Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-04-02
CVE-2025-1621 - Gdpr Cookie Compliance Plugin
The GDPR Cookie Compliance WordPress plugin before 4.15.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Gdpr Cookie Compliance
CVE-2025-1621
Risk Score
Threat Entry
Updated 2025-04-02
CVE-2025-1620 - Gdpr Cookie Compliance Plugin
The GDPR Cookie Compliance WordPress plugin before 4.15.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Gdpr Cookie Compliance
CVE-2025-1620
Risk Score
Threat Entry
Updated 2025-04-02
CVE-2025-1619 - Gdpr Cookie Compliance Plugin
The GDPR Cookie Compliance WordPress plugin before 4.15.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Gdpr Cookie Compliance
CVE-2025-1619
Risk Score
Threat Entry
Updated 2025-04-09
CVE-2024-13602 - Before 5 Plugin
The Poll Maker WordPress plugin before 5.5.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Before 5
CVE-2024-13602
Risk Score
Threat Entry
Updated 2025-04-02
CVE-2025-1622 - Gdpr Cookie Compliance Plugin
The GDPR Cookie Compliance WordPress plugin before 4.15.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Gdpr Cookie Compliance
CVE-2025-1622
Risk Score
Threat Entry
Updated 2025-04-09
CVE-2024-13126 - Download Manager Plugin
The Download Manager WordPress plugin before 3.3.07 doesn't prevent directory listing on web servers that don't use htaccess, allowing unauthorized access of files.
PLUGIN
Download Manager
CVE-2024-13126
Risk Score
Threat Entry
Updated 2025-03-25
CVE-2025-2025 - Givewp Plugin
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the give_reports_earnings() function in all versions up to, and including, 3.22.0. This makes it possible for unauthenticated attackers to disclose sensitive information included within earnings reports.
PLUGIN
Givewp
CVE-2025-2025
Risk Score
Threat Entry
Updated 2025-03-25
CVE-2025-1530 - Tripetto Plugin
The Tripetto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.0.9. This is due to missing nonce validation. This makes it possible for unauthenticated attackers to delete arbitrary results via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Tripetto
CVE-2025-1530
Risk Score
Threat Entry
Updated 2025-03-25
CVE-2025-2325 - Wp Test Email Plugin
The WP Test Email plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Email Logs in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Test Email
CVE-2025-2325
Risk Score
Threat Entry
Updated 2025-03-28
CVE-2025-1771 - Traveler Plugin
The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotel_alone_load_more_post' function 'style' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
PLUGIN
Traveler
CVE-2025-1771
Risk Score
Threat Entry
Updated 2025-03-28
CVE-2025-1773 - Traveler Plugin
The Traveler theme for WordPress is vulnerable to Reflected Cross-Site Scripting via multiple parameters in all versions up to, and including, 3.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Traveler
CVE-2025-1773
Risk Score
Threat Entry
Updated 2025-03-28
CVE-2024-13497 - Tripetto Plugin
The WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via attachment uploads in all versions up to, and including, 8.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the uploaded file.
PLUGIN
Tripetto
CVE-2024-13497
Risk Score
Threat Entry
Updated 2025-03-28
CVE-2025-2267 - Wp01 Plugin
The WP01 plugin for WordPress is vulnerable to Arbitrary File Download in all versions up to, and including, 2.6.2 due to a missing capability check and insufficient restrictions on the make_archive() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download and read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Wp01
CVE-2025-2267
Risk Score
Threat Entry
Updated 2025-03-28
CVE-2025-2164 - Pixelstats Plugin
The pixelstats plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post_id' and 'sortby' parameters in all versions up to, and including, 0.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Pixelstats
CVE-2025-2164
Risk Score
Threat Entry
Updated 2025-03-28
CVE-2025-2163 - Zoorum Comments Plugin
The Zoorum Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9. This is due to missing or incorrect nonce validation on the zoorum_set_options() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Zoorum Comments
CVE-2025-2163
Risk Score
Threat Entry
Updated 2025-03-28
CVE-2025-1667 - Wpschoolpress Plugin
The School Management System – WPSchoolPress plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the wpsp_UpdateTeacher() function in all versions up to, and including, 2.2.16. This makes it possible for authenticated attackers, with teacher-level access and above, to update arbitrary user details including email which makes it possible to request a password reset and access arbitrary user accounts, including administrators.
PLUGIN
Wpschoolpress
CVE-2025-1667
Risk Score
Threat Entry
Updated 2025-03-28
CVE-2025-1670 - Wpschoolpress Plugin
The School Management System – WPSchoolPress plugin for WordPress is vulnerable to SQL Injection via the 'cid' parameter in all versions up to, and including, 2.2.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Wpschoolpress
CVE-2025-1670
Risk Score
Threat Entry
Updated 2025-03-28
CVE-2025-1669 - Wpschoolpress Plugin
The School Management System – WPSchoolPress plugin for WordPress is vulnerable to SQL Injection via the 'addNotify' action in all versions up to, and including, 2.2.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with teacher-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Wpschoolpress
CVE-2025-1669
Risk Score
Threat Entry
Updated 2025-03-28
CVE-2025-1668 - Wpschoolpress Plugin
The School Management System – WPSchoolPress plugin for WordPress is vulnerable to arbitrary user deletion due to a missing capability check on the wpsp_DeleteUser() function in all versions up to, and including, 2.2.16. This makes it possible for authenticated attackers, with teacher-level access and above, to delete arbitrary user accounts.
PLUGIN
Wpschoolpress
CVE-2025-1668
Risk Score
Threat Entry
Updated 2025-03-28
CVE-2024-12336 - Wc Affiliate Plugin
The WC Affiliate – A Complete WooCommerce Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'export_all_data' function in all versions up to, and including, 2.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to expose sensitive affiliate data, including personally identifiable information (PII).
PLUGIN
Wc Affiliate
CVE-2024-12336
Risk Score