
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Database totals: 15,034 entries (Critical 923, High 3,046, Medium 10,865). This page shows records 2781-2800 of 15,034.
CVE-2025-13840 - Bukazu Search Widget Plugin (entry updated 2025-12-12)

The BUKAZU Search widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'shortcode' parameter of the 'bukazu_search' shortcode in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Bukazu Search Widget | Severity: MEDIUM (CVSS 6.4) | 2025-12-12
CVE-2025-13747 - Newstatpress Plugin (entry updated 2025-12-12)

The NewStatPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a regex bypass in the nsp_shortcode function in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Newstatpress | Severity: MEDIUM (CVSS 6.4) | 2025-12-12
CVE-2025-13334 - Blaze Demo Importer Plugin (entry updated 2025-12-12)

The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized database resets and file deletion due to a missing capability check on the "blaze_demo_importer_install_demo" function in all versions up to, and including, 1.0.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the database by truncating all tables (except options, usermeta, and users), and to delete all sidebar widgets, theme modifications, and the contents of the uploads folder.

Plugin: Blaze Demo Importer | Severity: HIGH (CVSS 8.1) | 2025-12-12
CVE-2025-13320 - Wp User Manager Plugin (entry updated 2025-12-12)

The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs by PHP's filter_input() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server via the 'current_user_avatar' parameter in a two-stage attack which can make remote code execution possible. This only affects sites with the custom avatar setting…

Plugin: Wp User Manager | Severity: MEDIUM (CVSS 6.8) | 2025-12-12
CVE-2025-13440 - Premmerce Woocommerce Wishlist Plugin (entry updated 2025-12-12)

The Premmerce Wishlist for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.10. This is due to a missing capability check on the deleteWishlist() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary wishlists.

Plugin: Premmerce Woocommerce Wishlist | Severity: MEDIUM (CVSS 5.3) | 2025-12-12
CVE-2025-13408 - Media Optimize Images Plugin (entry updated 2025-12-12)

The Foxtool All-in-One: Contact chat button, Custom login, Media optimize images plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the foxtool_login_google() function. This makes it possible for unauthenticated attackers to establish an OAuth connection via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Media Optimize Images | Severity: MEDIUM (CVSS 4.3) | 2025-12-12
CVE-2025-13366 - Rabbit Hole Plugin (entry updated 2025-12-12)

The Rabbit Hole plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the plugin's reset functionality. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. The vulnerability is exacerbated by the fact that the reset operation is performed via a GET request, making exploitation trivial via image tags…

Plugin: Rabbit Hole | Severity: MEDIUM (CVSS 4.3) | 2025-12-12
CVE-2025-13363 - Imaq Core Plugin (entry updated 2025-12-12)

The IMAQ Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the URL structure settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's URL structure settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Imaq Core | Severity: MEDIUM (CVSS 4.3) | 2025-12-12
CVE-2025-12963 - Lazytasks Project Task Management Plugin (entry updated 2025-12-12)

The LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.29. This is due to the plugin not properly validating a user's identity via the 'wp-json/lazytasks/api/v1/user/role/edit/' REST API endpoint prior to updating their details, such as the email address. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including those of administrators, and leverage that to reset the user's password and gain access to their account. It is also…

Plugin: Lazytasks Project Task Management | Severity: CRITICAL (CVSS 9.8) | 2025-12-12
CVE-2025-12968 - Infility Global Plugin (entry updated 2025-12-12)

The Infility Global plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in all versions up to, and including, 2.14.23. This is due to the `upload_file` function in the `infility_import_file` class only validating the MIME type, which can be easily spoofed, and the `import_data` function missing capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.

Plugin: Infility Global | Severity: HIGH (CVSS 8.8) | 2025-12-12
CVE-2025-12830 - Better Elementor Addons Plugin (entry updated 2025-12-12)

The Better Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Slider widget in all versions up to, and including, 1.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Better Elementor Addons | Severity: MEDIUM (CVSS 6.4) | 2025-12-12
CVE-2025-12834 - Accept Stripe Payments Using Contact Form 7 Plugin (entry updated 2025-12-12)

The Accept Stripe Payments Using Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'failure_message' parameter in versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: Accept Stripe Payments Using Contact Form 7 | Severity: MEDIUM (CVSS 6.1) | 2025-12-12
CVE-2025-13314 - Filter Plus Plugin (entry updated 2025-12-12)

The Product Filtering by Categories, Tags, Price Range for WooCommerce – Filter Plus plugin for WordPress is vulnerable to unauthorized modification of data in all versions up to, and including, 1.1.5 due to a missing capability check on the 'filter_save_settings' and 'add_filter_options' AJAX actions. This makes it possible for unauthenticated attackers to modify the plugin's settings and create arbitrary filter options.

Plugin: Filter Plus | Severity: MEDIUM (CVSS 5.3) | 2025-12-12
CVE-2025-12883 - Campay Api Plugin (entry updated 2025-12-12)

The Campay Woocommerce Payment Gateway plugin for WordPress is vulnerable to Unauthenticated Payment Bypass in all versions up to, and including, 1.2.2. This is due to the plugin not properly validating that a transaction has occurred through the payment gateway. This makes it possible for unauthenticated attackers to bypass payments and mark orders as successfully completed, resulting in a loss of income.

Plugin: Campay Api | Severity: MEDIUM (CVSS 5.3) | 2025-12-12
CVE-2025-12824 - Player Leaderboard Plugin (entry updated 2025-12-12)

The Player Leaderboard plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.2 via the 'player_leaderboard' shortcode. This is due to the plugin using an unsanitized user-supplied value from the shortcode's 'mode' attribute in a call to include() without proper path validation. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain…

Plugin: Player Leaderboard | Severity: HIGH (CVSS 8.8) | 2025-12-12
CVE-2025-12783 - Premmerce Woocommerce Brands Plugin (entry updated 2025-12-12)

The Premmerce Brands for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveBrandsSettings function in all versions up to, and including, 1.2.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify brand permalink settings.

Plugin: Premmerce Woocommerce Brands | Severity: MEDIUM (CVSS 4.3) | 2025-12-12
CVE-2025-12650 - Simple Post Listing Plugin (entry updated 2025-12-12)

The Simple post listing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_name' parameter in the postlist shortcode in all versions up to, and including, 0.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via mouse interaction.

Plugin: Simple Post Listing | Severity: MEDIUM (CVSS 6.4) | 2025-12-12
CVE-2025-13886 - Lt Unleashed Plugin (entry updated 2025-12-12)

The LT Unleashed plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.1 via the 'template' parameter in the `book` shortcode due to insufficient path sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where files such as wp-config.php can be included.

Plugin: Lt Unleashed | Severity: HIGH (CVSS 7.5) | 2025-12-12
CVE-2025-13839 - Ljusers Plugin (entry updated 2025-12-12)

The LJUsers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the 'ljuser' shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Ljusers | Severity: MEDIUM (CVSS 6.4) | 2025-12-12
CVE-2025-14293 - Wp Job Portal Plugin (entry updated 2025-12-12)

The WP Job Portal plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.4.0 via the 'downloadCustomUploadedFile' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Plugin: Wp Job Portal | Severity: MEDIUM (CVSS 6.5) | 2025-12-11