Threat Database
Threat Entry Updated 2025-05-21

CVE-2025-4221 - Animated Buttons Plugin

The Animated Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'auto-downloader' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Animated Buttons

CVE-2025-4221

MEDIUM CVSS 6.4 2025-05-21
Threat Entry Updated 2025-05-21

CVE-2025-4219 - DPEPress Plugin

The DPEPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dpe' shortcode in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN DPEPress

CVE-2025-4219

MEDIUM CVSS 6.4 2025-05-21
Threat Entry Updated 2025-05-21

CVE-2025-4217 - WP YouTube Video Optimizer Plugin

The WP YouTube Video Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ib_youtube' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN WP YouTube Video Optimizer

CVE-2025-4217

MEDIUM CVSS 6.4 2025-05-21
Threat Entry Updated 2025-05-21

CVE-2025-4105 - Splitit Installment Payments Plugin

The Splitit plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on several functions in the 'splitIt-flexfields-payment-gateway.php' file in all versions up to, and including, 4.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change plugin settings, including changing the environment from sandbox to production and vice versa.

PLUGIN Splitit Installment Payments

CVE-2025-4105

MEDIUM CVSS 5.4 2025-05-21
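Added example, not code from the Splitit plugin or any project on this page: what "missing capability checks" on a settings function looks like in a WordPress AJAX handler, beside the hardened form. The `wp_ajax_*` hooks fire for every authenticated user, so being logged in is the only gate unless the handler itself checks a capability; that is how a Subscriber reaches a function meant for administrators. The option name, nonce action and simulated request are assumptions; outside WordPress the WP helpers are replaced by stand-ins (marked as such) so the script runs offline with `php`.

```php
<?php
// Added example (not Splitit code): a settings-update handler with no capability
// check, beside a hardened version. Runs stand-alone with `php capcheck.php`.

// --- Stand-ins for the WordPress runtime (not WordPress code), used only outside WP ---
$simulated_role        = 'subscriber';   // role of the logged-in requester
$simulated_nonce_valid = false;          // whether the request carried a valid nonce
$options = ['plugin_environment' => 'sandbox'];

if (!function_exists('current_user_can')) {
    function current_user_can(string $cap): bool {
        global $simulated_role;
        // Stand-in: only administrators hold manage_options.
        return $cap === 'manage_options' && $simulated_role === 'administrator';
    }
}
if (!function_exists('check_ajax_referer')) {
    // Stand-in for check_ajax_referer($action, $query_arg, $stop = false): returns false instead of dying.
    function check_ajax_referer(string $action, string $field, bool $stop = true) {
        global $simulated_nonce_valid;
        return $simulated_nonce_valid;
    }
}
if (!function_exists('update_option')) {
    function update_option(string $name, $value): bool { global $options; $options[$name] = $value; return true; }
}
if (!function_exists('get_option')) {
    function get_option(string $name) { global $options; return $options[$name] ?? null; }
}

// Vulnerable: hooked on wp_ajax_*, so any logged-in user reaches it. Nothing checks
// who is asking, so a Subscriber can flip the gateway from sandbox to production.
function vulnerable_save_settings(array $post): string {
    update_option('plugin_environment', $post['environment']);
    return 'saved';
}

// Hardened: verify the nonce (request forgery), require the capability (authorization),
// then validate the value (input). All three are needed; a nonce alone proves intent,
// not privilege.
function hardened_save_settings(array $post): string {
    if (!check_ajax_referer('plugin_settings_save', 'nonce', false)) {
        return 'error 403: bad nonce';
    }
    if (!current_user_can('manage_options')) {
        return 'error 403: insufficient capability';
    }
    $env = $post['environment'] ?? '';
    if (!in_array($env, ['sandbox', 'production'], true)) {
        return 'error 400: invalid environment';
    }
    update_option('plugin_environment', $env);
    return 'saved';
}

// Constructed request: a Subscriber posting environment=production with a valid nonce.
$simulated_nonce_valid = true;
$post = ['environment' => 'production'];

echo 'vulnerable: ', vulnerable_save_settings($post), ' -> ', get_option('plugin_environment'), "\n";
$options['plugin_environment'] = 'sandbox';
echo 'hardened:   ', hardened_save_settings($post), ' -> ', get_option('plugin_environment'), "\n";
```

Inside WordPress the hardened function would be registered with `add_action('wp_ajax_plugin_settings_save', 'hardened_save_settings')` and the page that submits it would emit the nonce with `wp_nonce_field('plugin_settings_save', 'nonce')`. The capability to require is the one that already protects the settings page (`manage_options` for most plugins, or a WooCommerce-specific one for payment gateways); reusing it keeps the AJAX path and the admin page consistent.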
Threat Entry Updated 2025-05-21

CVE-2025-3781 - Raisely Donation Form Plugin

The Raisely Donation Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's raisely_donation_form shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Raisely Donation Form

CVE-2025-3781

MEDIUM CVSS 6.4 2025-05-21
Threat Entry Updated 2025-05-21

CVE-2025-3750 - Network Posts Extended Plugin

The Network Posts Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘post_height’ parameter in all versions up to, and including, 7.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Network Posts Extended

CVE-2025-3750

MEDIUM CVSS 6.4 2025-05-21
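Added example, not code from any of the plugins listed above: the shortcode pattern that the stored XSS entries on this page share (Animated Buttons, DPEPress, WP YouTube Video Optimizer, Raisely Donation Form, Network Posts Extended), beside a hardened callback. Shortcode attributes are authored by anyone who can publish or submit posts, Contributors included, so they are attacker input and must be validated or escaped for the HTML context they land in. The shortcode name, attribute names and payloads are constructed; outside WordPress the escaping helpers are replaced by approximate stand-ins (marked as such) so the script runs offline with `php`.

```php
<?php
// Added example (not code from any plugin on this page): a shortcode callback that
// echoes user-supplied attributes unescaped, beside a hardened version.
// Runs stand-alone with `php shortcode_xss.php`.

// --- Approximate stand-ins for WordPress helpers, used only outside WP ---
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Stand-in: the real esc_url() also accepts relative URLs and a longer protocol list;
    // this shim keeps only absolute http(s) URLs and returns '' for anything else.
    function esc_url(string $url): string {
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        return in_array($scheme, ['http', 'https'], true) ? esc_attr($url) : '';
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, array $atts): array {
        return array_merge($defaults, array_intersect_key($atts, $defaults));
    }
}

// Vulnerable: attribute values flow straight into an attribute, a URL and text content.
function vulnerable_button_shortcode(array $atts): string {
    $a = shortcode_atts(['url' => '#', 'label' => 'Download', 'color' => 'blue'], $atts);
    return '<a class="btn ' . $a['color'] . '" href="' . $a['url'] . '">' . $a['label'] . '</a>';
}

// Hardened: validate what has a closed set of values (color), and escape the rest for
// its exact context: esc_attr() inside an attribute, esc_url() for href, esc_html() for text.
function hardened_button_shortcode(array $atts): string {
    $a = shortcode_atts(['url' => '#', 'label' => 'Download', 'color' => 'blue'], $atts);
    $allowed_colors = ['blue', 'red', 'green'];
    $color = in_array($a['color'], $allowed_colors, true) ? $a['color'] : 'blue';
    return sprintf(
        '<a class="btn %s" href="%s">%s</a>',
        esc_attr($color),
        esc_url($a['url']),
        esc_html($a['label'])
    );
}

// Constructed attacker input: one payload per context a Contributor could target.
$atts = [
    'color' => '" onmouseover="alert(1)',          // breaks out of the class attribute
    'url'   => 'javascript:alert(document.cookie)', // script-scheme URL in href
    'label' => '<img src=x onerror=alert(1)>',      // markup in text content
];

echo "Vulnerable:\n", vulnerable_button_shortcode($atts), "\n\n";
echo "Hardened:\n",   hardened_button_shortcode($atts), "\n";
```

The vulnerable output carries a live `onmouseover` handler, a `javascript:` link and an `onerror` image; the hardened output falls back to the default color, drops the non-http URL and renders the label as literal text. Escaping belongs at output time and must match the context: `esc_attr()` does not make a URL safe for `href`, and `esc_html()` does not make a value safe inside an unquoted attribute, which is why the attribute is quoted in the template.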
Threat Entry Updated 2025-05-21

CVE-2024-12561 - Affiliate Sales In Google Analytics And Other Tools Plugin

The Affiliate Sales in Google Analytics and other tools plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.4.9. This is due to insufficient validation on the redirect url supplied via the 'afflink' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

PLUGIN Affiliate Sales In Google Analytics And Other Tools

CVE-2024-12561

MEDIUM CVSS 6.1 2025-05-21
Threat Entry Updated 2025-05-21

CVE-2025-4524 - Madara Theme

The Madara (Responsive and modern WordPress theme for manga sites) theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.2 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

THEME Madara

CVE-2025-4524

CRITICAL CVSS 9.8 2025-05-21
Threat Entry Updated 2025-05-21

CVE-2024-5878 - NextGEN Gallery Plugin

NextGEN Gallery, like multiple other plugins for WordPress, is vulnerable to Stored Cross-Site Scripting via the bundled SimpleLightbox JavaScript library (version 2.1.5) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN NextGEN Gallery

CVE-2024-5878

MEDIUM CVSS 6.4 2025-05-20
Threat Entry Updated 2025-05-21

CVE-2025-4322 - Motors Theme

The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.

THEME Motors

CVE-2025-4322

CRITICAL CVSS 9.8 2025-05-20
Threat Entry Updated 2025-06-12
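Added example, not code from the Motors theme: a password-update handler that lets the request name the account to change, beside one that ties the change to a proven identity, either a single-use reset token issued for that exact login or the current session plus the current password. The user table, token store and payloads are constructed stand-ins; in WordPress the equivalents are `get_password_reset_key()` and `check_password_reset_key()` for the reset path, and the logged-in user's own ID (never a request parameter) for the self-service path. Runs offline with `php` (PHP 8).

```php
<?php
// Added example (not Motors theme code): account takeover via unauthenticated password
// change, beside a handler that proves identity first. Runs stand-alone with `php reset.php`.

// --- Constructed stand-in for the user store (not WordPress code) ---
$users = [
    1 => ['login' => 'admin',  'hash' => password_hash('Adm1n-old', PASSWORD_DEFAULT),  'reset' => null],
    7 => ['login' => 'dealer', 'hash' => password_hash('dealer-old', PASSWORD_DEFAULT), 'reset' => null],
];
$current_user_id = 7;          // the authenticated requester (a low-privilege user)

// Vulnerable: the request names the account, and nothing proves the requester owns it
// (no reset key, no current password, no session binding). In WordPress terms this is
// wp_set_password() / wp_update_user() driven by an attacker-chosen user_id.
function vulnerable_update_password(array $post): string {
    global $users;
    $uid = (int) $post['user_id'];
    if (!isset($users[$uid])) {
        return 'no such user';
    }
    $users[$uid]['hash'] = password_hash($post['new_password'], PASSWORD_DEFAULT);
    return "password of {$users[$uid]['login']} changed";
}

// Issue a single-use, expiring reset token bound to one account (what the reset e-mail
// carries). Only its hash is stored, so a database read does not yield usable tokens.
function issue_reset_token(int $uid): string {
    global $users;
    $token = bin2hex(random_bytes(20));
    $users[$uid]['reset'] = ['hash' => password_hash($token, PASSWORD_DEFAULT), 'expires' => time() + 3600];
    return $token;
}

// Hardened: two legitimate paths, each proving identity before the write.
//  (a) reset flow: the caller presents the token issued for that exact login;
//  (b) logged-in change: only the session's own account, and only with the current password.
function hardened_update_password(array $post): string {
    global $users, $current_user_id;

    if (isset($post['login'], $post['reset_token'])) {                       // path (a)
        foreach ($users as $uid => $u) {
            if ($u['login'] !== $post['login']) {
                continue;
            }
            $r = $u['reset'];
            if ($r === null || $r['expires'] < time() || !password_verify($post['reset_token'], $r['hash'])) {
                return 'error 403: invalid or expired reset token';
            }
            $users[$uid]['hash']  = password_hash($post['new_password'], PASSWORD_DEFAULT);
            $users[$uid]['reset'] = null;                                     // single use
            return "password of {$u['login']} changed via reset token";
        }
        return 'error 403: invalid or expired reset token';                    // same message: no enumeration
    }

    if (isset($post['current_password'])) {                                   // path (b)
        $uid = $current_user_id;                                               // never from the request
        if (!password_verify($post['current_password'], $users[$uid]['hash'])) {
            return 'error 403: current password incorrect';
        }
        $users[$uid]['hash'] = password_hash($post['new_password'], PASSWORD_DEFAULT);
        return "password of {$users[$uid]['login']} changed by its owner";
    }
    return 'error 400: no proof of identity supplied';
}

// Constructed attack: the dealer (uid 7) posts user_id=1 to take over the admin account.
$attack = ['user_id' => 1, 'new_password' => 'Pwn3d!'];
echo 'vulnerable: ', vulnerable_update_password($attack), "\n";
echo 'hardened:   ', hardened_update_password($attack), "\n";

// Legitimate reset for admin, then a replay of the now-consumed token.
$token = issue_reset_token(1);
$reset = ['login' => 'admin', 'reset_token' => $token, 'new_password' => 'N3w-Adm1n'];
echo 'hardened:   ', hardened_update_password($reset), "\n";
echo 'hardened:   ', hardened_update_password($reset), "\n";
```

The vulnerable handler changes the administrator's password on the first call; the hardened one rejects the same request with a 400, accepts the genuine reset once, and rejects the replay. Two details matter beyond the identity check: the token is compared with `password_verify()` against a stored hash so the database never holds a reusable secret, and the failure message is the same whether the login exists or not.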

CVE-2025-2929 - Order Delivery Date Plugin

The Order Delivery Date WordPress plugin before 12.4.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as administrators.

PLUGIN Order Delivery Date

CVE-2025-2929

HIGH CVSS 7.1 2025-05-20
Threat Entry Updated 2025-05-21

CVE-2025-39372 - WordPress Events Calendar Registration & Tickets Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in elbisnero WordPress Events Calendar Registration & Tickets allows Reflected XSS. This issue affects WordPress Events Calendar Registration & Tickets: from n/a through 2.6.0.

PLUGIN WordPress Events Calendar Registration & Tickets

CVE-2025-39372

HIGH CVSS 7.1 2025-05-19
Threat Entry Updated 2026-01-22

CVE-2025-39352 - Grand Restaurant Plugin

Missing Authorization vulnerability in ThemeGoods Grand Restaurant WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Grand Restaurant WordPress: from n/a through 7.0.

PLUGIN Grand Restaurant

CVE-2025-39352

HIGH CVSS 8.2 2025-05-19
Threat Entry Updated 2025-05-29

CVE-2025-39348 - Grand Restaurant Plugin

Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant WordPress allows Object Injection. This issue affects Grand Restaurant WordPress: from n/a through 7.0.

PLUGIN Grand Restaurant

CVE-2025-39348

CRITICAL CVSS 9.8 2025-05-19
Threat Entry Updated 2025-06-09

CVE-2025-32926 - Grand Restaurant Plugin

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ThemeGoods Grand Restaurant WordPress allows Path Traversal. This issue affects Grand Restaurant WordPress: from n/a through 7.0.

PLUGIN Grand Restaurant

CVE-2025-32926

CRITICAL CVSS 9.8 2025-05-19
Threat Entry Updated 2025-05-21

CVE-2025-47581 - WordPress Events Calendar Registration & Tickets Plugin

Deserialization of Untrusted Data vulnerability in Elbisnero WordPress Events Calendar Registration & Tickets allows Object Injection. This issue affects WordPress Events Calendar Registration & Tickets: from n/a through 2.6.0.

PLUGIN WordPress Events Calendar Registration & Tickets

CVE-2025-47581

CRITICAL CVSS 9.8 2025-05-19
Threat Entry Updated 2025-05-21

CVE-2025-39411 - WhatsApp Click to Chat Plugin

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Indie_Plugins WhatsApp Click to Chat Plugin for WordPress. This issue affects WhatsApp Click to Chat Plugin for WordPress: from n/a through 2.2.12.

PLUGIN WhatsApp Click to Chat

CVE-2025-39411

HIGH CVSS 7.5 2025-05-19
Threat Entry Updated 2025-05-21
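Added example, not code from the Madara theme, Grand Restaurant or WhatsApp Click to Chat: the include-by-parameter pattern behind the Local File Inclusion (CVE-2025-4524, `template` parameter), Path Traversal (CVE-2025-32926) and PHP Remote File Inclusion (CVE-2025-39411) entries on this page, beside two hardened variants. The same `include $dir . '/' . $param . '.php'` reaches other local files through `../`, and fetches a URL when `allow_url_include` is on. Fix one is an allowlist of template names; fix two, for cases where names cannot be enumerated, canonicalises with `realpath()` and confines the result to the base directory. The template files and the traversal payload are constructed in a temporary directory so the script runs offline with `php` (PHP 8).

```php
<?php
// Added example (not code from any project on this page): include() driven by a request
// parameter, beside an allowlist and a realpath() confinement. Runs stand-alone with
// `php include.php`; it creates and removes its own constructed files.

$template_dir = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
mkdir($template_dir, 0700);
file_put_contents("$template_dir/grid.php", "<?php echo 'grid template';\n");
file_put_contents("$template_dir/list.php", "<?php echo 'list template';\n");
// A file outside the template directory that must never be includable.
$secret_path = sys_get_temp_dir() . '/secret_' . getmypid() . '.php';
file_put_contents($secret_path, "<?php echo 'SECRET INCLUDED';\n");

// Vulnerable: ?template=... is concatenated into include(). "../secret_1234" walks out
// of the template directory; with allow_url_include=On, "http://attacker/x" would be fetched.
function vulnerable_render(string $template, string $dir): string {
    ob_start();
    include $dir . '/' . $template . '.php';
    return ob_get_clean();
}

// Hardened (1): allowlist. The parameter selects one of a fixed set of names; anything
// else gets the default. Nothing from the request ever touches the filesystem path.
function allowlist_render(string $template, string $dir): string {
    $allowed = ['grid', 'list'];
    if (!in_array($template, $allowed, true)) {
        $template = 'grid';
    }
    ob_start();
    include $dir . '/' . $template . '.php';
    return ob_get_clean();
}

// Hardened (2): canonicalise and confine. realpath() resolves "..", symlinks and repeated
// separators on the real filesystem, so the comparison is against where the file actually is.
function confined_path(string $untrusted, string $base_dir): ?string {
    $base      = realpath($base_dir);
    $candidate = realpath($base_dir . '/' . basename($untrusted) . '.php');
    if ($base === false || $candidate === false) {
        return null;                      // base missing, or target does not exist
    }
    // Compare with a trailing separator so "/tpl" does not match "/tpl_evil/x.php".
    return str_starts_with($candidate, $base . DIRECTORY_SEPARATOR) ? $candidate : null;
}

$attack = '../secret_' . getmypid();      // constructed traversal payload

echo 'vulnerable: ', vulnerable_render($attack, $template_dir), "\n";
echo 'allowlist:  ', allowlist_render($attack, $template_dir), "\n";
echo 'confined:   ', var_export(confined_path($attack, $template_dir), true), "\n";
echo 'confined:   ', var_export(confined_path('list', $template_dir), true), "\n";

// Remove the constructed files.
array_map('unlink', glob("$template_dir/*.php"));
rmdir($template_dir);
unlink($secret_path);
```

The vulnerable call prints `SECRET INCLUDED`, the allowlist version prints the default template, and the confined lookup returns `NULL` for the traversal payload and the resolved path for `list`. Prefer the allowlist whenever the set of templates is known, which for a theme or plugin it almost always is; the `realpath()` check is the fallback for genuinely dynamic file names, and it is only sound when applied to the canonical path, never to the raw string.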

CVE-2025-39409 - WordPress Video Robot Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pressaholic WordPress Video Robot - The Ultimate Video Importer. This issue affects WordPress Video Robot - The Ultimate Video Importer: from n/a through 1.20.0.

PLUGIN WordPress Video Robot - The Ultimate Video Importer

CVE-2025-39409

HIGH CVSS 7.1 2025-05-19
Threat Entry Updated 2025-05-21

CVE-2025-47582 - WPBot Pro Wordpress Chatbot Plugin

Deserialization of Untrusted Data vulnerability in QuantumCloud WPBot Pro Wordpress Chatbot allows Object Injection. This issue affects WPBot Pro Wordpress Chatbot: from n/a through 12.7.0.

PLUGIN WPBot Pro Wordpress Chatbot

CVE-2025-47582

CRITICAL CVSS 9.8 2025-05-19