Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 15,036 | Critical 923 | High 3,047 | Medium 10,866

Showing 4501-4520 of 15036 records
Threat Entry Updated 2025-07-09

CVE-2025-5289 - 3D FlipBook Plugin

The 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' and 'mode' parameters in all versions up to, and including, 1.16.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: This issue affects only block-based themes.

PLUGIN 3D FlipBook

CVE-2025-5289

MEDIUM CVSS 6.4 2025-06-21
Threat Entry Updated 2025-07-09

CVE-2025-5143 - TableOn – WordPress Posts Table Filterable Plugin

The TableOn – WordPress Posts Table Filterable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's tableon_popup_iframe_button shortcode in all versions up to, and including, 1.0.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN TableOn – WordPress Posts Table Filterable

CVE-2025-5143

MEDIUM CVSS 6.4 2025-06-21
Threat Entry Updated 2025-07-02

CVE-2025-5034 - WP File Download Plugin

The wp-file-download WordPress plugin before 6.2.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.

PLUGIN WP File Download

CVE-2025-5034

HIGH CVSS 7.1 2025-06-21
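Most entries on this page share one root cause: a shortcode attribute, block attribute or request parameter is written into HTML without being escaped for the context it lands in. The snippet below is an added example, not code from TableOn, WP File Download or any other plugin listed here; it assumes a WordPress runtime, and the shortcode tags (demo_popup_vuln, demo_popup_safe), the attribute names and the demo_q parameter are hypothetical. It shows the vulnerable pattern beside the hardened form for both the stored case (a shortcode re-emitting its attributes) and the reflected case (a parameter echoed back into the page).

```php
<?php
/**
 * Added example, not code from any plugin listed on this page.
 * Assumes WordPress is loaded; shortcode tags, attribute names and the
 * demo_q query parameter are hypothetical.
 */

// VULNERABLE: attributes and enclosed content are echoed verbatim. A
// Contributor who cannot post raw <script> can still write
//   [demo_popup_vuln url='" onmouseover="alert(1)']
// and the value lands unescaped inside an HTML attribute for every visitor.
add_shortcode( 'demo_popup_vuln', function ( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'url' => '', 'label' => 'Open', 'class' => '' ), $atts );
    return '<a class="' . $atts['class'] . '" href="' . $atts['url'] . '">'
        . $atts['label'] . '</a>' . $content;
} );

// HARDENED: constrain on the way in, then escape for the exact sink on the
// way out. Sanitizing alone is not enough; the escape must match the context.
add_shortcode( 'demo_popup_safe', function ( $atts, $content = '' ) {
    $atts = shortcode_atts(
        array( 'url' => '', 'label' => 'Open', 'class' => '' ),
        $atts,
        'demo_popup_safe'
    );

    // href sink: esc_url() rejects javascript:/data: schemes and encodes quotes.
    $url = esc_url( $atts['url'] );

    // class has a tighter grammar than "any string": keep only valid class
    // characters, then escape for the attribute context.
    $class = esc_attr( sanitize_html_class( $atts['class'] ) );

    // Text-node sink: esc_html() neutralises < > & " '.
    $label = esc_html( $atts['label'] );

    // Enclosed content may legitimately carry markup: expand nested shortcodes
    // first, then reduce the result to the post allowlist instead of echoing raw.
    $body = wp_kses_post( do_shortcode( $content ) );

    return sprintf( '<a class="%s" href="%s">%s</a>%s', $class, $url, $label, $body );
} );

// REFLECTED variant (the WP File Download pattern): a request parameter printed
// back into the page. Same rule: unslash, sanitize, and escape at the sink.
function demo_render_search_notice() {
    $q = isset( $_GET['demo_q'] ) ? sanitize_text_field( wp_unslash( $_GET['demo_q'] ) ) : '';
    return '<p>Results for: ' . esc_html( $q ) . '</p>';
}
```

The Contributor/Author bound quoted in these entries comes from WordPress's unfiltered_html capability: roles below Editor cannot store raw markup in post content, so a shortcode or block that re-emits their attributes unescaped is exactly what hands them that power (the Football Pool entry below notes the mirror case, where even administrators lack unfiltered_html on multisite). Matching the escape to the sink matters: esc_html() on a value that ends up in href still lets javascript: through, and only esc_url() strips unsafe schemes.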
Threat Entry Updated 2025-06-23

CVE-2025-50050 - Jobs for WordPress Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BlueGlass Interactive AG Jobs for WordPress allows Stored XSS. This issue affects Jobs for WordPress: from n/a through 2.7.12.

PLUGIN Jobs for WordPress

CVE-2025-50050

MEDIUM CVSS 6.5 2025-06-20
Threat Entry Updated 2025-06-23

CVE-2025-50010 - Zapier for WordPress Plugin

Missing Authorization vulnerability in Zapier Zapier for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Zapier for WordPress: from n/a through 1.5.2.

PLUGIN Zapier for WordPress

CVE-2025-50010

MEDIUM CVSS 5.4 2025-06-20
Threat Entry Updated 2025-06-23

CVE-2025-49974 - UpStream Project Management Plugin

Missing Authorization vulnerability in upstreamplugin UpStream: a Project Management Plugin for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects UpStream: a Project Management Plugin for WordPress: from n/a through 2.1.0.

PLUGIN UpStream Project Management

CVE-2025-49974

MEDIUM CVSS 4.3 2025-06-20
Threat Entry Updated 2025-07-11

CVE-2025-4102 - Beaver Builder Plugin

The Beaver Builder Plugin (Starter Version) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_enabled_icons' function in all versions up to, and including, 2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability was partially patched in version 2.9.1.

PLUGIN Beaver Builder

CVE-2025-4102

HIGH CVSS 7.2 2025-06-20
Threat Entry Updated 2025-06-23

CVE-2025-6257 - Euro FxRef Currency Converter Plugin

The Euro FxRef Currency Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's currency shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Euro FxRef Currency Converter

CVE-2025-6257

MEDIUM CVSS 6.4 2025-06-20
Threat Entry Updated 2025-08-11

CVE-2025-5071 - AI Engine Plugin

The AI Engine plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Meow_MWAI_Labs_MCP::can_access_mcp' function in versions 2.8.0 to 2.8.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the MCP and run various commands like 'wp_create_user', 'wp_update_user' and 'wp_update_option', which can be used for privilege escalation, and 'wp_update_post', 'wp_delete_post', 'wp_update_comment' and 'wp_delete_comment', which can be used to edit and delete posts and comments.

PLUGIN AI Engine

CVE-2025-5071

HIGH CVSS 8.8 2025-06-19
Threat Entry Updated 2025-07-16

CVE-2025-5234 - Gutenverse News Plugin

The Gutenverse News plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘elementId’ parameter in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Gutenverse News

CVE-2025-5234

MEDIUM CVSS 6.4 2025-06-19
Threat Entry Updated 2025-07-10

CVE-2025-4965 - WPBakery Page Builder Plugin

The WPBakery Page Builder for WordPress plugin is vulnerable to Stored Cross-Site Scripting via the plugin's Grid Builder feature in all versions up to, and including, 8.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN WPBakery Page Builder

CVE-2025-4965

MEDIUM CVSS 6.4 2025-06-19
Threat Entry Updated 2025-07-10

CVE-2025-4571 - GiveWP Plugin

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized view and modification of data due to an insufficient capability check on the permissionsCheck functions in all versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to view or delete fundraising campaigns, view donors' data, modify campaign events, etc.

PLUGIN GiveWP

CVE-2025-4571

MEDIUM CVSS 5.4 2025-06-19
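The AI Engine entry (can_access_mcp) and the GiveWP entry (permissionsCheck), like the two Missing Authorization entries further up, describe the same defect: an endpoint's permission check confirms that the caller is logged in, or checks nothing at all, instead of asking whether the caller holds the capability the action actually requires. The following is an added example, not code from those plugins; it assumes WordPress's REST API, and the demo/v1 route, the option name and the function names are hypothetical. The weak callback is shown beside one that ties the route to the capability WordPress itself demands for the same change.

```php
<?php
/**
 * Added example, not code from AI Engine, GiveWP or any other listed plugin.
 * Assumes WordPress is loaded; route namespace, option and function names
 * are hypothetical.
 */

// VULNERABLE permission callback: "is the caller logged in?" is an
// authentication check, not an authorization check. Every Subscriber passes,
// which is the "subscriber-level access and above" condition in the AI Engine
// entry. Returning true unconditionally is the same bug with less ceremony.
function demo_can_access_vuln( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// HARDENED: require the capability that governs the action the route performs.
// Writing options is manage_options; creating users would be create_users.
// A route that performs several actions needs the check per action, not one
// blanket test at the door.
function demo_can_update_option( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }
    return true;
}

function demo_update_option_handler( WP_REST_Request $request ) {
    // Allowlist the option names this endpoint may touch. An arbitrary
    // update_option primitive (the wp_update_option command in the AI Engine
    // entry) is what turns a data-modification bug into privilege escalation:
    // flipping default_role and users_can_register is enough.
    $allowed = array( 'demo_plugin_theme_color' );
    $name    = $request->get_param( 'name' );
    if ( ! in_array( $name, $allowed, true ) ) {
        return new WP_Error( 'rest_invalid_param', 'Option not allowed.', array( 'status' => 400 ) );
    }
    update_option( $name, sanitize_text_field( $request->get_param( 'value' ) ) );
    return rest_ensure_response( array( 'updated' => $name ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/option', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'demo_update_option_handler',
        // The fix is this one line: demo_can_update_option, not demo_can_access_vuln.
        'permission_callback' => 'demo_can_update_option',
        'args'                => array(
            'name'  => array( 'required' => true, 'type' => 'string' ),
            'value' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

For admin-ajax handlers the equivalent is current_user_can() plus check_ajax_referer() at the top of the callback; the REST layer already verifies the X-WP-Nonce for cookie-authenticated requests, which is why the permission_callback above checks only capability. When reviewing a plugin for this class, list every registered route and AJAX action and read its permission check against the side effects of its handler; a check that passes for any authenticated user is only correct when the handler does nothing a Subscriber should not be able to do.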
Threat Entry Updated 2025-07-16

CVE-2025-5490 - Football Pool Plugin

The Football Pool plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.12.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Football Pool

CVE-2025-5490

MEDIUM CVSS 5.5 2025-06-19
Threat Entry Updated 2025-06-23

CVE-2025-5524 - OceanWP Theme

The OceanWP theme for WordPress is vulnerable to Stored Cross-Site Scripting via the Select HTML tag in all versions up to, and including, 4.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME OceanWP

CVE-2025-5524

MEDIUM CVSS 4.9 2025-06-19
Threat Entry Updated 2025-07-10

CVE-2025-4479 - ElementsKit Elementor Addons Plugin

The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin image comparison widget's before/after labels in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN ElementsKit Elementor Addons

CVE-2025-4479

MEDIUM CVSS 6.4 2025-06-19
Threat Entry Updated 2025-07-09

CVE-2025-4367 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpdm_user_dashboard shortcode in all versions up to, and including, 3.3.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Download Manager

CVE-2025-4367

MEDIUM CVSS 6.4 2025-06-19
Threat Entry Updated 2025-06-23

CVE-2025-6201 - Pixel Manager for WooCommerce Plugin

The Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's conversion-pixel in all versions up to, and including, 1.49.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Pixel Manager for WooCommerce

CVE-2025-6201

MEDIUM CVSS 6.4 2025-06-19
Threat Entry Updated 2025-07-09

CVE-2025-6220 - Ultimate Addons For Contact Form 7 Plugin

The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_options' function in all versions up to, and including, 3.5.12. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Ultimate Addons For Contact Form 7

CVE-2025-6220

HIGH CVSS 7.2 2025-06-18
Threat Entry Updated 2025-06-18

CVE-2025-6086 - CSV Me Plugin

The CSV Me plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'csv_me_options_page' function in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN CSV Me

CVE-2025-6086

HIGH CVSS 7.2 2025-06-18
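The Beaver Builder, Ultra Addons for Contact Form 7 and CSV Me entries are the same bug in a settings handler: a file uploaded through an options page is written to disk without its type being checked, so an Administrator session becomes code execution on the web server. The snippet below is an added example, not code from those plugins; it assumes WordPress is loaded, and the form field (demo_import), the nonce action and the option name are hypothetical. The unsafe handler is shown beside one that gates on capability and nonce, allowlists types, and verifies that the extension agrees with the file's actual content before anything reaches disk.

```php
<?php
/**
 * Added example, not code from Beaver Builder, Ultra Addons for Contact Form 7,
 * CSV Me or any other listed plugin. Assumes WordPress is loaded; field,
 * nonce and option names are hypothetical.
 */

// VULNERABLE: the only gate is reaching the settings screen. The file keeps the
// name and extension it arrived with, so shell.php is written as shell.php
// under a web-served directory.
function demo_save_options_vuln() {
    if ( ! empty( $_FILES['demo_import']['tmp_name'] ) ) {
        $dest = WP_CONTENT_DIR . '/uploads/demo/' . $_FILES['demo_import']['name'];
        move_uploaded_file( $_FILES['demo_import']['tmp_name'], $dest );
    }
}

// HARDENED: capability + nonce, an allowlist of the types this feature needs,
// a content-vs-extension check, and WordPress choosing the final path.
function demo_save_options_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    check_admin_referer( 'demo_save_options' ); // nonce emitted by the form

    if ( empty( $_FILES['demo_import']['tmp_name'] ) ) {
        return;
    }

    // Only what the import needs: no php, no svg, no archives.
    $allowed_mimes = array( 'csv' => 'text/csv', 'json' => 'application/json' );

    // wp_check_filetype_and_ext() compares the declared extension against the
    // sniffed content and the allowlist; on mismatch both ext and type are false.
    // $_FILES[...]['type'] is client-controlled and is deliberately not consulted.
    $check = wp_check_filetype_and_ext(
        $_FILES['demo_import']['tmp_name'],
        $_FILES['demo_import']['name'],
        $allowed_mimes
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'Unsupported file type.', 400 );
    }

    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }

    // wp_handle_upload() sanitises the filename, de-duplicates it and writes
    // under the uploads directory; the caller never supplies a path. The
    // 'mimes' override makes it repeat the type check with the same allowlist.
    $result = wp_handle_upload(
        $_FILES['demo_import'],
        array( 'test_form' => false, 'mimes' => $allowed_mimes )
    );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), 400 );
    }
    update_option( 'demo_import_path', $result['file'] );
}
```

An Administrator-only upload flaw is easy to dismiss, since an administrator can usually install plugins anyway. It matters where that assumption is false: on multisite, where site administrators are not super admins and cannot install code, and on installs that set DISALLOW_FILE_MODS or DISALLOW_FILE_EDIT precisely to keep the admin role away from executing arbitrary PHP. In both cases a missing file-type check re-opens the door those controls closed.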