Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 | Critical: 923 | High: 3,047 | Medium: 10,866
Showing 3441-3460 of 15036 records

CVE-2025-8666 - Testimonials Carousel Elementor Plugin (entry updated 2025-10-27)

The Testimonial Carousel For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions less than, or equal to, 11.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Testimonials Carousel Elementor | Severity: Medium | CVSS 6.4 | Date: 2025-10-25

CVE-2025-12095 - Simple Registration For Woocommerce Plugin (entry updated 2025-10-27)

The Simple Registration for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.8. This is due to missing nonce validation on the role requests admin page handler in the includes/display-role-admin.php file. This makes it possible for unauthenticated attackers to approve pending role requests and escalate user privileges via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Simple Registration For Woocommerce | Severity: High | CVSS 8.8 | Date: 2025-10-25

CVE-2025-8588 - Advanced Gutenberg Plugin (entry updated 2025-10-27)

The Gutenberg Blocks – PublishPress Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Marker Title' and 'Marker Description' parameters for the Maps block in versions up to, and including, 3.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Advanced Gutenberg | Severity: Medium | CVSS 6.4 | Date: 2025-10-25

CVE-2025-8413 - Listeo Theme (entry updated 2025-10-27)

The Listeo theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `soundcloud` shortcode in versions less than, or equal to, 2.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Theme: Listeo | Severity: Medium | CVSS 6.4 | Date: 2025-10-25

CVE-2025-6639 - Tutor Plugin (entry updated 2025-10-27)

The Tutor LMS Pro – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.3 due to missing validation on a user controlled key when viewing and editing assignments through the tutor_assignment_submit() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and edit assignment submissions of other students.

Plugin: Tutor | Severity: Medium | CVSS 5.4 | Date: 2025-10-25

CVE-2025-6680 - Tutor Lms Plugin (entry updated 2025-12-05)

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.8.3. This makes it possible for authenticated attackers, with tutor-level access and above, to view assignments for courses they don't teach which may contain sensitive information.

Plugin: Tutor Lms | Severity: Medium | CVSS 4.3 | Date: 2025-10-25

CVE-2025-11879 - Generateblocks Plugin (entry updated 2025-10-27)

The GenerateBlocks plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_option_rest' function in all versions up to, and including, 2.1.1. This makes it possible for authenticated attackers, with contributor level access and above, to read arbitrary WordPress options, including sensitive information such as SMTP credentials, API keys, and other data stored by other plugins.

Plugin: Generateblocks | Severity: Medium | CVSS 6.5 | Date: 2025-10-25

CVE-2025-11564 - Tutor Lms Plugin (entry updated 2025-12-05)

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check while verifying webhook signatures on the "verifyAndCreateOrderData" function in all versions up to, and including, 3.8.3. This makes it possible for unauthenticated attackers to bypass payment verification and mark orders as paid by submitting forged webhook requests with `payment_type` set to 'recurring'.

Plugin: Tutor Lms | Severity: Medium | CVSS 5.3 | Date: 2025-10-25

CVE-2025-11269 - Product Filter By Wbw Plugin (entry updated 2025-10-27)

The Product Filter by WBW plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'approveNotice' action in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to update the plugin's settings.

Plugin: Product Filter By Wbw | Severity: Medium | CVSS 5.3 | Date: 2025-10-25

CVE-2025-12005 - 360 Panorama And Free Virtual Tour Builder For Wordpress Plugin (entry updated 2025-10-27)

The WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress plugin for WordPress is vulnerable to unauthorized access of data in all versions up to, and including, 8.5.41. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor level access and above, to modify sensitive plugin options.

Plugin: 360 Panorama And Free Virtual Tour Builder For Wordpress | Severity: Medium | CVSS 4.3 | Date: 2025-10-25

CVE-2025-11888 - All In One Woocommerce Solution Plugin (entry updated 2025-10-27)

The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the post_deactive() function and post_activate() function in all versions up to, and including, 4.8.4. This makes it possible for authenticated attackers, with Editor-level access and above, to activate and deactivate licenses.

Plugin: All In One Woocommerce Solution | Severity: Low | CVSS 2.7 | Date: 2025-10-25

CVE-2025-11238 - Watu Quiz Plugin (entry updated 2025-10-27)

The Watu Quiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HTTP Referer header in versions less than, or equal to, 3.4.4 due to insufficient input sanitization and output escaping when the "Save source URL" option is enabled. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Watu Quiz | Severity: High | CVSS 7.2 | Date: 2025-10-25

CVE-2025-10737 - Open Source Genesis Framework Theme (entry updated 2025-10-27)

The Open Source Genesis Framework theme for WordPress is vulnerable to Stored Cross-Site Scripting via the theme's shortcodes in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Theme: Open Source Genesis Framework | Severity: Medium | CVSS 6.4 | Date: 2025-10-25

CVE-2025-11244 - Password Protected Plugin (entry updated 2025-10-27)

The Password Protected plugin for WordPress is vulnerable to authorization bypass via IP address spoofing in all versions up to, and including, 2.7.11. This is due to the plugin trusting client-controlled HTTP headers (such as X-Forwarded-For, HTTP_CLIENT_IP, and similar headers) to determine user IP addresses in the `pp_get_ip_address()` function when the "Use transients" feature is enabled. This makes it possible for attackers to bypass authorization by spoofing these headers with the IP address of a legitimately authenticated user, granted the "Use transients" option is enabled (non-default configuration) and the site…

Plugin: Password Protected | Severity: Low | CVSS 3.7 | Date: 2025-10-25

CVE-2025-10694 - And Polls In Seconds Plugin (entry updated 2025-10-27)

The User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `maybe_load_onboarding_wizard` function in all versions up to, and including, 1.8.0. This makes it possible for unauthenticated attackers to access the onboarding wizard page and view configuration information including the administrator email address.

Plugin: And Polls In Seconds | Severity: Medium | CVSS 5.3 | Date: 2025-10-25

CVE-2025-11823 - Shoplentor Plugin (entry updated 2025-11-26)

The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_exist_text' parameter in the 'wishsuite_button' shortcode in all versions up to, and including, 3.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Shoplentor | Severity: Medium | CVSS 6.4 | Date: 2025-10-25

CVE-2025-10579 - Restore Plugin (entry updated 2025-10-27)

The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'backwpup_working' AJAX action in all versions up to, and including, 5.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve a back-up's filename while a backup is running. This information has little value on its own, but could be used to aid in a brute force attack to retrieve back-up contents in limited environments (i.e. NGINX).

Plugin: Restore | Severity: Medium | CVSS 5.3 | Date: 2025-10-25

CVE-2025-11760 - Eroom Zoom Meetings Webinar Plugin (entry updated 2025-10-27)

The eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams plugin for WordPress is vulnerable to exposure of sensitive information in all versions up to, and including, 1.5.6. This is due to the plugin exposing Zoom SDK secret keys in client-side JavaScript within the meeting view template. This makes it possible for unauthenticated attackers to extract the sdk_secret value, which should remain server-side, compromising the security of the Zoom integration and allowing attackers to generate valid JWT signatures for unauthorized meeting access.

Plugin: Eroom Zoom Meetings Webinar | Severity: Medium | CVSS 5.3 | Date: 2025-10-25

CVE-2025-11576 - Virtual Assistant Plugin (entry updated 2025-10-27)

The AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.6.5. This is due to insufficient sanitization in the 'newcodebyte_chatbot_export_messages' function. This makes it possible for unauthenticated attackers to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

Plugin: Virtual Assistant | Severity: Medium | CVSS 4.3 | Date: 2025-10-24

CVE-2025-10861 - And Woocommerce Triggers Plugin (entry updated 2025-10-27)

The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.1.4. This is due to insufficient validation on the URLs supplied via the URL parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services, as well as conduct network reconnaissance. The vulnerability was partially patched in version 2.1.4.

Plugin: And Woocommerce Triggers | Severity: High | CVSS 7.5 | Date: 2025-10-24