Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-07-14
CVE-2025-1437 - Advanced Iframe Plugin
The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2024.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Advanced Iframe
CVE-2025-1437
Risk Score
Threat Entry
Updated 2025-05-22
CVE-2025-2257 - Total Upkeep Plugin
The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.16.10 via the compression_level setting. This is due to the plugin using the compression_level setting in proc_open() without any validation. This makes it possible for authenticated attackers, with administrator-level access and above, to execute code on the server.
PLUGIN
Total Upkeep
CVE-2025-2257
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-2009 - Newsletters Plugin
The Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the logging functionality in all versions up to, and including, 4.9.9.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Newsletters
CVE-2025-2009
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-2167 - Event Post Plugin
The Event post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'events_list' shortcodes in all versions up to, and including, 5.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Event Post
CVE-2025-2167
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2024-13801 - Bwl Advanced Faq Manager Plugin
The BWL Advanced FAQ Manager plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'baf_set_notice_status' AJAX action in all versions up to, and including, 2.1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to '1' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to…
PLUGIN
Bwl Advanced Faq Manager
CVE-2024-13801
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-1514 - Active Products Tables for WooCommerce. Use constructor to create tables Plugin
The Active Products Tables for WooCommerce. Use constructor to create tables plugin for WordPress is vulnerable to unauthorized filter calling due to insufficient restrictions on the get_smth() function in all versions up to, and including, 1.0.6.7. This makes it possible for unauthenticated attackers to call arbitrary WordPress filters with a single parameter.
PLUGIN
Active Products Tables for WooCommerce. Use constructor to create tables
CVE-2025-1514
Risk Score
Threat Entry
Updated 2025-06-05
CVE-2024-13702 - Crm And Lead Management By Vcita Plugin
The CRM and Lead Management by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vCitaMeetingScheduler' and 'vCitaSchedulingCalendar' shortcodes in all versions up to, and including, 2.7.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Crm And Lead Management By Vcita
CVE-2024-13702
Risk Score
Threat Entry
Updated 2025-04-30
CVE-2024-13146 - Before 4 Plugin
The Booknetic WordPress plugin before 4.1.5 does not have CSRF check when creating Staff accounts, which could allow attackers to make logged in admin add arbitrary Staff members via a CSRF attack
PLUGIN
Before 4
CVE-2024-13146
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-1784 - Spectra – WordPress Gutenberg Blocks Plugin
The Spectra – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the uagb block in all versions up to, and including, 2.19.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Spectra – WordPress Gutenberg Blocks
CVE-2025-1784
Risk Score
Threat Entry
Updated 2025-06-25
CVE-2024-11847 - Wp Svg Upload Plugin
The wp-svg-upload WordPress plugin through 1.0.0 does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks.
PLUGIN
Wp Svg Upload
CVE-2024-11847
Risk Score
Threat Entry
Updated 2025-05-06
CVE-2024-12683 - Smart Maintenance Mode Plugin
The Smart Maintenance Mode WordPress plugin before 1.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Smart Maintenance Mode
CVE-2024-12683
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-2576 - Ayyash Studio — The kick-start kit Theme
The Ayyash Studio — The kick-start kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
THEME
Ayyash Studio — The kick-start kit
CVE-2025-2576
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-2573 - Amazing service box Addons For WPBakery Page Builder (formerly Visual Composer) Plugin
The Amazing service box Addons For WPBakery Page Builder (formerly Visual Composer) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Amazing service box Addons For WPBakery Page Builder (formerly Visual Composer)
CVE-2025-2573
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-2165 - Sh Email Alert Plugin
The SH Email Alert plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'mid' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Sh Email Alert
CVE-2025-2165
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-1490 - Smart Maintenance Mode Plugin
The Smart Maintenance Mode plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘setstatus’ parameter in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Smart Maintenance Mode
CVE-2025-1490
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-2302 - Advanced Woo Search Plugin
The Advanced Woo Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aws_search_terms shortcode in all versions up to, and including, 3.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Advanced Woo Search
CVE-2025-2302
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-2276 - Ultimate Dashboard – Custom WordPress Dashboard Plugin
The Ultimate Dashboard – Custom WordPress Dashboard plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_module_actions function in all versions up to, and including, 3.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate/deactivate plugin modules.
PLUGIN
Ultimate Dashboard – Custom WordPress Dashboard
CVE-2025-2276
Risk Score
Threat Entry
Updated 2025-08-11
CVE-2025-2109 - Wp Compress Plugin
The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.30.15 via the init() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query information from internal services.
PLUGIN
Wp Compress
CVE-2025-2109
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-2542 - Your Simple Svg Support Plugin
The Your Simple SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Your Simple Svg Support
CVE-2025-2542
Risk Score
Threat Entry
Updated 2025-03-27
CVE-2025-2635 - Digital License Manager Plugin
The Digital License Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg() function without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Digital License Manager
CVE-2025-2635
Risk Score