Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,846 | Critical: 0 | High: 0 | Medium: 10,846
Showing 861-880 of 10,846 records
CVE-2025-15525 - Ajax Load More Plugin
Plugin: Ajax Load More | MEDIUM | CVSS 5.3 | 2026-01-31 | Threat entry updated 2026-02-03

The Ajax Load More – Infinite Scroll, Load More, & Lazy Load plugin for WordPress is vulnerable to unauthorized access of data due to incorrect authorization on the parse_custom_args() function in all versions up to, and including, 7.8.1. This makes it possible for unauthenticated attackers to expose the titles and excerpts of private, draft, pending, scheduled, and trashed posts.
CVE-2025-15510 - Nex Forms Express Wp Form Builder Plugin
Plugin: Nex Forms Express Wp Form Builder | MEDIUM | CVSS 5.3 | 2026-01-31 | Threat entry updated 2026-02-03

The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5_Export_Forms class constructor in all versions up to, and including, 9.1.8. This makes it possible for unauthenticated attackers to export form configurations, which may include sensitive data such as email addresses, PayPal API credentials, and third-party integration keys, by enumerating the nex_forms_Id parameter.
CVE-2026-1060 - WP Adminify – White Label WordPress, Admin Menu Editor, Login Customizer Plugin
Plugin: WP Adminify – White Label WordPress, Admin Menu Editor, Login Customizer | MEDIUM | CVSS 5.3 | 2026-01-28 | Threat entry updated 2026-04-15

The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the /wp-json/adminify/v1/get-addons-list REST API endpoint. The endpoint is registered with permission_callback set to __return_true, allowing unauthenticated attackers to retrieve the complete list of available addons, their installation status, version numbers, and download URLs.
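The two entries above (Ajax Load More and WP Adminify) are the same class of bug seen from two angles: a REST route with no authorization decision, and a query that lets the caller pick which post statuses come back. The block below is an added example written for this page, not code from either plugin; the `demo/v1` namespace, route paths, and `demo_*` function names are hypothetical. It shows the open route next to a hardened one that validates the argument, decides by capability, and lets WP_Query apply read permissions a second time.

```php
<?php
/**
 * Added example, not code from any plugin listed on this page.
 *   1. permission_callback => '__return_true' answers anyone, logged in or not;
 *   2. a client-supplied post_status passed into WP_Query hands private, draft,
 *      pending, scheduled and trashed titles to anonymous callers.
 * The 'demo/v1' namespace, route paths and function names are hypothetical.
 */

// --- Vulnerable: open route that trusts the caller's post_status --------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/posts', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true',   // no authorization decision at all
        'callback'            => 'demo_vuln_list_posts',
    ) );
} );

function demo_vuln_list_posts( WP_REST_Request $request ) {
    // GET /wp-json/demo/v1/posts?post_status=private,draft,pending,future,trash
    $status = $request->get_param( 'post_status' ) ?: 'publish';
    $q      = new WP_Query( array(
        'post_status'    => explode( ',', $status ),
        'posts_per_page' => 20,
    ) );
    $out = array();
    foreach ( $q->posts as $p ) {
        $out[] = array( 'title' => $p->post_title, 'excerpt' => $p->post_excerpt );
    }
    return $out;
}

// --- Hardened: validate the argument, decide by capability, let WP_Query filter --
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/posts-safe', array(
        'methods'             => 'GET',
        'permission_callback' => 'demo_can_list_posts',
        'callback'            => 'demo_safe_list_posts',
        'args'                => array(
            'post_status' => array(
                'type'              => 'string',
                'default'           => 'publish',
                'sanitize_callback' => 'sanitize_key',
                'validate_callback' => function ( $value ) {
                    return in_array( $value, array( 'publish', 'private', 'draft' ), true );
                },
            ),
        ),
    ) );
} );

function demo_can_list_posts( WP_REST_Request $request ) {
    $status = $request->get_param( 'post_status' );
    if ( 'publish' === $status ) {
        return true;                                 // public data may stay public
    }
    // Non-public statuses need the matching core capability; anonymous callers
    // get 401, logged-in users without the capability get 403.
    $cap = ( 'private' === $status ) ? 'read_private_posts' : 'edit_posts';
    if ( current_user_can( $cap ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        'You are not allowed to list posts with this status.',
        array( 'status' => rest_authorization_required_code() )
    );
}

function demo_safe_list_posts( WP_REST_Request $request ) {
    $q = new WP_Query( array(
        'post_status'    => $request->get_param( 'post_status' ), // single validated value
        'posts_per_page' => 20,
        'perm'           => 'readable', // second layer: drop rows this user may not read
    ) );
    $out = array();
    foreach ( $q->posts as $p ) {
        $out[] = array( 'id' => $p->ID, 'title' => $p->post_title, 'excerpt' => $p->post_excerpt );
    }
    return rest_ensure_response( $out );
}
```

`__return_true` is legitimate for a route that returns genuinely public, read-only data, but then the callback must not branch on untrusted parameters the way the vulnerable version does. A quick triage across an installed plugin tree is `grep -rn "__return_true" wp-content/plugins/ | grep permission_callback`, then reading each hit's callback for request parameters that reach a query.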
CVE-2025-14795 - Stop Spammer Registrations Plugin
Plugin: Stop Spammer Registrations | MEDIUM | CVSS 4.3 | 2026-01-28 | Threat entry updated 2026-01-29

The Stop Spammers Classic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2026.1. This is due to missing nonce validation in the ss_addtoallowlist class. This makes it possible for unauthenticated attackers to add arbitrary email addresses to the spam allowlist via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. The vulnerability was partially patched in version 2026.1.
CVE-2025-14865 - Content Protector Plugin
Plugin: Content Protector | MEDIUM | CVSS 6.4 | 2026-01-28 | Threat entry updated 2026-01-29

The Passster – Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'content_protector' shortcode in all versions up to, and including, 4.2.24. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 4.2.21.
CVE-2026-1391 - Vzaar Media Management Plugin
Plugin: Vzaar Media Management | MEDIUM | CVSS 5.3 | 2026-01-28 | Threat entry updated 2026-04-15

The Vzaar Media Management plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on the $_SERVER['PHP_SELF'] variable. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute in a user's browser if they can trick that user into performing an action such as clicking on a link.
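Why `$_SERVER['PHP_SELF']` is an attacker-controlled value is easy to miss: it is derived from the request path, and on common PHP setups that path includes PATH_INFO, so a client can append arbitrary text after the script name. The block below is an added example for this page, not the Vzaar plugin's code; the page slug and function names are hypothetical.

```php
<?php
/**
 * Added example, not the Vzaar plugin's code. PHP_SELF is built from the
 * request path including PATH_INFO, so echoing it unescaped into an attribute
 * is a reflected XSS sink. Slugs and function names are hypothetical.
 */

// --- Vulnerable ----------------------------------------------------------------
function demo_vuln_form_open() {
    // Request:  GET /wp-admin/admin.php/"><script>alert(document.domain)</script>?page=demo
    // PHP_SELF: /wp-admin/admin.php/"><script>alert(document.domain)</script>
    // The quote closes the attribute and the script tag lands in the page.
    return '<form method="post" action="' . $_SERVER['PHP_SELF'] . '?page=demo">';
}

// --- Hardened: build the URL from server-side knowledge, escape for the context ---
function demo_safe_form_open() {
    // The form should post to admin.php?page=demo; nothing from the client is
    // needed to construct that.
    $action = admin_url( 'admin.php?page=demo' );
    return '<form method="post" action="' . esc_url( $action ) . '">';
}

// If the current URL genuinely is needed (e.g. to return to the same page after
// saving), escape it: esc_url() removes characters outside its allowed set,
// including the double quote, < and >, so an attribute-closing quote cannot survive.
function demo_safe_form_open_current() {
    $action = esc_url( wp_unslash( $_SERVER['REQUEST_URI'] ) );
    return '<form method="post" action="' . $action . '">';
}
```

The same reasoning applies to `REQUEST_URI`, `QUERY_STRING`, and `HTTP_HOST`: all three are copied from the request and must be treated as input, not as trusted server state.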
CVE-2026-1399 - WP Google Ad Manager Plugin
Plugin: WP Google Ad Manager Plugin | MEDIUM | CVSS 4.4 | 2026-01-28 | Threat entry updated 2026-04-15

The WP Google Ad Manager Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2026-1398 - Change Wp Url Plugin
Plugin: Change Wp Url | MEDIUM | CVSS 4.3 | 2026-01-28 | Threat entry updated 2026-04-15

The Change WP URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'change-wp-url' page. This makes it possible for unauthenticated attackers to change the WP Login URL via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
CVE-2026-1380 - Bitcoin Donate Button Plugin
Plugin: Bitcoin Donate Button | MEDIUM | CVSS 4.3 | 2026-01-28 | Threat entry updated 2026-04-15

The Bitcoin Donate Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to modify the plugin's settings, including donation addresses and display configurations, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
CVE-2026-1377 - Imwptip Plugin
Plugin: Imwptip | MEDIUM | CVSS 4.3 | 2026-01-28 | Threat entry updated 2026-04-15

The imwptip plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
CVE-2025-15511 - Rupantorpay Plugin
Plugin: Rupantorpay | MEDIUM | CVSS 5.3 | 2026-01-28 | Threat entry updated 2026-01-29

The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to modify WooCommerce order statuses by sending crafted requests to the WooCommerce API endpoint.
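A payment webhook is the one handler where "add a capability check" is not the whole answer: the gateway calls it with no WordPress session, so the request has to be authenticated to the gateway itself, and the status change has to be validated against the order. The block below is an added example for this page, not Rupantorpay's code. The HMAC-over-body scheme, the `X-Demo-Signature` header, the `demo_gateway` payment method id, and the option name are assumed for illustration and are not any real gateway's protocol.

```php
<?php
/**
 * Added example, not Rupantorpay's code. A gateway webhook on the WooCommerce
 * API (/?wc-api=demo_gateway). The vulnerable version lets anyone who knows an
 * order id set any status; the hardened version authenticates the sender and
 * validates the transition. The HMAC scheme, X-Demo-Signature header, payment
 * method id and option name are ASSUMED for illustration.
 */

// --- Vulnerable: trusts order id and status straight from the request ----------
add_action( 'woocommerce_api_demo_gateway_vuln', function () {
    $order = wc_get_order( absint( $_REQUEST['order_id'] ?? 0 ) );
    if ( $order ) {
        // any status, no authentication: ?wc-api=demo_gateway_vuln&order_id=1&status=completed
        $order->update_status( sanitize_key( $_REQUEST['status'] ?? 'failed' ) );
    }
    wp_send_json_success();
} );

// --- Hardened ----------------------------------------------------------------------
add_action( 'woocommerce_api_demo_gateway', 'demo_gateway_webhook' );

function demo_gateway_webhook() {
    $raw    = file_get_contents( 'php://input' );
    $secret = (string) get_option( 'demo_gateway_webhook_secret', '' );
    $given  = (string) ( $_SERVER['HTTP_X_DEMO_SIGNATURE'] ?? '' );

    // 1. Authenticate the sender: constant-time compare of an HMAC over the raw body.
    //    (Assumed scheme; use whatever verification the real gateway documents.)
    if ( '' === $secret || ! hash_equals( hash_hmac( 'sha256', $raw, $secret ), $given ) ) {
        status_header( 401 );
        exit;
    }

    $event = json_decode( $raw, true );
    if ( ! is_array( $event ) ) {
        status_header( 400 );
        exit;
    }

    // 2. Resolve the order from the payload and check it was placed with this gateway.
    $order = wc_get_order( absint( $event['order_id'] ?? 0 ) );
    if ( ! $order || 'demo_gateway' !== $order->get_payment_method() ) {
        status_header( 404 );
        exit;
    }

    // 3. Only move orders that are still awaiting payment, and only when the
    //    amount the gateway reports matches the order total.
    if ( ! $order->has_status( array( 'pending', 'on-hold' ) ) ) {
        status_header( 200 );   // already processed: acknowledge and do nothing (idempotent)
        exit;
    }
    $paid = (float) ( $event['amount'] ?? 0 );
    if ( abs( $paid - (float) $order->get_total() ) > 0.005 ) {
        $order->add_order_note( 'Webhook amount mismatch: ' . $paid );
        status_header( 400 );
        exit;
    }

    // 4. Let WooCommerce drive the status change, recording the gateway's transaction id.
    if ( 'paid' === ( $event['status'] ?? '' ) ) {
        $order->payment_complete( sanitize_text_field( $event['transaction_id'] ?? '' ) );
    } else {
        $order->update_status( 'failed', 'Gateway reported: ' . sanitize_text_field( $event['status'] ?? '' ) );
    }
    status_header( 200 );
    exit;
}
```

Note that the hardened handler never takes the target status from the caller as a free string: the only outcomes are `payment_complete()` or `failed`, and only from `pending` or `on-hold`, which is what makes a replayed or forged notification harmless.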
CVE-2025-14616 - Recooty Plugin
Plugin: Recooty | MEDIUM | CVSS 4.3 | 2026-01-28 | Threat entry updated 2026-01-29

The Recooty – Job Widget (Old Dashboard) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recooty_save_maybe() function. This makes it possible for unauthenticated attackers to update the recooty_key option and inject malicious content into iframe src attributes via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
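Five entries on this page (Stop Spammers Classic, Change WP URL, Bitcoin Donate Button, imwptip, Recooty) share one defect: a settings save handler that accepts any POST that arrives with the administrator's cookies. The block below is an added example for this page, not code from any of those plugins; the `demo-settings` page slug, the `demo_save_settings` action, and the `demo_api_key` option are hypothetical. It shows the unprotected handler next to one that binds the form to a nonce, verifies it, and checks the capability separately.

```php
<?php
/**
 * Added example, not code from any plugin on this page. A settings handler
 * with the CSRF defect the entries above describe, beside the hardened version.
 * Page slug, action name and option name are hypothetical.
 */

// --- Vulnerable: saves whatever arrives in POST; no nonce, no capability check ----
add_action( 'admin_init', function () {
    if ( isset( $_POST['demo_api_key'] ) ) {
        // An administrator who visits attacker.example while logged in, where a page
        // auto-submits <form action="https://victim.example/wp-admin/" method="POST">
        // with an input named demo_api_key, saves the attacker's value.
        update_option( 'demo_api_key', $_POST['demo_api_key'] );
    }
} );

// --- Hardened -----------------------------------------------------------------------
add_action( 'admin_menu', function () {
    // The page itself is gated by capability; this does NOT protect the save handler.
    add_options_page( 'Demo', 'Demo', 'manage_options', 'demo-settings', 'demo_render_settings_page' );
} );

function demo_render_settings_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'demo_save_settings', 'demo_nonce' ); ?>
        <input type="hidden" name="action" value="demo_save_settings">
        <input type="text" name="demo_api_key"
               value="<?php echo esc_attr( get_option( 'demo_api_key', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// Registered for logged-in users only. Adding admin_post_nopriv_demo_save_settings
// would expose the handler to anonymous requests as well.
add_action( 'admin_post_demo_save_settings', function () {
    // 1. CSRF: the nonce is tied to the logged-in user, the action name and a
    //    12-24 hour window, so a cross-site form cannot carry a valid one.
    //    check_admin_referer() terminates the request with 403 on failure.
    check_admin_referer( 'demo_save_settings', 'demo_nonce' );

    // 2. Authorization: a valid nonce proves intent, not permission.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 3. Sanitize before storing.
    $key = sanitize_text_field( wp_unslash( $_POST['demo_api_key'] ?? '' ) );
    update_option( 'demo_api_key', $key );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=demo-settings' ) ) );
    exit;
} );
```

The order of the three checks matters for audits: a handler with a capability check but no nonce is still CSRF-able (the victim supplies the capability), and a handler with a nonce but no capability check can be driven by any logged-in user who can obtain a nonce for that action.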
CVE-2025-14283 - Blockart Blocks Plugin
Plugin: Blockart Blocks | MEDIUM | CVSS 6.4 | 2026-01-28 | Threat entry updated 2026-01-29

The BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks, WordPress Block Plugin, Sections & Template Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the BlockArt Counter in all versions up to, and including, 2.2.14 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-14063 - Seo Links Interlinking Plugin
Plugin: Seo Links Interlinking | MEDIUM | CVSS 6.1 | 2026-01-28 | Threat entry updated 2026-01-29

The SEO Links Interlinking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'google_error' parameter in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute in a user's browser if they can trick that user into performing an action such as clicking on a link.
CVE-2026-1381 - Order Minimum Amount For Woocommerce Plugin
Plugin: Order Minimum Amount For Woocommerce | MEDIUM | CVSS 4.4 | 2026-01-28 | Threat entry updated 2026-04-15

The Order Minimum/Maximum Amount Limits for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2026-1053 - Add Search To Menu Plugin
Plugin: Add Search To Menu | MEDIUM | CVSS 4.4 | 2026-01-28 | Threat entry updated 2026-04-15

The Ivory Search – WordPress Search Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.5.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
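Three entries on this page (WP Google Ad Manager, Order Minimum/Maximum Amount Limits, Ivory Search) carry the caveat "only affects multi-site installations and installations where unfiltered_html has been disabled". That is the point, not a mitigation: in those setups administrators and shop managers are deliberately not trusted with raw HTML, so a setting stored without sanitization and printed without escaping lets a site admin who lacks `unfiltered_html` run script for every visitor. The block below is an added example for this page, not code from any of those plugins; the option and settings-group names are hypothetical.

```php
<?php
/**
 * Added example, not code from any plugin on this page. A plain-text setting
 * and a rich-text setting, first saved and printed raw, then sanitized on save
 * according to the saver's real capability and escaped on output.
 * Option and group names are hypothetical.
 */

// --- Vulnerable: no sanitize_callback on save, raw echo on output -----------------
add_action( 'admin_init', function () {
    register_setting( 'demo_group', 'demo_site_tagline' );
    register_setting( 'demo_group', 'demo_footer_html' );
} );
add_action( 'wp_footer', function () {
    echo '<p class="tagline">' . get_option( 'demo_site_tagline', '' ) . '</p>';
    echo get_option( 'demo_footer_html', '' );   // "<script>...</script>" saved in Settings runs on every page
} );

// --- Hardened ---------------------------------------------------------------------------
add_action( 'admin_init', function () {
    // Plain-text setting: strip all tags on save.
    register_setting( 'demo_group', 'demo_site_tagline', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ) );
    // Rich-text setting: keep the post-safe tag set unless the saver holds unfiltered_html.
    register_setting( 'demo_group', 'demo_footer_html', array(
        'type'              => 'string',
        'sanitize_callback' => 'demo_sanitize_footer_html',
        'default'           => '',
    ) );
} );

function demo_sanitize_footer_html( $value ) {
    // wp_kses_post() removes <script>, on* event handlers and javascript: URLs;
    // it is the filter core applies to post content for users without unfiltered_html.
    // On multisite only super admins hold that capability by default.
    return current_user_can( 'unfiltered_html' ) ? $value : wp_kses_post( $value );
}

add_action( 'wp_footer', function () {
    echo '<p class="tagline">' . esc_html( get_option( 'demo_site_tagline', '' ) ) . '</p>';
    // Defence in depth: filter again on output so a value written by an older,
    // unsanitized release (or directly into the database) is still contained.
    echo wp_kses_post( get_option( 'demo_footer_html', '' ) );
} );
```

Filtering with `wp_kses_post()` on output also strips script that a super admin saved legitimately; if that is a product requirement, keep the capability-aware sanitizer on save and escape on output only for the plain-text settings.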
CVE-2026-1389 - Document Embedder – Embed PDFs, Word, Excel, and Other Files Plugin
Plugin: Document Embedder – Embed PDFs, Word, Excel, and Other Files | MEDIUM | CVSS 5.3 | 2026-01-28 | Threat entry updated 2026-04-15

The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the 'bplde_save_document_library', 'bplde_get_single', and 'bplde_delete_document_library' AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the 'id' parameter.
CVE-2026-1054 - Custom Registration Form Builder With Submission Manager Plugin
Plugin: Custom Registration Form Builder With Submission Manager | MEDIUM | CVSS 5.3 | 2026-01-28 | Threat entry updated 2026-04-15

The RegistrationMagic plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.0.7.4. This is due to missing nonce verification and capability checks on the rm_set_otp AJAX action handler. This makes it possible for unauthenticated attackers to modify arbitrary plugin settings, including reCAPTCHA keys, security settings, and frontend menu titles.
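The two entries above are the two checks an admin-ajax handler needs and the two ways of missing them: RegistrationMagic's handler is reachable with no nonce and no capability check at all, while Document Embedder's handlers do require a logged-in user but never ask whether that user owns the record named by `id`. The block below is an added example for this page, not code from either plugin; the `demo_*` action names, the `demo_doc` post type, and the nonce action are hypothetical.

```php
<?php
/**
 * Added example, not code from either plugin above. Two admin-ajax handlers:
 *   - a settings writer reachable by anyone (nopriv), no nonce, no capability;
 *   - a record reader that loads any post by id without an ownership check (IDOR).
 * Then the hardened versions. Action names, post type and nonce action are hypothetical.
 */

// --- Vulnerable ---------------------------------------------------------------------
add_action( 'wp_ajax_demo_set_option',        'demo_vuln_set_option' );
add_action( 'wp_ajax_nopriv_demo_set_option', 'demo_vuln_set_option' ); // reachable logged out
function demo_vuln_set_option() {
    // POST /wp-admin/admin-ajax.php  action=demo_set_option&name=<any option>&value=<anything>
    update_option( sanitize_key( $_POST['name'] ), wp_unslash( $_POST['value'] ) );
    wp_send_json_success();
}

add_action( 'wp_ajax_demo_get_doc', 'demo_vuln_get_doc' );
function demo_vuln_get_doc() {
    // Any Author can walk ?id=1,2,3,... and read everyone's entries.
    $doc = get_post( absint( $_GET['id'] ) );
    wp_send_json_success( array( 'title' => $doc->post_title, 'content' => $doc->post_content ) );
}

// --- Hardened ------------------------------------------------------------------------
// No wp_ajax_nopriv_ registration: the action does not exist for anonymous callers.
add_action( 'wp_ajax_demo_set_option', 'demo_safe_set_option' );
function demo_safe_set_option() {
    check_ajax_referer( 'demo_ajax', 'nonce' );           // CSRF: nonce from wp_create_nonce( 'demo_ajax' )
    if ( ! current_user_can( 'manage_options' ) ) {        // authorization
        wp_send_json_error( 'forbidden', 403 );
    }
    // Allowlist of options this endpoint may write; never take the option name freely.
    $allowed = array( 'demo_recaptcha_site_key', 'demo_menu_title' );
    $name    = sanitize_key( $_POST['name'] ?? '' );
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    update_option( $name, sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) ) );
    wp_send_json_success();
}

add_action( 'wp_ajax_demo_get_doc', 'demo_safe_get_doc' );
function demo_safe_get_doc() {
    check_ajax_referer( 'demo_ajax', 'nonce' );
    $doc = get_post( absint( $_GET['id'] ?? 0 ) );

    // Object-level authorization: the record must exist, be of the expected type,
    // and belong to the caller unless the caller may edit others' entries.
    if ( ! $doc || 'demo_doc' !== $doc->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }
    $is_owner = (int) $doc->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'edit_others_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( array( 'title' => $doc->post_title, 'content' => $doc->post_content ) );
}
```

For a post type registered with `map_meta_cap => true`, `current_user_can( 'edit_post', $doc->ID )` expresses the same owner-or-editor rule through core's capability mapping and is the more idiomatic form; the explicit comparison above is spelled out so the check being added is visible. Save and delete handlers need the identical check before writing, which is where the Document Embedder entry's `save` and `delete` actions went wrong as well.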
CVE-2026-1295 - Buy Now Plus Plugin
Plugin: Buy Now Plus | MEDIUM | CVSS 6.4 | 2026-01-28 | Threat entry updated 2026-04-15

The Buy Now Plus – Buy Now buttons for Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buynowplus' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on shortcode attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-1244 - Forms Bridge Plugin
Plugin: Forms Bridge | MEDIUM | CVSS 6.4 | 2026-01-28 | Threat entry updated 2026-04-15

The Forms Bridge – Infinite integrations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in the 'financoop_campaign' shortcode in all versions up to, and including, 4.2.5. This is due to insufficient input sanitization and output escaping on the user-supplied 'id' parameter in the forms_bridge_financoop_shortcode_error function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
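Four entries on this page (Passster, BlockArt Counter, Buy Now Plus, Forms Bridge) are stored XSS through shortcode or block attributes at Contributor level. Contributors cannot post raw HTML, but they can place shortcodes, so every attribute that reaches the output unescaped is a sink; the Forms Bridge case shows that this includes error messages that echo the offending value back. The block below is an added example for this page, not code from any of those plugins; the `demo_button` shortcode and its attributes are hypothetical.

```php
<?php
/**
 * Added example, not code from any plugin on this page. A shortcode that
 * echoes its attributes raw, beside one that escapes each value for the
 * context it lands in. Shortcode and attribute names are hypothetical.
 */

// --- Vulnerable -----------------------------------------------------------------
add_shortcode( 'demo_button', function ( $atts ) {
    $atts = shortcode_atts( array( 'url' => '#', 'label' => 'Buy', 'id' => '' ), $atts );
    // A Contributor's draft containing
    //   [demo_button url="javascript:alert(1)" label="x</a><script>alert(1)</script>"]
    // or id='x" onmouseover="alert(1)' runs for anyone who views the published page,
    // including the editor who reviews it in Preview.
    return '<a id="' . $atts['id'] . '" href="' . $atts['url'] . '">' . $atts['label'] . '</a>';
} );

// --- Hardened: escape per context, constrain what each attribute may contain ----
add_shortcode( 'demo_button_safe', function ( $atts ) {
    $atts = shortcode_atts( array( 'url' => '#', 'label' => 'Buy', 'id' => '' ), $atts, 'demo_button_safe' );

    $id    = sanitize_html_class( $atts['id'] );     // identifiers: restricted charset, no quotes
    $url   = esc_url( $atts['url'] );                // rejects javascript:/data: schemes, returns '' if invalid
    $label = esc_html( $atts['label'] );             // text node: < > & and quotes entity-encoded

    // Error path: the value being complained about must be escaped like any other output.
    if ( '' === $url ) {
        return '<p class="demo-error">Invalid button URL: ' . esc_html( $atts['url'] ) . '</p>';
    }
    return sprintf( '<a id="%s" href="%s">%s</a>', esc_attr( $id ), $url, $label );
} );
```

The rule being applied is escape-at-output by context: `esc_attr()` inside attributes, `esc_html()` in text, `esc_url()` for `href`/`src`, and `wp_kses_post()` only where limited HTML is a feature. Sanitizing on save alone does not help here, because shortcode attributes are stored as part of post content and are parsed fresh on every render.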