Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 | Critical: 923 | High: 3,047 | Medium: 10,866

Showing 3801-3820 of 15036 records
CVE-2025-9115 - Before 3 Plugin (threat entry updated 2025-09-22)

The Etsy Shop WordPress plugin before 3.0.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.

Plugin: Before 3 | Severity: MEDIUM | CVSS 5.6 | 2025-09-22

CVE-2025-9541 - Markup Markdown Plugin (threat entry updated 2025-09-22)

The Markup Markdown WordPress plugin before 3.20.10 allows links to contain JavaScript which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Plugin: Markup Markdown | Severity: MEDIUM | CVSS 4.7 | 2025-09-22

CVE-2025-9540 - Markup Markdown Plugin (threat entry updated 2025-09-22)

The Markup Markdown WordPress plugin before 3.20.10 allows links to contain JavaScript which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Plugin: Markup Markdown | Severity: MEDIUM | CVSS 4.7 | 2025-09-22

CVE-2025-9487 - Before 7 Plugin (threat entry updated 2025-09-22)

The Admin and Site Enhancements (ASE) WordPress plugin before 7.9.8 does not sanitise SVG files when uploaded via xmlrpc.php when such uploads are enabled, which could allow users to upload a malicious SVG containing XSS payloads.

Plugin: Before 7 | Severity: MEDIUM | CVSS 4.7 | 2025-09-22

CVE-2025-9883 - Browser Sniff Plugin (threat entry updated 2025-09-22)

The Browser Sniff plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Browser Sniff | Severity: MEDIUM | CVSS 6.1 | 2025-09-20

CVE-2025-9882 - Osticket Wp Bridge Plugin (threat entry updated 2025-09-22)

The osTicket WP Bridge plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Osticket Wp Bridge | Severity: MEDIUM | CVSS 6.1 | 2025-09-20

CVE-2025-9887 - Custom Login And Signup Widget Plugin (threat entry updated 2025-09-22)

The Custom Login And Signup Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation in the /frndzk_adminclsw.php file. This makes it possible for unauthenticated attackers to change the email and username settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Custom Login And Signup Widget | Severity: MEDIUM | CVSS 4.3 | 2025-09-20

CVE-2025-10658 - Customer Support Ticket System Plugin (threat entry updated 2025-09-22)

The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.3.7. This is due to missing rate limiting on the OTP verification for guest login. This makes it possible for unauthenticated attackers to bypass authentication and gain unauthorized access to customer support tickets by brute forcing the 6-digit OTP code.

Plugin: Customer Support Ticket System | Severity: MEDIUM | CVSS 6.5 | 2025-09-20

CVE-2025-10181 - Simple Draft List Plugin (threat entry updated 2025-09-22)

The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'drafts' shortcode in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Simple Draft List | Severity: MEDIUM | CVSS 6.4 | 2025-09-20

CVE-2025-10305 - Secure Passkeys Plugin (threat entry updated 2025-09-22)

The Secure Passkeys plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_passkey() and passkeys_list() functions in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and delete passkeys.

Plugin: Secure Passkeys | Severity: MEDIUM | CVSS 5.3 | 2025-09-20

CVE-2025-10489 - Conversational Forms And More Plugin (threat entry updated 2025-09-22)

The SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more plugin for WordPress is vulnerable to unauthorized creation of forms due to a missing capability check on the register_post_types() function in all versions up to, and including, 1.12.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to create forms when the user interface specifically prohibits it.

Plugin: Conversational Forms And More | Severity: MEDIUM | CVSS 4.3 | 2025-09-20

CVE-2025-9949 - Seo Automated Link Building Plugin (threat entry updated 2025-09-22)

The Internal Links Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on the link deletion functionality in the process_bulk_action() function. This makes it possible for unauthenticated attackers to delete SEO links via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Seo Automated Link Building | Severity: MEDIUM | CVSS 4.3 | 2025-09-20

CVE-2025-10002 - Link Pages Plugin (threat entry updated 2025-09-22)

The ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages plugin for WordPress is vulnerable to SQL Injection via the export_csv() function in all versions up to, and including, 2.5.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This may be…

Plugin: Link Pages | Severity: MEDIUM | CVSS 4.9 | 2025-09-20

CVE-2025-10652 - Robcore Netatmo Plugin (threat entry updated 2025-09-22)

The Robcore Netatmo plugin for WordPress is vulnerable to SQL Injection via the ‘module_id’ attribute of the robcore-netatmo shortcode in all versions up to, and including, 1.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Robcore Netatmo | Severity: MEDIUM | CVSS 6.5 | 2025-09-20

CVE-2025-7665 - Miniorange Firebase Sms Otp Verification Plugin (threat entry updated 2025-09-19)

The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the 'handle_mofirebase_form_options' function in versions 3.1.0 to 3.6.2. This makes it possible for unauthenticated attackers to update the default role to Administrator. Premium features must be enabled in order to exploit the vulnerability.

Plugin: Miniorange Firebase Sms Otp Verification | Severity: HIGH | CVSS 8.1 | 2025-09-19

CVE-2025-10647 - Embed Pdf Wpforms Plugin (threat entry updated 2025-09-19)

The Embed PDF for WPForms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_handler_download_pdf_media function in all versions up to, and including, 1.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Plugin: Embed Pdf Wpforms | Severity: HIGH | CVSS 8.8 | 2025-09-19

CVE-2025-5948 - Service Finder Bookings Plugin (threat entry updated 2025-09-19)

The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's identity prior to claiming a business when using the claim_business AJAX action. This makes it possible for unauthenticated attackers to login as any user including admins. Please note that subscriber privileges or brute-forcing are needed when completing the business takeover. The claim_id is needed to takeover the admin account, but brute-forcing is a practical approach to…

Plugin: Service Finder Bookings | Severity: CRITICAL | CVSS 9.8 | 2025-09-19

CVE-2025-5955 - Service Finder Sms System Plugin (threat entry updated 2025-09-19)

The Service Finder SMS System plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.0. This is due to the plugin not verifying a user's phone number before logging them in. This makes it possible for unauthenticated attackers to login as arbitrary users.

Plugin: Service Finder Sms System | Severity: HIGH | CVSS 8.1 | 2025-09-19

CVE-2025-10146 - Download Manager Plugin (threat entry updated 2025-09-19)

The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘user_ids’ parameter in all versions up to, and including, 3.3.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: Download Manager | Severity: MEDIUM | CVSS 6.1 | 2025-09-19

CVE-2025-8487 - Kubio Ai Page Builder Plugin (threat entry updated 2025-09-19)

The Kubio AI Page Builder plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the kubio-image-hub-install-plugin AJAX action in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the Image Hub plugin.

Plugin: Kubio Ai Page Builder | Severity: MEDIUM | CVSS 5.4 | 2025-09-19