Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-11-18
CVE-2025-12404 - Like It Plugin
The Like-it plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the likeit_conf() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Like It
CVE-2025-12404
Risk Score
Threat Entry
Updated 2025-11-18
CVE-2025-11620 - Multiple Roles Per User Plugin
The Multiple Roles per User plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mrpu_add_multiple_roles_ui' and 'mrpu_save_multiple_user_roles' functions in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, granted the 'edit_users' capability, to edit any user's role, including promoting users to Administrator and demoting Administrators to lower-privileged roles.
PLUGIN
Multiple Roles Per User
CVE-2025-11620
Risk Score
Threat Entry
Updated 2025-11-18
CVE-2025-11868 - Everviz Plugin
The everviz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `everviz` shortcode attributes in versions up to, and including, 1.1. This is due to the plugin not properly sanitizing user input or escaping output when building a `` from the `type` and `hash` attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Everviz
CVE-2025-11868
Risk Score
Threat Entry
Updated 2025-11-18
CVE-2025-12078 - Artibot Plugin
The ArtiBot Free Chat Bot for WebSites plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Artibot
CVE-2025-12078
Risk Score
Threat Entry
Updated 2025-11-18
CVE-2025-12372 - Permalinks Cascade Plugin
The Permalinks Cascade plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action in the handleTPCAdminAjaxRequest function. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized administrative actions such as enabling or disabling automatic pinging settings and modifying page exclusion settings.
PLUGIN
Permalinks Cascade
CVE-2025-12372
Risk Score
Threat Entry
Updated 2025-11-18
CVE-2025-12173 - Wp Admin Microblog Plugin
The WP Admin Microblog plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.1. This is due to missing or incorrect nonce validation on the 'wp-admin-microblog' page. This makes it possible for unauthenticated attackers to send messages on behalf of an administrator via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Wp Admin Microblog
CVE-2025-12173
Risk Score
Threat Entry
Updated 2025-11-18
CVE-2025-11267 - Vk All In One Expansion Unit Plugin
The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_veu_custom_css' parameter in all versions up to, and including, 9.112.1. This is due to insufficient input sanitization and output escaping on the user-supplied Custom CSS value. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that execute whenever a user accesses an injected page.
PLUGIN
Vk All In One Expansion Unit
CVE-2025-11267
Risk Score
Threat Entry
Updated 2025-11-18
CVE-2025-11265 - Vk All In One Expansion Unit Plugin
The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vkExUnit_cta_url' and 'vkExUnit_cta_button_text' parameters in all versions up to, and including, 9.112.1. This is due to a logic error in the CTA save function that reads sanitization callbacks from the wrong variable ($custom_field_name instead of $custom_field_options), causing the sanitization to never be applied. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that execute when a user accesses an injected page.",
PLUGIN
Vk All In One Expansion Unit
CVE-2025-11265
Risk Score
Threat Entry
Updated 2025-11-18
CVE-2025-12524 - Post Type Switcher Plugin
The Post Type Switcher plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.0.0 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to modify the post type of arbitrary posts and pages they do not own, including those created by administrators, which can lead to site disruption, broken navigation, and SEO impact.
PLUGIN
Post Type Switcher
CVE-2025-12524
Risk Score
Threat Entry
Updated 2025-11-18
CVE-2025-12974 - Gravity Forms Plugin
The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the legacy chunked upload mechanism in all versions up to, and including, 2.9.21.1. This is due to the extension blacklist not including .phar files, which can be uploaded through the chunked upload mechanism. This makes it possible for unauthenticated attackers to upload executable .phar files and achieve remote code execution on the server, granted they can discover or enumerate the upload path. In order for an attacker to achieve RCE, the…
PLUGIN
Gravity Forms
CVE-2025-12974
Risk Score
Threat Entry
Updated 2025-11-18
CVE-2025-7711 - Classified Listing Plugin
The The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.0.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.
PLUGIN
Classified Listing
CVE-2025-7711
Risk Score
Threat Entry
Updated 2025-11-18
CVE-2025-9501 - W3 Total Cache Plugin
The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post.
PLUGIN
W3 Total Cache
CVE-2025-9501
Risk Score
Threat Entry
Updated 2025-11-18
CVE-2025-12482 - Amelia Plugin
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to SQL Injection via the ‘search’ parameter in all versions up to, and including, 1.2.35 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Amelia
CVE-2025-12482
Risk Score
Threat Entry
Updated 2025-11-18
CVE-2025-12849 - Contest Gallery Plugin
The Contest Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 28.0.2. This is due to the plugin registering the `cg_check_wp_admin_upload_v10` AJAX action for both authenticated and unauthenticated users without implementing capability checks or nonce verification. This makes it possible for unauthenticated attackers to inject arbitrary WordPress media attachments into galleries and manipulate gallery metadata via the `cg_check_wp_admin_upload_v10` action. It does not enable an attacker to move or upload files.
PLUGIN
Contest Gallery
CVE-2025-12849
Risk Score
Threat Entry
Updated 2025-11-18
CVE-2025-8994 - Wedevs Project Manager Plugin
The Project Management, Team Collaboration, Kanban Board, Gantt Charts, Task Manager and More – WP Project Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘completed_at_operator’ parameter in all versions up to, and including, 2.6.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Wedevs Project Manager
CVE-2025-8994
Risk Score
Threat Entry
Updated 2025-11-18
CVE-2025-12847 - All In One Seo Pack Plugin
The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized arbitrary media attachment deletion due to a missing authorization check in all versions up to, and including, 4.8.9. This is due to the REST API endpoint `/wp-json/aioseo/v1/ai/image-generator` only verifying that users have the `edit_posts` capability (Contributors and above) without checking if they own or have permission to delete the specific media attachments. This makes it possible for authenticated attackers, with Contributor-level access and above, to permanently delete…
PLUGIN
All In One Seo Pack
CVE-2025-12847
Risk Score
Threat Entry
Updated 2025-11-18
CVE-2025-12494 - Modula Best Grid Gallery Plugin
The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajax_import_file function in all versions up to, and including, 2.12.28. This makes it possible for authenticated attackers, with author-level access and above, to move arbitrary image files on the server.
PLUGIN
Modula Best Grid Gallery
CVE-2025-12494
Risk Score
Threat Entry
Updated 2025-11-18
CVE-2025-12182 - Qi Blocks Plugin
The Qi Blocks plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the `resize_image_callback()` function in all versions up to, and including, 1.4.3. This is due to the plugin not properly verifying that a user has permission to resize a specific attachment. This makes it possible for authenticated attackers, with Contributor-level access and above, to resize arbitrary media library images belonging to other users, which can result in unintended file writes, disk consumption, and server resource abuse through processing of large images.
PLUGIN
Qi Blocks
CVE-2025-12182
Risk Score
Threat Entry
Updated 2025-11-14
CVE-2025-11981 - Wpschoolpress Plugin
The School Management System – WPSchoolPress plugin for WordPress is vulnerable to SQL Injection via the 'SCodes' parameter in all versions up to, and including, 2.2.23 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Wpschoolpress
CVE-2025-11981
Risk Score
Threat Entry
Updated 2025-11-14
CVE-2025-10686 - Creta Testimonial Showcase Plugin
The Creta Testimonial Showcase WordPress plugin before 1.2.4 is vulnerable to Local File Inclusion. This makes it possible for authenticated attackers, with editor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files.
PLUGIN
Creta Testimonial Showcase
CVE-2025-10686
Risk Score