Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-07-09
CVE-2025-1769 - Product Import Export For Woocommerce Plugin
The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.5.0 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary log files on the server, which can contain sensitive information.
PLUGIN
Product Import Export For Woocommerce
CVE-2025-1769
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-1312 - Ultimate Blocks – WordPress Blocks Plugin
The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buttonTextColor’ parameter in all versions up to, and including, 3.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ultimate Blocks – WordPress Blocks Plugin
CVE-2025-1312
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2024-13411 - For Wordpress Is Vulnerable To Server Side Request Forgery In All Versions Up To Plugin
The Zapier for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5.1 via the updated_user() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
PLUGIN
For Wordpress Is Vulnerable To Server Side Request Forgery In All Versions Up To
CVE-2024-13411
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-1703 - Ultimate Blocks – WordPress Blocks Plugin
The Ultimate Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 3.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ultimate Blocks – WordPress Blocks Plugin
CVE-2025-1703
Risk Score
Threat Entry
Updated 2025-07-14
CVE-2025-1439 - Advanced Iframe Plugin
The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2024.5 due to insufficient input sanitization and output escaping on user supplied attributes through the 'src' attribute when the src supplied returns a header with an injected value . This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Advanced Iframe
CVE-2025-1439
Risk Score
Threat Entry
Updated 2025-07-14
CVE-2025-1440 - Advanced Iframe Plugin
The Advanced iFrame plugin for WordPress is vulnerable to unauthorized excessive creation of options on the aip_map_url_callback() function in all versions up to, and including, 2024.5 due to insufficient restrictions. This makes it possible for unauthenticated attackers to update the advancediFrameParameterData option with an excessive amount of unvalidated data.
PLUGIN
Advanced Iframe
CVE-2025-1440
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-1310 - Job Postings Plugin
The Jobs for WordPress plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.7.11 via the 'job_postings_get_file' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Job Postings
CVE-2025-1310
Risk Score
Threat Entry
Updated 2025-07-14
CVE-2025-1437 - Advanced Iframe Plugin
The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2024.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Advanced Iframe
CVE-2025-1437
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-2167 - Event Post Plugin
The Event post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'events_list' shortcodes in all versions up to, and including, 5.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Event Post
CVE-2025-2167
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2024-13702 - Crm And Lead Management By Vcita Plugin
The CRM and Lead Management by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vCitaMeetingScheduler' and 'vCitaSchedulingCalendar' shortcodes in all versions up to, and including, 2.7.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Crm And Lead Management By Vcita
CVE-2024-13702
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-1784 - Spectra – WordPress Gutenberg Blocks Plugin
The Spectra – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the uagb block in all versions up to, and including, 2.19.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Spectra – WordPress Gutenberg Blocks
CVE-2025-1784
Risk Score
Threat Entry
Updated 2025-06-25
CVE-2024-11847 - Wp Svg Upload Plugin
The wp-svg-upload WordPress plugin through 1.0.0 does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks.
PLUGIN
Wp Svg Upload
CVE-2024-11847
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-2576 - Ayyash Studio — The kick-start kit Theme
The Ayyash Studio — The kick-start kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
THEME
Ayyash Studio — The kick-start kit
CVE-2025-2576
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-2573 - Amazing service box Addons For WPBakery Page Builder (formerly Visual Composer) Plugin
The Amazing service box Addons For WPBakery Page Builder (formerly Visual Composer) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Amazing service box Addons For WPBakery Page Builder (formerly Visual Composer)
CVE-2025-2573
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-2165 - Sh Email Alert Plugin
The SH Email Alert plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'mid' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Sh Email Alert
CVE-2025-2165
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-1490 - Smart Maintenance Mode Plugin
The Smart Maintenance Mode plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘setstatus’ parameter in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Smart Maintenance Mode
CVE-2025-1490
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-2302 - Advanced Woo Search Plugin
The Advanced Woo Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aws_search_terms shortcode in all versions up to, and including, 3.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Advanced Woo Search
CVE-2025-2302
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-2276 - Ultimate Dashboard – Custom WordPress Dashboard Plugin
The Ultimate Dashboard – Custom WordPress Dashboard plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_module_actions function in all versions up to, and including, 3.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate/deactivate plugin modules.
PLUGIN
Ultimate Dashboard – Custom WordPress Dashboard
CVE-2025-2276
Risk Score
Threat Entry
Updated 2025-08-11
CVE-2025-2109 - Wp Compress Plugin
The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.30.15 via the init() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query information from internal services.
PLUGIN
Wp Compress
CVE-2025-2109
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-2542 - Your Simple Svg Support Plugin
The Your Simple SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Your Simple Svg Support
CVE-2025-2542
Risk Score