Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 | Critical: 923 | High: 3,047 | Medium: 10,866
Threat Entry Updated 2025-07-02

CVE-2025-6688 - Simple Payment Plugin

The Simple Payment plugin for WordPress is vulnerable to Authentication Bypass in versions 1.3.6 to 2.3.8. This is due to the plugin not properly verifying a user's identity prior to logging them in through the create_user() function. This makes it possible for unauthenticated attackers to log in as administrative users.

PLUGIN Simple Payment

CVE-2025-6688

CRITICAL CVSS 9.8 2025-06-27
Threat Entry Updated 2025-07-08

CVE-2025-6689 - Fl3r Accessibility Suite Plugin

The FL3R Accessibility Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fl3raccessibilitysuite shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Fl3r Accessibility Suite

CVE-2025-6689

MEDIUM CVSS 6.4 2025-06-27
Threat Entry Updated 2025-07-08

CVE-2025-6550 - Pack Elementor Addons Plugin

The The Pack Elementor addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slider_options’ parameter in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Pack Elementor Addons

CVE-2025-6550

MEDIUM CVSS 6.4 2025-06-27
Threat Entry Updated 2025-07-07

CVE-2025-5940 - Osom Blocks Plugin

The Osom Blocks – Custom Post Type listing block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class_name’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Osom Blocks

CVE-2025-5940

MEDIUM CVSS 6.4 2025-06-27
Threat Entry Updated 2025-06-30

CVE-2025-4587 - Ab Testing For Wp Plugin

The A/B Testing for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ab-testing-for-wp/ab-test-block' block in all versions up to, and including, 1.18.2 due to insufficient input sanitization and output escaping on the 'id' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ab Testing For Wp

CVE-2025-4587

MEDIUM CVSS 6.4 2025-06-27
Threat Entry Updated 2025-07-07

CVE-2025-5936 - Vr Calendar Plugin

The VR Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.7. This is due to missing or incorrect nonce validation on the syncCalendar() function. This makes it possible for unauthenticated attackers to trigger a calendar sync via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Vr Calendar

CVE-2025-5936

MEDIUM CVSS 4.3 2025-06-27
Threat Entry Updated 2025-07-01

CVE-2025-5093 - Before 2 Plugin

The Responsive Lightbox & Gallery WordPress plugin before 2.5.2 uses the Swipebox library, which does not validate and escape title attributes before outputting them back in a page/post where used, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 2

CVE-2025-5093

MEDIUM CVSS 5.4 2025-06-27
Threat Entry Updated 2025-07-01

CVE-2025-5035 - Firelight Lightbox Plugin

The Firelight Lightbox WordPress plugin before 2.3.16 does not sanitise and escape title attributes before outputting them in the page, which could allow users with a role as low as contributors to perform stored Cross-Site Scripting attacks.

PLUGIN Firelight Lightbox

CVE-2025-5035

MEDIUM CVSS 5.4 2025-06-27
Threat Entry Updated 2025-07-07

CVE-2025-5194 - Wp Map Block Plugin

The WP Map Block WordPress plugin before 2.0.3 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Wp Map Block

CVE-2025-5194

MEDIUM CVSS 4.8 2025-06-27
Threat Entry Updated 2025-07-03

CVE-2025-5526 - Buddypress Docs Plugin

The BuddyPress Docs WordPress plugin before 2.2.5 lacks proper access controls and allows a logged-in user to view and download files belonging to another user.

PLUGIN Buddypress Docs

CVE-2025-5526

MEDIUM CVSS 4.3 2025-06-27
Threat Entry Updated 2025-06-30

CVE-2025-6488 - Ismobile Plugin

The isMobile plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘device’ parameter in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ismobile

CVE-2025-6488

MEDIUM CVSS 6.4 2025-06-27
Threat Entry Updated 2025-07-08

CVE-2025-6212 - Ultimate Addons For Contact Form 7 Plugin

The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Database module in versions 3.5.11 to 3.5.19 due to insufficient input sanitization and output escaping. The unfiltered field names are stored alongside the sanitized values. Later, the admin-side AJAX endpoint ajax_get_table_data() returns those raw names as JSON column headers, and the client-side DataTables renderer injects them directly into the DOM without any HTML encoding. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever…

PLUGIN Ultimate Addons For Contact Form 7

CVE-2025-6212

HIGH CVSS 7.2 2025-06-26
Threat Entry Updated 2025-07-08

CVE-2025-5842 - Modern Design Library Plugin

The Modern Design Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class’ parameter in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Modern Design Library

CVE-2025-5842

MEDIUM CVSS 6.4 2025-06-26
Threat Entry Updated 2025-07-08

CVE-2025-5338 - Royal Elementor Addons Plugin

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.7.1024 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Royal Elementor Addons

CVE-2025-5338

MEDIUM CVSS 6.4 2025-06-26
Threat Entry Updated 2025-07-08

CVE-2025-6546 - Drive Folder Embedder Plugin

The Drive Folder Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tablecssclass’ parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Drive Folder Embedder

CVE-2025-6546

MEDIUM CVSS 6.4 2025-06-26
Threat Entry Updated 2025-07-07

CVE-2025-6540 - Web Cam Plugin

The web-cam plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slug’ parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Web Cam

CVE-2025-6540

MEDIUM CVSS 6.4 2025-06-26
Threat Entry Updated 2025-07-08

CVE-2025-6537 - Namasha Plugin

The Namasha By Mdesign plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘playicon_title’ parameter in all versions up to, and including, 1.2.00 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Namasha

CVE-2025-6537

MEDIUM CVSS 6.4 2025-06-26
Threat Entry Updated 2025-07-07

CVE-2025-5932 - Homerunner Plugin

The Homerunner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.29. This is due to missing or incorrect nonce validation on the main_settings() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Homerunner

CVE-2025-5932

MEDIUM CVSS 4.3 2025-06-26
Threat Entry Updated 2025-07-08

CVE-2025-5929 - The Countdown Plugin

The The Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘clientId’ parameter in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN The Countdown

CVE-2025-5929

MEDIUM CVSS 6.4 2025-06-26
Threat Entry Updated 2025-07-07

CVE-2025-5813 - Amazon Products To Woocommerce Plugin

The Amazon Products to WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcta2w_get_amazon_product_callback() function in all versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to create new products.

PLUGIN Amazon Products To Woocommerce

CVE-2025-5813

MEDIUM CVSS 5.3 2025-06-26