Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 | Critical: 923 | High: 3,047 | Medium: 10,866
Showing 5281-5300 of 15036 records
Threat Entry Updated 2025-07-10

CVE-2025-3430 - 3dprint Lite Plugin

The 3DPrint Lite plugin for WordPress is vulnerable to SQL Injection via the 'printer_text' parameter in all versions up to, and including, 2.1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN 3dprint Lite

CVE-2025-3430

MEDIUM CVSS 4.9 2025-04-08
Threat Entry Updated 2025-07-10

CVE-2025-3429 - 3dprint Lite Plugin

The 3DPrint Lite plugin for WordPress is vulnerable to SQL Injection via the 'material_text' parameter in all versions up to, and including, 2.1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN 3dprint Lite

CVE-2025-3429

MEDIUM CVSS 4.9 2025-04-08
Threat Entry Updated 2025-07-10

CVE-2025-3428 - 3dprint Lite Plugin

The 3DPrint Lite plugin for WordPress is vulnerable to SQL Injection via the 'coating_text' parameter in all versions up to, and including, 2.1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN 3dprint Lite

CVE-2025-3428

MEDIUM CVSS 4.9 2025-04-08
Threat Entry Updated 2025-07-10

CVE-2025-3427 - 3dprint Lite Plugin

The 3DPrint Lite plugin for WordPress is vulnerable to SQL Injection via the 'infill_text' parameter in all versions up to, and including, 2.1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN 3dprint Lite

CVE-2025-3427

MEDIUM CVSS 4.9 2025-04-08
Threat Entry Updated 2025-04-08

CVE-2025-2004 - Simple Wp Events Plugin

The Simple WP Events plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wpe_delete_file AJAX action in all versions up to, and including, 1.8.17. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Simple Wp Events

CVE-2025-2004

CRITICAL CVSS 9.1 2025-04-08
Threat Entry Updated 2025-04-08

CVE-2024-13820 - Melhor Envio Cotacao Plugin

The Melhor Envio plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.15.9 via the 'run' function, which uses a hardcoded hash. This makes it possible for unauthenticated attackers to extract sensitive data including environment information, plugin tokens, shipping configurations, and limited vendor information.

PLUGIN Melhor Envio Cotacao

CVE-2024-13820

MEDIUM CVSS 5.3 2025-04-08
Threat Entry Updated 2025-04-08

CVE-2025-2526 - Streamit Theme

The Streamit theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details like email in the 'st_Authentication_Controller::edit_profile' function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.

THEME Streamit

CVE-2025-2526

HIGH CVSS 8.8 2025-04-08
Threat Entry Updated 2025-04-08

CVE-2025-2525 - Streamit Theme

The Streamit theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'st_Authentication_Controller::edit_profile' function in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.

THEME Streamit

CVE-2025-2525

HIGH CVSS 8.8 2025-04-08
Threat Entry Updated 2025-04-08

CVE-2025-2519 - Streamit Theme

The Streamit theme for WordPress is vulnerable to arbitrary file downloads in all versions up to, and including, 4.0.1. This is due to insufficient file validation in the 'st_send_download_file' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to download arbitrary files.

THEME Streamit

CVE-2025-2519

MEDIUM CVSS 6.5 2025-04-08
Threat Entry Updated 2025-04-07

CVE-2025-1264 - Broken Link Checker Seo Plugin

The Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links plugin for WordPress is vulnerable to SQL Injection via the 'orderBy' parameter in all versions up to, and including, 1.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Broken Link Checker Seo

CVE-2025-1264

MEDIUM CVSS 6.5 2025-04-06
Threat Entry Updated 2025-04-07

CVE-2025-2941 - Drag And Drop Multiple File Upload For Woocommerce Plugin

The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the wc-upload-file[] parameter in all versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php).

PLUGIN Drag And Drop Multiple File Upload For Woocommerce

CVE-2025-2941

CRITICAL CVSS 9.8 2025-04-05
Threat Entry Updated 2025-06-04

CVE-2025-0839 - Zoomsounds Plugin

The ZoomSounds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 6.91 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Zoomsounds

CVE-2025-0839

MEDIUM CVSS 6.4 2025-04-05
Threat Entry Updated 2025-06-04

CVE-2025-2789 - Multivendorx Plugin

The MultiVendorX – Empower Your WooCommerce Store with a Dynamic Multivendor Marketplace – Build the Next Amazon, eBay, Etsy plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_table_rate_shipping_row function in all versions up to, and including, 4.2.19. This makes it possible for unauthenticated attackers to delete Table Rates that can impact the shipping cost calculations.

PLUGIN Multivendorx

CVE-2025-2789

MEDIUM CVSS 5.3 2025-04-05
Threat Entry Updated 2025-04-07

CVE-2025-1233 - Lafka Plugin

The Lafka Plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'lafka_options_upload' AJAX function in all versions up to, and including, 7.1.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the theme option that overrides the site.

PLUGIN Lafka

CVE-2025-1233

MEDIUM CVSS 4.3 2025-04-05
Threat Entry Updated 2025-06-04

CVE-2024-13776 - Zoomsounds Plugin

The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'dzsap_delete_notice' AJAX action in all versions up to, and including, 6.91. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 'seen' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users…

PLUGIN Zoomsounds

CVE-2024-13776

HIGH CVSS 8.1 2025-04-05
Threat Entry Updated 2025-04-07

CVE-2025-2933 - Email Notifications For Updates Plugin

The Email Notifications for Updates plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the awun_import_settings() function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

PLUGIN Email Notifications For Updates

CVE-2025-2933

HIGH CVSS 8.8 2025-04-05
Threat Entry Updated 2025-04-07

CVE-2025-0810 - Expand Maker Plugin

The Read More & Accordion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.5. This is due to missing or incorrect nonce validation on the addNewButtons() function. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Expand Maker

CVE-2025-0810

HIGH CVSS 7.5 2025-04-05
Threat Entry Updated 2025-04-07

CVE-2025-2544 - Ai Content Pipelines Plugin

The AI Content Pipelines plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Ai Content Pipelines

CVE-2025-2544

MEDIUM CVSS 6.4 2025-04-05
Threat Entry Updated 2025-04-07

CVE-2024-13604 - Kb Support Plugin

The KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.4 via the 'kbs' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/kbs directory which can contain file attachments included in support tickets. The vulnerability was partially patched in version 1.7.3.2.

PLUGIN Kb Support

CVE-2024-13604

HIGH CVSS 7.5 2025-04-05
Threat Entry Updated 2025-04-07

CVE-2025-2889 - Link Library Plugin

The Link Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Link Additional Parameters in all versions up to, and including, 7.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Link Library

CVE-2025-2889

MEDIUM CVSS 6.4 2025-04-05