Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-04-01
CVE-2025-31776 - This Issue Affects Uptime Robot Plugin
Cross-Site Request Forgery (CSRF) vulnerability in Aphotrax Uptime Robot Plugin for WordPress allows Cross Site Request Forgery. This issue affects Uptime Robot Plugin for WordPress: from n/a through 2.3.
PLUGIN
This Issue Affects Uptime Robot
CVE-2025-31776
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2025-31735 - WordPress Core
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in C. Johnson Footnotes for WordPress allows Stored XSS. This issue affects Footnotes for WordPress: from n/a through 2016.1230.
CORE
WordPress Core
CVE-2025-31735
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2025-2237 - Wp Realestate Plugin
The WP RealEstate plugin for WordPress, used by the Homeo theme, is vulnerable to authentication bypass in all versions up to, and including, 1.6.26. This is due to insufficient role restrictions in the 'process_register' function. This makes it possible for unauthenticated attackers to register an account with the Administrator role.
PLUGIN
Wp Realestate
CVE-2025-2237
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2025-2906 - Contempo Real Estate Core Plugin
The Contempo Real Estate Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.6.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Contempo Real Estate Core
CVE-2025-2906
Risk Score
Threat Entry
Updated 2025-05-27
CVE-2024-13553 - Sms Alert Order Notifications Plugin
The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.7.9. This is due to the plugin using the Host header to determine if the plugin is in a playground environment. This makes it possible for unauthenticated attackers to spoof the Host header to make the OTP code "1234" and authenticate as any user, including administrators.
PLUGIN
Sms Alert Order Notifications
CVE-2024-13553
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2025-2891 - Real Estate 7 Wordpress Theme
The Real Estate 7 WordPress theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the 'template-submit-listing.php' file in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with Seller-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible if front-end listing submission has been enabled.
THEME
Real Estate 7 Wordpress
CVE-2025-2891
Risk Score
Threat Entry
Updated 2025-04-10
CVE-2024-12278 - Booster For Woocommerce Plugin
The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via any location that typically sanitizes data using wp_kses, like comments, in all versions up to, and including, 7.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Booster For Woocommerce
CVE-2024-12278
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2025-1512 - Elementor Plugin
The PowerPack Elementor Addons (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom Cursor Extension in all versions up to, and including, 2.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Elementor
CVE-2025-1512
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2024-12189 - Wdesignkit Plugin
The WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom widgets in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wdesignkit
CVE-2024-12189
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2025-1267 - Groundhogg Plugin
The Groundhogg plugin for Wordpress is vulnerable to Stored Cross-Site Scripting via the ‘label' parameter in versions up to, and including, 3.7.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Groundhogg
CVE-2025-1267
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2025-30796 - WordPress Core
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Extended The Ultimate WordPress Toolkit – WP Extended allows Reflected XSS. This issue affects The Ultimate WordPress Toolkit – WP Extended: from n/a through 3.0.14.
CORE
WordPress Core
CVE-2025-30796
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2025-30559 - WordPress Core
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Kento WordPress Stats allows Stored XSS. This issue affects Kento WordPress Stats: from n/a through 1.1.
CORE
WordPress Core
CVE-2025-30559
Risk Score
Threat Entry
Updated 2025-06-12
CVE-2025-2048 - Lana Downloads Manager Plugin
The Lana Downloads Manager WordPress plugin before 1.10.0 does not validate user input used in a path, which could allow users with an admin role to perform path traversal attacks and download arbitrary files on the server
PLUGIN
Lana Downloads Manager
CVE-2025-2048
Risk Score
Threat Entry
Updated 2025-05-28
CVE-2025-1986 - Before 3 Plugin
The Gutentor WordPress plugin before 3.4.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
PLUGIN
Before 3
CVE-2025-1986
Risk Score
Threat Entry
Updated 2025-04-14
CVE-2025-1665 - Avada Builder Plugin
The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's shortcodes in all versions up to, and including, 3.11.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Avada Builder
CVE-2025-1665
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2024-13567 - Awesome Support Plugin
The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.3.1 via the 'awesome-support' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/awesome-support directory which can contain file attachments included in support tickets. The vulnerability was partially patched in version 6.3.1.
PLUGIN
Awesome Support
CVE-2024-13567
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2025-2008 - Import Export Suite For Csv And Xml Datafeed Plugin
The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Import Export Suite For Csv And Xml Datafeed
CVE-2025-2008
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2025-2007 - Import Export Suite For Csv And Xml Datafeed Plugin
The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteImage() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
PLUGIN
Import Export Suite For Csv And Xml Datafeed
CVE-2025-2007
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2025-31616 - WordPress Core
Cross-Site Request Forgery (CSRF) vulnerability in AdminGeekZ Varnish WordPress allows Cross Site Request Forgery. This issue affects Varnish WordPress: from n/a through 1.7.
CORE
WordPress Core
CVE-2025-31616
Risk Score
Threat Entry
Updated 2025-04-01
CVE-2025-31597 - WordPress Core
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in crazycric Ultimate Live Cricket WordPress Lite allows Stored XSS. This issue affects Ultimate Live Cricket WordPress Lite: from n/a through 1.4.2.
CORE
WordPress Core
CVE-2025-31597
Risk Score