Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 15,025 records: Critical 923, High 3,045, Medium 10,857

Showing 2101-2120 of 15025 records
Threat Entry Updated 2026-01-14

CVE-2026-22195 - GestSup

GestSup versions prior to 3.2.60 contain a SQL injection vulnerability in the search bar. The search term is concatenated into SQL queries without sufficient neutralization, so an authenticated attacker can alter the structure of the query the application runs. Depending on the privileges of the database account, successful exploitation yields unauthorized read access to, or modification of, database contents.

PRODUCT GestSup

CVE-2026-22195

HIGH CVSS 7.7 2026-01-09
Threat Entry Updated 2026-01-22

CVE-2026-0803 - PHPGurukul Online Course Registration System

A SQL injection vulnerability was found in PHPGurukul Online Course Registration System up to and including version 3.1, in an unspecified code path of the file /enroll.php. The arguments studentregno, Pincode, session, department, level, course and sem are used in SQL queries without proper neutralization. The attack can be launched remotely, and a public exploit is available.

PRODUCT Online Course Registration System

CVE-2026-0803

MEDIUM CVSS 5.3 2026-01-09
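The two SQL injection entries above (GestSup search bar, PHPGurukul /enroll.php) describe the same defect shape: user input spliced into SQL text. The following is an added illustration, not either project's code: the two-table SQLite database, its rows and the search function are constructed to show that shape beside the parameterized fix. It needs PHP 8 with the pdo_sqlite extension and nothing else.

```php
<?php
// Added example for the GestSup and PHPGurukul SQL injection entries. NOT either
// project's code: the schema, rows and search function are constructed stand-ins.
// Requires PHP 8 with pdo_sqlite; no network, no files.

declare(strict_types=1);

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

function build_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tickets (title TEXT, body TEXT)');
    $db->exec('CREATE TABLE users (login TEXT, password_hash TEXT)');
    $db->exec("INSERT INTO tickets VALUES ('Printer offline', 'Floor 2'), ('VPN access', 'New starter')");
    $db->exec("INSERT INTO users VALUES ('admin', 'hash-admin'), ('alice', 'hash-alice')");
    return $db;
}

// Vulnerable shape: the search term becomes part of the SQL statement text.
function search_vulnerable(PDO $db, string $term): array
{
    $sql = "SELECT title, body FROM tickets WHERE title LIKE '%" . $term . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Hardened shape: the term is bound as a parameter, so it cannot change the
// statement's structure. LIKE wildcards typed by the user are escaped too, so a
// search for "100%" means that literal text rather than "everything".
function search_safe(PDO $db, string $term): array
{
    $stmt = $db->prepare("SELECT title, body FROM tickets WHERE title LIKE :pattern ESCAPE '\\'");
    $stmt->execute([':pattern' => '%' . addcslashes($term, '\\%_') . '%']);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

$db = build_demo_db();

// Ordinary search: both variants return the one matching ticket.
check(count(search_vulnerable($db, 'VPN')) === 1, 'vulnerable: normal search');
check(count(search_safe($db, 'VPN')) === 1, 'safe: normal search');

// Attack: close the quoted LIKE pattern, UNION in a second SELECT with the same
// column count, and comment out the rest. The "search results" are now the
// users table, i.e. the unauthorized read the descriptions warn about.
$payload = "%' UNION SELECT login, password_hash FROM users --";
$leaked  = search_vulnerable($db, $payload);
check(in_array(['admin', 'hash-admin'], $leaked, true), 'vulnerable: users table leaked');

// Bound as a parameter, the same payload is just an odd search string.
check(search_safe($db, $payload) === [], 'safe: payload inert');

echo "vulnerable search returned " . count($leaked) . " rows including user credentials; parameterized search returned 0\n";
```

The parameterized version removes the injection; it does not decide what a given user may see. The "depending on database privileges" clause in the GestSup entry is the other half: a database account limited to the rows and statements the feature needs bounds what any remaining injection can reach.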
Threat Entry Updated 2026-01-13

CVE-2026-22082 - Tenda 300Mbps Wireless Router F3 and N300 Easy Setup Router

The web-based administrative interface of Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) uses the login credentials themselves as the session identifier. A remote attacker positioned to observe the unencrypted HTTP traffic can capture the session ID, hijack the authenticated session and read or change the device's sensitive configuration. Because the session ID is the credential, capturing it also discloses the password.

PRODUCT 300Mbps Wireless Router F3 and N300 Easy Setup Router

CVE-2026-22082

HIGH CVSS 8.8 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2026-22081 - Tenda 300Mbps Wireless Router F3 and N300 Easy Setup Router

The session cookies set by the web-based administrative interface of Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) are missing the HttpOnly flag. A remote attacker could capture session cookies transmitted over an insecure HTTP connection and use them to obtain sensitive information and gain unauthorized access to the targeted device. Note that HttpOnly stops page scripts from reading a cookie; interception on the wire is prevented by transport encryption and the Secure flag, not by HttpOnly.

PRODUCT 300Mbps Wireless Router F3 and N300 Easy Setup Router

CVE-2026-22081

HIGH CVSS 8.8 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-14172 - Change Wp Page Permalinks Plugin

The WP Page Permalink Extension plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.4. This is due to missing authorization checks on the `cwpp_trigger_flush_rewrite_rules` function hooked to `wp_ajax_cwpp_trigger_flush_rewrite_rules`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to flush the site's rewrite rules via the `action` parameter.

PLUGIN Change Wp Page Permalinks

CVE-2025-14172

MEDIUM CVSS 6.5 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-13967 - Woodpecker For Wordpress Plugin

The Woodpecker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_name' parameter of the [woodpecker-connector] shortcode in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Woodpecker For Wordpress

CVE-2025-13967

MEDIUM CVSS 6.4 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-13908 - The Tooltip Plugin

The 'The Tooltip' plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'the_tooltip' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN The Tooltip

CVE-2025-13908

MEDIUM CVSS 6.4 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-13903 - Pullquote Plugin

The PullQuote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pullquote' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Pullquote

CVE-2025-13903

MEDIUM CVSS 6.4 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-13897 - Wp Client Testimonial Plugin

The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aft_testimonial_meta_name' custom field in the Client Information metabox in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected administrative page.

PLUGIN Wp Client Testimonial

CVE-2025-13897

MEDIUM CVSS 6.4 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-13862 - Menu Card Plugin

The Menu Card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `category` parameter in all versions up to, and including, 0.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Menu Card

CVE-2025-13862

MEDIUM CVSS 6.4 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-13854 - Curved Text Plugin

The Curved Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'radius' parameter of the arctext shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Curved Text

CVE-2025-13854

MEDIUM CVSS 6.4 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-13893 - Lesson Plan Book Plugin

The Lesson Plan Book plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Lesson Plan Book

CVE-2025-13893

MEDIUM CVSS 6.1 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-13892 - Mg Advancedoptions Plugin

The MG AdvancedOptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Mg Advancedoptions

CVE-2025-13892

MEDIUM CVSS 6.1 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-13852 - Debtcom Business In A Box Plugin

The Debt.com Business in a Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'configuration' parameter of the lead_form shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Debtcom Business In A Box

CVE-2025-13852

MEDIUM CVSS 6.4 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-13704 - Autogen Headers Menu Plugin

The Autogen Headers Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head_class' parameter of the 'autogen_menu' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Autogen Headers Menu

CVE-2025-13704

MEDIUM CVSS 6.4 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-13701 - Shabat Keeper Plugin

The Shabat Keeper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in all versions up to, and including, 0.4.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Shabat Keeper

CVE-2025-13701

MEDIUM CVSS 6.1 2026-01-09
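The three reflected-XSS-via-$_SERVER['PHP_SELF'] entries above (Lesson Plan Book, MG AdvancedOptions, Shabat Keeper) share one defect shape: PHP_SELF echoed into a form's action attribute. The example below is added here and is not any of those plugins' code; the settings form, the page slug and the attacker value are invented. It runs under plain `php` with PHP_SELF simulated rather than read from a server.

```php
<?php
// Added example for the PHP_SELF reflected XSS entries. Not the plugins' code:
// the form markup, page slug and attacker string are constructed. Requires PHP 8.

declare(strict_types=1);

// Why PHP_SELF is attacker-controlled: where the server accepts PATH_INFO (the
// default for Apache's PHP handler), a request for
//   /wp-admin/admin.php/EXTRA?page=demo-settings
// still executes admin.php, and PHP_SELF becomes "/wp-admin/admin.php/EXTRA".
// EXTRA is whatever the attacker put in the link the victim clicked.
// Constructed attacker value, shown URL-decoded as PHP receives it:
$php_self_from_attacker = '/wp-admin/admin.php/"><script>alert(document.domain)</script><a href="';

// Vulnerable shape.
function render_form_vulnerable(string $php_self): string
{
    return '<form method="post" action="' . $php_self . '"><input type="submit" value="Save"></form>';
}

// Hardened shape 1: still reflect, but escape for the attribute context
// (esc_url() or esc_attr() in WordPress; htmlspecialchars is the plain-PHP
// equivalent used here).
function render_form_escaped(string $php_self): string
{
    $action = htmlspecialchars($php_self, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $action . '"><input type="submit" value="Save"></form>';
}

// Hardened shape 2 (preferred): do not use PHP_SELF at all. Build the URL from
// a known base, which in WordPress is admin_url('admin.php?page=demo-settings')
// or menu_page_url(); a fixed string stands in for it here. Omitting the action
// attribute altogether is also fine: the browser posts to the current URL
// without the plugin reflecting anything into the page.
function render_form_known_action(): string
{
    $action = htmlspecialchars('/wp-admin/admin.php?page=demo-settings', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $action . '"><input type="submit" value="Save"></form>';
}

$bad   = render_form_vulnerable($php_self_from_attacker);
$good1 = render_form_escaped($php_self_from_attacker);
$good2 = render_form_known_action();

if (!str_contains($bad, '<script>'))  { throw new RuntimeException('expected live script in vulnerable output'); }
if (str_contains($good1, '<script>')) { throw new RuntimeException('escaping failed'); }
if (str_contains($good2, 'alert'))    { throw new RuntimeException('unexpected reflection'); }

echo "vulnerable: $bad\nescaped:    $good1\nknown URL:  $good2\n";
```

Triage on a site you operate is a plain text search: `grep -rn "PHP_SELF" wp-content/plugins/` lists every plugin that reads the variable, and each hit is then checked for whether the value reaches HTML unescaped.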
Threat Entry Updated 2026-01-13

CVE-2025-13717 - Contact Form Vcard Generator Plugin

The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wp_gvccf_check_download_request' function in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to export sensitive Contact Form 7 submission data via the 'wp-gvc-cf-download-id' parameter, including names, phone numbers, email addresses, and messages.

PLUGIN Contact Form Vcard Generator

CVE-2025-13717

MEDIUM CVSS 5.3 2026-01-09
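The two missing-authorization entries above (the cwpp_trigger_flush_rewrite_rules AJAX action in WP Page Permalink Extension, the download handler in Contact Form vCard Generator) are the two common shapes of the defect in WordPress plugins: an admin-ajax action without a capability check, and a request handler on an early hook that serves data to anyone. The following is an added example and is not either plugin's code; the hook names, nonce actions, post type and meta keys (all prefixed demo_) are invented stand-ins. It is plugin code that runs inside WordPress, not a stand-alone script.

```php
<?php
// Added example for the two missing-authorization entries. NOT either plugin's
// code: every demo_ name below is an invented stand-in. Runs inside WordPress.

// Pattern 1: admin-ajax action. Registering under wp_ajax_ (rather than
// wp_ajax_nopriv_) only guarantees the caller is logged in; a Subscriber
// qualifies. Authorization is the capability check, and the nonce ties the
// request to a page the user actually loaded, which blocks CSRF.
add_action('wp_ajax_demo_flush_rewrite', 'demo_flush_rewrite');
function demo_flush_rewrite(): void
{
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);   // calls wp_die()
    }
    check_ajax_referer('demo_flush_rewrite');                  // dies with 403 on a bad or missing nonce
    flush_rewrite_rules();
    wp_send_json_success('rewrite rules flushed');
}

// Pattern 2: a handler hooked to init that serves data whenever a query
// parameter is present. init runs for every request, logged in or not, so the
// handler is reachable by unauthenticated users unless it checks for itself.
add_action('init', 'demo_handle_export_request');
function demo_handle_export_request(): void
{
    if (!isset($_GET['demo_export_id'])) {
        return;                                                  // not our request
    }
    $id = absint($_GET['demo_export_id']);

    // manage_options here; a purpose-specific capability the plugin grants works too.
    if (!current_user_can('manage_options')) {
        wp_die('forbidden', '', ['response' => 403]);
    }
    if (!wp_verify_nonce((string) ($_GET['_wpnonce'] ?? ''), 'demo_export_' . $id)) {
        wp_die('bad nonce', '', ['response' => 403]);
    }

    $post = get_post($id);
    if (!$post || $post->post_type !== 'demo_submission') {
        wp_die('not found', '', ['response' => 404]);
    }

    // Output the record as a vCard. Backslashes, semicolons, commas and
    // newlines are special in vCard text values and must be escaped.
    $vcard_escape = static fn(string $v): string =>
        str_replace(["\\", ";", ",", "\n"], ["\\\\", "\\;", "\\,", "\\n"], $v);

    nocache_headers();
    header('Content-Type: text/vcard; charset=utf-8');
    header('Content-Disposition: attachment; filename="submission-' . $id . '.vcf"');
    echo "BEGIN:VCARD\r\nVERSION:3.0\r\n"
        . 'FN:' . $vcard_escape((string) get_post_meta($id, 'demo_name', true)) . "\r\n"
        . 'EMAIL:' . $vcard_escape((string) get_post_meta($id, 'demo_email', true)) . "\r\n"
        . "END:VCARD\r\n";
    exit;
}
```

The link that legitimately triggers the export is generated with `wp_nonce_url(admin_url('?demo_export_id=' . $id), 'demo_export_' . $id)`, so a plain `?demo_export_id=7` request from an unauthenticated visitor fails the capability check first and the nonce check second.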
Threat Entry Updated 2026-01-13

CVE-2025-11453 - Header And Footer Scripts Plugin

The Header and Footer Scripts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _inpost_head_script parameter in all versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Header And Footer Scripts

CVE-2025-11453

MEDIUM CVSS 6.4 2026-01-09
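Most stored-XSS entries on this page are one defect: a shortcode attribute or custom field rendered without context-appropriate escaping (Woodpecker 'form_name', The Tooltip, PullQuote, Curved Text 'radius', Debt.com 'configuration', Autogen Headers Menu 'head_class', the Menu Card 'category' parameter, the Client Testimonial Slider metabox field). The example below is added for that group and is not any of those plugins' code: the [demo_tooltip] handler, its attribute names and the attacker input are invented. esc_attr(), esc_html() and shortcode_atts() are polyfilled with htmlspecialchars, an approximation of what the WordPress functions do, only so the file runs under plain `php`; inside WordPress the real functions are used.

```php
<?php
// Added example for the stored-XSS-via-shortcode-attribute entries. NOT any
// plugin's code: handler, attribute names and attacker input are constructed.
// Polyfills below exist only so the file runs outside WordPress. Requires PHP 8.

declare(strict_types=1);

if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts): array { return array_merge($pairs, array_intersect_key($atts, $pairs)); }
}

// Vulnerable shape: attribute values go straight into the markup. A Contributor
// cannot publish <script> in post content (no unfiltered_html capability; KSES
// strips it), but a shortcode that echoes its attributes raw hands them exactly
// that: the attribute is saved with the post and rendered for every visitor.
function demo_tooltip_vulnerable(array $atts): string
{
    $a = shortcode_atts(['text' => '', 'class' => 'tip', 'width' => '120'], $atts);
    return '<span class="' . $a['class'] . '" style="width:' . $a['width'] . 'px" title="' . $a['text'] . '">'
         . $a['text'] . '</span>';
}

// Hardened shape: escape for the exact output context, and cast values that
// must be numbers (a radius, a width) so they cannot carry markup at all.
function demo_tooltip_safe(array $atts): string
{
    $a = shortcode_atts(['text' => '', 'class' => 'tip', 'width' => '120'], $atts);
    $width = (int) $a['width'];                         // absint() in WordPress
    return '<span class="' . esc_attr($a['class']) . '" style="width:' . $width . 'px" title="' . esc_attr($a['text']) . '">'
         . esc_html($a['text']) . '</span>';
}

// Constructed attacker input, as a Contributor could save it in a post:
// [demo_tooltip class='" onmouseover="alert(document.cookie)' width='1;background:url(//x)' text='<script>alert(1)</script>']
$attack = [
    'class' => '" onmouseover="alert(document.cookie)',
    'width' => '1;background:url(//x)',
    'text'  => '<script>alert(1)</script>',
];

$bad  = demo_tooltip_vulnerable($attack);
$good = demo_tooltip_safe($attack);

if (!str_contains($bad, 'onmouseover="alert') || !str_contains($bad, '<script>')) {
    throw new RuntimeException('expected live handler and script in vulnerable output');
}
if (str_contains($good, 'onmouseover="') || str_contains($good, '<script>') || str_contains($good, 'url(')) {
    throw new RuntimeException('escaping or casting failed');
}

echo "vulnerable: $bad\nhardened:   $good\n";
```

Sanitizing on save (sanitize_text_field) is worthwhile defence in depth, but escaping at output is the control that holds, because the stored value can arrive by paths other than the editor. The Header and Footer Scripts entry is the exception to this pattern: a plugin whose purpose is to emit raw script cannot escape its field without breaking the feature, so the control there is a capability gate, limiting who may set the field to users who already hold unfiltered_html.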
Threat Entry Updated 2026-01-13

CVE-2026-22080 - Tenda 300Mbps Wireless Router F3 and N300 Easy Setup Router

The web-based administrative interface of Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) transmits credentials that are merely Base64-encoded. Base64 is a reversible encoding, not encryption, so an attacker on the same network who intercepts the traffic can decode the credentials directly, obtain sensitive information and gain unauthorized access to the targeted device.

PRODUCT 300Mbps Wireless Router F3 and N300 Easy Setup Router

CVE-2026-22080

HIGH CVSS 8.7 2026-01-09
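The three Tenda entries on this page (CVE-2026-22080, CVE-2026-22081 and CVE-2026-22082) are all visible in a single captured login exchange: Base64 credentials in the request, a Set-Cookie without HttpOnly, and a session cookie whose value is the credential. The checker below is added here as an example; it is not Tenda's code, and the exchange it analyses is not a capture from a device. The path, field name and cookie name are constructed to match the descriptions. Replace the two strings with a real request and response from a proxy capture to run the same checks.

```php
<?php
// Added example for the three Tenda router entries. Not Tenda's code; the HTTP
// exchange below is CONSTRUCTED, not captured from a device. Requires PHP 8.

declare(strict_types=1);

$request = "POST /login HTTP/1.1\r\n"
    . "Host: 192.168.0.1\r\n"
    . "Content-Type: application/x-www-form-urlencoded\r\n"
    . "\r\n"
    . "auth=YWRtaW46cGFzc3dvcmQxMjM=";              // constructed: base64('admin:password123')

$response = "HTTP/1.1 200 OK\r\n"
    . "Set-Cookie: session=YWRtaW46cGFzc3dvcmQxMjM=; path=/\r\n"   // constructed: no HttpOnly, no Secure
    . "Content-Type: text/html\r\n"
    . "\r\n";

// Split a raw HTTP message into [start line, headers (lowercase name => values), body].
function split_message(string $raw): array
{
    [$head, $body] = array_pad(explode("\r\n\r\n", $raw, 2), 2, '');
    $lines = explode("\r\n", $head);
    $start = array_shift($lines);
    $headers = [];
    foreach ($lines as $line) {
        [$name, $value] = array_pad(explode(':', $line, 2), 2, '');
        $headers[strtolower(trim($name))][] = trim($value);
    }
    return [$start, $headers, $body];
}

// Every Base64 token in $text that strictly decodes to printable "user:secret"
// shaped data. Base64 is an encoding, not encryption: whoever sees the bytes
// has the password.
function recover_base64_credentials(string $text): array
{
    preg_match_all('#[A-Za-z0-9+/]{8,}={0,2}#', $text, $m);
    $found = [];
    foreach ($m[0] as $token) {
        $plain = base64_decode($token, true);
        if ($plain !== false && ctype_print($plain) && str_contains($plain, ':')) {
            $found[$token] = $plain;
        }
    }
    return $found;
}

// name => ['value' => ..., 'missing' => [flags absent]] for each Set-Cookie header.
function cookie_findings(array $setCookieHeaders): array
{
    $out = [];
    foreach ($setCookieHeaders as $raw) {
        $parts = array_map('trim', explode(';', $raw));
        [$name, $value] = array_pad(explode('=', array_shift($parts), 2), 2, '');
        $attrs = array_map('strtolower', $parts);
        $missing = [];
        foreach (['httponly' => 'HttpOnly', 'secure' => 'Secure'] as $attr => $label) {
            if (!in_array($attr, $attrs, true)) {
                $missing[] = $label;
            }
        }
        $out[$name] = ['value' => $value, 'missing' => $missing];
    }
    return $out;
}

function analyze_login_exchange(string $request, string $response): array
{
    $findings = [];
    [, $reqHeaders, $reqBody] = split_message($request);
    [, $respHeaders]          = split_message($response);

    // Only the body and Authorization header are scanned; that is where credentials live.
    $scan  = $reqBody . "\n" . implode("\n", $reqHeaders['authorization'] ?? []);
    $creds = recover_base64_credentials($scan);
    foreach ($creds as $token => $plain) {
        $findings[] = "credentials sent Base64-encoded; decode to '$plain' (cf. CVE-2026-22080)";
    }

    foreach (cookie_findings($respHeaders['set-cookie'] ?? []) as $name => $cookie) {
        if ($cookie['missing'] !== []) {
            $findings[] = "cookie '$name' set without " . implode('/', $cookie['missing']) . " (cf. CVE-2026-22081)";
        }
        // Session ID that is (or decodes to) the credential: anyone who captures
        // the cookie holds both the session and the password.
        if (isset($creds[$cookie['value']]) || in_array($cookie['value'], $creds, true)) {
            $findings[] = "cookie '$name' is the login credential reused as session ID (cf. CVE-2026-22082)";
        }
    }
    return $findings;
}

$findings = analyze_login_exchange($request, $response);
if (count($findings) !== 3) {
    throw new RuntimeException('expected three findings on the constructed exchange, got ' . count($findings));
}
foreach ($findings as $f) {
    echo "- $f\n";
}
```

On a real capture the Base64 scan is a heuristic: it reports any token that decodes to printable text containing a colon, so confirm a hit by logging in with the decoded pair. The cookie-flag check is exact. Both checks assume the exchange was observed on plain HTTP; a device that only serves its admin interface over TLS would still have the same weaknesses, but the attacker described in the entries (a passive observer on the network) could not exploit them.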