
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 | Critical: 923 | High: 3,047 | Medium: 10,866

Showing 3481-3500 of 15036 records
Threat Entry Updated 2025-10-27

CVE-2025-6440 - Woocommerce Designer Pro Plugin

The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and including, 1.9.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Woocommerce Designer Pro

CVE-2025-6440

CRITICAL CVSS 9.8 2025-10-24
Threat Entry Updated 2026-01-09

CVE-2025-10874 - Before 3 Plugin

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More WordPress plugin before 3.0.2 does not limit URLs which may be used for the stock photo import feature, allowing the user to specify arbitrary URLs. This leads to a server-side request forgery as the user may force the server to access any URL of their choosing.

PLUGIN Before 3

CVE-2025-10874

MEDIUM CVSS 5.5 2025-10-24
Threat Entry Updated 2026-01-09

CVE-2025-10723 - Before 11 Plugin

The PixelYourSite WordPress plugin before 11.1.2 does not validate some URL parameters before using them to generate paths passed to function/s, allowing any admins to perform LFI attacks.

PLUGIN Before 11

CVE-2025-10723

LOW CVSS 2.7 2025-10-24
Threat Entry Updated 2025-10-27

CVE-2025-7730 - Bold Page Builder Plugin

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘percentage’ parameter in all versions up to, and including, 5.4.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Bold Page Builder

CVE-2025-7730

MEDIUM CVSS 6.4 2025-10-23
Threat Entry Updated 2025-12-19

CVE-2025-8427 - Beaver Builder Plugin

The Beaver Builder Plugin (Starter Version) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘auto_play’ parameter in all versions up to, and including, 2.9.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Beaver Builder

CVE-2025-8427

MEDIUM CVSS 6.4 2025-10-23
Threat Entry Updated 2025-10-27

CVE-2025-11128 - Feedzy Rss Feeds Plugin

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.1.0 via the 'feedzy_sanitize_feeds' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query information from internal services.

PLUGIN Feedzy Rss Feeds

CVE-2025-11128

MEDIUM CVSS 5.0 2025-10-23
Threat Entry Updated 2025-10-27

CVE-2025-10705 - Ai Chatbot For Wordpress Plugin

The MxChat – AI Chatbot for WordPress plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.4.6. This is due to insufficient validation of user-supplied URLs in the PDF processing functionality. This makes it possible for unauthenticated attackers to make the WordPress server perform HTTP requests to arbitrary destinations via the mxchat_handle_chat_request AJAX action.

PLUGIN Ai Chatbot For Wordpress

CVE-2025-10705

MEDIUM CVSS 5.3 2025-10-23
Threat Entry Updated 2026-01-20

CVE-2025-62048 - WordPress Core

Missing Authorization vulnerability in WPMU DEV - Your All-in-One WordPress Platform SmartCrawl smartcrawl-seo. This issue affects SmartCrawl: from n/a through

CORE WordPress Core

CVE-2025-62048

MEDIUM CVSS 5.4 2025-10-22
Threat Entry Updated 2026-01-20

CVE-2025-53422 - WooCommerce Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeWarriors WhatsApp Chat for WordPress and WooCommerce tw-whatsapp-chat-rotator allows Reflected XSS. This issue affects WhatsApp Chat for WordPress and WooCommerce: from n/a through

PLUGIN WooCommerce

CVE-2025-53422

HIGH CVSS 7.1 2025-10-22
Threat Entry Updated 2026-01-20

CVE-2025-49960 - This Issue Affects Leadbi Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leadbi LeadBI Plugin for WordPress leadbi allows Stored XSS. This issue affects LeadBI Plugin for WordPress: from n/a through

PLUGIN This Issue Affects Leadbi

CVE-2025-49960

MEDIUM CVSS 6.5 2025-10-22
Threat Entry Updated 2026-01-20

CVE-2025-49953 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themeinity ShareBang, Ultimate Social Share Buttons for WordPress sharebang allows Reflected XSS. This issue affects ShareBang, Ultimate Social Share Buttons for WordPress: from n/a through

CORE WordPress Core

CVE-2025-49953

HIGH CVSS 7.1 2025-10-22
Threat Entry Updated 2025-10-22

CVE-2025-11086 - Wordpress Lms Plugin For Complete Elearning Solution

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3.7. This is due to the plugin not properly validating a user's role prior to registering a user via the Social Login addon. This makes it possible for unauthenticated attackers to update their role to Administrator when registering on the site.

PLUGIN Wordpress Lms Plugin For Complete Elearning Solution

CVE-2025-11086

HIGH CVSS 8.1 2025-10-22
Threat Entry Updated 2025-10-22

CVE-2025-6833 - Tracking Employee Time Has Never Been Easier Plugin

The All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0 via the 'aio_time_clock_lite_js' AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber access and above, to clock other users in and out.

PLUGIN Tracking Employee Time Has Never Been Easier

CVE-2025-6833

MEDIUM CVSS 4.3 2025-10-22
Threat Entry Updated 2025-10-22

CVE-2025-11883 - Responsive Progress Bar Plugin

The Responsive Progress Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's rprogress shortcode in versions less than, or equal to, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Responsive Progress Bar

CVE-2025-11883

MEDIUM CVSS 6.4 2025-10-22
Threat Entry Updated 2025-10-22

CVE-2025-11880 - Sm Countdown Widget Plugin

The SM CountDown Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's smcountdown shortcode in versions less than, or equal to, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Sm Countdown Widget

CVE-2025-11880

MEDIUM CVSS 6.4 2025-10-22
Threat Entry Updated 2025-10-22

CVE-2025-11878 - St Category Wp Plugin

The ST Categories Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's st-categories shortcode in versions less than, or equal to, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN St Category Wp

CVE-2025-11878

MEDIUM CVSS 6.4 2025-10-22
Threat Entry Updated 2025-10-22

CVE-2025-11872 - Material Design Iconic Font Integration Plugin

The Material Design Iconic Font Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mdiconic' shortcode in all versions up to, and including, 2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Material Design Iconic Font Integration

CVE-2025-11872

MEDIUM CVSS 6.4 2025-10-22
Threat Entry Updated 2025-10-22

CVE-2025-11870 - Simple Business Data Plugin

The Simple Business Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'simple_business_data' shortcode attributes in all versions up to, and including, 1.0.1. This is due to the plugin not properly sanitizing user input or escaping output when embedding the `type` attribute into the `class` attribute in rendered HTML. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Simple Business Data

CVE-2025-11870

MEDIUM CVSS 6.4 2025-10-22
Threat Entry Updated 2025-10-22

CVE-2025-11867 - Bg Book Publisher Plugin

The Bg Book Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `book_author` post meta, rendered through the `[book_author]` shortcode, in all versions up to, and including, 1.25. This is due to the plugin not properly escaping the meta value before output. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Bg Book Publisher

CVE-2025-11867

MEDIUM CVSS 6.4 2025-10-22