Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-08-13
CVE-2025-8491 - Easy Pdf Restaurant Menu Upload Plugin
The Easy restaurant menu manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on the nsc_eprm_save_menu() function. This makes it possible for unauthenticated attackers to upload a menu file via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Easy Pdf Restaurant Menu Upload
CVE-2025-8491
Risk Score
Threat Entry
Updated 2025-08-13
CVE-2025-0818 - File Manager Advanced Plugin
Several WordPress plugins using elFinder versions 2.1.64 and prior are vulnerable to Directory Traversal in various versions. This makes it possible for unauthenticated attackers to delete arbitrary files. Successful exploitation of this vulnerability requires a site owner to explicitly make an instance of the file manager available to users.
PLUGIN
File Manager Advanced
CVE-2025-0818
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8418 - B Slider Plugin
The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Arbitrary Plugin Installation in all versions up to, and including, 1.1.30. This is due to missing capability checks on the activated_plugin function. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the server which can make remote code execution possible.
PLUGIN
B Slider
CVE-2025-8418
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8874 - Master Addons Plugin
The Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 2.0.8.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Master Addons
CVE-2025-8874
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8767 - Anwp Football Leagues Plugin
The AnWP Football Leagues plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 0.16.17 via the 'download_csv_players' and 'download_csv_games' functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
PLUGIN
Anwp Football Leagues
CVE-2025-8767
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8482 - Simple Local Avatars Plugin
The Simple Local Avatars plugin for WordPress is vulnerable to unauthorized modification of data in version 2.8.4. This is due to a missing capability check on the migrate_from_wp_user_avatar() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to migrate avatar metadata for all users.
PLUGIN
Simple Local Avatars
CVE-2025-8482
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-6253 - Free Elementor Widgets And Templates Plugin
The UiCore Elements – Free Elementor widgets and templates plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.3.0 via the prepare_template() function due to a missing capability check and insufficient controls on the filename specified. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Free Elementor Widgets And Templates
CVE-2025-6253
Risk Score
Threat Entry
Updated 2025-08-15
CVE-2025-8081 - Website Builder Plugin
The Elementor plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.30.2 via the Import_Images::import() function due to insufficient controls on the filename specified. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Website Builder
CVE-2025-8081
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8059 - B Blocks Plugin
The B Blocks plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization and improper input validation within the rgfr_registration() function in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to create a new account and assign it the administrator role.
PLUGIN
B Blocks
CVE-2025-8059
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8314 - Software Issue Manager Plugin
The Software Issue Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘noaccess_msg parameter in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Software Issue Manager
CVE-2025-8314
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8690 - Addi Simple Slider Plugin
The Simple Responsive Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Addi Simple Slider
CVE-2025-8690
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8688 - Inline Stock Quotes Plugin
The Inline Stock Quotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's stock shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Inline Stock Quotes
CVE-2025-8688
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8685 - Wp Chart Generator Plugin
The Wp chart generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpchart shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Chart Generator
CVE-2025-8685
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8621 - Mosaic Generator Plugin
The Mosaic Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘c’ parameter in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Mosaic Generator
CVE-2025-8621
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8568 - Gmap Venturit Plugin
The GMap Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘h’ parameter in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Gmap Venturit
CVE-2025-8568
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-8462 - Rt Easy Builder Advanced Addons For Elementor Plugin
The RT Easy Builder – Advanced addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the social URL parameter in all versions up to, and including, 2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Rt Easy Builder Advanced Addons For Elementor
CVE-2025-8462
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-5391 - Wc Purchase Orders Plugin
The WooCommerce Purchase Orders plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
PLUGIN
Wc Purchase Orders
CVE-2025-5391
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-4390 - Wp Private Content Plus Plugin
The WP Private Content Plus plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.2 via the 'validate_restrictions' function. This makes it possible for unauthenticated attackers to extract sensitive data including the content of resticted posts on archive and feed pages.
PLUGIN
Wp Private Content Plus
CVE-2025-4390
Risk Score
Threat Entry
Updated 2026-01-09
CVE-2025-7965 - Cbx Restaurant Booking Plugin
The CBX Restaurant Booking WordPress plugin through 1.2.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
PLUGIN
Cbx Restaurant Booking
CVE-2025-7965
Risk Score
Threat Entry
Updated 2025-08-11
CVE-2025-7726 - The7 Theme
The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via its lightbox rendering code in all versions up to, and including, 12.6.0 due to insufficient input sanitization and output escaping. The theme’s JavaScript reads user-supplied 'title' and 'data-dt-img-description' attributes directly via jQuery.attr(), concatenates them into an HTML string, and inserts that string into the DOM using methods such as jQuery.html() without escaping or filtering. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a…
THEME
The7
CVE-2025-7726
Risk Score