
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2025-09-11

CVE-2025-8689 - Elements Plus Plugin

The Elements Plus! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Comparison, HotSpot Plus, and Google Maps widgets in all versions up to, and including, 2.16.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Elements Plus | CVE-2025-8689 | MEDIUM, CVSS 6.4 | 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8686 - Wp Easy Faqs Plugin

The WP Easy FAQs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's WP_EASY_FAQ shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Wp Easy Faqs | CVE-2025-8686 | MEDIUM, CVSS 6.4 | 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8692 - Coupon Api Plugin

The Coupon API plugin for WordPress is vulnerable to SQL Injection via the ‘log_duration’ parameter in all versions up to, and including, 6.2.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Coupon Api | CVE-2025-8692 | MEDIUM, CVSS 4.9 | 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8425 - My Wp Translate Plugin

The My WP Translate plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajax_import_strings() function in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Plugin: My Wp Translate | CVE-2025-8425 | HIGH, CVSS 8.8 | 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8445 - Countdown Timer For Elementor Plugin

The Countdown Timer for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'countdown_label' Parameter in all versions up to, and including, 1.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Countdown Timer For Elementor | CVE-2025-8445 | MEDIUM, CVSS 6.4 | 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8423 - My Wp Translate Plugin

The My WP Translate plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the mtswpt_remove_plugin() and ajax_update_export_code() functions in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and delete arbitrary WordPress options which can cause a denial of service.

Plugin: My Wp Translate | CVE-2025-8423 | MEDIUM, CVSS 5.4 | 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8492 - Salon Booking System Plugin

The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax function in all versions up to, and including, 10.20. This makes it possible for unauthenticated attackers to execute AJAX actions, including limited file uploads.

Plugin: Salon Booking System | CVE-2025-8492 | MEDIUM, CVSS 5.3 | 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8481 - Blog Designer For Elementor Plugin

The Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.1.7. This is due to missing or incorrect nonce validation on the bdfe_install_activate_rswpbs_only function. This makes it possible for unauthenticated attackers to install the 'rs-wp-books-showcase' plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Blog Designer For Elementor | CVE-2025-8481 | MEDIUM, CVSS 4.3 | 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8417 - Intelligent Importer Plugin

The Catalog Importer, Scraper & Crawler plugin for WordPress is vulnerable to PHP code injection in all versions up to, and including, 5.1.4. This is due to reliance on a guessable numeric token (e.g. ?key= 900001705) without proper authentication, combined with the unsafe use of eval() on user-supplied input. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on the server via a forged request granted they can guess or brute-force the numeric key.

Plugin: Intelligent Importer | CVE-2025-8417 | HIGH, CVSS 8.1 | 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8422 - All In One Client Management System Plugin

The Propovoice: All-in-One Client Management System plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.7.6.7 via the send_email() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Plugin: All In One Client Management System | CVE-2025-8422 | HIGH, CVSS 7.5 | 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8398 - Azurecurve Bbcode Plugin

The azurecurve BBCode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'url' shortcode in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Azurecurve Bbcode | CVE-2025-8398 | MEDIUM, CVSS 6.4 | 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8392 - Mitfahrgelegenheit Plugin

The Mitfahrgelegenheit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘date’ parameter in all versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Mitfahrgelegenheit | CVE-2025-8392 | MEDIUM, CVSS 6.4 | 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8318 - Jobify Plugin

The Jobify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘keyword’ parameter in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Jobify | CVE-2025-8318 | MEDIUM, CVSS 6.4 | 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8316 - Certifica Wp Plugin

The Certifica WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘evento’ parameter in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Certifica Wp | CVE-2025-8316 | MEDIUM, CVSS 6.4 | 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8215 - Responsive Addons For Elementor Plugin

The Responsive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.7.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Responsive Addons For Elementor | CVE-2025-8215 | MEDIUM, CVSS 6.4 | 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-5801 - Digital Events Calendar Plugin

The Digital Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘column’ parameter in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Digital Events Calendar | CVE-2025-5801 | MEDIUM, CVSS 6.4 | 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-0763 - Ultimate Classified Listings Plugin

The Ultimate Classified Listings plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_custom_fields function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change plugin custom fields.

Plugin: Ultimate Classified Listings | CVE-2025-0763 | MEDIUM, CVSS 4.3 | 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8479 - Zoho Flow Plugin

The Zoho Flow plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.14.1. This is due to missing or incorrect nonce validation on the zoho_flow_deactivate_plugin function. This makes it possible for unauthenticated attackers to modify typography settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Zoho Flow | CVE-2025-8479 | MEDIUM, CVSS 4.3 | 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-9776 - Tame Your WordPress Media Library By Category Plugin

The CatFolders – Tame Your WordPress Media Library by Category plugin for WordPress is vulnerable to time-based SQL Injection via the CSV Import contents in all versions up to, and including, 2.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Tame Your WordPress Media Library By Category | CVE-2025-9776 | MEDIUM, CVSS 6.5 | 2025-09-11