Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 15,036; Critical 923; High 3,047; Medium 10,866

Showing 3841-3860 of 15036 records

Threat Entry Updated 2025-09-17

CVE-2025-8394 - Productive Style Plugin

The Productive Style plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's display_productive_breadcrumb shortcode in all versions up to, and including, 1.1.23 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Productive Style

MEDIUM CVSS 6.4 2025-09-17

Threat Entry Updated 2025-09-17

CVE-2025-9629 - Uss Upyun Plugin

The USS Upyun plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.0. This is due to missing or incorrect nonce validation on the uss_setting_page function when processing the uss_set form type. This makes it possible for unauthenticated attackers to modify critical Upyun cloud storage settings including bucket name, operator credentials, upload paths, and image processing parameters via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Uss Upyun

MEDIUM CVSS 4.3 2025-09-17

Threat Entry Updated 2025-09-17

CVE-2025-10143 - Catch Dark Mode Plugin

The Catch Dark Mode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0 via the 'catch_dark_mode' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

PLUGIN Catch Dark Mode

HIGH CVSS 7.5 2025-09-17

Threat Entry Updated 2025-09-17

CVE-2025-10050 - Developer Loggers For Simple History Plugin

The Developer Loggers for Simple History plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.5 via the enabled_loggers parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

PLUGIN Developer Loggers For Simple History

MEDIUM CVSS 6.6 2025-09-17

Threat Entry Updated 2025-09-16

CVE-2025-8446 - Blaze Demo Importer Plugin

The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized, limited plugin installation due to a missing capability check on the 'blaze_demo_importer_install_plugin' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate a limited number of specific plugins. The News Kit Elementor Addons plugin and a BlazeThemes theme must be installed and activated in order to exploit the vulnerability.

PLUGIN Blaze Demo Importer

MEDIUM CVSS 4.3 2025-09-16

Threat Entry Updated 2025-09-16

CVE-2025-9808 - The Events Calendar Plugin

The Events Calendar plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.15.2 via the REST endpoint. This makes it possible for unauthenticated attackers to extract information about password-protected vendors or venues.

PLUGIN The Events Calendar

MEDIUM CVSS 5.3 2025-09-16
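The entry above describes a custom REST endpoint that hands out data for posts whose password protection would otherwise hide it. The following is an added example, not code from The Events Calendar: a hypothetical venues route over the core post type, first written the way that leaks protected fields and then gated the way WordPress core's own /wp/v2 endpoints gate them. The route name restdemo/v1, the meta key restdemo_address and all restdemo_* function names are invented.

```php
<?php
/**
 * Plugin Name: REST Password-Protected Example (added illustration, not a real plugin)
 *
 * Hypothetical route GET /wp-json/restdemo/v1/venues/<id> over the core "post" type,
 * so it runs on any install. All restdemo_* names and the meta key are invented.
 */

// Vulnerable: post_password is never consulted. Anyone can fetch the address and body of a
// venue the editor deliberately password-protected, with no credentials at all.
function restdemo_get_venue_vulnerable( WP_REST_Request $req ) {
    $post = get_post( (int) $req['id'] );
    if ( ! $post || 'publish' !== $post->post_status ) {
        return new WP_Error( 'not_found', 'No such venue', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array(
        'id'      => $post->ID,
        'title'   => $post->post_title,
        'address' => get_post_meta( $post->ID, 'restdemo_address', true ),
        'content' => $post->post_content,
    ) );
}

// Same decision core makes for protected posts: release protected fields only to users
// who can edit the post, who hold the wp-postpass cookie set by the standard password
// form, or who pass the password explicitly. post_password is stored in clear text by
// core, so the explicit check is a constant-time string comparison.
function restdemo_can_see_protected( WP_Post $post, WP_REST_Request $req ) {
    if ( '' === $post->post_password ) {
        return true;
    }
    if ( current_user_can( 'edit_post', $post->ID ) ) {
        return true;
    }
    if ( ! post_password_required( $post ) ) {
        return true;
    }
    $supplied = (string) $req->get_param( 'password' );
    return '' !== $supplied && hash_equals( $post->post_password, $supplied );
}

// Hardened: public metadata (id, title, the fact that it is protected) is always returned,
// exactly as core does; the protected fields are added only after the check above passes.
function restdemo_get_venue_safe( WP_REST_Request $req ) {
    $post = get_post( (int) $req['id'] );
    if ( ! $post || 'publish' !== $post->post_status ) {
        return new WP_Error( 'not_found', 'No such venue', array( 'status' => 404 ) );
    }
    $out = array(
        'id'        => $post->ID,
        'title'     => $post->post_title,
        'protected' => '' !== $post->post_password,
    );
    if ( restdemo_can_see_protected( $post, $req ) ) {
        $out['address'] = get_post_meta( $post->ID, 'restdemo_address', true );
        $out['content'] = $post->post_content;
    }
    return rest_ensure_response( $out );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'restdemo/v1', '/venues/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true', // the route is public; the gate is per field
        'callback'            => 'restdemo_get_venue_safe',
    ) );
} );
```

A public permission_callback is correct for data that is public by default; the bug class here is that the field-level decision was missing, not that the route was open. Note that passing the password as a query parameter, which core also accepts, puts it into access logs, so the cookie path set by the normal password form is the better one for browsers.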

Threat Entry Updated 2025-09-15

CVE-2025-10176 - Hackrepair Plugin Archiver

The Hack Repair Guy's Plugin Archiver plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the prepare_items function in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Hackrepair Plugin Archiver

HIGH CVSS 7.2 2025-09-12

Threat Entry Updated 2025-09-15

CVE-2025-8575 - Lws Cleaner Plugin

The LWS Cleaner plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'lws_cl_delete_file' function in all versions up to, and including, 2.4.1.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Lws Cleaner

HIGH CVSS 7.2 2025-09-12
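The two arbitrary-file-deletion entries above (Plugin Archiver and LWS Cleaner) share one defect: a delete routine that builds a path from request input and never checks where that path ends up. The following is an added example, not code from either plugin: a hypothetical admin-only cache cleaner, vulnerable and then hardened with a realpath containment check. Both advisories already require an administrator, so the capability check is not the fix; the path check is. The nonce still matters because an unprotected admin action can be triggered cross-site. All fdeldemo_* names and the cache directory are invented.

```php
<?php
/**
 * Plugin Name: File Deletion Example (added illustration, not a real plugin)
 *
 * Hypothetical admin-only cleaner for wp-content/cache/fdeldemo/; all fdeldemo_* names
 * are invented. Assumes that directory exists.
 */

// Vulnerable: the file name comes from the request and is only checked for existence.
// (constructed) file=../../../wp-config.php removes the configuration; on the next request
// WordPress finds no config and offers the installer, which lets whoever gets there first
// point the site at a database they control and log in as administrator. That is the
// "can easily lead to remote code execution" chain the advisories refer to.
function fdeldemo_delete_vulnerable() {
    $file = WP_CONTENT_DIR . '/cache/fdeldemo/' . $_POST['file'];
    if ( file_exists( $file ) ) {
        unlink( $file );
    }
    wp_send_json_success();
}

// Hardened: resolve the candidate and require it to be a regular file under the cleaner's
// own directory. realpath() collapses ../ and follows symlinks, so a link planted inside
// the cache directory that points at wp-config.php resolves outside $base and is rejected.
function fdeldemo_safe_path( $requested ) {
    $base = realpath( WP_CONTENT_DIR . '/cache/fdeldemo' );
    if ( false === $base ) {
        return false;
    }
    // wp_normalize_path() turns backslashes into slashes so "..\" is not a bypass on Windows.
    $candidate = realpath( $base . '/' . wp_normalize_path( $requested ) );
    if ( false === $candidate
        || 0 !== strpos( $candidate, $base . DIRECTORY_SEPARATOR )
        || ! is_file( $candidate ) ) {
        return false;
    }
    return $candidate;
}

function fdeldemo_delete_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }
    check_ajax_referer( 'fdeldemo_delete', 'nonce' ); // dies on a missing or forged nonce
    $path = fdeldemo_safe_path( (string) wp_unslash( $_POST['file'] ?? '' ) );
    if ( false === $path ) {
        wp_send_json_error( 'path rejected', 400 );
    }
    wp_send_json_success( array( 'deleted' => $path, 'ok' => unlink( $path ) ) );
}
add_action( 'wp_ajax_fdeldemo_delete', 'fdeldemo_delete_safe' );
```

The prefix comparison is done on the resolved path with a trailing directory separator appended, so a sibling directory such as cache/fdeldemo-old cannot pass as "inside" the base. If the feature genuinely only deals with files it created itself, an even tighter design is to store the list of deletable names in an option and accept only an index into it.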

Threat Entry Updated 2026-02-13

CVE-2025-8280 - Contact Form 7 Captcha Plugin

The Contact Form 7 reCAPTCHA WordPress plugin through 1.2.0 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.

PLUGIN Contact Form 7 Captcha

MEDIUM CVSS 5.8 2025-09-12

Threat Entry Updated 2025-09-15

CVE-2025-3650 - Jquery Colorbox Plugin

The jQuery Colorbox WordPress plugin through 4.6.3 uses the colorbox library, which does not sanitize title attributes on links before using them, allowing users with at least the contributor role to conduct XSS attacks against administrators.

PLUGIN Jquery Colorbox

LOW CVSS 3.5 2025-09-12

Threat Entry Updated 2025-09-15

CVE-2025-9881 - Ultimate Blogroll Plugin

The Ultimate Blogroll plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Ultimate Blogroll

MEDIUM CVSS 6.1 2025-09-12

Threat Entry Updated 2025-09-15

CVE-2025-9880 - Side Slide Responsive Menu Plugin

The Side Slide Responsive Menu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Side Slide Responsive Menu

MEDIUM CVSS 6.1 2025-09-12
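The three Cross-Site Request Forgery entries on this page (USS Upyun, Ultimate Blogroll and Side Slide Responsive Menu) describe the same pattern: a settings handler that acts on any POST it receives, so a page on the attacker's site can submit the form on behalf of a logged-in administrator. The following is an added example, not code from any of those plugins: a hypothetical settings page with the Upyun-style fields, written first without nonce validation and then with it. The option name csrfdemo_settings and all csrfdemo_* function names are invented.

```php
<?php
/**
 * Plugin Name: Settings CSRF Example (added illustration, not a real plugin)
 *
 * Hypothetical option csrfdemo_settings with Upyun-style field names; all csrfdemo_*
 * names are invented. Drop into wp-content/plugins/ on a disposable install to try.
 */

// Vulnerable: any POST carrying form_type=set is honoured. An attacker hosts a page with
// (constructed) <form action="https://victim.example/wp-admin/options-general.php?page=csrfdemo"
// method="post"> <input name="form_type" value="set"> <input name="bucket" value="attacker-bucket"> ...
// and a script that submits it. The browser attaches the admin's session cookie, so the
// site's storage settings are replaced without the admin doing anything but loading a page.
function csrfdemo_settings_page_vulnerable() {
    if ( isset( $_POST['form_type'] ) && 'set' === $_POST['form_type'] ) {
        update_option( 'csrfdemo_settings', array(
            'bucket'   => $_POST['bucket'],
            'operator' => $_POST['operator'],
            'password' => $_POST['password'],
        ) );
        echo '<div class="updated"><p>Settings saved.</p></div>';
    }
    csrfdemo_render_form( false );
}

// Hardened: the nonce is a per-user, per-action value the attacker's page cannot read
// (same-origin policy), so a forged POST fails check_admin_referer() and the request dies.
// The capability check is a separate concern: nonces prove intent, not authorisation.
function csrfdemo_settings_page_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to change these settings.' );
    }
    if ( isset( $_POST['form_type'] ) && 'set' === $_POST['form_type'] ) {
        check_admin_referer( 'csrfdemo_save_settings', 'csrfdemo_nonce' );
        update_option( 'csrfdemo_settings', array(
            'bucket'   => sanitize_text_field( wp_unslash( $_POST['bucket'] ?? '' ) ),
            'operator' => sanitize_text_field( wp_unslash( $_POST['operator'] ?? '' ) ),
            // The secret is stored as submitted (minus the slashes WP adds) and never echoed back.
            'password' => (string) wp_unslash( $_POST['password'] ?? '' ),
        ) );
        echo '<div class="updated"><p>Settings saved.</p></div>';
    }
    csrfdemo_render_form( true );
}

function csrfdemo_render_form( $with_nonce ) {
    $opts = wp_parse_args( get_option( 'csrfdemo_settings', array() ), array( 'bucket' => '', 'operator' => '' ) );
    echo '<div class="wrap"><h1>Storage settings</h1><form method="post">';
    echo '<input type="hidden" name="form_type" value="set">';
    if ( $with_nonce ) {
        wp_nonce_field( 'csrfdemo_save_settings', 'csrfdemo_nonce' ); // hidden nonce + referer fields
    }
    echo '<p>Bucket <input name="bucket" value="' . esc_attr( $opts['bucket'] ) . '"></p>';
    echo '<p>Operator <input name="operator" value="' . esc_attr( $opts['operator'] ) . '"></p>';
    echo '<p>Password <input type="password" name="password" value="" autocomplete="new-password"></p>';
    submit_button( 'Save' );
    echo '</form></div>';
}

add_action( 'admin_menu', function () {
    // Point this at csrfdemo_settings_page_vulnerable to reproduce the forged-request case.
    add_options_page( 'CSRF Demo', 'CSRF Demo', 'manage_options', 'csrfdemo', 'csrfdemo_settings_page_safe' );
} );
```

When testing a fix of this kind, replay the saved request with the nonce field removed and with it altered; both must be rejected with the "link you followed has expired" page. A handler that checks the nonce only when the field is present, or checks it against the wrong action string, is the "incorrect nonce validation" the advisories mention and fails the first of those two tests.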

Threat Entry Updated 2025-09-15

CVE-2025-9879 - Spotify Embed Creator Plugin

The Spotify Embed Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spotify' shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Spotify Embed Creator

MEDIUM CVSS 6.4 2025-09-12

Threat Entry Updated 2025-09-15

CVE-2025-9877 - Embed Google Data Studio Plugin

The Embed Google Datastudio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'egds' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Embed Google Data Studio

MEDIUM CVSS 6.4 2025-09-12

Threat Entry Updated 2025-09-15

CVE-2025-10269 - Spirit Framework Plugin

The Spirit Framework plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.2.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

PLUGIN Spirit Framework

HIGH CVSS 7.5 2025-09-12

Threat Entry Updated 2025-09-15

CVE-2025-9807 - The Events Calendar Plugin

The Events Calendar plugin for WordPress is vulnerable to time-based SQL Injection via the 's' parameter in all versions up to, and including, 6.15.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN The Events Calendar

HIGH CVSS 7.5 2025-09-12
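The entry above names both halves of the defect: a search term that is not escaped for the LIKE pattern and a query that is not prepared. The following is an added example, not code from The Events Calendar: a hypothetical public search route over the core post type, first concatenating the term (the time-based oracle the advisory describes) and then using $wpdb->esc_like() with $wpdb->prepare(). The route sqlidemo/v1/search and all sqlidemo_* names are invented.

```php
<?php
/**
 * Plugin Name: Search SQLi Example (added illustration, not a real plugin)
 *
 * Hypothetical public route GET /wp-json/sqlidemo/v1/search?s=... over the core "post"
 * type, so it runs on any install. All sqlidemo_* names are invented.
 */

// Vulnerable: the term is concatenated into the LIKE pattern. With (constructed, shown
// decoded; it is URL-encoded on the wire)
//   s=%' AND SLEEP(1)-- -
// the quote closes the literal, the comment swallows the rest, and the response stalls
// about a second for every row the condition reaches. Nothing from the database is echoed,
// so the attacker extracts data by asking yes/no questions whose "yes" is a delay.
function sqlidemo_search_vulnerable( $term ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_type = 'post' AND post_status = 'publish'
              AND post_title LIKE '%{$term}%'";
    return $wpdb->get_results( $sql );
}

// Hardened: esc_like() escapes % _ \ so the user cannot change the shape of the pattern,
// and prepare() binds the whole value as a string literal so a quote cannot end it.
// sanitize_text_field() on its own is not an SQL defence: it leaves quotes alone.
function sqlidemo_search_safe( $term ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = 'post' AND post_status = 'publish'
           AND post_title LIKE %s
         ORDER BY post_date DESC
         LIMIT %d",
        $like,
        20
    );
    return $wpdb->get_results( $sql );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'sqlidemo/v1', '/search', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true', // public search, as in the advisory
        'args'                => array(
            's' => array( 'required' => true, 'sanitize_callback' => 'sanitize_text_field' ),
        ),
        'callback'            => function ( WP_REST_Request $req ) {
            return rest_ensure_response( sqlidemo_search_safe( $req->get_param( 's' ) ) );
        },
    ) );
} );
```

For detection, a time-based probe of this kind is visible in the web server log as a search parameter containing SLEEP, BENCHMARK or a long series of near-identical requests whose only difference is a comparison value, each taking noticeably longer than normal searches.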

Threat Entry Updated 2025-09-11

CVE-2025-9018 - Time Tracker Plugin

The Time Tracker plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'tt_update_table_function' and 'tt_delete_record_function' functions in all versions up to, and including, 3.1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update options such as user registration and default role, allowing anyone to register as an Administrator, and to delete limited data from the database.

PLUGIN Time Tracker

HIGH CVSS 8.8 2025-09-11
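The Time Tracker entry above, and the Blaze Demo Importer entry earlier on the page, are missing-capability-check bugs: the handler is reachable by any logged-in user because that is all a wp_ajax_ hook requires. The following is an added example, not code from either plugin: a hypothetical AJAX setting-update handler, vulnerable and then hardened with a capability check, a nonce, and an allowlist of option names, which is what turns "update options such as default role" back into "update this plugin's own two options". The Blaze case is the same shape with install_plugins and activate_plugins as the capabilities to test. The action name capdemo_update_setting and all capdemo_* names are invented.

```php
<?php
/**
 * Plugin Name: Capability Check Example (added illustration, not a real plugin)
 *
 * Hypothetical AJAX action capdemo_update_setting; all capdemo_* names are invented.
 */

// Vulnerable: hooking wp_ajax_{action} means "any logged-in user", Subscribers included.
// With no further check a Subscriber can send (constructed)
//   POST /wp-admin/admin-ajax.php  action=capdemo_update_setting&option=users_can_register&value=1
//   POST /wp-admin/admin-ajax.php  action=capdemo_update_setting&option=default_role&value=administrator
// after which /wp-login.php?action=register hands out administrator accounts.
function capdemo_update_setting_vulnerable() {
    update_option( $_POST['option'], $_POST['value'] );
    wp_send_json_success();
}

// Hardened, in order: who may call this (capability), did they mean to (nonce),
// what may it touch (allowlist of option names), and what values are acceptable.
function capdemo_update_setting_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }
    check_ajax_referer( 'capdemo_update_setting', 'nonce' ); // dies on a bad or missing nonce

    // Option name => sanitiser. Core options such as default_role are deliberately absent.
    $allowed = array(
        'capdemo_round_minutes' => 'absint',
        'capdemo_timezone'      => 'sanitize_text_field',
    );
    $option = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    if ( ! isset( $allowed[ $option ] ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    $value = call_user_func( $allowed[ $option ], wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $option, $value );
    wp_send_json_success( array( 'option' => $option, 'value' => $value ) );
}
add_action( 'wp_ajax_capdemo_update_setting', 'capdemo_update_setting_safe' );

// Give the settings screen a nonce to send; wp_ajax_nopriv_ is intentionally not registered.
add_action( 'admin_enqueue_scripts', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_localize_script( 'jquery', 'capdemo', array(
        'nonce'   => wp_create_nonce( 'capdemo_update_setting' ),
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
    ) );
} );
```

The order matters: a nonce check before the capability check still lets a Subscriber with a valid nonce of their own through, since nonces are minted per user and prove only that the request came from a page the site served to that user. To verify a fix, call the action as a Subscriber with a freshly obtained nonce and confirm the 403 arrives before any option changes.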

Threat Entry Updated 2025-09-11

CVE-2025-9874 - Ultimate Classified Listings Plugin

The Ultimate Classified Listings plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6 via the 'uclwp_dashboard' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

PLUGIN Ultimate Classified Listings

HIGH CVSS 7.5 2025-09-11
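The Local File Inclusion entries on this page (Catch Dark Mode, Developer Loggers for Simple History, Spirit Framework and Ultimate Classified Listings above) all come from a shortcode attribute or request parameter that is turned into an include path. The following is an added example, not code from any of those plugins: a hypothetical [lfidemo_panel] shortcode written the vulnerable way, then fixed with an allowlist and a realpath containment check. It also explains the advisories' "in cases where .php file types can be uploaded" wording. The shortcode name, the templates directory and all lfidemo_* names are invented.

```php
<?php
/**
 * Plugin Name: Shortcode LFI Example (added illustration, not a real plugin)
 *
 * Hypothetical [lfidemo_panel layout="..."] shortcode. Assumes a templates/ directory
 * beside this file containing default.php, compact.php and wide.php. All names invented.
 */

// Vulnerable: the attribute becomes part of an include path. A Contributor saves
// (constructed) [lfidemo_panel layout="../../../uploads/2025/09/shell"] and, because the
// plugin appends ".php", any file with that name and extension the attacker managed to get
// onto disk (a lax upload form in another plugin, a stray backup) is executed for every
// visitor of the post. Without the suffix, any readable file on the server would do.
function lfidemo_panel_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'layout' => 'default' ), $atts, 'lfidemo_panel' );
    ob_start();
    include plugin_dir_path( __FILE__ ) . 'templates/' . $atts['layout'] . '.php';
    return ob_get_clean();
}

// Hardened: the request selects a key, the code selects the path. The realpath()
// containment check is belt and braces for handlers that must accept a file name
// (the Developer Loggers entry, where an admin-supplied list of loggers is included).
function lfidemo_resolve_template( $layout ) {
    $allowed = array( 'default', 'compact', 'wide' );
    if ( ! in_array( $layout, $allowed, true ) ) {
        $layout = 'default';
    }
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $file = ( false === $base ) ? false : realpath( $base . DIRECTORY_SEPARATOR . $layout . '.php' );
    // realpath() collapses ../ and follows symlinks, so a result outside $base means traversal.
    if ( false === $file || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $file;
}

function lfidemo_panel_safe( $atts ) {
    $atts = shortcode_atts( array( 'layout' => 'default' ), $atts, 'lfidemo_panel' );
    // sanitize_key() lowercases and keeps only [a-z0-9_-], so "/" and "." never reach the resolver.
    $file = lfidemo_resolve_template( sanitize_key( $atts['layout'] ) );
    if ( false === $file ) {
        return '';
    }
    ob_start();
    include $file;
    return ob_get_clean();
}
add_shortcode( 'lfidemo_panel', 'lfidemo_panel_safe' );
```

The privilege level in these advisories follows from who may use shortcodes: Contributors can save them in drafts and the handler runs on preview, so the Contributor-level entries need no one else to act. The Spirit Framework entry is rated for Subscriber-level access, which implies the include is reachable through a request path rather than post content; the allowlist fix is identical.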

Threat Entry Updated 2025-09-11

CVE-2025-9861 - Themeloom Widgets Plugin

The ThemeLoom Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'los_showposts' shortcode in all versions up to, and including, 1.8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Themeloom Widgets

MEDIUM CVSS 6.4 2025-09-11

Threat Entry Updated 2025-09-11

CVE-2025-9860 - Mixtape Plugin

The Mixtape plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mixtape' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Mixtape

MEDIUM CVSS 6.4 2025-09-11
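The five Stored Cross-Site Scripting entries on this page (Productive Style, Spotify Embed Creator, Embed Google Datastudio, ThemeLoom Widgets and Mixtape above) describe one defect: a shortcode handler that drops user-supplied attributes into its HTML without escaping, and shortcode_atts() supplies defaults but sanitises nothing. The Contact Form 7 reCAPTCHA entry is the reflected variant, with $_SERVER['REQUEST_URI'] echoed into an attribute. The following is an added example, not code from any of those plugins: a hypothetical [embed_box] shortcode in vulnerable and hardened form, followed by the REQUEST_URI form-action pattern. The shortcode name and all xssdemo_* function names are invented.

```php
<?php
/**
 * Plugin Name: Shortcode XSS Example (added illustration, not a real plugin)
 *
 * Hypothetical [embed_box] shortcode; all xssdemo_* names are invented.
 * Drop into wp-content/plugins/ on a disposable install to try it.
 */

// Vulnerable: attribute values are interpolated straight into markup. A Contributor only
// needs to save a draft containing (constructed payload)
//   [embed_box title='"><script>alert(document.cookie)</script>' url="https://example.com/"]
// and the script runs for every editor or administrator who previews or publishes it.
function xssdemo_embed_box_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'url' => '', 'height' => '400' ), $atts, 'embed_box' );
    return '<div class="embed-box" title="' . $atts['title'] . '">'
        . '<iframe src="' . $atts['url'] . '" height="' . $atts['height'] . '"></iframe></div>';
}

// Hardened: normalise on input, then escape each value for the exact context it lands in
// (attribute, URL, integer).
function xssdemo_embed_box_safe( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'url' => '', 'height' => '400' ), $atts, 'embed_box' );

    $title  = sanitize_text_field( $atts['title'] );
    // esc_url() with an explicit protocol list returns '' for javascript:, data: and the like.
    $url    = esc_url( $atts['url'], array( 'http', 'https' ) );
    $height = min( 2000, max( 50, absint( $atts['height'] ) ) );

    if ( '' === $url ) {
        return '';
    }
    return sprintf(
        '<div class="embed-box" title="%s"><iframe src="%s" height="%d"></iframe></div>',
        esc_attr( $title ),
        $url,    // esc_url() output is already safe inside a double-quoted attribute
        $height
    );
}
add_shortcode( 'embed_box', 'xssdemo_embed_box_safe' );

// Reflected variant (the Contact Form 7 reCAPTCHA entry): the request path is echoed raw
// into a form's action attribute.
function xssdemo_form_open_vulnerable() {
    return '<form method="post" action="' . $_SERVER['REQUEST_URI'] . '">';
}

// Current browsers percent-encode " < > in the path before sending the request, so the raw
// payload only arrives from old clients; that is why the advisory scopes the impact to old
// browsers. The fix is the same regardless: esc_url() strips < > " and encodes the quote.
function xssdemo_form_open_safe() {
    return '<form method="post" action="' . esc_url( $_SERVER['REQUEST_URI'] ) . '">';
}
```

The contributor-level rating in these entries follows from WordPress's shortcode model: Contributors cannot publish, but they can save a draft containing the shortcode and the handler runs when an editor or administrator previews it, so the payload is delivered to exactly the users whose session is worth stealing. The jQuery Colorbox entry is the same class one layer down, with the unescaped value being a link's title attribute rendered as HTML by the bundled library rather than by plugin PHP.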