
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,032
Critical: 923
High: 3,046
Medium: 10,863
Threat Entry Updated 2026-01-16

CVE-2026-21429 - Emlog Plugin

Emlog is an open source website building system. In version 2.5.23, the admin can set controls which make users unable to edit or delete their articles after publishing them. As of the time of publication, no known patched versions are available.

PLUGIN Emlog

CVE-2026-21429

MEDIUM CVSS 5.1 2026-01-02
Threat Entry Updated 2026-01-09

CVE-2026-0568 - Online Music Site Plugin

A flaw has been found in code-projects Online Music Site 1.0. The impacted element is an unknown function of the file /Frontend/ViewSongs.php. This manipulation of the argument ID causes SQL injection. It is possible to initiate the attack remotely. The exploit has been published and may be used.

PLUGIN Online Music Site

CVE-2026-0568

MEDIUM CVSS 6.9 2026-01-02
Threat Entry Updated 2026-01-20

CVE-2026-0567 - Content Management System Plugin

A vulnerability was detected in code-projects Content Management System 1.0. The affected element is an unknown function of the file /pages.php. The manipulation of the argument ID results in SQL injection. The attack may be performed remotely. The exploit is now public and may be used.

PLUGIN Content Management System

CVE-2026-0567

MEDIUM CVSS 6.9 2026-01-02
Threat Entry Updated 2026-01-20

CVE-2026-0566 - Content Management System Plugin

A security vulnerability has been detected in code-projects Content Management System 1.0. Impacted is an unknown function of the file /admin/edit_posts.php. The manipulation of the argument image leads to unrestricted upload. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used.

PLUGIN Content Management System

CVE-2026-0566

MEDIUM CVSS 5.1 2026-01-02
Threat Entry Updated 2026-02-23

CVE-2026-0565 - Content Management System Plugin

A weakness has been identified in code-projects Content Management System 1.0. This issue affects some unknown processing of the file /admin/delete.php. Manipulation of the argument del can lead to SQL injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.

PLUGIN Content Management System

CVE-2026-0565

MEDIUM CVSS 6.9 2026-01-02
Threat Entry Updated 2026-01-15

CVE-2026-0547 - Online Course Registration Plugin

A vulnerability was found in PHPGurukul Online Course Registration up to 3.1. This issue affects some unknown processing of the file /admin/edit-student-profile.php of the component Student Registration Page. The manipulation of the argument photo results in unrestricted upload. The attack may be launched remotely. The exploit has been made public and could be used.

PLUGIN Online Course Registration

CVE-2026-0547

MEDIUM CVSS 5.3 2026-01-02
Threat Entry Updated 2026-01-15

CVE-2026-0546 - Content Management System Plugin

A vulnerability was determined in code-projects Content Management System 1.0. This impacts an unknown function of the file search.php. This manipulation of the argument Value causes SQL injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be utilized.

PLUGIN Content Management System

CVE-2026-0546

MEDIUM CVSS 6.9 2026-01-02
Threat Entry Updated 2026-01-02

CVE-2025-12685 - WPBookit Plugin

The WPBookit WordPress plugin through 1.0.7 lacks a CSRF check when deleting customers. This could allow an unauthenticated attacker to delete any customer through a CSRF attack.

PLUGIN WPBookit

CVE-2025-12685

MEDIUM CVSS 6.5 2026-01-02
Threat Entry Updated 2026-01-02

CVE-2025-13456 - ShopBuilder Plugin

The ShopBuilder WordPress plugin before 3.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN ShopBuilder

CVE-2025-13456

MEDIUM CVSS 6.1 2026-01-02
Threat Entry Updated 2026-01-02

CVE-2025-13153 - Logo Slider Plugin

The Logo Slider WordPress plugin before 4.9.0 does not validate and escape some of its slider options before outputting them back in the dashboard, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Logo Slider

CVE-2025-13153

MEDIUM CVSS 6.1 2026-01-02
Threat Entry Updated 2026-01-09

CVE-2025-14072 - Ninja Forms Plugin

The Ninja Forms WordPress plugin before 3.13.3 allows unauthenticated attackers to generate valid access tokens via the REST API which can then be used to read form submissions.

PLUGIN Ninja Forms

CVE-2025-14072

MEDIUM CVSS 5.3 2026-01-02
Threat Entry Updated 2026-01-02

CVE-2025-14998 - Branda White Labeling Plugin

The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.24. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

PLUGIN Branda White Labeling

CVE-2025-14998

CRITICAL CVSS 9.8 2026-01-02
Threat Entry Updated 2026-01-02

CVE-2025-14047 - Wp User Frontend Plugin

The Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'Frontend_Form_Ajax::submit_post' function in all versions up to, and including, 4.2.4. This makes it possible for unauthenticated attackers to delete attachments.

PLUGIN Wp User Frontend

CVE-2025-14047

MEDIUM CVSS 5.3 2026-01-02
Threat Entry Updated 2026-01-06

CVE-2026-21428 - Cpp Httplib Plugin

cpp-httplib is a C++11 single-file header-only cross-platform HTTP/HTTPS library. Prior to version 0.30.0, the `write_headers` function does not check for CR and LF characters in user-supplied headers, allowing an untrusted header value to escape its header line. This vulnerability allows attackers to add extra headers, modify the request body unexpectedly, and trigger an SSRF attack. When combined with a server that supports HTTP/1.1 pipelining (Spring Boot, Python Twisted, etc.), this can be used for server-side request forgery (SSRF). Version 0.30.0 fixes this issue.

PLUGIN Cpp Httplib

CVE-2026-21428

HIGH CVSS 7.7 2026-01-01
Threat Entry Updated 2026-01-02

CVE-2026-21436 - Eopkg Plugin

eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by `--destdir`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by `--destdir`, but on a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.

PLUGIN Eopkg

CVE-2026-21436

MEDIUM CVSS 5.8 2026-01-01
Threat Entry Updated 2026-01-02

CVE-2026-21437 - Eopkg Plugin

eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could include files that are not tracked by `eopkg`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be shown by `lseopkg` and related tools. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.

PLUGIN Eopkg

CVE-2026-21437

LOW CVSS 2.0 2026-01-01
Threat Entry Updated 2026-01-02

CVE-2025-14627 - WP Import – Ultimate CSV XML Importer Plugin

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. While the initial URL is validated using `wp_http_validate_url()`, when a Bitly shortlink is detected, the `unshorten_bitly_url()` function follows redirects to the final destination URL without re-validating it. This makes it possible for authenticated attackers with Contributor-level access or higher to make the server perform…

PLUGIN WP Import – Ultimate CSV XML Importer

CVE-2025-14627

MEDIUM CVSS 6.4 2026-01-01
Threat Entry Updated 2026-01-02

CVE-2025-14428 - Mystickyelements Plugin

The All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs - My Sticky Elements plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'my_sticky_elements_bulks' function in all versions up to, and including, 2.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all contact form leads stored by the plugin.

PLUGIN Mystickyelements

CVE-2025-14428

MEDIUM CVSS 4.3 2026-01-01
Threat Entry Updated 2026-01-06

CVE-2026-0544 - School Management System Plugin

A security flaw has been discovered in itsourcecode School Management System 1.0. This affects an unknown part of the file /student/index.php. The manipulation of the argument ID results in SQL injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

PLUGIN School Management System

CVE-2026-0544

MEDIUM CVSS 6.9 2026-01-01
Threat Entry Updated 2026-01-05

CVE-2025-13820 - Comments Plugin

The Comments WordPress plugin before 7.6.40 does not properly validate a user's identity when using the disqus.com provider, allowing an attacker to log in as any user (when knowing their email address) when that user does not yet have an account on disqus.com.

PLUGIN Comments

CVE-2025-13820

MEDIUM CVSS 5.3 2026-01-01