Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-12-12
CVE-2025-13747 - Newstatpress Plugin
The NewStatPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a regex bypass in nsp_shortcode function in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Newstatpress
CVE-2025-13747
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-13320 - Wp User Manager Plugin
The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs by PHP's filter_input() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server via the 'current_user_avatar' parameter in a two-stage attack which can make remote code execution possible. This only affects sites with the custom avatar setting…
PLUGIN
Wp User Manager
CVE-2025-13320
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-13440 - Premmerce Woocommerce Wishlist Plugin
The Premmerce Wishlist for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.10. This is due to a missing capability check on the deleteWishlist() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary wishlists.
PLUGIN
Premmerce Woocommerce Wishlist
CVE-2025-13440
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-13408 - Media Optimize Images Plugin
The Foxtool All-in-One: Contact chat button, Custom login, Media optimize images plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the foxtool_login_google() function. This makes it possible for unauthenticated attackers to establish an OAuth Connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Media Optimize Images
CVE-2025-13408
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-13366 - Rabbit Hole Plugin
The Rabbit Hole plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the plugin's reset functionality. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The vulnerability is exacerbated by the fact that the reset operation is performed via a GET request, making exploitation trivial via image tags…
PLUGIN
Rabbit Hole
CVE-2025-13366
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-13363 - Imaq Core Plugin
The IMAQ Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the URL structure settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's URL structure settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Imaq Core
CVE-2025-13363
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-12830 - Better Elementor Addons Plugin
The Better Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Slider widget in all versions up to, and including, 1.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Better Elementor Addons
CVE-2025-12830
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-12834 - Accept Stripe Payments Using Contact Form 7 Plugin
The Accept Stripe Payments Using Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'failure_message' parameter in versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Accept Stripe Payments Using Contact Form 7
CVE-2025-12834
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-13314 - Filter Plus Plugin
The Product Filtering by Categories, Tags, Price Range for WooCommerce – Filter Plus plugin for WordPress is vulnerable to unauthorized modification of data in all versions up to, and including, 1.1.5 due to a missing capability check on the 'filter_save_settings' and 'add_filter_options' AJAX actions. This makes it possible for unauthenticated attackers to modify the plugin's settings and create arbitrary filter options.
PLUGIN
Filter Plus
CVE-2025-13314
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-12883 - Campay Api Plugin
The Campay Woocommerce Payment Gateway plugin for WordPress is vulnerable to Unauthenticated Payment Bypass in all versions up to, and including, 1.2.2. This is due to the plugin not properly validating that a transaction has occurred through the payment gateway. This makes it possible for unauthenticated attackers to bypass payments and mark orders as successfully completed resulting in a loss of income.
PLUGIN
Campay Api
CVE-2025-12883
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-12783 - Premmerce Woocommerce Brands Plugin
The Premmerce Brands for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveBrandsSettings function in all versions up to, and including, 1.2.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify brand permalink settings.
PLUGIN
Premmerce Woocommerce Brands
CVE-2025-12783
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-12650 - Simple Post Listing Plugin
The Simple post listing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_name' parameter in the postlist shortcode in all versions up to, and including, 0.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via mouse interaction.
PLUGIN
Simple Post Listing
CVE-2025-12650
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-13839 - Ljusers Plugin
The LJUsers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the 'ljuser' shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ljusers
CVE-2025-13839
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-14293 - Wp Job Portal Plugin
The WP Job Portal plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.4.0 via the 'downloadCustomUploadedFile' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Wp Job Portal
CVE-2025-14293
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-9436 - Wp Reviews Plugin For Google
The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `trustindex` shortcode in all versions up to, and including, 13.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Reviews Plugin For Google
CVE-2025-9436
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-10163 - List Category Posts Plugin
The List category posts plugin for WordPress is vulnerable to time-based SQL Injection via the ‘starting_with’ parameter of the catlist shortcode in all versions up to, and including, 0.91.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
List Category Posts
CVE-2025-10163
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-11467 - Feedzy Rss Feeds Plugin
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 5.1.1 via the feedzy_lazy_load function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Feedzy Rss Feeds
CVE-2025-11467
Risk Score
Threat Entry
Updated 2025-12-12
CVE-2025-13677 - Simple Download Counter Plugin
The Simple Download Counter plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.2.2. This is due to insufficient path validation in the `simple_download_counter_parse_path()` function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which may contain sensitive information such as database credentials (wp-config.php) or system files. Please note that the vendor opted to continue to allow remote file downloads from arbitrary locations on the server, however, has disabled this functionality…
PLUGIN
Simple Download Counter
CVE-2025-13677
Risk Score
Threat Entry
Updated 2025-12-09
CVE-2025-13924 - For Woocommerce Plugin
The Advanced Product Fields (Product Addons) for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.17. This is due to missing or incorrect nonce validation on the 'maybe_duplicate' function. This makes it possible for unauthenticated attackers to duplicate and publish product field groups, including draft and pending field groups, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
For Woocommerce
CVE-2025-13924
Risk Score
Threat Entry
Updated 2026-01-20
CVE-2025-67559 - Online Booking Scheduling Calendar Plugin
Missing Authorization vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through
PLUGIN
Online Booking Scheduling Calendar
CVE-2025-67559
Risk Score