Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-05-13
CVE-2024-10558 - Form Maker By 10web Plugin
The Form Maker by 10Web WordPress plugin before 1.15.30 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Form Maker By 10web
CVE-2024-10558
Risk Score
Threat Entry
Updated 2025-04-02
CVE-2025-1446 - Before 3 Plugin
The Pods WordPress plugin before 3.2.8.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
PLUGIN
Before 3
CVE-2025-1446
Risk Score
Threat Entry
Updated 2025-04-02
CVE-2025-0718 - Nested Pages Plugin
The Nested Pages WordPress plugin before 3.2.13 does not sanitise and escape some of its settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Nested Pages
CVE-2025-0718
Risk Score
Threat Entry
Updated 2025-03-22
CVE-2025-2186 - FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce Plugin
The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to SQL Injection via the ‘automationId’ parameter in all versions up to, and including, 3.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce
CVE-2025-2186
Risk Score
Threat Entry
Updated 2025-03-22
CVE-2025-2577 - Bitspecter Suite Plugin
The Bitspecter Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
PLUGIN
Bitspecter Suite
CVE-2025-2577
Risk Score
Threat Entry
Updated 2025-07-09
CVE-2025-1971 - Import Export Wordpress Users Plugin
The Export and Import Users and Customers plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.2 via deserialization of untrusted input from the 'form_data' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional…
PLUGIN
Import Export Wordpress Users
CVE-2025-1971
Risk Score
Threat Entry
Updated 2025-08-11
CVE-2025-2331 - Givewp Plugin
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.22.1 via a misconfigured capability check in the 'permissionsCheck' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including reports detailing donors and donation amounts.
PLUGIN
Givewp
CVE-2025-2331
Risk Score
Threat Entry
Updated 2025-07-09
CVE-2025-1973 - Import Export Wordpress Users Plugin
The Export and Import Users and Customers plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.6.2 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary log files on the server, which can contain sensitive information.
PLUGIN
Import Export Wordpress Users
CVE-2025-1973
Risk Score
Threat Entry
Updated 2025-07-09
CVE-2025-1972 - Import Export Wordpress Users Plugin
The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.6.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the server.
PLUGIN
Import Export Wordpress Users
CVE-2025-1972
Risk Score
Threat Entry
Updated 2025-07-09
CVE-2025-1970 - Import Export Wordpress Users Plugin
The Export and Import Users and Customers plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.6.2 via the validate_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Import Export Wordpress Users
CVE-2025-1970
Risk Score
Threat Entry
Updated 2025-03-22
CVE-2024-13666 - Conversational Form Builder Plugin
The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 5.2.12 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers spoof their IP address and submit forms that may have IP-based restrictions.
PLUGIN
Conversational Form Builder
CVE-2024-13666
Risk Score
Threat Entry
Updated 2025-03-22
CVE-2025-2484 - Multi Video Box Plugin
The Multi Video Box plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'video_id' and 'group_id' parameters in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Multi Video Box
CVE-2025-2484
Risk Score
Threat Entry
Updated 2025-03-22
CVE-2025-2482 - Gotcha | Gesture-based Captcha Plugin
The Gotcha | Gesture-based Captcha plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'menu' parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Gotcha | Gesture-based Captcha
CVE-2025-2482
Risk Score
Threat Entry
Updated 2025-03-22
CVE-2025-2479 - Easy Custom Admin Bar Plugin
The Easy Custom Admin Bar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘msg’ parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Easy Custom Admin Bar
CVE-2025-2479
Risk Score
Threat Entry
Updated 2025-03-22
CVE-2025-2303 - Block Logic – Full Gutenberg Block Display Control Plugin
The Block Logic – Full Gutenberg Block Display Control plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.8 via the block_logic_check_logic function. This is due to the unsafe evaluation of user-controlled input. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
PLUGIN
Block Logic – Full Gutenberg Block Display Control
CVE-2025-2303
Risk Score
Threat Entry
Updated 2025-03-22
CVE-2025-1311 - WooCommerce Multivendor Marketplace – REST API Plugin
The WooCommerce Multivendor Marketplace – REST API plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in the update_delivery_status() function in all versions up to, and including, 1.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
WooCommerce Multivendor Marketplace – REST API
CVE-2025-1311
Risk Score
Threat Entry
Updated 2025-03-22
CVE-2024-13856 - Make Builder Plugin
The Your Friendly Drag and Drop Page Builder — Make Builder plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.1.10 via the make_builder_ajax_subscribe() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Make Builder
CVE-2024-13856
Risk Score
Threat Entry
Updated 2025-03-22
CVE-2025-2478 - Code Clone Plugin
The Code Clone plugin for WordPress is vulnerable to time-based SQL Injection via the ‘snippetId’ parameter in all versions up to, and including, 0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Code Clone
CVE-2025-2478
Risk Score
Threat Entry
Updated 2025-03-22
CVE-2025-2477 - Cryokey Plugin
The CryoKey plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘ckemail’ parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Cryokey
CVE-2025-2477
Risk Score
Threat Entry
Updated 2025-03-22
CVE-2025-0807 - CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts Plugin
The CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2. This is due to missing or incorrect nonce validation on the cits_settings_tab() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
CITS Support svg, webp Media and TTF,OTF File Upload, Use Custom Fonts
CVE-2025-0807
Risk Score