
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 entries (Critical: 923, High: 3,047, Medium: 10,866)
Showing 5561-5580 of 15036 records
Threat Entry Updated 2025-03-14

CVE-2025-2166 - CM FAQ – Simplify support with an intuitive FAQ management tool Plugin

The CM FAQ – Simplify support with an intuitive FAQ management tool plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN CM FAQ – Simplify support with an intuitive FAQ management tool

CVE-2025-2166

MEDIUM CVSS 6.1 2025-03-14
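The root cause named above, `remove_query_arg()` used without escaping, is a recurring WordPress pattern, so here is an added illustration of it (this is not the CM FAQ plugin's code; the page slug and query-argument names are made up and the snippet is assumed to run inside WordPress):

```php
<?php
/*
 * Illustrative WordPress admin-page snippet (added example, not the CM FAQ
 * plugin's code). Assumption: runs inside WordPress; the page slug and the
 * query-argument names are hypothetical.
 */

// VULNERABLE: called without a URL argument, remove_query_arg() works on
// $_SERVER['REQUEST_URI'], so the returned string still contains whatever the
// visitor put in the path or query string. Echoing it raw into an href lets a
// crafted value such as ?x=%22%3E%3Cscript%3E... close the attribute and the tag.
function cmfaq_example_reset_link_vulnerable() {
    $url = remove_query_arg( array( 'faq_filter', 'paged' ) );
    echo '<a href="' . $url . '">Reset filters</a>';
}

// FIXED: escape at the point of output. esc_url() removes characters that are
// not valid in a URL (double quotes and angle brackets among them) and encodes
// single quotes, so the value can no longer terminate the attribute.
function cmfaq_example_reset_link_fixed() {
    $url = remove_query_arg( array( 'faq_filter', 'paged' ) );
    echo '<a href="' . esc_url( $url ) . '">Reset filters</a>';
}

// Safer still: build the link from a known base instead of the request URI, so
// the visitor never controls the input in the first place. Output is still escaped.
function cmfaq_example_reset_link_canonical() {
    $url = add_query_arg( 'page', 'cmfaq-example', admin_url( 'admin.php' ) );
    echo '<a href="' . esc_url( $url ) . '">Reset filters</a>';
}
```

The same fix applies to the reflected-XSS entries further down this page that describe a parameter "output back in the page" without escaping: the escaping function must match the output context (`esc_url()` for href values, `esc_attr()` for other attributes, `esc_html()` for text nodes).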
Threat Entry Updated 2025-03-14

CVE-2025-1528 - Search & Filter Pro Plugin

The Search & Filter Pro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_meta_values' function in all versions up to, and including, 2.5.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the values of arbitrary post meta.

PLUGIN Search & Filter Pro

CVE-2025-1528

MEDIUM CVSS 4.3 2025-03-14
Threat Entry Updated 2025-03-14

CVE-2025-1285 - Resido - Real Estate WordPress Theme

The Resido - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_api_key and save_api_key AJAX actions in all versions up to, and including, 3.6. This makes it possible for unauthenticated attackers to issue requests to internal services and update API key details.

THEME Resido - Real Estate WordPress Theme

CVE-2025-1285

MEDIUM CVSS 5.3 2025-03-14
Threat Entry Updated 2025-03-14

CVE-2025-0955 - Vidorev Extensions Plugin

The VidoRev Extensions plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'vidorev_import_single_video' AJAX action in all versions up to, and including, 2.9.9.9.9.9.5. This makes it possible for unauthenticated attackers to import arbitrary YouTube videos.

PLUGIN Vidorev Extensions

CVE-2025-0955

MEDIUM CVSS 5.3 2025-03-14
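The three entries above (CVE-2025-1528, CVE-2025-1285, CVE-2025-0955) share one cause: an AJAX action that is reachable but never asks who is calling. The following is an added example of the vulnerable and the hardened shape of such a handler; it is not code from Search & Filter Pro, Resido or VidoRev, the action, option and nonce names are hypothetical, and it is assumed to be loaded as a WordPress plugin.

```php
<?php
/*
 * Illustrative AJAX handlers (added example, not code from any plugin named on
 * this page). Assumption: loaded as a WordPress plugin; the action name
 * "myplugin_save_api_key", the option name and the nonce names are hypothetical.
 */

// VULNERABLE: registered on both hooks, so it is reachable by logged-out
// visitors (wp_ajax_nopriv_*) and by every logged-in role (wp_ajax_*). The body
// never checks who is calling, so a Subscriber, or nobody at all, can overwrite
// the site's stored API key.
add_action( 'wp_ajax_myplugin_save_api_key', 'myplugin_save_api_key_vulnerable' );
add_action( 'wp_ajax_nopriv_myplugin_save_api_key', 'myplugin_save_api_key_vulnerable' );
function myplugin_save_api_key_vulnerable() {
    update_option( 'myplugin_api_key', $_POST['api_key'] );
    wp_send_json_success();
}

// FIXED: only the logged-in hook, then three independent gates.
add_action( 'wp_ajax_myplugin_save_api_key_fixed', 'myplugin_save_api_key_fixed' );
function myplugin_save_api_key_fixed() {
    // 1. CSRF: the request must carry a nonce minted for this action
    //    (wp_create_nonce( 'myplugin_save_api_key' ) on the settings page).
    //    check_ajax_referer() terminates the request when the nonce is bad.
    check_ajax_referer( 'myplugin_save_api_key', 'nonce' );

    // 2. Authorization: being logged in is not enough. wp_ajax_* fires for
    //    Subscribers too, so the hook choice is not an access control; require
    //    a capability that only the intended role holds.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // exits
    }

    // 3. Input validation: never store raw $_POST.
    $key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    if ( ! preg_match( '/^[A-Za-z0-9_\-]{16,128}$/', $key ) ) {
        wp_send_json_error( array( 'message' => 'Invalid key format' ), 400 );
    }

    update_option( 'myplugin_api_key', $key );
    wp_send_json_success();
}

// Read side, for the get_meta_values pattern: a handler that returns post meta
// must check the caller may read that particular post. Meta on a private or
// draft post does not become public just because the post ID is guessable,
// and protected keys (leading underscore) are never meant for clients.
add_action( 'wp_ajax_myplugin_get_meta', 'myplugin_get_meta_fixed' );
function myplugin_get_meta_fixed() {
    check_ajax_referer( 'myplugin_get_meta', 'nonce' );
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    $key     = isset( $_GET['key'] ) ? sanitize_key( $_GET['key'] ) : '';
    if ( ! $post_id || ! current_user_can( 'read_post', $post_id ) || is_protected_meta( $key, 'post' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    wp_send_json_success( get_post_meta( $post_id, $key, true ) );
}
```

When auditing a plugin for this class, list every `add_action( 'wp_ajax_...' )` and `wp_ajax_nopriv_...` registration and confirm each callback reaches a `current_user_can()` (or an equivalent ownership check) before it reads or writes anything; a nonce check alone does not establish authorization.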
Threat Entry Updated 2025-07-08

CVE-2024-11286 - Jobcareer Plugin

The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the cs_parse_request() function. This makes it possible for unauthenticated attackers to log in to any user's account, including administrators.

PLUGIN Jobcareer

CVE-2024-11286

CRITICAL CVSS 9.8 2025-03-14
Threat Entry Updated 2025-07-08

CVE-2024-11285 - Jobcareer Plugin

The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 7.1. This is due to the plugin not properly validating a user's identity prior to updating their details, such as email, via the account_settings_callback() function. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including administrators', and leverage that to reset the user's password and gain access to their account.

PLUGIN Jobcareer

CVE-2024-11285

CRITICAL CVSS 9.8 2025-03-14
Threat Entry Updated 2025-07-08

CVE-2024-11284 - Jobcareer Plugin

The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.9. This is due to the plugin not properly validating a user's identity prior to updating their password through the account_settings_save_callback() function. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their account.

PLUGIN Jobcareer

CVE-2024-11284

CRITICAL CVSS 9.8 2025-03-14
Threat Entry Updated 2025-07-08

CVE-2024-11283 - Jobcareer Plugin

The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to the wp_ajax_google_api_login_callback() function not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to access arbitrary candidate accounts.

PLUGIN Jobcareer

CVE-2024-11283

HIGH CVSS 7.5 2025-03-14
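The four WP JobHunt entries above (CVE-2024-11283 through CVE-2024-11286) describe handlers that update or log in a user chosen by the request rather than by a verified session or credential. The added example below is not WP JobHunt's code; it shows the vulnerable shape and a hardened account-settings handler plus a login helper, under the assumption that it runs as a WordPress plugin with hypothetical field and nonce names.

```php
<?php
/*
 * Illustrative account-settings and login handlers (added example, not WP
 * JobHunt's code). Assumption: loaded as a WordPress plugin; field names,
 * nonce names and function names are hypothetical.
 */

// VULNERABLE: the subject of the update comes from the request. Anyone who can
// reach this endpoint chooses whose e-mail (and therefore whose password-reset
// link) is changed, without logging in or proving ownership of the account.
function example_account_settings_vulnerable() {
    wp_update_user( array(
        'ID'         => (int) $_POST['user_id'],
        'user_email' => $_POST['email'],
    ) );
}

// FIXED: the subject is the authenticated session, never a client-supplied ID;
// the request is nonce-protected; a password change re-proves the current
// password; the new e-mail is validated and must not belong to another user.
function example_account_settings_fixed() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Login required', 'Forbidden', array( 'response' => 401 ) );
    }
    check_admin_referer( 'example_account_settings', '_example_nonce' );

    $user_id = get_current_user_id();
    $user    = get_userdata( $user_id );

    $email    = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    $owner_id = email_exists( $email ); // user ID or false
    if ( ! is_email( $email ) || ( $owner_id && $owner_id !== $user_id ) ) {
        wp_die( 'Invalid or already used e-mail', 'Bad request', array( 'response' => 400 ) );
    }

    $data = array( 'ID' => $user_id, 'user_email' => $email );

    if ( ! empty( $_POST['new_password'] ) ) {
        $current = isset( $_POST['current_password'] ) ? (string) wp_unslash( $_POST['current_password'] ) : '';
        if ( ! wp_check_password( $current, $user->user_pass, $user_id ) ) {
            wp_die( 'Current password incorrect', 'Forbidden', array( 'response' => 403 ) );
        }
        // wp_update_user() hashes user_pass before storing it.
        $data['user_pass'] = (string) wp_unslash( $_POST['new_password'] );
    }

    $result = wp_update_user( $data );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), 'Error', array( 'response' => 400 ) );
    }
}

// Login side. The two authentication-bypass entries share one root cause: a
// handler that issues a session (wp_set_auth_cookie) for a user picked from the
// request, e.g. by e-mail or ID, without a verified secret. A session may only
// follow a credential check. For an OAuth/Google flow the secret is the
// provider's ID token, which must be verified server-side with the provider
// before its e-mail claim is used to look up a local user.
function example_login_fixed( $login, $password ) {
    $user = wp_authenticate( $login, $password ); // verifies the stored hash
    if ( is_wp_error( $user ) ) {
        return $user;
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false, is_ssl() );
    return $user;
}
```

The audit question for every such handler is "where does the user ID come from?": if the answer is a request parameter rather than `get_current_user_id()` or a freshly verified credential, the endpoint is an account-takeover primitive regardless of what other checks it performs.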
Threat Entry Updated 2025-03-13

CVE-2024-10942 - All In One Wp Migration Plugin

The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.89 via deserialization of untrusted input in the 'replace_serialized_values' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must export…

PLUGIN All In One Wp Migration

CVE-2024-10942

HIGH CVSS 7.5 2025-03-13
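The entry above notes that no POP chain ships in the plugin itself but that one supplied by another installed plugin or theme would turn the injection into file deletion or code execution. The following standalone PHP script (added example, not the All-in-One WP Migration code; the `LogWriter` class is a constructed stand-in for such a gadget) shows why `unserialize()` on untrusted data is the problem even when the parser is correct, and what `allowed_classes` changes.

```php
<?php
/*
 * Standalone demonstration of PHP object injection (added example, not the
 * All-in-One WP Migration code). Run with: php poi_demo.php
 * LogWriter is a constructed stand-in for a "POP gadget": a class that already
 * exists on the site and does something destructive in __destruct().
 */

class LogWriter {
    public $path;
    public function __construct( $path ) { $this->path = $path; }
    // Gadget: whatever is in $path is deleted when the object is released.
    public function __destruct() {
        if ( is_file( $this->path ) ) {
            unlink( $this->path );
        }
    }
}

// A file the attacker wants gone (constructed for the demo).
$victim = tempnam( sys_get_temp_dir(), 'poi' );
file_put_contents( $victim, 'important' );

// Attacker-controlled input: a serialized LogWriter pointing at that file.
// Wire format: O:<classlen>:"<class>":<nprops>:{<key>;<value>;}
$payload = sprintf( 'O:9:"LogWriter":1:{s:4:"path";s:%d:"%s";}', strlen( $victim ), $victim );

// VULNERABLE: plain unserialize() instantiates any class named in the input,
// so the gadget's __destruct() runs when the returned value is discarded.
function replace_values_vulnerable( $serialized ) {
    return unserialize( $serialized );
}
replace_values_vulnerable( $payload );
clearstatcache();
$after_vulnerable = is_file( $victim ); // false: the file was deleted

// Recreate the target for the second run.
file_put_contents( $victim, 'important' );

// FIXED: allowed_classes => false turns every object in the input into
// __PHP_Incomplete_Class, which has no methods, so no gadget can fire. If the
// code genuinely needs objects back, pass an explicit allowlist of class names
// instead of false; never leave the option unset for untrusted input.
function replace_values_fixed( $serialized ) {
    return unserialize( $serialized, array( 'allowed_classes' => false ) );
}
$obj = replace_values_fixed( $payload );
clearstatcache();
$after_fixed = is_file( $victim ); // true: the file survived

printf( "vulnerable: file exists after unserialize? %s\n", var_export( $after_vulnerable, true ) );
printf( "fixed:      file exists after unserialize? %s (object is %s)\n",
    var_export( $after_fixed, true ), get_class( $obj ) );
unlink( $victim );
```

The point for a reviewer is that "no gadget in this plugin" is a statement about today's install, not about the deserialization call: any class with a side-effecting `__destruct()`, `__wakeup()` or `__toString()` anywhere in the autoload path is a candidate, so the call site must be fixed rather than the absence of gadgets relied on.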
Threat Entry Updated 2025-07-08

CVE-2025-1785 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.08 via the 'wpdm_newfile' action. This makes it possible for authenticated attackers, with Author-level access and above, to overwrite select file types outside of the originally intended directory, which may cause a denial of service.

PLUGIN Download Manager

CVE-2025-1785

MEDIUM CVSS 5.4 2025-03-13
Threat Entry Updated 2025-03-13

CVE-2025-1119 - Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.6.8.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

CVE-2025-1119

HIGH CVSS 7.3 2025-03-13
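"Arbitrary shortcode execution" as described above means the client controls the string passed to `do_shortcode()`, which exposes every shortcode registered by core and by every other plugin on the site to unauthenticated callers. The following added example (not the Simply Schedule Appointments code; the shortcode and action names are hypothetical and it is assumed to run as a WordPress plugin) contrasts that with an endpoint that only lets the client pick from an allowlist and builds the tag server-side:

```php
<?php
/*
 * Illustrative AJAX endpoint that renders a shortcode (added example, not the
 * Simply Schedule Appointments code). Assumption: loaded as a WordPress plugin;
 * "myplugin_booking", "myplugin_availability" and the action names are hypothetical.
 */

// VULNERABLE: the whole shortcode string comes from the request, so any
// shortcode on the site is callable with attacker-chosen attributes.
add_action( 'wp_ajax_nopriv_myplugin_render', 'myplugin_render_vulnerable' );
function myplugin_render_vulnerable() {
    echo do_shortcode( wp_unslash( $_POST['shortcode'] ) );
    wp_die();
}

// FIXED: the client may only choose which of this plugin's own shortcodes to
// render and pass a small, typed set of attributes; the tag is built server-side.
add_action( 'wp_ajax_nopriv_myplugin_render_fixed', 'myplugin_render_fixed' );
add_action( 'wp_ajax_myplugin_render_fixed', 'myplugin_render_fixed' );
function myplugin_render_fixed() {
    $allowed = array( 'myplugin_booking', 'myplugin_availability' );
    $tag     = isset( $_POST['tag'] ) ? sanitize_key( $_POST['tag'] ) : '';
    if ( ! in_array( $tag, $allowed, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( array( 'message' => 'Unknown shortcode' ), 400 ); // exits
    }

    // Attributes: allowlist keys, coerce types, never pass through raw values.
    $atts = array();
    if ( isset( $_POST['team_id'] ) ) {
        $atts['team_id'] = absint( $_POST['team_id'] );
    }
    if ( isset( $_POST['view'] ) && in_array( $_POST['view'], array( 'week', 'month' ), true ) ) {
        $atts['view'] = $_POST['view'];
    }

    $pairs = array();
    foreach ( $atts as $k => $v ) {
        $pairs[] = $k . '="' . esc_attr( (string) $v ) . '"';
    }
    $html = do_shortcode( '[' . $tag . ( $pairs ? ' ' . implode( ' ', $pairs ) : '' ) . ']' );
    wp_send_json_success( array( 'html' => $html ) );
}
```

Even with the allowlist, the rendered shortcodes run with the site's privileges, so the allowlisted ones must themselves be safe to call anonymously with any attribute values the handler admits.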
Threat Entry Updated 2025-04-09

CVE-2025-1487 - Wowpth Plugin

The WoWPth WordPress plugin through 2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Wowpth

CVE-2025-1487

HIGH CVSS 7.1 2025-03-13
Threat Entry Updated 2025-04-09

CVE-2025-1486 - Wowpth Plugin

The WoWPth WordPress plugin through 2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Wowpth

CVE-2025-1486

HIGH CVSS 7.1 2025-03-13
Threat Entry Updated 2025-10-06

CVE-2025-1436 - Limit Bio Plugin

The Limit Bio WordPress plugin through 1.0 does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

PLUGIN Limit Bio

CVE-2025-1436

HIGH CVSS 7.1 2025-03-13
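The Limit Bio entry above chains two defects: a settings update with no CSRF check, and a stored value that is neither sanitised on save nor escaped on output, so a forged request from an admin's browser plants a persistent script. The added example below (not the Limit Bio plugin's code; the option, field and nonce names are hypothetical, and it is assumed to run as a WordPress admin page) shows both halves of the fix.

```php
<?php
/*
 * Illustrative settings page (added example, not the Limit Bio plugin's code).
 * Assumption: rendered as a WordPress admin page; option, field and nonce names
 * are hypothetical.
 */

// VULNERABLE: any POST with the right field name updates the option, and the
// stored value is echoed raw into an attribute. An attacker who gets an admin to
// load a page with an auto-submitting form stores a payload that then runs in
// every admin's browser.
function myplugin_settings_page_vulnerable() {
    if ( isset( $_POST['bio_limit_text'] ) ) {
        update_option( 'myplugin_bio_limit_text', $_POST['bio_limit_text'] );
    }
    echo '<input name="bio_limit_text" value="' . get_option( 'myplugin_bio_limit_text' ) . '">';
}

// FIXED: capability check, nonce check, sanitise on input, escape on output.
function myplugin_settings_page_fixed() {
    // A nonce is per-user, not an authorization decision, so the capability
    // check stays even though the form below is nonce-protected.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    if ( isset( $_POST['bio_limit_text'] ) ) {
        // Dies unless the nonce field from the form below is present and valid
        // for this user and this action; a cross-site form cannot supply it.
        check_admin_referer( 'myplugin_save_settings', '_myplugin_nonce' );

        $text = sanitize_text_field( wp_unslash( $_POST['bio_limit_text'] ) );
        update_option( 'myplugin_bio_limit_text', $text );
    }

    // Sanitising is not escaping: the stored value still goes through esc_attr()
    // because the attribute context is what the browser parses.
    $current = get_option( 'myplugin_bio_limit_text', '' );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'myplugin_save_settings', '_myplugin_nonce' ); ?>
        <label for="bio_limit_text">Limit message</label>
        <input id="bio_limit_text" name="bio_limit_text" type="text"
               value="<?php echo esc_attr( $current ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The same split applies to the stored-XSS entries elsewhere on this page: sanitisation decides what may be stored, escaping decides how it is rendered, and dropping either one leaves the other context open.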
Threat Entry Updated 2025-04-29

CVE-2025-1401 - Wp Click Info Plugin

The WP Click Info WordPress plugin through 2.7.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Wp Click Info

CVE-2025-1401

HIGH CVSS 7.1 2025-03-13
Threat Entry Updated 2025-04-29

CVE-2024-13891 - Schedule Plugin

The Schedule WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Schedule

CVE-2024-13891

HIGH CVSS 7.1 2025-03-13
Threat Entry Updated 2025-04-29

CVE-2024-13885 - Wp E Customers Beta Plugin

The WP e-Customers Beta WordPress plugin through 0.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Wp E Customers Beta

CVE-2024-13885

HIGH CVSS 7.1 2025-03-13
Threat Entry Updated 2025-04-29

CVE-2024-13884 - Limit Bio Plugin

The Limit Bio WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Limit Bio

CVE-2024-13884

HIGH CVSS 7.1 2025-03-13
Threat Entry Updated 2025-05-26

CVE-2025-2104 - Pagelayer Plugin

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to unauthorized post publication due to insufficient validation on the pagelayer_save_content() function in all versions up to, and including, 1.9.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to bypass post moderation and publish posts to the site.

PLUGIN Pagelayer

CVE-2025-2104

MEDIUM CVSS 4.3 2025-03-13
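The Pagelayer entry above is a moderation bypass: a Contributor, who may only submit posts for review, gets a requested `post_status` honoured. The added example below (not Pagelayer's code; the action and nonce names are hypothetical and it is assumed to run as a WordPress plugin) shows the vulnerable shape and a handler that defers the publish decision to the post type's own capability.

```php
<?php
/*
 * Illustrative page-builder save handler (added example, not Pagelayer's code).
 * Assumption: loaded as a WordPress plugin; action and nonce names are hypothetical.
 */

// VULNERABLE: post_status is copied from the request. A Contributor sends
// post_status=publish and the post goes live without review.
function mybuilder_save_content_vulnerable() {
    wp_update_post( array(
        'ID'           => (int) $_POST['post_id'],
        'post_content' => wp_unslash( $_POST['content'] ),
        'post_status'  => $_POST['post_status'],
    ) );
}

// FIXED: confirm the caller may edit this specific post, then let the post
// type's publish capability decide whether "publish" is allowed for them.
add_action( 'wp_ajax_mybuilder_save_content', 'mybuilder_save_content_fixed' );
function mybuilder_save_content_fixed() {
    check_ajax_referer( 'mybuilder_save', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // exits
    }

    $requested = isset( $_POST['post_status'] ) ? sanitize_key( $_POST['post_status'] ) : 'draft';
    $type_obj  = get_post_type_object( get_post_type( $post_id ) );

    // Only holders of the type's publish capability may set "publish"; anyone
    // else is downgraded to "pending" (awaiting review), never silently granted
    // the status they asked for. Unknown statuses fall back to draft.
    if ( 'publish' === $requested && ! current_user_can( $type_obj->cap->publish_posts ) ) {
        $requested = 'pending';
    }
    if ( ! in_array( $requested, array( 'draft', 'pending', 'publish' ), true ) ) {
        $requested = 'draft';
    }

    // Content: users without unfiltered_html get the same HTML filter core
    // applies in the editor. Core's kses save filters also cover this path for
    // such users; the explicit call makes the intent visible in review.
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $content = wp_kses_post( $content );
    }

    $result = wp_update_post( array(
        'ID'           => $post_id,
        'post_content' => $content,
        'post_status'  => $requested,
    ), true );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 400 );
    }
    wp_send_json_success( array( 'post_id' => $post_id, 'status' => $requested ) );
}
```

Using `$type_obj->cap->publish_posts` rather than a hard-coded `publish_posts` keeps the check correct for custom post types that map their capabilities differently.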
Threat Entry Updated 2025-05-26

CVE-2025-1561 - Apppresser Plugin

The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in all versions up to, and including, 4.4.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages when logging is enabled that will execute whenever a user accesses an injected page.

PLUGIN Apppresser

CVE-2025-1561

HIGH CVSS 7.2 2025-03-13