Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,032 | Critical: 923 | High: 3,046 | Medium: 10,863
Threat Entry Updated 2026-01-08

CVE-2025-13652 - Favorite Plugin

The CBX Bookmark & Favorite plugin for WordPress is vulnerable to generic SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 2.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Favorite | CVE-2025-13652 | MEDIUM | CVSS 6.5 | 2026-01-06

Threat Entry Updated 2026-01-08

CVE-2025-11723 - Simply Schedule Appointments Booking Plugin

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.5 via the hash() function due to use of a hardcoded fall-back salt. This makes it possible for unauthenticated attackers to generate a valid token across sites running the plugin that have not manually set a salt in the wp-config.php file and access booking information that will allow them to make modifications.

Plugin: Simply Schedule Appointments Booking | CVE-2025-11723 | MEDIUM | CVSS 6.5 | 2026-01-06

Threat Entry Updated 2026-01-08

CVE-2025-13746 - Discussion Board Plugin

The ForumWP – Forum & Discussion Board plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User's Display Name in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Discussion Board | CVE-2025-13746 | MEDIUM | CVSS 6.4 | 2026-01-06

Threat Entry Updated 2026-01-08

CVE-2025-13409 - Form Vibes Plugin

The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to SQL Injection via the 'params' parameter in all versions up to, and including, 1.4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Form Vibes | CVE-2025-13409 | MEDIUM | CVSS 4.9 | 2026-01-06

Threat Entry Updated 2026-01-08

CVE-2025-11370 - Post Slider Carousel Plugin

The Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'store' function of the RulesAjaxController class in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to update pop-up display settings.

Plugin: Post Slider Carousel | CVE-2025-11370 | MEDIUM | CVSS 5.3 | 2026-01-06

Threat Entry Updated 2026-01-12

CVE-2026-21675 - iccDEV Plugin

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a Use After Free vulnerability in the CIccXform::Create() function, where it deletes the hint. This issue is fixed in version 2.3.1.1.

Plugin: iccDEV | CVE-2026-21675 | CRITICAL | CVSS 9.8 | 2026-01-06

Threat Entry Updated 2026-01-12

CVE-2026-21673 - iccDEV Plugin

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have overflows and underflows in CIccXmlArrayType::ParseTextCountNum(). This vulnerability affects users of the iccDEV library who process ICC color profiles. This issue is fixed in version 2.3.1.1.

Plugin: iccDEV | CVE-2026-21673 | HIGH | CVSS 7.8 | 2026-01-06

Threat Entry Updated 2026-01-12

CVE-2026-21674 - iccDEV Plugin

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a memory leak vulnerability in its XML MPE Parsing Path (iccFromXml). This issue is fixed in version 2.3.1.1.

Plugin: iccDEV | CVE-2026-21674 | LOW | CVSS 3.3 | 2026-01-06

Threat Entry Updated 2026-01-08

CVE-2025-15364 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.40. This is due to the plugin not properly validating a user's identity prior to updating their details, such as their password. This makes it possible for unauthenticated attackers to change users' passwords (except those of administrators) and leverage that to gain access to their accounts.

Plugin: Download Manager | CVE-2025-15364 | HIGH | CVSS 7.3 | 2026-01-06

Threat Entry Updated 2026-01-12

CVE-2026-21507 - iccDEV Plugin

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have an infinite loop in the IccProfile.cpp function, CalcProfileID. This issue is fixed in version 2.3.1.1.

Plugin: iccDEV | CVE-2026-21507 | HIGH | CVSS 7.5 | 2026-01-06

Threat Entry Updated 2026-01-12

CVE-2026-21439 - Badkeys Plugin

badkeys is a tool and library for checking cryptographic public keys for known vulnerabilities. In versions 0.0.15 and below, an attacker may inject content with ASCII control characters like vertical tabs, ANSI escape sequences, etc., that can create misleading output of the badkeys command-line tool. This impacts scanning DKIM keys (both --dkim and --dkim-dns), SSH keys (--ssh-lines mode), and filenames in various modes. This issue is fixed in version 0.0.16.

Plugin: Badkeys | CVE-2026-21439 | LOW | CVSS 2.0 | 2026-01-06

Threat Entry Updated 2026-02-23

CVE-2026-0607 - Online Music Site Plugin

A flaw has been found in code-projects Online Music Site 1.0. This affects an unknown part of the file /Administrator/PHP/AdminViewSongs.php. Manipulation of the argument ID can lead to SQL injection. It is possible to launch the attack remotely. The exploit has been published and may be used.

Plugin: Online Music Site | CVE-2026-0607 | MEDIUM | CVSS 6.9 | 2026-01-06

Threat Entry Updated 2026-01-12

CVE-2026-0606 - Online Music Site Plugin

A vulnerability was detected in code-projects Online Music Site 1.0. Affected by this issue is some unknown functionality of the file /FrontEnd/Albums.php. Manipulation of the argument ID results in SQL injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.

Plugin: Online Music Site | CVE-2026-0606 | MEDIUM | CVSS 6.9 | 2026-01-05

Threat Entry Updated 2026-01-08

CVE-2026-0625 - DIR-600 Plugin

Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality. By directly requesting this endpoint, an attacker can modify the device’s DNS settings without valid credentials, enabling DNS hijacking (“DNSChanger”) attacks that redirect user traffic to attacker-controlled infrastructure. In 2019, D-Link reported that this behavior was leveraged by the "GhostDNS" malware ecosystem targeting consumer and carrier routers. All impacted products were subsequently designated end-of-life/end-of-service, and no longer receive security updates. Exploitation evidence was observed…

Plugin: DIR-600 | CVE-2026-0625 | CRITICAL | CVSS 9.3 | 2026-01-05

Threat Entry Updated 2026-01-30

CVE-2026-0621 - MCP TypeScript SDK Plugin

Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service.

Plugin: MCP TypeScript SDK | CVE-2026-0621 | HIGH | CVSS 8.7 | 2026-01-05

Threat Entry Updated 2026-02-23

CVE-2026-0605 - Online Music Site Plugin

A security vulnerability has been detected in code-projects Online Music Site 1.0. Affected by this vulnerability is an unknown functionality of the file /login.php. Manipulation of the argument username/password leads to SQL injection. The attack may be performed remotely. The exploit has been disclosed publicly and may be used.

Plugin: Online Music Site | CVE-2026-0605 | MEDIUM | CVSS 6.9 | 2026-01-05

Threat Entry Updated 2026-01-30

CVE-2026-21633 - UniFi Protect Application Plugin

A malicious actor with access to the adjacent network could obtain unauthorized access to a UniFi Protect Camera by exploiting a discovery protocol vulnerability in the UniFi Protect Application (Version 6.1.79 and earlier). Affected Products: UniFi Protect Application (Version 6.1.79 and earlier). Mitigation: Update your UniFi Protect Application to Version 6.2.72 or later.

Plugin: UniFi Protect Application | CVE-2026-21633 | HIGH | CVSS 8.8 | 2026-01-05

Threat Entry Updated 2026-01-30

CVE-2026-21634 - UniFi Protect Application Plugin

A malicious actor with access to the adjacent network could overflow the UniFi Protect Application (Version 6.1.79 and earlier) discovery protocol, causing it to restart. Affected Products: UniFi Protect Application (Version 6.1.79 and earlier). Mitigation: Update your UniFi Protect Application to Version 6.2.72 or later.

Plugin: UniFi Protect Application | CVE-2026-21634 | MEDIUM | CVSS 6.5 | 2026-01-05

Threat Entry Updated 2026-01-22

CVE-2026-0597 - Supplier Management System Plugin

A flaw has been found in Campcodes Supplier Management System 1.0. Affected by this issue is some unknown functionality of the file /retailer/edit_profile.php. Manipulation of the argument txtRetailerAddress causes SQL injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.

Plugin: Supplier Management System | CVE-2026-0597 | MEDIUM | CVSS 5.3 | 2026-01-05
