Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-10-27
CVE-2025-12136 - Eprivacy Cookie Consent Plugin
The Real Cookie Banner: GDPR & ePrivacy Cookie Consent plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.2.4. This is due to insufficient validation on the user-supplied URL in the '/scanner/scan-without-login' REST API endpoint. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via the `url` parameter.
PLUGIN
Eprivacy Cookie Consent
CVE-2025-12136
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-12134 - Patterns Plugin
The ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_popup_status() function in all versions up to, and including, 2.3.11. This makes it possible for unauthenticated attackers to enable/disable popups.
PLUGIN
Patterns
CVE-2025-12134
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-12028 - Indieauth Plugin
The IndieAuth plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4. This is due to missing nonce verification on the `login_form_indieauth()` function and the authorization endpoint at wp-login.php?action=indieauth. This makes it possible for unauthenticated attackers to force authenticated users to approve OAuth authorization requests for attacker-controlled applications via a forged request granted they can trick a user into performing an action such as clicking on a link or visiting a malicious page while logged in. The attacker can then exchange the stolen…
PLUGIN
Indieauth
CVE-2025-12028
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-12096 - Simple Excel Pricelist For Woocommerce Plugin
The Simple Excel Pricelist for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pricelist' shortcode in all versions up to, and including, 1.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Simple Excel Pricelist For Woocommerce
CVE-2025-12096
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-12017 - Vnpay For Woocommerce Plugin
The VNPAY Payment gateway plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'message' parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Vnpay For Woocommerce
CVE-2025-12017
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-12072 - Disable Contect Editor For Specific Template Plugin
The Disable Content Editor For Specific Template plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0. This is due to missing nonce validation on template configuration updates. This makes it possible for unauthenticated attackers to add or delete template configurations via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
PLUGIN
Disable Contect Editor For Specific Template
CVE-2025-12072
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-11889 - All In One Forms Plugin
The AIO Forms – Craft Complex Forms Easily plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 1.3.15. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
All In One Forms
CVE-2025-11889
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-11992 - Multi Item Responsive Slider Plugin
The Multi Item Responsive Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'mioptions.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Multi Item Responsive Slider
CVE-2025-11992
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-12016 - Qnotsquiz Plugin
The qnotsquiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'qnotsquiz_custom_start_text' parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Qnotsquiz
CVE-2025-12016
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-12014 - Nginx Cache Optimizer Plugin
The NGINX Cache Optimizer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'nginxcacheoptimizer-blacklist-update' AJAX action in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add URLs to the Exclude URLs From Dynamic Caching setting.
PLUGIN
Nginx Cache Optimizer
CVE-2025-12014
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-11887 - Supervisor Plugin
The Supervisor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX functions in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update various plugin settings.
PLUGIN
Supervisor
CVE-2025-11887
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-11504 - Quickcreator Plugin
The Quickcreator – AI Blog Writer plugin for WordPress is vulnerable to Sensitive Information Exposure in versions 0.0.9 to 0.1.17 through the /wp-content/plugins/quickcreator/dupasrala.txt file. This makes it possible for unauthenticated attackers to view the plugin's API key and subsequently use that to perform actions on the site like creating new posts and injecting XSS payloads.
PLUGIN
Quickcreator
CVE-2025-11504
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-11257 - Llm Hubspot Blog Import Plugin
The LLM Hubspot Blog Import plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_save_blogs' AJAX endpoint in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger an import of all Hubspot data.
PLUGIN
Llm Hubspot Blog Import
CVE-2025-11257
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-11172 - Check Plagiarism Plugin
The Check Plagiarism plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the chk_plag_mine_plugin_wpse10500_admin_action() function in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the API key.
PLUGIN
Check Plagiarism
CVE-2025-11172
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-10902 - Originality Ai Plugin
The Originality.ai AI Checker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ai_scan_result_remove' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all data in the wp_originalityai_log database table, which can include post titles, scan scores, credits used, and other data.
PLUGIN
Originality Ai
CVE-2025-10902
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-10748 - Rapidresult Plugin
The RapidResult plugin for WordPress is vulnerable to SQL Injection via the 's' parameter in all versions up to, and including, 1.2. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level permissions and above to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Rapidresult
CVE-2025-10748
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-10701 - Time Clock Plugin
The Time Clock – A WordPress Employee & Volunteer Time Clock Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data' parameter in all versions up to, and including, 1.3.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with Time Clock user credentials to inject arbitrary web scripts in pages that will execute whenever a user accesses an affected page.
PLUGIN
Time Clock
CVE-2025-10701
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-10740 - Exact Links Plugin
The URL Shortener Plugin For WordPress plugin for WordPress is vulnerable to unauthorized access to functionality provided by the API due to a missing capability check on the verifyRequest function in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify links.
PLUGIN
Exact Links
CVE-2025-10740
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-10749 - Microsoft Azure Storage For Wordpress Plugin
The Microsoft Azure Storage for WordPress plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Deletion in all versions up to, and including, 4.5.1. This is due to missing capability checks on the 'azure-storage-media-replace' AJAX action. This makes it possible for authenticated attackers with subscriber-level access and above to delete arbitrary media files from the WordPress Media Library via the replace_attachment parameter granted they can access the nonce which is exposed to all authenticated users.
PLUGIN
Microsoft Azure Storage For Wordpress
CVE-2025-10749
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-10901 - Originality Ai Plugin
The Originality.ai AI Checker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ai_get_table' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read all data in the wp_originalityai_log database table, which can include post titles, scan scores, credits used, and other data.
PLUGIN
Originality Ai
CVE-2025-10901
Risk Score