Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-08-18
CVE-2025-6079 - School Management System For Wordpress Plugin
The School Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the homework.php file in all versions up to, and including, 93.2.0. This makes it possible for authenticated attackers, with Student-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
School Management System For Wordpress
CVE-2025-6079
Risk Score
Threat Entry
Updated 2025-08-18
CVE-2025-3671 - Wpgym Wordpress Gym Management System Plugin
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 67.7.0 via the 'page' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. The Local…
PLUGIN
Wpgym Wordpress Gym Management System
CVE-2025-3671
Risk Score
Threat Entry
Updated 2025-08-18
CVE-2024-8393 - Woolook Plugin
The Woocommerce Blocks – Woolook plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.7.0 via the via the 'tab' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. Please note…
PLUGIN
Woolook
CVE-2024-8393
Risk Score
Threat Entry
Updated 2025-08-18
CVE-2024-12612 - School Management System For Wordpress Plugin
The School Management System for Wordpress plugin for WordPress is vulnerable to SQL Injection via several parameters across multiple AJAX action in all versions up to, and including, 93.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
School Management System For Wordpress
CVE-2024-12612
Risk Score
Threat Entry
Updated 2025-08-18
CVE-2024-12575 - Image Polls Plugin
The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Basic Information Exposure in all versions up to, and including, 5.8.9 via the 'ays_finish_poll' AJAX action. This makes it possible for unauthenticated attackers to retrieve admin email information which is exposed in the poll response.
PLUGIN
Image Polls
CVE-2024-12575
Risk Score
Threat Entry
Updated 2025-08-15
CVE-2025-8720 - Wp Readme Parser Plugin
The Plugin README Parser plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘target’ parameter in all versions up to, and including, 1.3.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Readme Parser
CVE-2025-8720
Risk Score
Threat Entry
Updated 2025-08-15
CVE-2025-8905 - Err Our Team Plugin
The Inpersttion For Theme plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0 via the theme_section_shortcode() function. This is due to the plugin not restricting what functions can be called. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server which is limited to arbitrary functions without any user supplied parameters.
PLUGIN
Err Our Team
CVE-2025-8905
Risk Score
Threat Entry
Updated 2025-08-15
CVE-2025-7778 - Icons Factory Plugin
The Icons Factory plugin for WordPress is vulnerable to Arbitrary File Deletion due to insufficient authorization and improper path validation within the delete_files() function in all versions up to, and including, 1.6.12. This makes it possible for unauthenticated attackers to to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
PLUGIN
Icons Factory
CVE-2025-7778
Risk Score
Threat Entry
Updated 2025-08-15
CVE-2025-7688 - Add User Meta Plugin
The Add User Meta plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the 'add-user-meta' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Add User Meta
CVE-2025-7688
Risk Score
Threat Entry
Updated 2025-08-15
CVE-2025-8080 - Alobaidi Captcha Plugin
The Alobaidi Captcha plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Alobaidi Captcha
CVE-2025-8080
Risk Score
Threat Entry
Updated 2025-08-15
CVE-2025-8091 - Eventon Lite Plugin
The EventON Lite plugin for WordPress is vulnerable to Information Exposure in all versions less than, or equal to, 2.4.6 via the add_single_eventon and add_eventon shortcodes due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
PLUGIN
Eventon Lite
CVE-2025-8091
Risk Score
Threat Entry
Updated 2025-08-15
CVE-2025-7650 - Bizcalendar Web Plugin
The BizCalendar Web plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.0.50 via the 'bizcalv' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
PLUGIN
Bizcalendar Web
CVE-2025-7650
Risk Score
Threat Entry
Updated 2025-08-15
CVE-2025-7662 - Gestion Tarifs Plugin
The Gestion de tarifs plugin for WordPress is vulnerable to SQL Injection via the 'tarif' and 'intitule' shortcodes in all versions up to, and including, 1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Gestion Tarifs
CVE-2025-7662
Risk Score
Threat Entry
Updated 2025-08-15
CVE-2025-7641 - Assistant For Nextgen Gallery Plugin
The Assistant for NextGEN Gallery plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the /wp-json/nextgenassistant/v1.0.0/control REST endpoint in all versions up to, and including, 1.0.9. This makes it possible for unauthenticated attackers to delete arbitrary directories on the server, which can cause a complete loss of availability.
PLUGIN
Assistant For Nextgen Gallery
CVE-2025-7641
Risk Score
Threat Entry
Updated 2025-08-15
CVE-2025-7507 - Elink Embed Content Plugin
The elink – Embed Content plugin for WordPress is vulnerable to Malicious Redirect in all versions up to, and including, 1.1.0. This is due to the plugin not restricting URLS that can be supplied through the elink shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to supply an HTML file that can be leverged to redirect users to a malicious domain.
PLUGIN
Elink Embed Content
CVE-2025-7507
Risk Score
Threat Entry
Updated 2025-08-15
CVE-2025-5844 - Radius Blocks Plugin
The Radius Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘subHeadingTagName’ parameter in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Radius Blocks
CVE-2025-5844
Risk Score
Threat Entry
Updated 2025-08-15
CVE-2025-8604 - Wp Table Builder Plugin
The WP Table Builder – WordPress Table Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wptb shortcode in all versions up to, and including, 2.0.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Table Builder
CVE-2025-8604
Risk Score
Threat Entry
Updated 2025-08-15
CVE-2025-8451 - Essential Addons For Elementor Lite Plugin
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘data-gallery-items’ parameter in all versions up to, and including, 6.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Essential Addons For Elementor Lite
CVE-2025-8451
Risk Score
Threat Entry
Updated 2025-08-15
CVE-2025-6679 - Bit Form Plugin
The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.20.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. For this to be exploitable, the PRO version needs to be installed and activated as well. Additionally a form with an advanced file upload element needs to be published.
PLUGIN
Bit Form
CVE-2025-6679
Risk Score
Threat Entry
Updated 2025-08-15
CVE-2025-8013 - Quttera Web Malware Scanner Plugin
The Quttera Web Malware Scanner plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.5.1.41 via the 'RunExternalScan' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Quttera Web Malware Scanner
CVE-2025-8013
Risk Score