Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-04-15
CVE-2026-0927 - Kivicare Clinic Management System Plugin
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization checks in the uploadMedicalReport() function in all versions up to, and including, 3.6.15. This makes it possible for unauthenticated attackers to upload text files and PDF documents to the affected site's server which may be leveraged for further attacks such as hosting malicious content or phishing pages via PDF files.
PLUGIN
Kivicare Clinic Management System
CVE-2026-0927
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-14069 - Schema And Structured Data For Wp Plugin
The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saswp_custom_schema_field' profile field in all versions up to, and including, 1.54 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Schema And Structured Data For Wp
CVE-2025-14069
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-15522 - Uncanny Automator Plugin
The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and output escaping on the verified_message parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user with a verified Discord account accesses the injected page.
PLUGIN
Uncanny Automator
CVE-2025-15522
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-24389 - Gallery PhotoBlocks Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Chill Gallery PhotoBlocks photoblocks-grid-gallery allows DOM-Based XSS.This issue affects Gallery PhotoBlocks: from n/a through
PLUGIN
Gallery PhotoBlocks
CVE-2026-24389
Risk Score
Threat Entry
Updated 2026-01-27
CVE-2026-24383 - B Slider Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins B Slider b-slider allows DOM-Based XSS.This issue affects B Slider: from n/a through
PLUGIN
B Slider
CVE-2026-24383
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-24384 - Merge + Minify + Refresh Plugin
Cross-Site Request Forgery (CSRF) vulnerability in launchinteractive Merge + Minify + Refresh merge-minify-refresh allows Cross Site Request Forgery.This issue affects Merge + Minify + Refresh: from n/a through
PLUGIN
Merge + Minify + Refresh
CVE-2026-24384
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-24381 - PhotoMe Plugin
Server-Side Request Forgery (SSRF) vulnerability in ThemeGoods PhotoMe photome allows Server Side Request Forgery.This issue affects PhotoMe: from n/a through < 5.7.2.
PLUGIN
PhotoMe
CVE-2026-24381
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-24388 - WPMasterToolKit Plugin
Missing Authorization vulnerability in Ludwig You WPMasterToolKit wpmastertoolkit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPMasterToolKit: from n/a through
PLUGIN
WPMasterToolKit
CVE-2026-24388
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-24387 - WP Quick Post Duplicator Plugin
Missing Authorization vulnerability in Arul Prasad J WP Quick Post Duplicator wp-quick-post-duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Quick Post Duplicator: from n/a through
PLUGIN
WP Quick Post Duplicator
CVE-2026-24387
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-24386 - Elementor Plugin
Missing Authorization vulnerability in Element Invader Element Invader – Template Kits for Elementor elementinvader allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Element Invader – Template Kits for Elementor: from n/a through
PLUGIN
Elementor
CVE-2026-24386
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-24374 - RegistrationMagic Plugin
Cross-Site Request Forgery (CSRF) vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Cross Site Request Forgery.This issue affects RegistrationMagic: from n/a through
PLUGIN
RegistrationMagic
CVE-2026-24374
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-24366 - WooCommerce Plugin
Missing Authorization vulnerability in YITHEMES YITH WooCommerce Request A Quote yith-woocommerce-request-a-quote allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects YITH WooCommerce Request A Quote: from n/a through
PLUGIN
WooCommerce
CVE-2026-24366
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-24361 - LearnPress – Course Review Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress – Course Review learnpress-course-review allows Stored XSS.This issue affects LearnPress – Course Review: from n/a through
PLUGIN
LearnPress – Course Review
CVE-2026-24361
Risk Score
Threat Entry
Updated 2026-01-27
CVE-2026-24354 - Penci Shortcodes & Performance Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Shortcodes & Performance penci-shortcodes allows DOM-Based XSS.This issue affects Penci Shortcodes & Performance: from n/a through
PLUGIN
Penci Shortcodes & Performance
CVE-2026-24354
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-24365 - WooCommerce Plugin
Cross-Site Request Forgery (CSRF) vulnerability in storeapps Stock Manager for WooCommerce woocommerce-stock-manager allows Cross Site Request Forgery.This issue affects Stock Manager for WooCommerce: from n/a through < 3.6.0.
PLUGIN
WooCommerce
CVE-2026-24365
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-24355 - Houzez Theme - Functionality
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez Theme - Functionality houzez-theme-functionality allows Stored XSS.This issue affects Houzez Theme - Functionality: from n/a through
THEME
Houzez Theme - Functionality
CVE-2026-24355
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-24360 - Seriously Simple Podcasting Plugin
Server-Side Request Forgery (SSRF) vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Server Side Request Forgery.This issue affects Seriously Simple Podcasting: from n/a through
PLUGIN
Seriously Simple Podcasting
CVE-2026-24360
Risk Score
Threat Entry
Updated 2026-01-27
CVE-2026-22483 - teachPress Plugin
Cross-Site Request Forgery (CSRF) vulnerability in winkm89 teachPress teachpress allows Cross Site Request Forgery.This issue affects teachPress: from n/a through
PLUGIN
teachPress
CVE-2026-22483
Risk Score
Threat Entry
Updated 2026-01-27
CVE-2026-22463 - Form to Chat App Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Micro.company Form to Chat App form-to-chat allows Stored XSS.This issue affects Form to Chat App: from n/a through
PLUGIN
Form to Chat App
CVE-2026-22463
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-22469 - DeepDigital Plugin
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in mwtemplates DeepDigital deepdigital allows Code Injection.This issue affects DeepDigital: from n/a through
PLUGIN
DeepDigital
CVE-2026-22469
Risk Score