Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-01-26
CVE-2025-14029 - Community Events Plugin
The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_admin_event_approval() function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to approve arbitrary events via the 'eventlist' parameter.
PLUGIN
Community Events
CVE-2025-14029
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-12825 - User Registration Using Contact Form 7 Plugin
The User Registration Using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_cf7_form_data' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to retrieve form settings which includes Facebook app secrets.
PLUGIN
User Registration Using Contact Form 7
CVE-2025-12825
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-12168 - Phrase Tms Integration For Wordpress Plugin
The Phrase TMS Integration for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_delete_log' AJAX endpoint in all versions up to, and including, 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete log files.
PLUGIN
Phrase Tms Integration For Wordpress
CVE-2025-12168
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-0820 - Computer Repair Shop Plugin
The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference due to missing capability checks on the wc_upload_and_save_signature_handler function in all versions up to, and including, 4.1116. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary signatures to any order in the system, potentially modifying order metadata and triggering unauthorized status changes.
PLUGIN
Computer Repair Shop
CVE-2026-0820
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-14463 - Wp Paypal Plugin
The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint (`wppaypalcheckout_ajax_process_order`) that processes checkout results without any authentication or server-side verification of the PayPal transaction. This makes it possible for unauthenticated attackers to create arbitrary orders on the site with any chosen transaction ID, payment status, product name, amount, or customer information via direct POST requests to the AJAX endpoint, granted they can bypass basic parameter validation.…
PLUGIN
Wp Paypal
CVE-2025-14463
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-13725 - Thim Blocks Plugin
The Gutenberg Thim Blocks – Page Builder, Gutenberg Blocks for the Block Editor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 1.0.1. This is due to insufficient path validation in the server-side rendering of the thim-blocks/icon block. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server via the 'iconSVG' parameter, which can contain sensitive information such as wp-config.php.
PLUGIN
Thim Blocks
CVE-2025-13725
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-14450 - Wallet System For Woocommerce Plugin
The Wallet System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'change_wallet_fund_request_status_callback' function in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to manipulate wallet withdrawal requests and arbitrarily increase their wallet balance or decrease other users' balances.
PLUGIN
Wallet System For Woocommerce
CVE-2025-14450
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-12718 - Quick Contact Form Plugin
The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcf_validate_form' AJAX endpoint allowing a user controlled parameter to set the 'from' email address. This makes it possible for unauthenticated attackers to send emails to arbitrary recipients utilizing the server. The information is limited to the contact form submission details.
PLUGIN
Quick Contact Form
CVE-2025-12718
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-14075 - Wp Hotel Booking Plugin
The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel_booking_fetch_customer_info' AJAX action to unauthenticated users without proper capability checks, relying only on a nonce for protection. This makes it possible for unauthenticated attackers to retrieve sensitive customer information including full names, addresses, phone numbers, and email addresses by providing a valid email address and a publicly accessible nonce.
PLUGIN
Wp Hotel Booking
CVE-2025-14075
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-14632 - Filr Protection Plugin
The Filr – Secure document library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via unrestricted file upload in all versions up to, and including, 1.2.11 due to insufficient file type restrictions in the FILR_Uploader class. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload malicious HTML files containing JavaScript that will execute whenever a user accesses the uploaded file, granted they have permission to create or edit posts with the 'filr' post type.
PLUGIN
Filr Protection
CVE-2025-14632
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-12002 - Feeds For Youtube Plugin
The Feeds for YouTube Pro plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.6.0 via the 'sby_check_wp_submit' AJAX action. This is due to insufficient sanitization of user-supplied data and the use of that data in a file operation. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information, granted the 'Save Featured Images' setting is enabled and 'Disable WP Posts' is disabled. Note: This vulnerability only affects the Pro version…
PLUGIN
Feeds For Youtube
CVE-2025-12002
Risk Score
Threat Entry
Updated 2026-02-02
CVE-2026-0518 - Secure Access Plugin
CVE-2026-0518 is a cross-site scripting vulnerability in versions of Secure Access prior to 14.20. An attacker with administrative privileges can interfere with another administrator’s use of the console.
PLUGIN
Secure Access
CVE-2026-0518
Risk Score
Threat Entry
Updated 2026-02-02
CVE-2026-0519 - Secure Access Plugin
In Secure Access 12.70 and prior to 14.20, the logging subsystem may write an unredacted authentication token to logs under certain configurations. Any party with access to those logs could read the token and reuse it to access an integrated system.
PLUGIN
Secure Access
CVE-2026-0519
Risk Score
Threat Entry
Updated 2026-02-02
CVE-2026-0517 - Secure Access Plugin
CVE-2026-0517 is a denial-of-service vulnerability in versions of Secure Access Server prior to 14.20. An attacker can send a specially crafted packet to a server and cause the server to crash
PLUGIN
Secure Access
CVE-2026-0517
Risk Score
Threat Entry
Updated 2026-02-23
CVE-2026-23643 - Cakephp Plugin
CakePHP is a rapid development framework for PHP. The PaginatorHelper::limitControl() method has a cross-site-scripting vulnerability via query string parameter manipulation. This issue has been fixed in 5.2.12 and 5.3.1.
PLUGIN
Cakephp
CVE-2026-23643
Risk Score
Threat Entry
Updated 2026-01-30
CVE-2026-23730 - WeGIA Plugin
WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=ProdutoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.
PLUGIN
WeGIA
CVE-2026-23730
Risk Score
Threat Entry
Updated 2026-01-30
CVE-2026-23729 - WeGIA Plugin
WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarDescricao and nomeClasse=ProdutoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.
PLUGIN
WeGIA
CVE-2026-23729
Risk Score
Threat Entry
Updated 2026-01-30
CVE-2026-23731 - WeGIA Plugin
WeGIA is a web manager for charitable institutions. Prior to 3.6.2, The web application is vulnerable to clickjacking attacks. The WeGIA application does not send any defensive HTTP headers related to framing protection. In particular, X-Frame-Options is missing andContent-Security-Policy with frame-ancestors directive is not configured. Because of this, an attacker can load any WeGIA page inside a malicious HTML document, overlay deceptive elements, hide real buttons, or force accidental interaction with sensitive workflows. This vulnerability is fixed in 3.6.2.
PLUGIN
WeGIA
CVE-2026-23731
Risk Score
Threat Entry
Updated 2026-01-30
CVE-2026-23725 - WeGIA Plugin
WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/pet/adotantes/cadastro_adotante.php and html/pet/adotantes/informacao_adotantes.php endpoint of the WeGIA application. The application does not sanitize user-controlled input before rendering it inside the Adopters Information table, allowing persistent JavaScript injection. Any user who visits the page will have the payload executed automatically. This vulnerability is fixed in 3.6.2.
PLUGIN
WeGIA
CVE-2026-23725
Risk Score
Threat Entry
Updated 2026-01-30
CVE-2026-23728 - WeGIA Plugin
WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=DestinoControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.
PLUGIN
WeGIA
CVE-2026-23728
Risk Score