
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036
Critical: 923
High: 3,047
Medium: 10,866
Showing 5081-5100 of 15036 records
Threat Entry Updated 2025-05-02

CVE-2024-12023 - Full Customer Plugin

The FULL – Cliente plugin for WordPress is vulnerable to SQL Injection via the 'formId' parameter in all versions 3.1.5 to 3.1.25 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable when the PRO version of the plugin is activated, along with Elementor Pro…

PLUGIN Full Customer

CVE-2024-12023

MEDIUM CVSS 6.5 2025-05-02
Threat Entry Updated 2025-05-06

CVE-2025-4179 - Flynax Bridge Plugin

The Flynax Bridge plugin for WordPress is vulnerable to limited Privilege Escalation due to a missing capability check on the registerUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to register new user accounts as authors.

PLUGIN Flynax Bridge

CVE-2025-4179

HIGH CVSS 7.3 2025-05-02
Threat Entry Updated 2025-05-02

CVE-2025-4131 - Gmapsmania Plugin

The GmapsMania plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's gmap shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Gmapsmania

CVE-2025-4131

MEDIUM CVSS 6.4 2025-05-02
Threat Entry Updated 2025-05-06

CVE-2025-4177 - Flynax Bridge Plugin

The Flynax Bridge plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to delete arbitrary users.

PLUGIN Flynax Bridge

CVE-2025-4177

MEDIUM CVSS 5.3 2025-05-02
Threat Entry Updated 2025-05-02

CVE-2025-3746 - Otp Less One Tap Sign In Plugin

The OTP-less one tap Sign in plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.14 to 2.0.59. This is due to the plugin not properly validating a user's identity prior to updating their details, like email. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. Additionally, the plugin returns authentication cookies in the response, which can be used to access the account directly.

PLUGIN Otp Less One Tap Sign In

CVE-2025-3746

CRITICAL CVSS 9.8 2025-05-02
Threat Entry Updated 2025-05-02

CVE-2025-3670 - Kiwichat Nextclient Plugin

The KiwiChat NextClient plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' parameter in all versions up to, and including, 6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Kiwichat Nextclient

CVE-2025-3670

MEDIUM CVSS 6.4 2025-05-02
Threat Entry Updated 2025-05-02

CVE-2025-2880 - Yame Linkinbio Plugin

The Yame | Link In Bio plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 0.9.0 through the publicly accessible phpinfo.php script. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed file.

PLUGIN Yame Linkinbio

CVE-2025-2880

MEDIUM CVSS 5.3 2025-05-02
Threat Entry Updated 2025-05-06

CVE-2025-3874 - Wordpress Simple Paypal Shopping Cart Plugin

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization of a user controlled key. This makes it possible for unauthenticated attackers to access customer shopping carts and edit product links, add or delete products, and discover coupon codes.

PLUGIN Wordpress Simple Paypal Shopping Cart

CVE-2025-3874

MEDIUM CVSS 6.5 2025-05-01
Threat Entry Updated 2025-05-06

CVE-2025-3890 - Wordpress Simple Paypal Shopping Cart Plugin

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_cart_button' shortcode in all versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wordpress Simple Paypal Shopping Cart

CVE-2025-3890

MEDIUM CVSS 6.4 2025-05-01
Threat Entry Updated 2025-05-06

CVE-2025-3889 - Wordpress Simple Paypal Shopping Cart Plugin

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 via the 'process_payment_data' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to change the quantity of a product to a negative number, which subtracts the product cost from the total order cost. The attack will only work with Manual Checkout mode, as PayPal and Stripe will not process payments for a negative quantity.

PLUGIN Wordpress Simple Paypal Shopping Cart

CVE-2025-3889

MEDIUM CVSS 5.3 2025-05-01
Threat Entry Updated 2025-05-02

CVE-2025-1529 - Am Lottieplayer Plugin

The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded lottie files in all versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Am Lottieplayer

CVE-2025-1529

MEDIUM CVSS 6.4 2025-05-01
Threat Entry Updated 2025-05-02

CVE-2025-4100 - Nautic Pages Plugin

The Nautic Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'np_marinetraffic_map' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Nautic Pages

CVE-2025-4100

MEDIUM CVSS 6.4 2025-05-01
Threat Entry Updated 2025-05-02

CVE-2025-3521 - Wps Team Plugin

The Team Members – Best WordPress Team Plugin with Team Slider, Team Showcase & Team Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Social Link icons in all versions up to, and including, 3.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wps Team

CVE-2025-3521

MEDIUM CVSS 6.4 2025-05-01
Threat Entry Updated 2025-05-07

CVE-2025-3504 - Before 4 Plugin

The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 4

CVE-2025-3504

MEDIUM CVSS 4.8 2025-05-01
Threat Entry Updated 2025-05-07

CVE-2025-3503 - Before 4 Plugin

The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 4

CVE-2025-3503

MEDIUM CVSS 4.8 2025-05-01
Threat Entry Updated 2025-05-07

CVE-2025-3502 - Before 4 Plugin

The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 4

CVE-2025-3502

MEDIUM CVSS 4.8 2025-05-01
Threat Entry Updated 2025-05-07

CVE-2024-13381 - Calculated Fields Form Plugin

The Calculated Fields Form WordPress plugin before 5.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Calculated Fields Form

CVE-2024-13381

MEDIUM CVSS 4.8 2025-05-01
Threat Entry Updated 2025-05-19

CVE-2025-3952 - Projectopia Plugin

The Projectopia – WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'pto_remove_logo' function in all versions up to, and including, 5.1.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users.

PLUGIN Projectopia

CVE-2025-3952

HIGH CVSS 8.1 2025-05-01
Threat Entry Updated 2025-05-19

CVE-2025-4099 - List Children Plugin

The List Children plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'list_children' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN List Children

CVE-2025-4099

MEDIUM CVSS 6.4 2025-05-01
Threat Entry Updated 2025-05-19

CVE-2024-13845 - Gravity Forms Webhooks Plugin

The Gravity Forms WebHooks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.0 via the 'process_feed' method of the GF_Webhooks class. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.

PLUGIN Gravity Forms Webhooks

CVE-2024-13845

MEDIUM CVSS 5.5 2025-05-01