Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-04-11
CVE-2025-3102 - All In One Automation Platform Plugin
The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78. This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key.
PLUGIN
All In One Automation Platform
CVE-2025-3102
Risk Score
Threat Entry
Updated 2025-04-09
CVE-2025-32597 - WordPress Core
Cross-Site Request Forgery (CSRF) vulnerability in George Sexton WordPress Events Calendar Plugin – connectDaily allows Cross-Site Scripting (XSS). This issue affects WordPress Events Calendar Plugin – connectDaily: from n/a through 1.4.8.
CORE
WordPress Core
CVE-2025-32597
Risk Score
Threat Entry
Updated 2025-04-09
CVE-2025-32581 - WordPress Core
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ankit Singla WordPress Spam Blocker allows Stored XSS. This issue affects WordPress Spam Blocker: from n/a through 2.0.4.
CORE
WordPress Core
CVE-2025-32581
Risk Score
Threat Entry
Updated 2025-04-09
CVE-2025-31035 - WordPress Core
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Benjamin Chris WP Editor.md – The Perfect WordPress Markdown Editor allows Stored XSS. This issue affects WP Editor.md – The Perfect WordPress Markdown Editor: from n/a through 10.2.1.
CORE
WordPress Core
CVE-2025-31035
Risk Score
Threat Entry
Updated 2025-04-22
CVE-2024-8243 - Wordpress Plugin Upgrade Time Out
The WordPress/Plugin Upgrade Time Out Plugin WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
PLUGIN
Wordpress Plugin Upgrade Time Out
CVE-2024-8243
Risk Score
Threat Entry
Updated 2025-04-22
CVE-2024-6860 - Wp Multitasking Plugin
The WP MultiTasking WordPress plugin through 0.1.12 does not have CSRF check when updating its permalink suffix settings, which could allow attackers to make logged admins perform such action via a CSRF attack
PLUGIN
Wp Multitasking
CVE-2024-6860
Risk Score
Threat Entry
Updated 2025-04-22
CVE-2024-6857 - Wp Multitasking Plugin
The WP MultiTasking WordPress plugin through 0.1.12 does not have CSRF check when updating its Header, Footer and Body Script Settings, which could allow attackers to make logged admins perform such action via a CSRF attack
PLUGIN
Wp Multitasking
CVE-2024-6857
Risk Score
Threat Entry
Updated 2025-07-14
CVE-2025-3100 - Wp Project Manager Plugin
The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.6.22 due to insufficient input sanitization and output escaping in tasks discussion. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an Administrator, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Wp Project Manager
CVE-2025-3100
Risk Score
Threat Entry
Updated 2025-07-17
CVE-2025-2876 - Melapress Login Security Plugin
The MelaPress Login Security and MelaPress Login Security Premium plugins for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'monitor_admin_actions' function in version 2.1.0. This makes it possible for unauthenticated attackers to delete any user.
PLUGIN
Melapress Login Security
CVE-2025-2876
Risk Score
Threat Entry
Updated 2025-04-08
CVE-2025-2568 - Vayu Blocks Plugin
The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the 'vayu_blocks_get_toggle_switch_values_callback' and 'vayu_blocks_save_toggle_switch_callback' function in versions 1.0.4 to 1.2.1. This makes it possible for unauthenticated attackers to read plugin options and update any option with a key name ending in '_value'.
PLUGIN
Vayu Blocks
CVE-2025-2568
Risk Score
Threat Entry
Updated 2025-04-08
CVE-2025-2883 - Accept Sagepay Payments Using Contact Form 7 Plugin
The Accept SagePay Payments Using Contact Form 7 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0 through the publicly accessible phpinfo.php script. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed file.
PLUGIN
Accept Sagepay Payments Using Contact Form 7
CVE-2025-2883
Risk Score
Threat Entry
Updated 2025-08-08
CVE-2025-3437 - Motors Car Dealer Classifieds Listing Plugin
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in the ajax_actions.php file in all versions up to, and including, 1.4.66. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute several initial set-up actions.
PLUGIN
Motors Car Dealer Classifieds Listing
CVE-2025-3437
Risk Score
Threat Entry
Updated 2025-08-08
CVE-2025-2808 - Motors Car Dealer Classifieds Listing Plugin
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Phone Number parameter in all versions up to, and including, 1.4.63 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Motors Car Dealer Classifieds Listing
CVE-2025-2808
Risk Score
Threat Entry
Updated 2025-08-08
CVE-2025-2807 - Motors Car Dealer Classifieds Listing Plugin
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary plugin installations due to a missing capability check in the mvl_setup_wizard_install_plugin() function in all versions up to, and including, 1.4.64. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins on the affected site's server which may make remote code execution possible.
PLUGIN
Motors Car Dealer Classifieds Listing
CVE-2025-2807
Risk Score
Threat Entry
Updated 2025-04-08
CVE-2025-3436 - Activity Logging For Wordpress Plugin
The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'order' and 'orderby' parameters in all versions up to, and including, 2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Activity Logging For Wordpress
CVE-2025-3436
Risk Score
Threat Entry
Updated 2025-04-08
CVE-2025-3064 - Wpfront User Role Editor Plugin
The WPFront User Role Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.1. This is due to missing or incorrect nonce validation on the whitelist_options() function. This makes it possible for unauthenticated attackers to update the default role option that can be leveraged for privilege escalation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This is only exploitable on multisite instances.
PLUGIN
Wpfront User Role Editor
CVE-2025-3064
Risk Score
Threat Entry
Updated 2025-04-08
CVE-2025-3432 - Aawp Obfuscator Plugin
The AAWP Obfuscator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data-aawp-web' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Aawp Obfuscator
CVE-2025-3432
Risk Score
Threat Entry
Updated 2025-04-08
CVE-2025-3433 - Advanced Advertising System Plugin
The Advanced Advertising System plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.3.1. This is due to insufficient validation on the redirect url supplied via the 'redir' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
PLUGIN
Advanced Advertising System
CVE-2025-3433
Risk Score
Threat Entry
Updated 2025-06-04
CVE-2025-3431 - Zoomsounds Plugin
The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 6.91 via the 'dzsap_download' action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Zoomsounds
CVE-2025-3431
Risk Score
Threat Entry
Updated 2025-04-08
CVE-2025-2882 - Green Money Payment Gateway Plugin
The GreenPay(tm) by Green.Money plugin for WordPress is vulnerable to Sensitive Information Exposure in versions between 3.0.0 and 3.0.9 through the publicly accessible phpinfo.php script. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed file.
PLUGIN
Green Money Payment Gateway
CVE-2025-2882
Risk Score