Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-12-15
CVE-2024-9416 - Modula Image Gallery Plugin
The Modula Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bundled FancyBox JavaScript library (versions
PLUGIN
Modula Image Gallery
CVE-2024-9416
Risk Score
Threat Entry
Updated 2025-05-15
CVE-2025-2299 - Luckywp Table Of Contents Plugin
The LuckyWP Table of Contents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.10. This is due to missing or incorrect nonce validation on the 'ajaxEdit' function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Luckywp Table Of Contents
CVE-2025-2299
Risk Score
Threat Entry
Updated 2025-04-07
CVE-2025-2874 - Enable Users To Submit Posts From The Front End Plugin
The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 20240319 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Enable Users To Submit Posts From The Front End
CVE-2025-2874
Risk Score
Threat Entry
Updated 2025-04-10
CVE-2025-1663 - Unlimited Elements For Elementor Plugin
The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 1.5.142 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Unlimited Elements For Elementor
CVE-2025-1663
Risk Score
Threat Entry
Updated 2025-04-07
CVE-2024-13673 - Big Boom Directory Plugin
The Big Boom Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bbd-search' shortcode in all versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Big Boom Directory
CVE-2024-13673
Risk Score
Threat Entry
Updated 2025-04-29
CVE-2025-2055 - Mappress Maps For Plugin
The MapPress Maps for WordPress plugin before 2.94.9 does not sanitise and escape some parameters when outputing them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.
PLUGIN
Mappress Maps For
CVE-2025-2055
Risk Score
Threat Entry
Updated 2025-04-02
CVE-2025-3099 - Advanced Search By My Solr Server Plugin
The Advanced Search by My Solr Server plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.5. This is due to missing or incorrect nonce validation on the 'MySolrServerSettings' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Advanced Search By My Solr Server
CVE-2025-3099
Risk Score
Threat Entry
Updated 2025-04-02
CVE-2025-3098 - Video Sidebar Widget Plugin
The Video Url plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'id' parameter in all versions up to, and including, 1.0.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Video Sidebar Widget
CVE-2025-3098
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2025-2005 - Front End Users Plugin
The Front End Users plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the file uploads field of the registration form in all versions up to, and including, 3.2.32. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Front End Users
CVE-2025-2005
Risk Score
Threat Entry
Updated 2025-04-02
CVE-2025-3063 - Shopperapproved Reviews Plugin
The Shopper Approved Reviews plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajax_callback_update_sa_option() function in versions 2.0 to 2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
PLUGIN
Shopperapproved Reviews
CVE-2025-3063
Risk Score
Threat Entry
Updated 2025-04-02
CVE-2025-2513 - Smart Icons For Wordpress Plugin
The Smart Icons For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Smart Icons For Wordpress
CVE-2025-2513
Risk Score
Threat Entry
Updated 2025-04-02
CVE-2025-3097 - Wp Time Machine Plugin
The wp Time Machine plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.0. This is due to missing or incorrect nonce validation on the 'wpTimeMachineCore.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Wp Time Machine
CVE-2025-3097
Risk Score
Threat Entry
Updated 2025-04-02
CVE-2025-2483 - Gift Certificate Creator Plugin
The Gift Certificate Creator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘receip_address’ parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Gift Certificate Creator
CVE-2025-2483
Risk Score
Threat Entry
Updated 2025-04-02
CVE-2024-13637 - Demo Awesome Plugin
The Demo Awesome plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the install_plugin function in all versions up to, and including, 1.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins..
PLUGIN
Demo Awesome
CVE-2024-13637
Risk Score
Threat Entry
Updated 2025-08-12
CVE-2024-12410 - Front End Users Plugin
The Front End Users plugin for WordPress is vulnerable to SQL Injection via the 'UserSearchField' parameter in all versions up to, and including, 3.2.32 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Front End Users
CVE-2024-12410
Risk Score
Threat Entry
Updated 2025-04-02
CVE-2025-2779 - Insert Headers And Footers Script Plugin
The Insert Headers and Footers Code – HT Script plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_dismiss function in all versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 1/true on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny access to legitimate users or be used to set some values to true,…
PLUGIN
Insert Headers And Footers Script
CVE-2025-2779
Risk Score
Threat Entry
Updated 2025-04-02
CVE-2025-31441 - WordPress Core
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in S WordPress Galleria allows Reflected XSS. This issue affects WordPress Galleria: from n/a through 1.4.
CORE
WordPress Core
CVE-2025-31441
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2025-31848 - WordPress Core
Missing Authorization vulnerability in WPFactory WordPress Adverts Plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress Adverts Plugin: from n/a through 1.4.
CORE
WordPress Core
CVE-2025-31848
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2025-31846 - WordPress Core
Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Theater for WordPress: from n/a through 0.18.7.
CORE
WordPress Core
CVE-2025-31846
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2025-31843 - WooCommerce Plugin
Missing Authorization vulnerability in Wilson OpenAI Tools for WordPress & WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects OpenAI Tools for WordPress & WooCommerce: from n/a through 2.1.5.
PLUGIN
WooCommerce
CVE-2025-31843
Risk Score