
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2025-12-23

CVE-2025-12398 - Product Table For Woocommerce Plugin

The Product Table for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search_key' parameter in all versions up to, and including, 5.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Product Table For Woocommerce

CVE-2025-12398

MEDIUM CVSS 6.1 2025-12-21
Threat Entry Updated 2026-01-22

CVE-2025-14071 - Free Wordpress Website Builder Plugin

The Live Composer – Free WordPress Website Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.0.2 via deserialization of untrusted input in the dslc_module_posts_output shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an…

PLUGIN Free Wordpress Website Builder

CVE-2025-14071

HIGH CVSS 7.5 2025-12-21
Threat Entry Updated 2025-12-23

CVE-2025-14080 - Frontend Post Submission Manager Lite Plugin

The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.5. This is due to missing authorization checks on the post update functionality in the fpsml_form_process AJAX action. This makes it possible for unauthenticated attackers to modify arbitrary posts by providing a post_id parameter via the guest posting form, allowing them to change post titles, content, excerpts, and remove post authors.

PLUGIN Frontend Post Submission Manager Lite

CVE-2025-14080

MEDIUM CVSS 5.3 2025-12-21
Threat Entry Updated 2025-12-23

CVE-2025-14043 - Tainacan Plugin

The Tainacan plugin for WordPress is vulnerable to unauthorized metadata section creation due to missing authorization checks in all versions up to, and including, 1.0.1. This is due to the `create_item_permissions_check()` function unconditionally returning true, which bypasses authentication and authorization validation. This makes it possible for unauthenticated attackers to create arbitrary metadata sections for any collection via the public REST API granted they can access the WordPress site.

PLUGIN Tainacan

CVE-2025-14043

MEDIUM CVSS 5.3 2025-12-21
Threat Entry Updated 2025-12-23

CVE-2025-14054 - Wc Builder Plugin

The WC Builder – WooCommerce Page Builder for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'heading_color' parameter (and multiple other styling parameters) of the `wpbforwpbakery_product_additional_information` shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wc Builder

CVE-2025-14054

MEDIUM CVSS 4.4 2025-12-21
Threat Entry Updated 2025-12-23

CVE-2025-12980 - Postx Plugin

The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the '/ultp/v2/get_dynamic_content/' REST API endpoint in all versions up to, and including, 5.0.3. This makes it possible for unauthenticated attackers to retrieve sensitive user metadata, including password hashes.

PLUGIN Postx

CVE-2025-12980

HIGH CVSS 7.5 2025-12-21
Threat Entry Updated 2025-12-23

CVE-2025-13838 - Wishsuite Plugin

The WishSuite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_text' parameter of the 'wishsuite_button' shortcode in all versions up to, and including, 1.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wishsuite

CVE-2025-13838

MEDIUM CVSS 6.4 2025-12-21
Threat Entry Updated 2025-12-23

CVE-2025-11496 - Wordpress Booking Plugin

The Five Star Restaurant Reservations – WordPress Booking Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rtb-name' parameter in all versions up to, and including, 2.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wordpress Booking

CVE-2025-11496

MEDIUM CVSS 6.1 2025-12-21
Threat Entry Updated 2025-12-23

CVE-2025-7782 - Wp Jobhunt Plugin

The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to unauthorized modification of data due to a missing capability check on the 'cs_update_application_status_callback' function in all versions up to, and including, 7.7. This makes it possible for authenticated attackers, with Candidate-level access and above, to inject cross-site scripting into the 'status' parameter of applied jobs for any user.

PLUGIN Wp Jobhunt

CVE-2025-7782

HIGH CVSS 7.6 2025-12-20
Threat Entry Updated 2025-12-23

CVE-2025-7733 - Wp Jobhunt Plugin

The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the 'cs_update_application_status_callback' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Candidate-level access and above, to send a site-generated email with injected HTML to any user.

PLUGIN Wp Jobhunt

CVE-2025-7733

MEDIUM CVSS 4.3 2025-12-20
Threat Entry Updated 2025-12-23

CVE-2025-14298 - Ajax Search For Woocommerce Plugin

The FiboSearch – Ajax Search for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `thegem_te_search` shortcode in all versions up to, and including, 1.32.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability requires TheGem theme (premium) to be installed with Header Builder mode enabled, and the FiboSearch "Replace search bars"…

PLUGIN Ajax Search For Woocommerce

CVE-2025-14298

MEDIUM CVSS 5.4 2025-12-20
Threat Entry Updated 2025-12-23

CVE-2025-12492 - Ultimate Member Plugin

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11.0 via the ajax_get_members function. This is due to the use of a predictable low-entropy token (5 hex characters derived from md5 of post ID) to identify member directories and insufficient authorization checks on the unauthenticated AJAX endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including usernames, display names, user roles (including administrator accounts), profile…

PLUGIN Ultimate Member

CVE-2025-12492

MEDIUM CVSS 5.3 2025-12-20
Threat Entry Updated 2025-12-23

CVE-2025-13619 - Flex Store Users Plugin

The Flex Store Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.0. This is due to the 'fsUserHandle::signup' and the 'fsSellerRole::add_role_seller' functions not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can be exploited with the 'fs_type' parameter if the Flex Store Seller plugin is also activated.

PLUGIN Flex Store Users

CVE-2025-13619

CRITICAL CVSS 9.8 2025-12-20
Threat Entry Updated 2025-12-23

CVE-2025-14721 - Responsive And Swipe Slider Plugin

The Responsive and Swipe slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's rsSlider shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Responsive And Swipe Slider

CVE-2025-14721

MEDIUM CVSS 5.5 2025-12-20
Threat Entry Updated 2025-12-23

CVE-2025-14734 - Afiliados De Amazon Lite Plugin

The Amazon affiliate lite Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the 'ADAL_settings_page' function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Afiliados De Amazon Lite

CVE-2025-14734

MEDIUM CVSS 5.4 2025-12-20
Threat Entry Updated 2025-12-23

CVE-2025-14633 - F70 Lead Document Download Plugin

The F70 Lead Document Download plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'file_download' function in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated attackers to download any file from the WordPress media library by guessing or enumerating WordPress attachment IDs.

PLUGIN F70 Lead Document Download

CVE-2025-14633

MEDIUM CVSS 5.3 2025-12-20
Threat Entry Updated 2025-12-23

CVE-2025-14735 - Afiliados De Amazon Lite Plugin

The "Amazon affiliate lite Plugin" plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Afiliados De Amazon Lite

CVE-2025-14735

MEDIUM CVSS 4.4 2025-12-20
Threat Entry Updated 2025-12-23

CVE-2025-13329 - File Uploader For Woocommerce Plugin

The File Uploader for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the callback function for the 'add-image-data' REST API endpoint in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to upload arbitrary files to the Uploadcare service and subsequently download them on the affected site's server which may make remote code execution possible.

PLUGIN File Uploader For Woocommerce

CVE-2025-13329

CRITICAL CVSS 9.8 2025-12-20
Threat Entry Updated 2025-12-23

CVE-2025-13624 - Overstock Affiliate Links Plugin

The Overstock Affiliate Links plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Overstock Affiliate Links

CVE-2025-13624

MEDIUM CVSS 6.1 2025-12-20