Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-01-08
CVE-2025-14028 - Contact Us Simple Form Plugin
The Contact Us Simple Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Contact Us Simple Form
CVE-2025-14028
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-14077 - Simcast Plugin
The Simcast plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the settingsPage function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Simcast
CVE-2025-14077
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-13990 - Mamurjor Employee Info Plugin
The Mamurjor Employee Info plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticated attackers to create, update, or delete employee records, departments, designations, salary grades, education records, and salary payments via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Mamurjor Employee Info
CVE-2025-13990
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-13887 - Ai Botkit For Lead Generation Plugin
The AI BotKit – AI Chatbot & Live Support for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in the `ai_botkit_widget` shortcode in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ai Botkit For Lead Generation
CVE-2025-13887
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-13849 - Cool Yt Player Plugin
The Cool YT Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'videoid' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Cool Yt Player
CVE-2025-13849
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-13848 - Stm Gallery Plugin
The STM Gallery 1.9 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'composicion' parameter in all versions up to, and including, 0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Stm Gallery
CVE-2025-13848
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-13847 - Photofade Plugin
The PhotoFade plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'time' parameter in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Photofade
CVE-2025-13847
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-13841 - Smart App Banners Plugin
The Smart App Banners plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'size' and 'verticalalign' parameters of the 'app-store-download' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Smart App Banners
CVE-2025-13841
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-13974 - Email Customizer For Woocommerce Plugin
The Email Customizer for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email template content in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in email templates that will execute when customers view transactional emails. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Email Customizer For Woocommerce
CVE-2025-13974
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-13667 - Wp Recipe Manager Plugin
The WP Recipe Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Skill Level' input field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Recipe Manager
CVE-2025-13667
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-13531 - Stylish Order Form Builder Plugin
The Stylish Order Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'product_name' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Stylish Order Form Builder
CVE-2025-13531
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-13722 - Conversational Form Builder Plugin
The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.7. This is due to missing capability checks on the `fluentform_ai_create_form` AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary forms via the publicly exposed AI builder.
PLUGIN
Conversational Form Builder
CVE-2025-13722
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-13694 - Aa Block Country Plugin
The AA Block Country plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.0.1. This is due to the plugin trusting user-supplied headers such as HTTP_X_FORWARDED_FOR to determine the client's IP address without proper validation or considering if the server is behind a trusted proxy. This makes it possible for unauthenticated attackers to bypass IP-based access restrictions by spoofing their IP address via the X-Forwarded-For header.
PLUGIN
Aa Block Country
CVE-2025-13694
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-13529 - Unify Plugin
The Unify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'init' action in all versions up to, and including, 3.4.9. This makes it possible for unauthenticated attackers to delete specific plugin options via the 'unify_plugin_downgrade' parameter.
PLUGIN
Unify
CVE-2025-13529
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-13657 - Helpdesk Contact Form Plugin
The HelpDesk contact form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing or incorrect nonce validation on the handle_query_args() function. This makes it possible for unauthenticated attackers to update the plugin's license ID and contact form ID settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Helpdesk Contact Form
CVE-2025-13657
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-13497 - Recras Wordpress Plugin
The Recras WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'recrasname' shortcode attribute in all versions up to, and including, 6.4.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Recras Wordpress
CVE-2025-13497
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-13519 - Svg Map By Saedi Plugin
The SVG Map Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on multiple AJAX actions including 'save_data', 'delete_data', and 'add_popup'. This makes it possible for unauthenticated attackers to update the plugin's settings, delete map data, and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Svg Map By Saedi
CVE-2025-13519
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-13496 - Moosend Landing Pages Plugin
The Moosend Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the moosend_landings_auth_get function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the 'moosend_landing_api_key' option value.
PLUGIN
Moosend Landing Pages
CVE-2025-13496
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-13527 - Xshare Plugin
The xShare plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'xshare_plugin_reset()' function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Xshare
CVE-2025-13527
Risk Score
Threat Entry
Updated 2026-01-08
CVE-2025-13521 - Wp Change Status Notifier Plugin
The WP Status Notifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Wp Change Status Notifier
CVE-2025-13521
Risk Score