Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036
Critical: 923
High: 3,047
Medium: 10,866

Showing 4761-4780 of 15036 records

CVE-2025-4389 - Crawlomatic Multipage Scraper Post Generator Plugin

The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the crawlomatic_generate_featured_image() function in all versions up to, and including, 2.6.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible.

PLUGIN: Crawlomatic Multipage Scraper Post Generator | CRITICAL, CVSS 9.8 | 2025-05-17 | Threat entry updated 2025-05-19

CVE-2025-3812 - Wpbot Pro Wordpress Chatbot Plugin

The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the qcld_openai_delete_training_file() function in all versions up to, and including, 13.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN: Wpbot Pro Wordpress Chatbot | HIGH, CVSS 8.1 | 2025-05-17 | Threat entry updated 2025-05-19

CVE-2025-4190 - Csv Mass Importer Plugin

The CSV Mass Importer WordPress plugin through 1.2 does not properly validate uploaded files, allowing high-privilege users such as admins to upload arbitrary files on the server even when they should not be allowed to (for example, in a multisite setup).

PLUGIN: Csv Mass Importer | HIGH, CVSS 7.2 | 2025-05-17 | Threat entry updated 2025-06-12

CVE-2025-4194 - Alt Monitoring Plugin

The AlT Monitoring plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the 'ALT_Monitoring_edit' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN: Alt Monitoring | MEDIUM, CVSS 6.1 | 2025-05-17 | Threat entry updated 2025-05-19

CVE-2025-4189 - Audio Comments Plugin

The Audio Comments Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the 'audio-comments/audior-settings.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN: Audio Comments | MEDIUM, CVSS 6.1 | 2025-05-17 | Threat entry updated 2025-05-19

CVE-2025-47556 - WordPress Core

Missing Authorization vulnerability in QuanticaLabs CSS3 Compare Pricing Tables for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CSS3 Compare Pricing Tables for WordPress: from n/a through 11.5.

CORE: WordPress Core | MEDIUM, CVSS 5.4 | 2025-05-16 | Threat entry updated 2025-05-19

CVE-2025-47534 - WordPress Core

Missing Authorization vulnerability in ValvePress Wordpress Auto Spinner allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wordpress Auto Spinner: from n/a through 3.25.0.

CORE: WordPress Core | MEDIUM, CVSS 4.3 | 2025-05-16 | Threat entry updated 2025-05-19

CVE-2025-32306 - Allows Blind Sql Injection Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Radio Player Shoutcast & Icecast WordPress Plugin allows Blind SQL Injection. This issue affects Radio Player Shoutcast & Icecast WordPress Plugin: from n/a through 4.4.6.

PLUGIN: Allows Blind Sql Injection | HIGH, CVSS 8.5 | 2025-05-16 | Threat entry updated 2025-05-19

CVE-2025-32295 - Salon Booking Pro Plugin

Missing Authorization vulnerability in wordpresschef Salon Booking Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Salon Booking Pro: from n/a through 10.10.2.

PLUGIN: Salon Booking Pro | MEDIUM, CVSS 4.3 | 2025-05-16 | Threat entry updated 2025-05-19

CVE-2025-31922 - WordPress Core

Cross-Site Request Forgery (CSRF) vulnerability in QuanticaLabs CSS3 Accordions for WordPress allows Stored XSS. This issue affects CSS3 Accordions for WordPress: from n/a through 3.0.

CORE: WordPress Core | HIGH, CVSS 7.1 | 2025-05-16 | Threat entry updated 2025-05-19

CVE-2025-31923 - WordPress Core

Missing Authorization vulnerability in QuanticaLabs CSS3 Accordions for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CSS3 Accordions for WordPress: from n/a through 3.0.

CORE: WordPress Core | MEDIUM, CVSS 5.4 | 2025-05-16 | Threat entry updated 2025-05-19

CVE-2025-32180 - WordPress Core

Missing Authorization vulnerability in QuanticaLabs CSS3 Tooltips for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CSS3 Tooltips for WordPress: from n/a through 1.8.

CORE: WordPress Core | MEDIUM, CVSS 4.3 | 2025-05-16 | Threat entry updated 2025-05-19

CVE-2025-31640 - WordPress Core

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Magic Responsive Slider and Carousel WordPress allows SQL Injection. This issue affects Magic Responsive Slider and Carousel WordPress: from n/a through 1.4.

CORE: WordPress Core | HIGH, CVSS 8.5 | 2025-05-16 | Threat entry updated 2025-05-19

CVE-2025-31915 - WordPress Core

Cross-Site Request Forgery (CSRF) vulnerability in kamleshyadav Pixel WordPress Form BuilderPlugin & Autoresponder allows Cross Site Request Forgery. This issue affects Pixel WordPress Form BuilderPlugin & Autoresponder: from n/a through 1.0.2.

CORE: WordPress Core | MEDIUM, CVSS 5.4 | 2025-05-16 | Threat entry updated 2025-05-19

CVE-2025-3516 - Simple Lightbox Plugin

The Simple Lightbox WordPress plugin before 2.9.4 does not validate and escape some of its attributes before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN: Simple Lightbox | MEDIUM, CVSS 5.9 | 2025-05-16 | Threat entry updated 2025-05-22

CVE-2025-3201 - Drop For Wordpress Plugin

The Contact Form builder with drag & drop for WordPress WordPress plugin before 2.4.3 does not sanitise and escape some of its settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks.

PLUGIN: Drop For Wordpress | MEDIUM, CVSS 5.9 | 2025-05-16 | Threat entry updated 2025-05-27

CVE-2025-4169 - Unmaintained Plugin

The Posts per Cat [Unmaintained] plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ppc' shortcode in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN: Unmaintained | MEDIUM, CVSS 6.4 | 2025-05-16 | Threat entry updated 2025-05-16

CVE-2025-2248 - Wp Pmanager Plugin

The WP-PManager WordPress plugin through 1.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.

PLUGIN: Wp Pmanager | MEDIUM, CVSS 5.4 | 2025-05-15 | Threat entry updated 2025-06-04

CVE-2025-2203 - Before 3 Plugin

The FunnelKit WordPress plugin before 3.10.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.

PLUGIN: Before 3 | MEDIUM, CVSS 6.1 | 2025-05-15 | Threat entry updated 2025-06-12

CVE-2025-2247 - Wp Pmanager Plugin

The WP-PManager WordPress plugin through 1.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

PLUGIN: Wp Pmanager | MEDIUM, CVSS 5.4 | 2025-05-15 | Threat entry updated 2025-06-04
