
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 | Critical: 923 | High: 3,047 | Medium: 10,866
Showing 3121-3140 of 15036 records
Threat Entry Updated 2025-11-18

CVE-2025-12457 - Enable Svg Webp Ico Upload Plugin

The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Enable Svg Webp Ico Upload

CVE-2025-12457

MEDIUM CVSS 6.4 2025-11-18
Threat Entry Updated 2025-11-18

CVE-2025-12088 - Meta Display Block Plugin

The Meta Display Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Meta Display Block in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Meta Display Block

CVE-2025-12088

MEDIUM CVSS 6.4 2025-11-18
Threat Entry Updated 2025-11-18

CVE-2025-12392 - Triplea Cryptocurrency Payment Gateway For Woocommerce Plugin

The Cryptocurrency Payment Gateway for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_optin_optout' function in all versions up to, and including, 2.0.22. This makes it possible for unauthenticated attackers to opt in and out of tracking.

PLUGIN Triplea Cryptocurrency Payment Gateway For Woocommerce

CVE-2025-12392

MEDIUM CVSS 5.3 2025-11-18
Threat Entry Updated 2025-11-18

CVE-2025-12391 - Bp Restrict Plugin

The Restrictions for BuddyPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_optin_optout() function in all versions up to, and including, 1.5.2. This makes it possible for unauthenticated attackers to opt in and out of tracking.

PLUGIN Bp Restrict

CVE-2025-12391

MEDIUM CVSS 5.3 2025-11-18
Threat Entry Updated 2025-11-18

CVE-2025-12481 - Wp Duplicate Page Plugin

The WP Duplicate Page plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'saveSettings' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify plugin settings that control role capabilities, and subsequently exploit the misconfigured capabilities to duplicate and view password-protected posts containing sensitive information.

PLUGIN Wp Duplicate Page

CVE-2025-12481

MEDIUM CVSS 4.3 2025-11-18
Threat Entry Updated 2025-11-18

CVE-2025-12079 - Twitter Auto Publish Plugin

The WP Twitter Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.7.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Twitter Auto Publish

CVE-2025-12079

MEDIUM CVSS 6.1 2025-11-18
Threat Entry Updated 2025-11-18

CVE-2025-11734 - Monitor Internal And External Links Plugin

The Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization in all versions up to, and including, 1.2.5. This is due to the plugin registering a REST API endpoint that only checks for a broad capability (aioseo_blc_broken_links_page) that is granted to contributor level users, without verifying the user's permission to perform actions on the specific post being targeted. This makes it possible for authenticated attackers, with contributor level access and above, to trash arbitrary…

PLUGIN Monitor Internal And External Links

CVE-2025-11734

MEDIUM CVSS 5.4 2025-11-18
Threat Entry Updated 2025-11-18

CVE-2025-8609 - Rometheme For Elementor Plugin

The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Accordion Block's attributes in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Rometheme For Elementor

CVE-2025-8609

MEDIUM CVSS 6.4 2025-11-18
Threat Entry Updated 2025-11-18

CVE-2025-8605 - Gutenify Plugin

The Gutenify – Visual Site Builder Blocks & Site Templates. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block attributes in all versions up to, and including, 1.5.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Gutenify

CVE-2025-8605

MEDIUM CVSS 6.4 2025-11-18
Threat Entry Updated 2025-11-18

CVE-2025-9625 - Coil Web Monetization Plugin

The Coil Web Monetization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on the coil-get-css-selector parameter handling in the maybe_restrict_content function. This makes it possible for unauthenticated attackers to trigger CSS selector detection functionality via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Coil Web Monetization

CVE-2025-9625

MEDIUM CVSS 4.3 2025-11-18
Threat Entry Updated 2025-11-18

CVE-2025-13088 - Category And Product Woocommerce Tabs Plugin

The Category and Product Woocommerce Tabs plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0. This is due to insufficient input validation on the 'template' parameter in the categoryProductTab() function. This makes it possible for authenticated attackers, with contributor level access and above, to include and execute arbitrary .php files on the server.

PLUGIN Category And Product Woocommerce Tabs

CVE-2025-13088

HIGH CVSS 8.8 2025-11-18
Threat Entry Updated 2025-11-18

CVE-2025-12937 - Acf Flexible Layouts Manager Plugin

The ACF Flexible Layouts Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'acf_flm_update_template_with_pasted_layout' function in all versions up to, and including, 1.1.6. This makes it possible for unauthenticated attackers to update custom field values on individual posts and pages.

PLUGIN Acf Flexible Layouts Manager

CVE-2025-12937

MEDIUM CVSS 6.5 2025-11-18
Threat Entry Updated 2025-11-18

CVE-2025-12962 - Local Syndication Plugin

The Local Syndication plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5a via the `url` parameter in the `[syndicate_local]` shortcode. This is due to the use of `wp_remote_get()` instead of `wp_safe_remote_get()` which lacks protections against requests to internal/private IP addresses and localhost. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services, scan internal networks, and…

PLUGIN Local Syndication

CVE-2025-12962

MEDIUM CVSS 6.4 2025-11-18
Threat Entry Updated 2025-11-18

CVE-2025-12823 - Csv To Sorttable Plugin

The CSV to SortTable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csv' shortcode in all versions up to, and including, 4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Csv To Sorttable

CVE-2025-12823

MEDIUM CVSS 6.4 2025-11-18
Threat Entry Updated 2025-11-18

CVE-2025-12961 - Download Panel Plugin

The Download Panel plugin for WordPress is vulnerable to unauthorized settings modification due to a missing capability check on the 'wp_ajax_save_settings' AJAX action in all versions up to, and including, 1.3.3. This is due to the absence of any capability verification in the `dlpn_save_settings()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to arbitrarily modify plugin settings including display text, download links, button colors, and other visual customizations.

PLUGIN Download Panel

CVE-2025-12961

MEDIUM CVSS 4.3 2025-11-18
Threat Entry Updated 2025-11-18

CVE-2025-12827 - Top Friends Plugin

The Top Friends plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3. This is due to missing nonce validation on the top_friends_options_subpanel() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Top Friends

CVE-2025-12827

MEDIUM CVSS 4.3 2025-11-18
Threat Entry Updated 2025-11-18

CVE-2025-12775 - Wp Dropzone Plugin

The WP Dropzone plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 1.1.0 via the `ajax_upload_handle` function. This is due to the chunked upload functionality writing files directly to the uploads directory before any file type validation occurs. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Wp Dropzone

CVE-2025-12775

HIGH CVSS 8.8 2025-11-18
Threat Entry Updated 2025-11-18

CVE-2025-12528 - Pie Forms For Wp Plugin

The Pie Forms for WP plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.6 via the format_classic function. This is due to insufficient file type validation where the validate_classic method validates file extensions and sets error messages but does not prevent the file upload process from continuing. This makes it possible for unauthenticated attackers to upload files with dangerous extensions such as PHP, which makes remote code execution possible. In order to exploit this vulnerability, the attacker needs to guess the directory…

PLUGIN Pie Forms For Wp

CVE-2025-12528

HIGH CVSS 8.1 2025-11-18
Threat Entry Updated 2025-11-18

CVE-2025-12411 - Premmerce Woocommerce Wholesale Pricing Plugin

The Premmerce Wholesale Pricing for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'ID' parameter in versions up to, and including, 1.1.10. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber level access and above, to manipulate SQL queries that can be used to extract sensitive information from the database and modify price type display names in the database via the admin-post.php "premmerce_update_price_type" action, causing cosmetic…

PLUGIN Premmerce Woocommerce Wholesale Pricing

CVE-2025-12411

HIGH CVSS 7.1 2025-11-18
Threat Entry Updated 2025-11-18

CVE-2025-12406 - Project Honey Pot Spam Trap Plugin

The Project Honey Pot Spam Trap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the printAdminPage() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Project Honey Pot Spam Trap

CVE-2025-12406

MEDIUM CVSS 6.1 2025-11-18