Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-12-08
CVE-2025-12355 - Payaza Plugin
The Payaza plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_nopriv_update_order_status' AJAX endpoint in all versions up to, and including, 0.3.8. This makes it possible for unauthenticated attackers to update order statuses.
PLUGIN
Payaza
CVE-2025-12355
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-12186 - Weekly Planner Plugin
The Weekly Planner plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Weekly Planner
CVE-2025-12186
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-12373 - Smart Shipping And Delivery Portal For E Shops And Retailers Plugin
The Torod – The smart shipping and delivery portal for e-shops and retailers plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9. This is due to missing or incorrect nonce validation on the save_settings function. This makes it possible for unauthenticated attackers to modify plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Smart Shipping And Delivery Portal For E Shops And Retailers
CVE-2025-12373
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-12354 - Live Css Preview Plugin
The Live CSS Preview plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_frontend_save' AJAX endpoint in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's css setting.
PLUGIN
Live Css Preview
CVE-2025-12354
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-12093 - Voidek Employee Portal Plugin
The Voidek Employee Portal plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX actions in all versions up to, and including, 1.0.6. This makes it possible for unauthenticated attackers to perform several actions like registering an account, deleting users, and modifying details within the employee portal.
PLUGIN
Voidek Employee Portal
CVE-2025-12093
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-13860 - Easy Jump Links Menus Plugin
The Easy Jump Links Menus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `h_tags` parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Easy Jump Links Menus
CVE-2025-13860
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-13625 - Wp Sos Donate Plugin
The WP-SOS-Donate Donation Sidebar Plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.9.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Wp Sos Donate
CVE-2025-13625
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-13623 - Twitscription Plugin
The Twitscription plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the admin.php PATH_INFO in all versions up to, and including, 0.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Twitscription
CVE-2025-13623
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-13622 - Jabberbenachrichtigung Plugin
The Jabbernotification plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the admin.php PATH_INFO in all versions up to, and including, 0.99-RC2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Jabberbenachrichtigung
CVE-2025-13622
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-13621 - Dream Gallery Plugin
The dream gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'dreampluginsmain' AJAX action. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Dream Gallery
CVE-2025-13621
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-12368 - Sermon Manager For Wordpress Plugin
The Sermon Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `sermon-views` shortcode in all versions up to, and including, 2.30.0. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Sermon Manager For Wordpress
CVE-2025-12368
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-13512 - Cosign Sso Plugin
The CoSign Single Signon plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Cosign Sso
CVE-2025-13512
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-13528 - Feedback Modal For Website Plugin
The Feedback Modal for Website plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'handle_export' function in all versions up to, and including, 1.0.1. This makes it possible for unauthenticated attackers to export all feedback data in CSV or JSON format via the 'export_data' parameter.
PLUGIN
Feedback Modal For Website
CVE-2025-13528
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-13360 - Tw Image Hover Share Plugin
The Quantic Social Image Hover plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Tw Image Hover Share
CVE-2025-13360
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-13144 - Contentstudio Plugin
The ContentStudio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.7. This is due to missing or insufficient nonce validation on the add_cstu_settings function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Contentstudio
CVE-2025-13144
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-12370 - Monetize Link Plugin
The Takeads plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.13. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete the plugin's configuration options.
PLUGIN
Monetize Link
CVE-2025-12370
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-12163 - Omnipress Plugin
The Omnipress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Omnipress
CVE-2025-12163
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-12191 - Pdf Catalog For Woocommerce Plugin
The PDF Catalog for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pdfcatalog' AJAX action in all versions up to, and including, 1.1.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Pdf Catalog For Woocommerce
CVE-2025-12191
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-12190 - Image Optimizer Wpssk Plugin
The Image Optimizer by wps.sk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the imagopby_ajax_optimize_gallery() function. This makes it possible for unauthenticated attackers to trigger bulk optimization via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Image Optimizer Wpssk
CVE-2025-12190
Risk Score
Threat Entry
Updated 2025-12-17
CVE-2025-12189 - Bread And Butter Plugin
The Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.10.1321. This is due to missing or incorrect nonce validation on the uploadImage() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Bread And Butter
CVE-2025-12189
Risk Score