Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2026-01-08

CVE-2025-13520 - MTCaptcha WordPress Plugin

The MTCaptcha WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.2. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin settings, including sensitive values like the private key, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN MTCaptcha

CVE-2025-13520

MEDIUM CVSS 4.3 2026-01-07
Threat Entry Updated 2026-01-08

CVE-2025-13418 - Dk Pricr Responsive Pricing Table Plugin

The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'plan_icons' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Dk Pricr Responsive Pricing Table

CVE-2025-13418

MEDIUM CVSS 6.4 2026-01-07
Threat Entry Updated 2026-01-08

CVE-2025-13369 - Woo Customers Manager Plugin

The Premmerce WooCommerce Customers Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'money_spent_from', 'money_spent_to', 'registered_from', and 'registered_to' parameters in all versions up to, and including, 1.1.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.

PLUGIN Woo Customers Manager

CVE-2025-13369

MEDIUM CVSS 6.1 2026-01-07
Threat Entry Updated 2026-01-08

CVE-2025-13419 - Wp Front User Submit Plugin

The Guest posting / Frontend Posting / Front Editor – WP Front User Submit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bfe/v1/revert' REST API endpoint in all versions up to, and including, 5.0.0. This makes it possible for unauthenticated attackers to delete arbitrary media attachments.

PLUGIN Wp Front User Submit

CVE-2025-13419

MEDIUM CVSS 5.3 2026-01-07
Threat Entry Updated 2026-01-08

CVE-2025-12648 - Wp Members Plugin

The WP-Members Membership Plugin for WordPress is vulnerable to unauthorized file access in versions up to, and including, 3.5.4.4. This is due to storing user-uploaded files in predictable directories (wp-content/uploads/wpmembers/user_files//) without implementing proper access controls beyond basic directory listing protection (.htaccess with Options -Indexes). This makes it possible for unauthenticated attackers to directly access and download sensitive documents uploaded by site users via direct URL access, granted they can guess or enumerate user IDs and filenames.

PLUGIN Wp Members

CVE-2025-12648

MEDIUM CVSS 5.3 2026-01-07
Threat Entry Updated 2026-01-08

CVE-2025-12449 - Wordpress Gutenberg Blocks Plugin

The aBlocks – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data and disclosure of sensitive information due to missing capability checks on multiple AJAX actions in all versions up to, and including, 2.4.0. This makes it possible for authenticated attackers, with subscriber level access and above, to read plugin settings including block visibility, maintenance mode configuration, and third-party email marketing API keys, as well as read sensitive configuration data including API keys for email marketing services.

PLUGIN Wordpress Gutenberg Blocks

CVE-2025-12449

MEDIUM CVSS 5.4 2026-01-07
Threat Entry Updated 2026-01-08

CVE-2025-12540 - Googleanalytics Plugin

The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.4. This is due to the Google Analytics client_ID and client_secret being stored in plaintext in the publicly visible plugin source. This can allow unauthenticated attackers to craft a link to the sharethis.com server, which will share an authorization token for Google Analytics with a malicious website, if the attacker can trick an administrator logged into the website and Google Analytics to click the link.

PLUGIN Googleanalytics

CVE-2025-12540

MEDIUM CVSS 4.7 2026-01-07
Threat Entry Updated 2026-01-08

CVE-2025-12030 - Acf To Rest Api Plugin

The ACF to REST API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.4. This is due to insufficient capability checks in the update_item_permissions_check() method, which only verifies that the current user has the edit_posts capability without checking object-specific permissions (e.g., edit_post($id), edit_user($id), manage_options). This makes it possible for authenticated attackers, with Contributor-level access and above, to modify ACF fields on posts they do not own, any user account, comments, taxonomy terms, and even the global options page via the /wp-json/acf/v3/{type}/{id}…

PLUGIN Acf To Rest Api

CVE-2025-12030

MEDIUM CVSS 4.3 2026-01-07
Threat Entry Updated 2026-01-08

CVE-2025-31051 - Plant - Gardening & Houseplants WordPress Theme

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in EngoTheme Plant - Gardening & Houseplants WordPress Theme allows Retrieve Embedded Sensitive Data. This issue affects Plant - Gardening & Houseplants WordPress Theme: from n/a through 1.0.0.

THEME Plant - Gardening & Houseplants

CVE-2025-31051

MEDIUM CVSS 5.3 2026-01-07
Threat Entry Updated 2026-01-12

CVE-2026-21492 - iccDEV Plugin

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a NULL pointer member call vulnerability. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.

PLUGIN iccDEV

CVE-2026-21492

MEDIUM CVSS 5.5 2026-01-06
Threat Entry Updated 2026-01-12

CVE-2026-21494 - iccDEV Plugin

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It results in heap buffer overflow in `CIccTagLut8::Validate()`. Version 2.3.1.2 contains a patch. No known workarounds are available.

PLUGIN iccDEV

CVE-2026-21494

MEDIUM CVSS 6.1 2026-01-06
Threat Entry Updated 2026-01-12

CVE-2026-21491 - iccDEV Plugin

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It results in unicode buffer overflow in `CIccTagTextDescription`. Version 2.3.1.2 contains a patch. No known workarounds are available.

PLUGIN iccDEV

CVE-2026-21491

MEDIUM CVSS 6.1 2026-01-06
Threat Entry Updated 2026-01-12

CVE-2026-21490 - iccDEV Plugin

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It results in heap buffer overflow in `CIccTagLut16::Validate()`. Version 2.3.1.2 contains a patch. No known workarounds are available.

PLUGIN iccDEV

CVE-2026-21490

MEDIUM CVSS 6.1 2026-01-06
Threat Entry Updated 2026-01-22

CVE-2026-0641 - WA300 Plugin

A security vulnerability has been detected in TOTOLINK WA300 5.2cu.7112_B20190227. This vulnerability affects the function sub_401510 of the file cstecgi.cgi. The manipulation of the argument UPLOAD_FILENAME leads to command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.

PLUGIN WA300

CVE-2026-0641

MEDIUM CVSS 5.3 2026-01-06
Threat Entry Updated 2026-01-20

CVE-2025-69331 - WordPress Core

Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Theater for WordPress: from n/a through

CORE WordPress Core

CVE-2025-69331

MEDIUM CVSS 4.3 2026-01-06
Threat Entry Updated 2026-01-14

CVE-2026-21493 - iccDEV Plugin

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are vulnerable to Type Confusion in its CIccSingleSampledeCurveXml class during XML Curve Serialization. This issue is fixed in version 2.3.1.2.

PLUGIN iccDEV

CVE-2026-21493

MEDIUM CVSS 6.6 2026-01-06
Threat Entry Updated 2026-01-14

CVE-2026-21489 - iccDEV Plugin

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below have Out-of-bounds Read and Integer Underflow (Wrap or Wraparound) vulnerabilities in its CIccCalculatorFunc::SequenceNeedTempReset function. This issue is fixed in version 2.3.1.2.

PLUGIN iccDEV

CVE-2026-21489

MEDIUM CVSS 6.1 2026-01-06
Threat Entry Updated 2026-01-14

CVE-2026-21488 - iccDEV Plugin

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are vulnerable to Out-of-bounds Read, Heap-based Buffer Overflow and Improper Null Termination through its CIccTagText::Read function. This issue is fixed in version 2.3.1.2.

PLUGIN iccDEV

CVE-2026-21488

MEDIUM CVSS 6.1 2026-01-06
Threat Entry Updated 2026-01-09

CVE-2025-9637 - Quiz Master Next Plugin

The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability and status checks on multiple functions in all versions up to, and including, 10.3.1. This makes it possible for unauthenticated attackers to view the details of unpublished, private, or password-protected quizzes, as well as submit file responses to questions from those quizzes which allow file upload.

PLUGIN Quiz Master Next

CVE-2025-9637

MEDIUM CVSS 6.5 2026-01-06
Threat Entry Updated 2026-01-09

CVE-2025-9318 - Quiz Master Next Plugin

The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to time-based SQL Injection via the ‘is_linking’ parameter in all versions up to, and including, 10.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Quiz Master Next

CVE-2025-9318

MEDIUM CVSS 6.5 2026-01-06