button WordPress plugin through 1.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Download Html Tinymce Button
CVE-2025-1286
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2025-1454 - Ninja Pages Plugin
The Ninja Pages WordPress plugin through 1.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Ninja Pages
CVE-2025-1454
Risk Score
Threat Entry
Updated 2025-08-01
CVE-2025-1289 - Plugin Oficial
The Plugin Oficial WordPress plugin through 1.7.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Plugin Oficial
CVE-2025-1289
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2025-1033 - Badgearoo Plugin
The Badgearoo WordPress plugin through 1.0.14 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Badgearoo
CVE-2025-1033
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2024-9765 - Ekc Tournament Manager Plugin
The EKC Tournament Manager WordPress plugin before 2.2.2 allows a logged in admin to download system files outside of the WordPress directory
PLUGIN
Ekc Tournament Manager
CVE-2024-9765
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2025-0688 - Spiritual Gifts Survey And Optional S H A P E Survey Plugin
The Spiritual Gifts Survey (and optional S.H.A.P.E survey) WordPress plugin through 0.9.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.
PLUGIN
Spiritual Gifts Survey And Optional S H A P E Survey
CVE-2025-0688
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2025-0687 - Spiritual Gifts Survey And Optional S H A P E Survey Plugin
The Spiritual Gifts Survey (and optional S.H.A.P.E survey) WordPress plugin through 0.9.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.
PLUGIN
Spiritual Gifts Survey And Optional S H A P E Survey
CVE-2025-0687
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2024-9879 - Melapress File Monitor Plugin
The Melapress File Monitor WordPress plugin before 2.1.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
PLUGIN
Melapress File Monitor
CVE-2024-9879
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2024-9838 - Auto Affiliate Links Plugin
The Auto Affiliate Links WordPress plugin before 6.4.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
PLUGIN
Auto Affiliate Links
CVE-2024-9838
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2024-9711 - Ekc Tournament Manager Plugin
The EKC Tournament Manager WordPress plugin before 2.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Ekc Tournament Manager
CVE-2024-9711
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2024-9709 - Ekc Tournament Manager Plugin
The EKC Tournament Manager WordPress plugin before 2.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Ekc Tournament Manager
CVE-2024-9709
Risk Score