Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,846 (Critical: 0, High: 0, Medium: 10,846)
Showing 921-940 of 10,846 records
Threat Entry Updated 2026-04-15

CVE-2026-1075 - Zt Captcha Plugin

The ZT Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to improper nonce validation on the save_ztcpt_captcha_settings action, where the nonce check can be bypassed by sending an empty token value. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Zt Captcha | CVE-2026-1075 | Medium (CVSS 4.3) | 2026-01-24
Threat Entry Updated 2026-04-15

CVE-2026-1070 - User Counter Plugin

The Alex User Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0. This is due to missing nonce validation on the alex_user_counter_function() function. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Plugin: User Counter | CVE-2026-1070 | Medium (CVSS 4.3) | 2026-01-24
Threat Entry Updated 2026-01-26

CVE-2025-14985 - Alpha Blocks Plugin

The Alpha Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘alpha_block_css’ parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Alpha Blocks | CVE-2025-14985 | Medium (CVSS 6.4) | 2026-01-24
Threat Entry Updated 2026-01-26

CVE-2025-14941 - Gzseo Plugin

The GZSEO plugin for WordPress is vulnerable to authorization bypass leading to Stored Cross-Site Scripting in all versions up to, and including, 2.0.11. This is due to missing capability checks on multiple AJAX handlers, combined with insufficient input sanitization and output escaping on the embed_code parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary content into any post on the site that will execute whenever a user accesses an injected page.

Plugin: Gzseo | CVE-2025-14941 | Medium (CVSS 6.4) | 2026-01-24
Threat Entry Updated 2026-01-26

CVE-2025-14843 - Wizit Gateway For Woocommerce Plugin

The Wizit Gateway for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Order Cancellation in all versions up to, and including, 1.2.9. This is due to a lack of authentication and authorization checks in the 'handle_checkout_redirecturl_response' function. This makes it possible for unauthenticated attackers to cancel arbitrary WooCommerce orders by sending a crafted request with a valid order ID.

Plugin: Wizit Gateway For Woocommerce | CVE-2025-14843 | Medium (CVSS 5.3) | 2026-01-24
Threat Entry Updated 2026-01-26

CVE-2025-14906 - Wp Youtube Video Gallery Plugin

The WP Youtube Video Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce verification on the wpYTVideoGallerySettingSave() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Wp Youtube Video Gallery | CVE-2025-14906 | Medium (CVSS 4.3) | 2026-01-24
Threat Entry Updated 2026-01-26

CVE-2025-14903 - Simple Crypto Shortcodes Plugin

The Simple Crypto Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2. This is due to missing nonce validation on the scs_backend function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Simple Crypto Shortcodes | CVE-2025-14903 | Medium (CVSS 4.3) | 2026-01-24
Threat Entry Updated 2026-01-26

CVE-2025-13676 - Justclick Subscriber Plugin

The JustClick registration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on the `PHP_SELF` server variable. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: Justclick Subscriber | CVE-2025-13676 | Medium (CVSS 6.1) | 2026-01-24
Threat Entry Updated 2026-01-26

CVE-2025-14797 - Same Category Posts Plugin

The Same Category Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget title placeholder functionality in all versions up to, and including, 1.1.19. This is due to the use of `htmlspecialchars_decode()` on taxonomy term names before output, which decodes HTML entities that WordPress intentionally encodes for safety. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Same Category Posts | CVE-2025-14797 | Medium (CVSS 5.4) | 2026-01-24
Threat Entry Updated 2026-01-26

CVE-2025-14629 - Alchemist Ajax Upload Plugin

The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments.

Plugin: Alchemist Ajax Upload | CVE-2025-14629 | Medium (CVSS 5.3) | 2026-01-24
Threat Entry Updated 2026-01-26

CVE-2025-14609 - Wise Analytics Plugin

The Wise Analytics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.9. This is due to missing capability checks on the REST API endpoint '/wise-analytics/v1/report'. This makes it possible for unauthenticated attackers to access sensitive analytics data, including administrator usernames, login timestamps, visitor tracking information, and business intelligence data, via the 'name' parameter, provided they can send unauthenticated requests.

Plugin: Wise Analytics | CVE-2025-14609 | Medium (CVSS 5.3) | 2026-01-24
Threat Entry Updated 2026-01-26

CVE-2025-12836 - Vk Google Job Posting Manager Plugin

The VK Google Job Posting Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Job Description field in versions up to, and including, 1.2.20, due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Vk Google Job Posting Manager | CVE-2025-12836 | Medium (CVSS 6.4) | 2026-01-24
Threat Entry Updated 2026-01-26

CVE-2025-14947 - All In One Video Gallery Plugin

The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video` functions in all versions up to, and including, 4.6.4. This makes it possible for unauthenticated attackers to create and delete videos on the Bunny Stream CDN associated with the victim's account, provided they can obtain a valid nonce which is exposed in public player templates.

Plugin: All In One Video Gallery | CVE-2025-14947 | Medium (CVSS 6.5) | 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2026-24634 - Ultimate Reviews Plugin

Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Ultimate Reviews ultimate-reviews allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Reviews: from n/a through

Plugin: Ultimate Reviews | CVE-2026-24634 | Medium (CVSS 5.3) | 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2026-24636 - Sugar Calendar (Lite) Plugin

Missing Authorization vulnerability in Syed Balkhi Sugar Calendar (Lite) sugar-calendar-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sugar Calendar (Lite): from n/a through

Plugin: Sugar Calendar (Lite) | CVE-2026-24636 | Medium (CVSS 4.3) | 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2026-24630 - Stylish Cost Calculator Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Design Stylish Cost Calculator stylish-cost-calculator allows Stored XSS. This issue affects Stylish Cost Calculator: from n/a through

Plugin: Stylish Cost Calculator | CVE-2026-24630 | Medium (CVSS 6.5) | 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2026-24632 - Delay Redirects Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jagdish1o1 Delay Redirects delay-redirects allows DOM-Based XSS. This issue affects Delay Redirects: from n/a through

Plugin: Delay Redirects | CVE-2026-24632 | Medium (CVSS 5.9) | 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2026-24629 - Web Accessibility with Max Access Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ability, Inc Web Accessibility with Max Access accessibility-toolbar allows Stored XSS. This issue affects Web Accessibility with Max Access: from n/a through

Plugin: Web Accessibility with Max Access | CVE-2026-24629 | Medium (CVSS 5.9) | 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2026-24631 - Rosebud Plugin

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Rosebud rosebud allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Rosebud: from n/a through

Plugin: Rosebud | CVE-2026-24631 | Medium (CVSS 5.4) | 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2026-24633 - Add Expires Headers & Optimized Minify Plugin

Missing Authorization vulnerability in Passionate Brains Add Expires Headers & Optimized Minify add-expires-headers allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Add Expires Headers & Optimized Minify: from n/a through

Plugin: Add Expires Headers & Optimized Minify | CVE-2026-24633 | Medium (CVSS 5.3) | 2026-01-23