Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 1961-1980 of 10857 records
Threat Entry Updated 2025-12-08

CVE-2025-12165 - Webcake Plugin

The Webcake – Landing Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webcake_save_config' AJAX endpoint in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's settings.

PLUGIN Webcake

CVE-2025-12165

MEDIUM CVSS 4.3 2025-12-05
Threat Entry Updated 2025-12-08

CVE-2025-12124 - Fitvids For Wordpress Plugin

The FitVids for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Fitvids For Wordpress

CVE-2025-12124

MEDIUM CVSS 4.4 2025-12-05
Threat Entry Updated 2025-12-08

CVE-2025-12133 - Eprolo Dropshipping Plugin

The EPROLO Dropshipping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data AJAX endpoints in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify and delete tracking data.

PLUGIN Eprolo Dropshipping

CVE-2025-12133

MEDIUM CVSS 4.3 2025-12-05
Threat Entry Updated 2025-12-08

CVE-2025-12128 - Hide Categories Or Products On Shop Page Plugin

The Hide Categories Or Products On Shop Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7. This is due to missing or incorrect nonce validation on the save_data_hcps() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Hide Categories Or Products On Shop Page

CVE-2025-12128

MEDIUM CVSS 4.3 2025-12-05
Threat Entry Updated 2025-12-08

CVE-2025-10055 - Time Sheets Plugin

The Time Sheets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.3. This is due to missing or incorrect nonce validation on several endpoints. This makes it possible for unauthenticated attackers to perform a variety of actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Time Sheets

CVE-2025-10055

MEDIUM CVSS 4.3 2025-12-05
Threat Entry Updated 2025-12-08

CVE-2025-13494 - Ssp Debugging Plugin

The SSP Debug plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0. This is due to the plugin storing PHP error logs in a predictable, web-accessible location (wp-content/uploads/ssp-debug/ssp-debug.log) without any access controls. This makes it possible for unauthenticated attackers to view sensitive debugging information including full URLs, client IP addresses, User-Agent strings, WordPress user IDs, and internal filesystem paths.

PLUGIN Ssp Debugging

CVE-2025-13494

MEDIUM CVSS 5.3 2025-12-05
Threat Entry Updated 2025-12-08

CVE-2025-13362 - Norby Ai Plugin

The Norby AI plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Norby Ai

CVE-2025-13362

MEDIUM CVSS 4.3 2025-12-05
Threat Entry Updated 2025-12-08

CVE-2025-13312 - Crm Memberships Plugin

The CRM Memberships plugin for WordPress is vulnerable to unauthorized membership tag creation due to a missing capability check on the 'ntzcrm_add_new_tag' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to create arbitrary membership tags and modify CRM configuration that should be restricted to administrators.

PLUGIN Crm Memberships

CVE-2025-13312

MEDIUM CVSS 5.3 2025-12-05
Threat Entry Updated 2025-12-08

CVE-2025-13006 - Surveyfunnel Lite Plugin

The SurveyFunnel – Survey Plugin for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via several unprotected /wp-json/surveyfunnel/v2/ REST API endpoints. This makes it possible for unauthenticated attackers to extract sensitive data from survey responses.

PLUGIN Surveyfunnel Lite

CVE-2025-13006

MEDIUM CVSS 5.3 2025-12-05
Threat Entry Updated 2025-12-08

CVE-2025-12417 - Surveyfunnel Lite Plugin

The SurveyFunnel – Survey Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'surveyfunnel_lite_survey' shortcode in all versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Surveyfunnel Lite

CVE-2025-12417

MEDIUM CVSS 6.4 2025-12-05
Threat Entry Updated 2025-12-08

CVE-2025-12804 - Booking Calendar Plugin

The Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bookingcalendar' shortcode in all versions up to, and including, 10.14.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Booking Calendar

CVE-2025-12804

MEDIUM CVSS 6.4 2025-12-05
Threat Entry Updated 2025-12-08

CVE-2025-11759 - Restore And Migrate Your Sites With Xcloner Plugin

The Backup, Restore and Migrate your sites with XCloner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.2. This is due to missing or incorrect nonce validation on the Xcloner_Remote_Storage:save() function. This makes it possible for unauthenticated attackers to add or modify an FTP backup configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows an attacker to set an attacker-controlled FTP site for backup storage and…

PLUGIN Restore And Migrate Your Sites With Xcloner

CVE-2025-11759

MEDIUM CVSS 4.3 2025-12-05
Threat Entry Updated 2025-12-04

CVE-2025-12826 - Custom Post Type Ui Plugin

The Custom Post Type UI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.18.0. This is due to the plugin not verifying that a user has the required capability to perform actions in the "cptui_process_post_type" function. This makes it possible for authenticated attackers, with subscriber level access and above, to add, edit, or delete custom post types in limited situations.

PLUGIN Custom Post Type Ui

CVE-2025-12826

MEDIUM CVSS 4.8 2025-12-04
Threat Entry Updated 2025-12-11

CVE-2025-12782 - Beaver Builder Plugin

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.9.4. This is due to the plugin not properly verifying a user's authorization in the disable() function. This makes it possible for authenticated attackers, with contributor level access and above, to disable the Beaver Builder layout on arbitrary posts and pages, causing content integrity issues and layout disruption on those pages.

PLUGIN Beaver Builder

CVE-2025-12782

MEDIUM CVSS 4.3 2025-12-04
Threat Entry Updated 2025-12-04

CVE-2025-13513 - Clik Stats Plugin

The Clik stats plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Clik Stats

CVE-2025-13513

MEDIUM CVSS 6.1 2025-12-04
Threat Entry Updated 2025-12-04

CVE-2025-11379 - Webp Express Plugin

The WebP Express plugin for WordPress is vulnerable to information exposure via config files in all versions up to, and including, 0.25.9. This is due to the plugin not properly randomizing the name of the config file to prevent direct access on NGINX. This makes it possible for unauthenticated attackers to extract configuration data.

PLUGIN Webp Express

CVE-2025-11379

MEDIUM CVSS 5.3 2025-12-04
Threat Entry Updated 2025-12-04

CVE-2025-13401 - Autoptimize Plugin

The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the LCP Image to preload metabox in all versions up to, and including, 3.1.13 due to insufficient input sanitization and output escaping on user-supplied image attributes in the "create_img_preload_tag" function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Autoptimize

CVE-2025-13401

MEDIUM CVSS 6.4 2025-12-03
Threat Entry Updated 2025-12-04

CVE-2025-13756 - Fluent Booking Plugin

The Fluent Booking plugin for WordPress is vulnerable to unauthorized calendar import and management due to a missing capability check on the "importCalendar" function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with subscriber level access and above, to import arbitrary calendars and manage them.

PLUGIN Fluent Booking

CVE-2025-13756

MEDIUM CVSS 4.3 2025-12-03
Threat Entry Updated 2025-12-05

CVE-2025-13359 - Taxopress Plugin

The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based SQL Injection via the "getTermsForAjax" function in all versions up to, and including, 3.40.1. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database granted they have metabox…

PLUGIN Taxopress

CVE-2025-13359

MEDIUM CVSS 6.5 2025-12-03
Threat Entry Updated 2025-12-05

CVE-2025-13354 - Taxopress Plugin

The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.40.1. This is due to the plugin not properly verifying that a user is authorized to perform an action in the "taxopress_merge_terms_batch" function. This makes it possible for authenticated attackers, with subscriber level access and above, to merge or delete arbitrary taxonomy terms.

PLUGIN Taxopress

CVE-2025-13354

MEDIUM CVSS 4.3 2025-12-03