Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 | Critical: 923 | High: 3,047 | Medium: 10,866
Threat Entry Updated 2025-03-28

CVE-2025-2294 - Kubio AI Page Builder Theme

The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via the kubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

THEME Kubio AI Page Builder

CVE-2025-2294

CRITICAL CVSS 9.8 2025-03-28
Threat Entry Updated 2025-03-27

CVE-2025-22634 - Easy Booked – Appointment Booking and Scheduling Management System for WordPress Plugin

Cross-Site Request Forgery (CSRF) vulnerability in MD Abu Jubayer Hossain Easy Booked – Appointment Booking and Scheduling Management System for WordPress allows Cross Site Request Forgery. This issue affects Easy Booked – Appointment Booking and Scheduling Management System for WordPress: from n/a through 2.4.5.

PLUGIN Easy Booked – Appointment Booking and Scheduling Management System for WordPress

CVE-2025-22634

MEDIUM CVSS 5.4 2025-03-27
Threat Entry Updated 2026-01-09

CVE-2025-22644 - Vayu Blocks Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce allows Stored XSS. This issue affects Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce: from n/a through 1.2.1.

PLUGIN Vayu Blocks

CVE-2025-22644

MEDIUM CVSS 6.5 2025-03-27
Threat Entry Updated 2025-08-08

CVE-2025-2685 - Tablepress Plugin

The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘table-name’ parameter in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Tablepress

CVE-2025-2685

MEDIUM CVSS 6.4 2025-03-27
Threat Entry Updated 2025-03-27

CVE-2025-2332 - Export All Posts, Products, Orders, Refunds & Users Plugin

The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.13 via deserialization of untrusted input in the 'returnMetaValueAsCustomerInput' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme…

PLUGIN Export All Posts, Products, Orders, Refunds & Users

CVE-2025-2332

CRITICAL CVSS 9.8 2025-03-27
Threat Entry Updated 2025-03-27

CVE-2025-2481 - Mediaview Plugin

The MediaView plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'id' parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Mediaview

CVE-2025-2481

MEDIUM CVSS 6.1 2025-03-27
Threat Entry Updated 2025-03-27

CVE-2025-28928 - Are you robot google recaptcha for wordpress Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sureshdsk Are you robot google recaptcha for wordpress allows Reflected XSS. This issue affects Are you robot google recaptcha for wordpress: from n/a through 2.2.

PLUGIN Are you robot google recaptcha for wordpress

CVE-2025-28928

HIGH CVSS 7.1 2025-03-26
Threat Entry Updated 2025-08-09

CVE-2025-2228 - Responsive Addons For Elementor Plugin

The Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.8 via the 'register_user' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including usernames and passwords of any users who register via the Edit Login | Registration Form widget, as long as that user opens the email notification for successful registration.

PLUGIN Responsive Addons For Elementor

CVE-2025-2228

MEDIUM CVSS 5.7 2025-03-26
Threat Entry Updated 2025-08-11

CVE-2025-2110 - Wp Compress Plugin

The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on its AJAX functions in all versions up to, and including, 6.30.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to compromise the site in various ways depending on the specific function exploited - for example, by retrieving sensitive settings and configuration details, or by altering and deleting them, thereby disclosing sensitive information, disrupting the plugin’s functionality,…

PLUGIN Wp Compress

CVE-2025-2110

HIGH CVSS 8.8 2025-03-26
Threat Entry Updated 2025-07-09

CVE-2025-1912 - Product Import Export For Woocommerce Plugin

The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5.0 via the validate_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Product Import Export For Woocommerce

CVE-2025-1912

HIGH CVSS 7.6 2025-03-26
Threat Entry Updated 2025-12-05

CVE-2025-1913 - Product Import Export For Woocommerce Plugin

The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.5.0 via deserialization of untrusted input from the 'form_data' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain…

PLUGIN Product Import Export For Woocommerce

CVE-2025-1913

HIGH CVSS 7.2 2025-03-26
Threat Entry Updated 2025-07-09

CVE-2025-1769 - Product Import Export For Woocommerce Plugin

The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.5.0 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary log files on the server, which can contain sensitive information.

PLUGIN Product Import Export For Woocommerce

CVE-2025-1769

MEDIUM CVSS 4.9 2025-03-26
Threat Entry Updated 2025-07-09

CVE-2025-1911 - Product Import Export For Woocommerce Plugin

The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.5.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the server.

PLUGIN Product Import Export For Woocommerce

CVE-2025-1911

LOW CVSS 2.7 2025-03-26
Threat Entry Updated 2025-03-27

CVE-2024-13889 - Wordpress Importer Plugin

The WordPress Importer plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.8.3 via deserialization of untrusted input in the 'maybe_unserialize' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed…

PLUGIN Wordpress Importer

CVE-2024-13889

HIGH CVSS 7.2 2025-03-26
Threat Entry Updated 2025-03-27

CVE-2025-1312 - Ultimate Blocks – WordPress Blocks Plugin

The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buttonTextColor' parameter in all versions up to, and including, 3.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ultimate Blocks – WordPress Blocks Plugin

CVE-2025-1312

MEDIUM CVSS 6.4 2025-03-26
Threat Entry Updated 2025-03-27

CVE-2024-13411 - Zapier for WordPress Plugin

The Zapier for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5.1 via the updated_user() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.

PLUGIN Zapier for WordPress

CVE-2024-13411

MEDIUM CVSS 6.4 2025-03-26
Threat Entry Updated 2025-03-27

CVE-2025-1703 - Ultimate Blocks – WordPress Blocks Plugin

The Ultimate Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 3.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ultimate Blocks – WordPress Blocks Plugin

CVE-2025-1703

MEDIUM CVSS 6.4 2025-03-26
Threat Entry Updated 2025-07-14

CVE-2025-1439 - Advanced Iframe Plugin

The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2024.5 due to insufficient input sanitization and output escaping on user-supplied attributes through the 'src' attribute when the src supplied returns a header with an injected value. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Advanced Iframe

CVE-2025-1439

MEDIUM CVSS 6.4 2025-03-26
Threat Entry Updated 2025-07-14

CVE-2025-1440 - Advanced Iframe Plugin

The Advanced iFrame plugin for WordPress is vulnerable to unauthorized excessive creation of options on the aip_map_url_callback() function in all versions up to, and including, 2024.5 due to insufficient restrictions. This makes it possible for unauthenticated attackers to update the advancediFrameParameterData option with an excessive amount of unvalidated data.

PLUGIN Advanced Iframe

CVE-2025-1440

MEDIUM CVSS 5.3 2025-03-26
Threat Entry Updated 2025-03-27

CVE-2025-1310 - Job Postings Plugin

The Jobs for WordPress plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.7.11 via the 'job_postings_get_file' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Job Postings

CVE-2025-1310

MEDIUM CVSS 6.5 2025-03-26