Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-10-14
CVE-2025-10732 - Drag And Drop Form Builder For Wordpress Plugin
The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.12.1. This is due to improper access control implementation on the '/wp-json/sureforms/v1/srfm-global-settings' REST API endpoint. This makes it possible for authenticated attackers, with contributor-level access and above, to retrieve sensitive information including API keys for Google reCAPTCHA, Cloudflare Turnstile, hCaptcha, admin email addresses, and security-related form settings.
PLUGIN
Drag And Drop Form Builder For Wordpress
CVE-2025-10732
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-10357 - Before 2 Plugin
The Simple SEO WordPress plugin before 2.0.32 does not sanitise and escape some parameters when outputing them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.
PLUGIN
Before 2
CVE-2025-10357
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-9698 - Plus Addons For Elementor Plugin
The Plus Addons for Elementor WordPress plugin before 6.3.16 does not sanitize SVG file contents, which could allow users with minimum role access as Author to perform Stored Cross-Site Scripting attacks.
PLUGIN
Plus Addons For Elementor
CVE-2025-9698
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-9975 - Wp Scraper Plugin
The WP Scraper plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.8.1 via the wp_scraper_extract_content function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. On Cloud instances, this issue allows for metadata retrieving.
PLUGIN
Wp Scraper
CVE-2025-9975
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-9950 - Error Log Viewer Plugin
The Error Log Viewer by BestWebSoft plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.6 via the rrrlgvwr_get_file function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Error Log Viewer
CVE-2025-9950
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-8593 - Gsheetconnector Gravity Forms Plugin
The GSheetConnector For Gravity Forms plugin for WordPress is vulnerable to authorization bypass in versions less than, or equal to, 1.3.27. This is due to a missing capability check on the 'install_plugin' function. This makes it possible for authenticated attackers, with subscriber-level access and above to install plugins on the target site and potentially achieve arbitrary code execution on the server under certain conditions.
PLUGIN
Gsheetconnector Gravity Forms
CVE-2025-8593
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-9947 - Custom 404 Pro Plugin
The Custom 404 Pro plugin for WordPress is vulnerable to time-based SQL Injection via the ‘path’ parameter in all versions up to, and including, 3.12.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Custom 404 Pro
CVE-2025-9947
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-9626 - Page Blocks Plugin
The Page Blocks plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the admin_process_widget_page_change function. This makes it possible for unauthenticated attackers to modify widget page block configurations via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Page Blocks
CVE-2025-9626
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-9621 - Widgetpack Comment System Plugin
The WidgetPack Comment System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.1. This is due to missing or incorrect nonce validation on the wpcmt_sync action in the wpcmt_request_handler function. This makes it possible for unauthenticated attackers to trigger comment synchronization events via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Widgetpack Comment System
CVE-2025-9621
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-8682 - Newsup Theme
The Newsup theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the newsup_admin_info_install_plugin() function in all versions up to, and including, 5.0.10. This makes it possible for unauthenticated attackers to install the ansar-import plugin.
THEME
Newsup
CVE-2025-8682
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-8606 - Gsheetconnector For Gravity Forms Plugin
The GSheetConnector For Gravity Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions less than, or equal to, 1.3.23. This is due to missing or incorrect nonce validation on the activate_plugin and deactivate_plugin functions. This makes it possible for attackers to trick authenticated administrators into activating or deactivating specified plugins via a forged request, such as clicking on a malicious link or visiting a compromised page.
PLUGIN
Gsheetconnector For Gravity Forms
CVE-2025-8606
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-6439 - Woocommerce Designer Pro Plugin
The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and including, 1.9.26. This makes it possible for unauthenticated attackers to delete all files in an arbitrary directory on the server, which can lead to remote code execution, data loss, or site unavailability.
PLUGIN
Woocommerce Designer Pro
CVE-2025-6439
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-7652 - Easy Plugin Stats
The Easy Plugin Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'eps' shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Easy Plugin Stats
CVE-2025-7652
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-8484 - Code Quality Control Tool Plugin
The Code Quality Control Tool plugin for WordPress is vulnerable to Sensitive Information Exposure in version 0.1 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files.
PLUGIN
Code Quality Control Tool
CVE-2025-8484
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-10190 - Wp Easy Toggles Plugin
The WP Easy Toggles plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'toggles' shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Easy Toggles
CVE-2025-10190
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-10376 - Course Redirects For Learndash Plugin
The Course Redirects for Learndash plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.4. This is due to missing nonce validation when processing form submissions on the settings page. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Course Redirects For Learndash
CVE-2025-10376
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-10375 - Web Accessibility By Accessibe Plugin
The Web Accessibility By accessiBe plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10. This is due to missing nonce validation on multiple AJAX actions including accessibe_signup, accessibe_login, accessibe_license_trial, accessibe_modify_config, and accessibe_add_verification_page. This makes it possible for unauthenticated attackers to modify plugin settings and create verification files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Web Accessibility By Accessibe
CVE-2025-10375
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-10175 - Wp Links Page Plugin
The WP Links Page plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 4.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Wp Links Page
CVE-2025-10175
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-10167 - Stock Snapshot For Woocommerce Plugin
The Stock History & Reports Manager for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'alg_wc_stock_snapshot_restocked shortcode in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Stock Snapshot For Woocommerce
CVE-2025-10167
Risk Score
Threat Entry
Updated 2025-10-14
CVE-2025-10129 - Wp Webcam Widget Shortcode Plugin
The WordPress Live Webcam Widget & Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'webcam' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Webcam Widget Shortcode
CVE-2025-10129
Risk Score