Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-12-08
CVE-2025-12368 - Sermon Manager For Wordpress Plugin
The Sermon Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `sermon-views` shortcode in all versions up to, and including, 2.30.0. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Sermon Manager For Wordpress
CVE-2025-12368
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-13512 - Cosign Sso Plugin
The CoSign Single Signon plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Cosign Sso
CVE-2025-13512
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-13528 - Feedback Modal For Website Plugin
The Feedback Modal for Website plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'handle_export' function in all versions up to, and including, 1.0.1. This makes it possible for unauthenticated attackers to export all feedback data in CSV or JSON format via the 'export_data' parameter.
PLUGIN
Feedback Modal For Website
CVE-2025-13528
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-13360 - Tw Image Hover Share Plugin
The Quantic Social Image Hover plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Tw Image Hover Share
CVE-2025-13360
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-13144 - Contentstudio Plugin
The ContentStudio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.7. This is due to missing or insufficient nonce validation on the add_cstu_settings function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Contentstudio
CVE-2025-13144
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-12370 - Monetize Link Plugin
The Takeads plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.13. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete the plugin's configuration options.
PLUGIN
Monetize Link
CVE-2025-12370
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-12181 - Contentstudio Plugin
The ContentStudio plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the cstu_update_post() function in all versions up to, and including, 1.3.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Contentstudio
CVE-2025-12181
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-12163 - Omnipress Plugin
The Omnipress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Omnipress
CVE-2025-12163
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-12191 - Pdf Catalog For Woocommerce Plugin
The PDF Catalog for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pdfcatalog' AJAX action in all versions up to, and including, 1.1.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Pdf Catalog For Woocommerce
CVE-2025-12191
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-12190 - Image Optimizer Wpssk Plugin
The Image Optimizer by wps.sk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the imagopby_ajax_optimize_gallery() function. This makes it possible for unauthenticated attackers to trigger bulk optimization via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Image Optimizer Wpssk
CVE-2025-12190
Risk Score
Threat Entry
Updated 2025-12-17
CVE-2025-12189 - Bread And Butter Plugin
The Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.10.1321. This is due to missing or incorrect nonce validation on the uploadImage() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Bread And Butter
CVE-2025-12189
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-12165 - Webcake Plugin
The Webcake – Landing Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webcake_save_config' AJAX endpoint in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's settings.
PLUGIN
Webcake
CVE-2025-12165
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-12154 - Auto Thumbnailer Plugin
The Auto Thumbnailer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadThumb() function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Auto Thumbnailer
CVE-2025-12154
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-12153 - Featured Image Via Url Plugin
The Featured Image via URL plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Featured Image Via Url
CVE-2025-12153
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-12124 - Fitvids For Wordpress Plugin
The FitVids for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Fitvids For Wordpress
CVE-2025-12124
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-12133 - Eprolo Dropshipping Plugin
The EPROLO Dropshipping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data AJAX endpoints in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify and delete tracking data.
PLUGIN
Eprolo Dropshipping
CVE-2025-12133
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-12128 - Hide Categories Or Products On Shop Page Plugin
The Hide Categories Or Products On Shop Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7. This is due to missing or incorrect nonce validation on the save_data_hcps() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Hide Categories Or Products On Shop Page
CVE-2025-12128
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-10055 - Time Sheets Plugin
The Time Sheets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.3. This is due to missing or incorrect nonce validation on several endpoints. This makes it possible for unauthenticated attackers to perform a variety of actions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Time Sheets
CVE-2025-10055
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-13494 - Ssp Debugging Plugin
The SSP Debug plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0. This is due to the plugin storing PHP error logs in a predictable, web-accessible location (wp-content/uploads/ssp-debug/ssp-debug.log) without any access controls. This makes it possible for unauthenticated attackers to view sensitive debugging information including full URLs, client IP addresses, User-Agent strings, WordPress user IDs, and internal filesystem paths.
PLUGIN
Ssp Debugging
CVE-2025-13494
Risk Score
Threat Entry
Updated 2025-12-08
CVE-2025-13362 - Norby Ai Plugin
The Norby AI plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Norby Ai
CVE-2025-13362
Risk Score