Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-10-30
CVE-2025-9544 - Doppler Forms Plugin
The Doppler Forms WordPress plugin through 2.5.1 registers an AJAX action install_extension without verifying user capabilities or using a nonce. As a result, any authenticated user — including those with the Subscriber role — can install and activate additional Doppler Forms WordPress plugin through 2.5.1 (limited to those whitelisted by the main Doppler Forms WordPress plugin through 2.5.1).
PLUGIN
Doppler Forms
CVE-2025-9544
Risk Score
Threat Entry
Updated 2025-10-30
CVE-2025-11705 - Anti Malware Security And Brute Force Firewall Plugin
The Anti-Malware Security and Brute-Force Firewall plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 4.23.81 due to a missing capability check combined with an information exposure in several GOTMLS_* AJAX actions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Anti Malware Security And Brute Force Firewall
CVE-2025-11705
Risk Score
Threat Entry
Updated 2025-10-30
CVE-2025-4665 - Contact Form Cfdb7 Plugin
WordPress plugin Contact Form CFDB7 versions up to and including 1.3.2 are affected by a pre-authentication SQL injection vulnerability that cascades into insecure deserialization (PHP Object Injection). The weakness arises due to insufficient validation of user input in plugin endpoints, allowing crafted input to influence backend queries in unexpected ways. Using specially crafted payloads, this can escalate into unsafe deserialization, enabling arbitrary object injection in PHP. Although the issue is remotely exploitable without authentication, it does require a crafted interaction with the affected endpoint in order to trigger successfully.
PLUGIN
Contact Form Cfdb7
CVE-2025-4665
Risk Score
Threat Entry
Updated 2025-10-30
CVE-2025-11735 - Woocommerce Products Filter Plugin
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to blind SQL Injection via the `phrase` parameter in all versions up to, and including, 1.3.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Woocommerce Products Filter
CVE-2025-11735
Risk Score
Threat Entry
Updated 2025-12-05
CVE-2025-11154 - Before 2 Plugin
The IDonate WordPress plugin before 2.1.13 does not have authorisation and CSRF when deleting users via an action handler, allowing unauthenticated attackers to delete arbitrary users.
PLUGIN
Before 2
CVE-2025-11154
Risk Score
Threat Entry
Updated 2026-01-20
CVE-2025-62987 - WordPress Core
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Builderall Builderall Builder for WordPress builderall-cheetah-for-wp allows Stored XSS.This issue affects Builderall Builder for WordPress: from n/a through
CORE
WordPress Core
CVE-2025-62987
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-11897 - Website And Ecommerce Builder For Wordpress Theme
The The7 — Website and eCommerce Builder for WordPress theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ the7_fancy_title_css’ parameter in all versions up to, and including, 12.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
THEME
Website And Ecommerce Builder For Wordpress
CVE-2025-11897
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-9322 - Subscriptions Plugin
The Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions plugin for WordPress is vulnerable to SQL Injection via the 'wpfs-form-name' parameter in all versions up to, and including, 8.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Subscriptions
CVE-2025-9322
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-8416 - Woo Product Filter Plugin
The Product Filter by WBW plugin for WordPress is vulnerable to SQL Injection via the 'filtersDataBackend' parameter in all versions up to, and including, 2.9.7. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Woo Product Filter
CVE-2025-8416
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-4203 - Wpforo Forum Plugin
The wpForo Forum plugin for WordPress is vulnerable to error‐based or time-based SQL Injection via the get_members() function in all versions up to, and including, 2.4.8 due to missing integer validation on the 'offset' and 'row_count' parameters. The function blindly interpolates 'row_count' into a 'LIMIT offset,row_count' clause using esc_sql() rather than enforcing numeric values. MySQL 5.x’s grammar allows a 'PROCEDURE ANALYSE' clause immediately after a LIMIT clause. Unauthenticated attackers controlling 'row_count' can append a stored‐procedure call, enabling error‐based or time‐based blind SQL injection that can be used to extract sensitive…
PLUGIN
Wpforo Forum
CVE-2025-4203
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-8483 - Wordpress Forum Plugin
The The Discussion Board – WordPress Forum Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.5.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.
PLUGIN
Wordpress Forum
CVE-2025-8483
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-11893 - Charitable Plugin
The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to SQL Injection via the donation_ids parameter in all versions up to, and including, 1.8.8.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation of the vulnerability requires…
PLUGIN
Charitable
CVE-2025-11893
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-11875 - Spendeonline Plugin
The SpendeOnline.org plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spendeonline' shortcode in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Spendeonline
CVE-2025-11875
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-12034 - Fast Velocity Minify Plugin
The Fast Velocity Minify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Fast Velocity Minify
CVE-2025-12034
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-11976 - Changeset Plugin
The FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.23.0. This is due to missing or incorrect nonce validation on the save_changes function. This makes it possible for unauthenticated attackers to add or edit sync rules via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Changeset
CVE-2025-11976
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-11497 - Advanced Database Cleaner Plugin
The Advanced Database Cleaner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.6. This is due to missing or incorrect nonce validation on the aDBc_prepare_elements_to_clean() function. This makes it possible for unauthenticated attackers to alter the keep last setting via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Advanced Database Cleaner
CVE-2025-11497
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-11255 - Password Manager Plugin
The Password Policy Manager | Password Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'moppm_ajax' AJAX endpoint in all versions up to, and including, 2.0.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to log out the site's connection to miniorange.
PLUGIN
Password Manager
CVE-2025-11255
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-10580 - Block Control Plugin
The Widget Options – The #1 WordPress Widget & Block Control Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple functions in all versions up to, and including, 4.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Block Control
CVE-2025-10580
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-10637 - Insta Gallery Plugin
The Social Feed Gallery plugin for WordPress is vulnerable to Information Exposure in versions less than, or equal to, 4.9.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to exfiltrate Instagram profile and media data from any account the site owner connected to their site.
PLUGIN
Insta Gallery
CVE-2025-10637
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-10488 - Ai Powered Business Directory Plugin With Classified Ads Listings
The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to arbitrary file move due to insufficient file path validation in the add_listing_action AJAX action in all versions up to, and including, 8.4.8. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).
PLUGIN
Ai Powered Business Directory Plugin With Classified Ads Listings
CVE-2025-10488
Risk Score