Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-07-16
CVE-2025-7341 - Download Contact Form 7 Widget For Elementor Page Builder Gutenberg Blocks Plugin
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
PLUGIN
Download Contact Form 7 Widget For Elementor Page Builder Gutenberg Blocks
CVE-2025-7341
Risk Score
Threat Entry
Updated 2025-07-16
CVE-2025-7340 - Download Contact Form 7 Widget For Elementor Page Builder Gutenberg Blocks Plugin
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Download Contact Form 7 Widget For Elementor Page Builder Gutenberg Blocks
CVE-2025-7340
Risk Score
Threat Entry
Updated 2025-07-15
CVE-2025-5394 - Charity Multipurpose Non Profit Wordpress Theme
The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.
THEME
Charity Multipurpose Non Profit Wordpress Theme
CVE-2025-5394
Risk Score
Threat Entry
Updated 2025-07-15
CVE-2025-5393 - Charity Multipurpose Non Profit Wordpress Theme
The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
THEME
Charity Multipurpose Non Profit Wordpress Theme
CVE-2025-5393
Risk Score
Threat Entry
Updated 2025-07-29
CVE-2021-4458 - Modern Events Calendar Lite Plugin
The Modern Events Calendar Lite plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'wp_ajax_mec_load_single_page' AJAX action in all versions up to, and including, 6.3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable on sites with addslashes disabled.
PLUGIN
Modern Events Calendar Lite
CVE-2021-4458
Risk Score
Threat Entry
Updated 2025-07-15
CVE-2025-7518 - WordPress Core
The RSFirewall! plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.1.42 via the get_local_filename() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
CORE
WordPress Core
CVE-2025-7518
Risk Score
Threat Entry
Updated 2025-08-02
CVE-2025-7504 - Friends Plugin
The Friends plugin for WordPress is vulnerable to PHP Object Injection in version 3.5.1 via deserialization of untrusted input of the query_vars parameter This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may…
PLUGIN
Friends
CVE-2025-7504
Risk Score
Threat Entry
Updated 2025-07-15
CVE-2025-6423 - Beeteam368 Extensions Plugin
The BeeTeam368 Extensions plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_submit_upload_file() function in all versions up to, and including, 2.3.5. This makes it possible for authenticated attackers with Subscriber-level access or higher to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Beeteam368 Extensions
CVE-2025-6423
Risk Score
Threat Entry
Updated 2025-07-15
CVE-2025-1313 - Nokri Job Board Wordpress Theme
The Nokri - Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.3. This is due to the plugin not properly validating a user's identity prior to updating their details like email address. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
THEME
Nokri Job Board Wordpress Theme
CVE-2025-1313
Risk Score
Threat Entry
Updated 2025-07-16
CVE-2025-6058 - Wpbookit Plugin
The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_booking_type' route in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Wpbookit
CVE-2025-6058
Risk Score
Threat Entry
Updated 2025-07-16
CVE-2025-6057 - Wpbookit Plugin
The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_image_upload() function in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Wpbookit
CVE-2025-6057
Risk Score
Threat Entry
Updated 2025-07-17
CVE-2025-6851 - Broken Link Notifier Plugin
The Broken Link Notifier plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.0 via the ajax_blinks() function which ultimately calls the check_url_status_code() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Broken Link Notifier
CVE-2025-6851
Risk Score
Threat Entry
Updated 2025-07-15
CVE-2025-6838 - Broken Link Notifier Plugin
The Broken Link Notifier plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.3.0 via broken links that are later exported. This makes it possible for authenticated attackers, with Contributor-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.
PLUGIN
Broken Link Notifier
CVE-2025-6838
Risk Score
Threat Entry
Updated 2025-07-15
CVE-2025-7442 - Wpgym Wordpress Gym Management System Plugin
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to SQL Injection via several parameters in the MJ_gmgt_delete_class_limit_for_member, MJ_gmgt_get_yearly_income_expense, MJ_gmgt_get_monthly_income_expense, MJ_gmgt_add_class_limit, MJ_gmgt_view_meeting_detail, and MJ_gmgt_create_meeting functions in all versions up to 67.8.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Wpgym Wordpress Gym Management System
CVE-2025-7442
Risk Score
Threat Entry
Updated 2025-07-17
CVE-2025-6068 - Foogallery Plugin
The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption-title` & `data-caption-description` HTML attributes in all versions up to, and including, 2.4.31 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Foogallery
CVE-2025-6068
Risk Score
Threat Entry
Updated 2025-07-17
CVE-2025-5530 - Wpc Smart Compare For Woocommerce Plugin
The WPC Smart Compare for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shortcode_btn' shortcode in all versions up to, and including, 6.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wpc Smart Compare For Woocommerce
CVE-2025-5530
Risk Score
Threat Entry
Updated 2025-07-15
CVE-2025-6745 - Woodmart Plugin
The WoodMart plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 8.2.5 via the woodmart_get_posts_by_query() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
PLUGIN
Woodmart
CVE-2025-6745
Risk Score
Threat Entry
Updated 2025-07-15
CVE-2025-4593 - Wp Register Profile With Shortcode Plugin
The WP Register Profile With Shortcode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.2 via the 'rp_user_data' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data from user meta like hashed passwords, usernames, and more.
PLUGIN
Wp Register Profile With Shortcode
CVE-2025-4593
Risk Score
Threat Entry
Updated 2025-07-15
CVE-2025-5392 - Gb Forms Db Plugin
The GB Forms DB plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.2 via the gbfdb_talk_to_front() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leverage to inject backdoors or create new administrative user accounts to name a few things.
PLUGIN
Gb Forms Db
CVE-2025-5392
Risk Score
Threat Entry
Updated 2025-07-15
CVE-2025-6716 - Openai Plugin
The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'upload[1][title]' parameter in all versions up to, and including, 26.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Openai
CVE-2025-6716
Risk Score