Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

CVE-2025-5055 - Smart Forms Plugin

The Smart Forms – when you need more than just a contact form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.6.98 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Smart Forms | MEDIUM, CVSS 4.4 | 2025-05-24 | Threat entry updated 2025-05-28

CVE-2024-13427 - Drag And Drop Website Builder Plugin

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button widget in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in version 1.9.9 and completely fixed in version 2.0.1.

PLUGIN Drag And Drop Website Builder | MEDIUM, CVSS 6.4 | 2025-05-24 | Threat entry updated 2025-05-28

CVE-2025-3869 - 4stats Plugin

The 4stats plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the stats/stats.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN 4stats | MEDIUM, CVSS 6.1 | 2025-05-24 | Threat entry updated 2025-05-28

CVE-2025-47658 - Wsdesk Plugin

Unrestricted Upload of File with Dangerous Type vulnerability in ELEXtensions ELEX WordPress HelpDesk & Customer Ticketing System allows uploading a web shell to the web server. This issue affects ELEX WordPress HelpDesk & Customer Ticketing System: from n/a through 3.2.7.

PLUGIN Wsdesk | CRITICAL, CVSS 9.9 | 2025-05-23 | Threat entry updated 2025-12-05

CVE-2025-47670 - WordPress Core

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in miniOrange WordPress Social Login and Register allows PHP Local File Inclusion. This issue affects WordPress Social Login and Register: from n/a through 7.6.10.

CORE WordPress Core | HIGH, CVSS 8.1 | 2025-05-23 | Threat entry updated 2025-05-23

CVE-2025-39485 - Grand Tour Plugin

Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Tour | Travel Agency WordPress allows Object Injection. This issue affects Grand Tour | Travel Agency WordPress: from n/a through 5.5.1.

PLUGIN Grand Tour | CRITICAL, CVSS 9.8 | 2025-05-23 | Threat entry updated 2026-01-28

CVE-2025-32292 - WordPress Core

Deserialization of Untrusted Data vulnerability in AncoraThemes Jarvis – Night Club, Concert, Festival WordPress allows Object Injection. This issue affects Jarvis – Night Club, Concert, Festival WordPress: from n/a through 1.8.11.

CORE WordPress Core | CRITICAL, CVSS 9.8 | 2025-05-23 | Threat entry updated 2025-05-23

CVE-2025-31914 - WordPress Core

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav Pixel WordPress Form Builder Plugin & Autoresponder allows Blind SQL Injection. This issue affects Pixel WordPress Form Builder Plugin & Autoresponder: from n/a through 1.0.2.

CORE WordPress Core | CRITICAL, CVSS 9.3 | 2025-05-23 | Threat entry updated 2025-05-23

CVE-2025-31912 - Allows Php Local File Inclusion Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Enzio - Responsive Business WordPress Theme allows PHP Local File Inclusion. This issue affects Enzio - Responsive Business WordPress Theme: from n/a through 1.1.8.

THEME Allows Php Local File Inclusion | HIGH, CVSS 8.1 | 2025-05-23 | Threat entry updated 2025-05-23

CVE-2025-31633 - Allows Php Local File Inclusion Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Kiamo - Responsive Business Service WordPress Theme allows PHP Local File Inclusion. This issue affects Kiamo - Responsive Business Service WordPress Theme: from n/a through 1.3.3.

THEME Allows Php Local File Inclusion | HIGH, CVSS 8.1 | 2025-05-23 | Threat entry updated 2025-05-23

CVE-2025-1123 - Smtp Email And Logging Made By Solidwp Plugin

The Solid Mail – SMTP email and logging made by SolidWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email Name, Subject, and Body in all versions up to, and including, 2.1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Smtp Email And Logging Made By Solidwp | HIGH, CVSS 7.2 | 2025-05-23 | Threat entry updated 2025-05-23

CVE-2025-5096 - Tablepress Plugin

The TablePress plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the 'data-caption', 'data-s-content-padding', 'data-s-title', and 'data-footer' data-attributes in all versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Tablepress | MEDIUM, CVSS 6.4 | 2025-05-23 | Threat entry updated 2025-07-11

CVE-2025-4594 - Tournamatch Plugin

The Tournamatch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trn-ladder-registration-button' shortcode in all versions up to, and including, 4.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Tournamatch | MEDIUM, CVSS 6.4 | 2025-05-23 | Threat entry updated 2025-07-11

CVE-2025-4405 - Hot Random Image Plugin

The Hot Random Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter in all versions up to, and including, 1.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Hot Random Image | MEDIUM, CVSS 4.9 | 2025-05-22 | Threat entry updated 2025-07-17

CVE-2025-4419 - Hot Random Image Plugin

The Hot Random Image plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.9.2 via the 'path' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to access arbitrary images with allowed extensions, outside of the originally intended directory.

PLUGIN Hot Random Image | MEDIUM, CVSS 4.3 | 2025-05-22 | Threat entry updated 2025-07-17

CVE-2024-9544 - Mapsvg Plugin

The MapSVG plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 8.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Mapsvg | MEDIUM, CVSS 6.4 | 2025-05-22 | Threat entry updated 2025-05-23

CVE-2025-4133 - Before 8 Plugin

The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 8.4.0 does not escape the title of posts when outputting them in a dashboard, which could allow users with the contributor role to perform Cross-Site Scripting attacks.

PLUGIN Before 8 | MEDIUM, CVSS 5.4 | 2025-05-22 | Threat entry updated 2025-06-09

CVE-2025-5062 - Woocommerce Plugin

The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Woocommerce | MEDIUM, CVSS 6.1 | 2025-05-22 | Threat entry updated 2025-09-30

CVE-2025-4803 - Best Glossary Plugin

The Glossary by WPPedia – Best Glossary plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.0 via deserialization of untrusted input from the 'posttypes' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present…

PLUGIN Best Glossary | HIGH, CVSS 7.2 | 2025-05-21 | Threat entry updated 2025-05-21

CVE-2025-4611 - Automated Wordpress Seo Plugin

The Slim SEO – Fast & Automated WordPress SEO Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's slim_seo_breadcrumbs shortcode in all versions up to, and including, 4.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Automated Wordpress Seo | MEDIUM, CVSS 6.4 | 2025-05-21 | Threat entry updated 2025-05-21