Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-12-12
CVE-2025-14165 - Kirimemail Woocommerce Integration Plugin
The Kirim.Email WooCommerce Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9. This is due to missing nonce validation on the plugin's settings page. This makes it possible for unauthenticated attackers to modify the plugin's API credentials and integration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Kirimemail Woocommerce Integration
CVE-2025-14165
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-14143 - Ayo Shortcodes Plugin
The Ayo Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' parameter of the ayo_action shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ayo Shortcodes
CVE-2025-14143
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-14138 - Wplg Default Mail From Plugin
The WPLG Default Mail From plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Wplg Default Mail From
CVE-2025-14138
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-14162 - Bmlt Wordpress Satellite Plugin
The BMLT WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.11.4. This is due to missing nonce validation on the 'BMLTPlugin_create_option' and 'BMLTPlugin_delete_option ' action. This makes it possible for unauthenticated attackers to create new plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Bmlt Wordpress Satellite
CVE-2025-14162
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-14161 - Truefy Embed Plugin
The Truefy Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'truefy_embed_options_update' settings update action. This makes it possible for unauthenticated attackers to update the plugin's settings, including the API key, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Truefy Embed
CVE-2025-14161
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-14160 - Upcoming For Calendly Plugin
The Upcoming for Calendly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's Calendly API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Upcoming For Calendly
CVE-2025-14160
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-14158 - Coding Blocks Plugin
The Coding Blocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update plugin settings including the theme configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Coding Blocks
CVE-2025-14158
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-14064 - Buddytask Plugin
The BuddyTask plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple AJAX endpoints in all versions up to, and including, 1.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view, create, modify, and delete task boards belonging to any BuddyPress group, including private and hidden groups they are not members of.
PLUGIN
Buddytask
CVE-2025-14064
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-14119 - App Template Blocks For Wpbakery Page Builder Plugin
The App Landing Template Blocks for WPBakery (Visual Composer) Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'atvc_video_play' shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
App Template Blocks For Wpbakery Page Builder
CVE-2025-14119
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-14137 - Simple Al Slider Plugin
The Simple AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Simple Al Slider
CVE-2025-14137
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-14132 - Dropdown Category List Plugin
The Category Dropdown List plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Dropdown Category List
CVE-2025-14132
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-14129 - Like Dislike Voting Plugin
The Like DisLike Voting plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Like Dislike Voting
CVE-2025-14129
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-14125 - Omplag Plugin
The Complag plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Omplag
CVE-2025-14125
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-14032 - Bold Timeline Lite Plugin
The Bold Timeline Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in the 'bold_timeline_group' shortcode in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Bold Timeline Lite
CVE-2025-14032
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-14048 - Simplyconvert Plugin
The SimplyConvert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'simplyconvert_hash' option in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Simplyconvert
CVE-2025-14048
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-14035 - Debatemaster Plugin
The DebateMaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the color options in the plugin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page with the debate shortcode. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Debatemaster
CVE-2025-14035
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-14062 - Animated Pixel Marquee Creator Plugin
The Animated Pixel Marquee Creator plugin for WordPress is vulnerable to Cross-Site Request Forgery via the 'marquee' parameter in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the marquee deletion function. This makes it possible for unauthenticated attackers to delete arbitrary marquees via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Animated Pixel Marquee Creator
CVE-2025-14062
Risk Score
Threat Entry
Updated 2025-12-15
CVE-2025-14045 - Url Media Uploader Plugin
The URL Media Uploader plugin for WordPress is vulnerable to unauthorized safe file uploads due to a missing capability check on the url_media_uploader_url_upload_ajax_handler() function in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload safe media files.
PLUGIN
Url Media Uploader
CVE-2025-14045
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-13989 - Wp Dropzone Plugin
The WP Dropzone plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'callback' shortcode attribute in all versions up to, and including, 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied 'callback' attributes, which are evaluated as JavaScript code via the `new Function()` constructor. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Dropzone
CVE-2025-13989
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-13988 - Comments Secretary Plugin
The 评论小秘书 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3.2. This is due to insufficient input sanitization and output escaping on the `$_SERVER['PHP_SELF']` variable in the plugin's settings page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Comments Secretary
CVE-2025-13988
Risk Score