Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-04-17
CVE-2025-24651 - WordPress Core
Insertion of Sensitive Information into Log File vulnerability in WebToffee WordPress Backup & Migration allows Retrieve Embedded Sensitive Data. This issue affects WordPress Backup & Migration: from n/a through 1.5.3.
CORE
WordPress Core
CVE-2025-24651
Risk Score
Threat Entry
Updated 2025-04-17
CVE-2025-24548 - WordPress Core
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Autoglot Autoglot – Automatic WordPress Translation allows Reflected XSS. This issue affects Autoglot – Automatic WordPress Translation: from n/a through 2.4.7.
CORE
WordPress Core
CVE-2025-24548
Risk Score
Threat Entry
Updated 2025-04-17
CVE-2025-23906 - WordPress Core
Missing Authorization vulnerability in wpseek WordPress Dashboard Tweeter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress Dashboard Tweeter: from n/a through 1.3.2.
CORE
WordPress Core
CVE-2025-23906
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2025-3487 - Forminator Forms Plugin
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘limit’ parameter in all versions up to, and including, 1.42.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Forminator Forms
CVE-2025-3487
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2025-3479 - Forminator Forms Plugin
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 1.42.0 via the 'handle_stripe_single' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling each order.
PLUGIN
Forminator Forms
CVE-2025-3479
Risk Score
Threat Entry
Updated 2025-04-17
CVE-2025-3453 - Password Protected Plugin
The Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products – Restrict Content, Protect WooCommerce Category and more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.7 via the 'password_protected_cookie' function. This makes it possible for unauthenticated attackers to extract sensitive data including all protected site content if the 'Use Transient' setting is enabled.
PLUGIN
Password Protected
CVE-2025-3453
Risk Score
Threat Entry
Updated 2025-04-17
CVE-2025-3615 - Fluent Forms Plugin
The Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form-submission.js script in all versions up to, and including, 6.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Fluent Forms
CVE-2025-3615
Risk Score
Threat Entry
Updated 2025-07-09
CVE-2025-3295 - Wp Editor Plugin
The WP Editor plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to read arbitrary files on the affected site's server which may reveal sensitive information.
PLUGIN
Wp Editor
CVE-2025-3295
Risk Score
Threat Entry
Updated 2025-04-29
CVE-2024-13925 - Klarna Checkout For Woocommerce Plugin
The Klarna Checkout for WooCommerce WordPress plugin before 2.13.5 exposes an unauthenticated WooCommerce Ajax endpoint that allows an attacker to flood the log files with data at the maximum size allowed for a POST parameter per request. This can result in rapid consumption of disk space, potentially filling the entire disk.
PLUGIN
Klarna Checkout For Woocommerce
CVE-2024-13925
Risk Score
Threat Entry
Updated 2025-07-09
CVE-2025-3294 - Wp Editor Plugin
The WP Editor plugin for WordPress is vulnerable to arbitrary file update due to missing file path validation in all versions up to, and including, 1.2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to overwrite arbitrary files on the affected site's server which may make remote code execution possible assuming the files can be written to by the web server.
PLUGIN
Wp Editor
CVE-2025-3294
Risk Score
Threat Entry
Updated 2025-04-30
CVE-2025-1525 - Ultimate Dashboard Plugin
The Ultimate Dashboard WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Ultimate Dashboard
CVE-2025-1525
Risk Score
Threat Entry
Updated 2025-04-30
CVE-2025-1524 - Ultimate Dashboard Plugin
The Ultimate Dashboard WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Ultimate Dashboard
CVE-2025-1524
Risk Score
Threat Entry
Updated 2025-04-29
CVE-2025-1523 - Ultimate Dashboard Plugin
The Ultimate Dashboard WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Ultimate Dashboard
CVE-2025-1523
Risk Score
Threat Entry
Updated 2025-04-29
CVE-2024-11924 - Icegram Express Formerly Known As Email Subscribers Plugin
The Icegram Express formerly known as Email Subscribers WordPress plugin before 5.7.52 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Icegram Express Formerly Known As Email Subscribers
CVE-2024-11924
Risk Score
Threat Entry
Updated 2025-04-16
CVE-2025-39545 - WordPress Core
Missing Authorization vulnerability in miniOrange WordPress REST API Authentication allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress REST API Authentication: from n/a through 3.6.3.
CORE
WordPress Core
CVE-2025-39545
Risk Score
Threat Entry
Updated 2025-04-16
CVE-2025-3104 - Wp Staging Pro Wordpress Backup Plugin
The WP STAGING Pro WordPress Backup Plugin for WordPress is vulnerable to Information Exposure in all versions up to and including 6.1.2 due to missing capability checks on the getOutdatedPluginsRequest() function. This makes it possible for unauthenticated attackers to reveal outdated installed active or inactive plugins.
PLUGIN
Wp Staging Pro Wordpress Backup
CVE-2025-3104
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2025-3077 - Betheme
The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button shortcode and Custom CSS field in all versions up to, and including, 28.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
THEME
Betheme
CVE-2025-3077
Risk Score
Threat Entry
Updated 2025-07-08
CVE-2025-3247 - Contact Form 7 Plugin
The Contact Form 7 plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 6.0.5 via the 'wpcf7_stripe_skip_spam_check' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling each order.
PLUGIN
Contact Form 7
CVE-2025-3247
Risk Score
Threat Entry
Updated 2025-04-23
CVE-2024-10680 - Form Maker By 10web Plugin
The Form Maker by 10Web WordPress plugin before 1.15.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Form Maker By 10web
CVE-2024-10680
Risk Score
Threat Entry
Updated 2025-04-16
CVE-2025-2314 - Profile Builder Plugin
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.13.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue was partially patched in version 3.13.6 of the plugin, and fully…
PLUGIN
Profile Builder
CVE-2025-2314
Risk Score