Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-11-06
CVE-2025-11749 - Ai Engine Plugin
The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the /mcp/v1/ REST API endpoint that exposes the 'Bearer Token' value when 'No-Auth URL' is enabled. This makes it possible for unauthenticated attackers to extract the bearer token, which can be used to gain access to a valid session and perform many actions like creating a new administrator account, leading to privilege escalation.
PLUGIN
Ai Engine
CVE-2025-11749
Risk Score
Threat Entry
Updated 2025-11-06
CVE-2025-10567 - Before 3 Plugin
The FunnelKit WordPress plugin before 3.12.0.1 does not sanitize user input before echoing it back in some of its checkout-related AJAX actions, allowing attackers to conduct reflected XSS attacks against logged-in users.
PLUGIN
Before 3
CVE-2025-10567
Risk Score
Threat Entry
Updated 2025-11-06
CVE-2025-11072 - Melabu Wp Download Counter Button Plugin
The MelAbu WP Download Counter Button WordPress plugin through 1.8.6.7 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/download arbitrary files.
PLUGIN
Melabu Wp Download Counter Button
CVE-2025-11072
Risk Score
Threat Entry
Updated 2025-11-06
CVE-2025-10873 - Elementinvader Addons For Elementor Plugin
The ElementInvader Addons for Elementor WordPress plugin before 1.4.1 allows unauthenticated user to send arbitrary e-mails to arbitrary addresses due to missing authorization on the elementinvader_addons_for_elementor_forms_send_form action.
PLUGIN
Elementinvader Addons For Elementor
CVE-2025-10873
Risk Score
Threat Entry
Updated 2025-11-06
CVE-2025-12197 - The Events Calendar Plugin
The The Events Calendar plugin for WordPress is vulnerable to blind SQL Injection via the 's' parameter in versions 6.15.1.1 to 6.15.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
The Events Calendar
CVE-2025-12197
Risk Score
Threat Entry
Updated 2025-11-06
CVE-2025-11162 - Ultimate Addons For Gutenberg Plugin
The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom CSS in all versions up to, and including, 2.19.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ultimate Addons For Gutenberg
CVE-2025-11162
Risk Score
Threat Entry
Updated 2025-11-06
CVE-2025-12580 - Sms For Wordpress Plugin
The SMS for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'paged' parameter in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Sms For Wordpress
CVE-2025-12580
Risk Score
Threat Entry
Updated 2025-11-06
CVE-2025-11835 - Content Restriction Plugin
The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability and validation check on the PMS_AJAX_Checkout_Handler::process_payment() function in all versions up to, and including, 2.16.4. This makes it possible for unauthenticated attackers to trigger stored auto-renew charges for arbitrary members.
PLUGIN
Content Restriction
CVE-2025-11835
Risk Score
Threat Entry
Updated 2025-11-06
CVE-2025-8871 - WordPress Core
The Everest Forms (Pro) plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input in the mime_content_type() function. This makes it possible for unauthenticated attackers to inject a PHP Object. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with a non-required signature form field along with an image upload field. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin…
CORE
WordPress Core
CVE-2025-8871
Risk Score
Threat Entry
Updated 2025-11-06
CVE-2025-12582 - Features Plugin
The Features plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'features_revert_option AJAX endpoint in all versions up to, and including, 0.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to revert options.
PLUGIN
Features
CVE-2025-12582
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-12184 - Meetinglist Plugin
The MeetingList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Meetinglist
CVE-2025-12184
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-12682 - Easy Upload Files During Checkout Plugin
The Easy Upload Files During Checkout plugin for WordPress is vulnerable to arbitrary JavaScript file uploads due to missing file type validation in the 'file_during_checkout' function in all versions up to, and including, 2.9.8. This makes it possible for unauthenticated attackers to upload arbitrary JavaScript files on the affected site's server which may make remote code execution possible.
PLUGIN
Easy Upload Files During Checkout
CVE-2025-12682
Risk Score
Threat Entry
Updated 2025-11-26
CVE-2025-12493 - Shoplentor Plugin
The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.2.5 via the 'load_template' function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded…
PLUGIN
Shoplentor
CVE-2025-12493
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-12045 - Themeisle Companion Plugin
The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the category and tag 'name' parameters in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Themeisle Companion
CVE-2025-12045
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-12456 - Centangle Team Plugin
The Centangle-Team plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to modify plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Additionally, due to insufficient input sanitization and output escaping on cai_name_color parameter, this issue allows to inject arbitrary web scripts in pages, that will execute whenever a…
PLUGIN
Centangle Team
CVE-2025-12456
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-12452 - Visit Counter Plugin
The Visit Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the widgets.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Visit Counter
CVE-2025-12452
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-12416 - Pagerank Tools Plugin
The Pagerank Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the pr_save_settings() function and insufficient input sanitization. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The injected scripts will execute whenever a user accesses the plugin's settings page.
PLUGIN
Pagerank Tools
CVE-2025-12416
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-12415 - Mapmap Plugin
The MapMap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the admin_shortcode_submit, admin_configuration_submit, and admin_shortcode_delete functions. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Mapmap
CVE-2025-12415
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-12412 - Top Bar Notification Plugin
The Top Bar Notification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12. This is due to missing or incorrect nonce validation on th tbn_ajax_add() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Top Bar Notification
CVE-2025-12412
Risk Score
Threat Entry
Updated 2025-11-04
CVE-2025-12413 - Wpcf7 Stop Words Plugin
The Social Media WPCF7 Stop Words plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.3. This is due to missing or incorrect nonce validation on the smWpCfSwOptions() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Wpcf7 Stop Words
CVE-2025-12413
Risk Score