Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-07-01
CVE-2024-13914 - File Manager Advanced Shortcode Plugin
The File Manager Advanced Shortcode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.4 (file-manager-advanced-shortcode) and 2.5.6 (advanced-file-manager-pro-premium), via the 'file_manager_advanced' shortcode. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary JavaScript files on the server. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. Sites currently using 2.5.4 (file-manager-advanced-shortcode) should be updated to…
PLUGIN
File Manager Advanced Shortcode
CVE-2024-13914
Risk Score
Threat Entry
Updated 2025-05-16
CVE-2025-3053 - Admin Themes And Pages Plugin
The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.5.07 via the uip_process_form_input() function. This is due to the function taking user supplied inputs to execute arbitrary functions with arbitrary data, and does not have any sort of capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary code on the server.
PLUGIN
Admin Themes And Pages
CVE-2025-3053
Risk Score
Threat Entry
Updated 2025-05-16
CVE-2025-4591 - Weluka Lite Plugin
The Weluka Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'weluka-map' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Weluka Lite
CVE-2025-4591
Risk Score
Threat Entry
Updated 2025-05-16
CVE-2025-4589 - Bon Toolkit Plugin
The Bon Toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bt-map' shortcode in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Bon Toolkit
CVE-2025-4589
Risk Score
Threat Entry
Updated 2025-05-16
CVE-2025-4126 - Eg Series Plugin
The EG-Series plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [series] shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes in the shortcode_title function. This makes it possible for authenticated attackers - with contributor-level access and above, on sites with the Classic Editor plugin activated - to inject arbitrary JavaScript code in the titletag attribute that will execute whenever a user access an injected page.
PLUGIN
Eg Series
CVE-2025-4126
Risk Score
Threat Entry
Updated 2025-05-16
CVE-2025-3917 - Baiduseo Plugin
The 百度站长SEO合集(支持百度/神马/Bing/头条推送) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download_remote_image_to_media_library function in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Baiduseo
CVE-2025-3917
Risk Score
Threat Entry
Updated 2025-05-16
CVE-2025-4579 - Wp Content Security Policy Plugin
The WP Content Security Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the blocked-uri and effective-directive parameters in all versions up to, and including, 2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Content Security Policy
CVE-2025-4579
Risk Score
Threat Entry
Updated 2025-05-16
CVE-2025-3769 - Calendar Booking Plugin For Appointments And Events
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.92 via the 'view_booking_summary_in_lightbox' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to retrieve appointment details such as customer names and email addresses.
PLUGIN
Calendar Booking Plugin For Appointments And Events
CVE-2025-3769
Risk Score
Threat Entry
Updated 2025-05-16
CVE-2024-8988 - File Uploads Plugin
The PeepSo Core: File Uploads plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.6.0 via the file_download REST API endpoint due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to download files uploaded by others users and expose potentially sensitive information.
PLUGIN
File Uploads
CVE-2024-8988
Risk Score
Threat Entry
Updated 2025-05-16
CVE-2024-13940 - Ninja Forms Webhooks Plugin
The Ninja Forms Webhooks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.0.7 via the form webhook functionality. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Ninja Forms Webhooks
CVE-2024-13940
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-3623 - Uncanny Automator Plugin
The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This makes it possible for unauthenticated to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files.
PLUGIN
Uncanny Automator
CVE-2025-3623
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-4520 - Uncanny Automator Plugin
The Uncanny Automator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions in versions up to, and including, 6.4.0.2. This makes it possible for authenticated attackers, with subscriber-level permissions or above to update plugin settings.
PLUGIN
Uncanny Automator
CVE-2025-4520
Risk Score
Threat Entry
Updated 2025-05-13
CVE-2025-4474 - Frontend Dashboard Plugin
The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the fed_admin_setting_form_function() function in versions 1.0 to 2.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the plugin’s 'register' role setting to make new user registrations default to the administrator role, leading to an elevation of privileges to that of an administrator.
PLUGIN
Frontend Dashboard
CVE-2025-4474
Risk Score
Threat Entry
Updated 2025-05-13
CVE-2025-4473 - Frontend Dashboard Plugin
The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ajax_request() function in versions 1.0 to 2.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to control where the plugin sends outgoing emails. By pointing SMTP to their own server, attackers could capture password reset emails intended for administrators, and elevate their privileges for full site takeover.
PLUGIN
Frontend Dashboard
CVE-2025-4473
Risk Score
Threat Entry
Updated 2025-05-13
CVE-2025-4317 - Thegem Theme
The TheGem theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the thegem_get_logo_url() function in all versions up to, and including, 5.10.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
THEME
Thegem
CVE-2025-4317
Risk Score
Threat Entry
Updated 2025-05-13
CVE-2025-4339 - Thegem Theme
The TheGem theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxApi() function in all versions up to, and including, 5.10.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary theme options.
THEME
Thegem
CVE-2025-4339
Risk Score
Threat Entry
Updated 2025-05-13
CVE-2025-3107 - Newsletters Lite Plugin
The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby' parameter in all versions up to, and including, 4.9.9.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Newsletters Lite
CVE-2025-3107
Risk Score
Threat Entry
Updated 2025-05-13
CVE-2025-4396 - A Better Search Plugin
The Relevanssi – A Better Search plugin for WordPress is vulnerable to time-based SQL Injection via the cats and tags query parameters in all versions up to, and including, 4.24.4 (Free) and
PLUGIN
A Better Search
CVE-2025-4396
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2025-3649 - Lightpress Lightbox Plugin
The LightPress Lightbox WordPress plugin before 2.3.4 does not check download links point to valid, non-Javascript URLs, allowing users with at least the contributor role to conduct Stored XSS attacks.
PLUGIN
Lightpress Lightbox
CVE-2025-3649
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2025-3597 - Firelight Lightbox Plugin
The Firelight Lightbox WordPress plugin before 2.3.15 does not prevent users with post writing capabilities from executing arbitrary Javascript when the jQuery Metadata library is enabled. While this feature is meant to only be available to Pro version users, it can be activated in the free version too, making it theoretically exploitable there as well.
PLUGIN
Firelight Lightbox
CVE-2025-3597
Risk Score