Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 15,036 | Critical 923 | High 3,047 | Medium 10,866
Showing 5581-5600 of 15036 records
CVE-2025-1503 - Wp Recipe Maker Plugin (threat entry updated 2025-03-13)

The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Roundup Recipe Name field in all versions up to, and including, 9.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

MEDIUM | CVSS 6.4 | 2025-03-13
CVE-2025-2250 - WordPress Report Brute Force Attacks and Login Protection ReportAttacks Plugins (threat entry updated 2025-03-13)

The WordPress Report Brute Force Attacks and Login Protection ReportAttacks Plugins plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.32 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

MEDIUM | CVSS 4.9 | 2025-03-13
CVE-2024-13887 - Easy Listing Directories For Wordpress Plugin (threat entry updated 2025-03-13)

The Business Directory Plugin – Easy Listing Directories for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.14 via the 'ajax_listing_submit_image_upload' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to add arbitrary images to listings.

MEDIUM | CVSS 5.3 | 2025-03-13
CVE-2025-2107 - Arielbrailovsky Viralad Plugin (threat entry updated 2025-03-13)

The ArielBrailovsky-ViralAd plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the printResultAndDie() function in all versions up to, and including, 1.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This only appears to be exploitable on very old versions of WordPress.

HIGH | CVSS 7.5 | 2025-03-13
CVE-2025-2106 - Arielbrailovsky Viralad Plugin (threat entry updated 2025-03-13)

The ArielBrailovsky-ViralAd plugin for WordPress is vulnerable to SQL Injection via the 'text' and 'id' parameters of the limpia() function in all versions up to, and including, 1.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This only appears to be exploitable on very old versions of WordPress.

HIGH | CVSS 7.5 | 2025-03-13
CVE-2025-1559 - Cc Img Shortcode Plugin (threat entry updated 2025-03-13)

The CC-IMG-Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'img' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

MEDIUM | CVSS 6.4 | 2025-03-13
CVE-2024-13703 - Crm And Lead Management By Vcita Plugin (threat entry updated 2025-05-26)

The CRM and Lead Management by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_ajax_toggle_ae() function in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable and disable plugin widgets.

MEDIUM | CVSS 4.3 | 2025-03-13
CVE-2025-1527 - Shoplentor Plugin (threat entry updated 2025-03-24)

The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Stored DOM-Based Cross-Site Scripting via the plugin's Flash Sale Countdown module in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

MEDIUM | CVSS 6.4 | 2025-03-12
CVE-2024-13446 - Workreap Plugin (threat entry updated 2025-04-02)

The Workreap plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.2.5. This is due to the plugin not properly validating a user's identity prior to (1) performing a social auto-login or (2) updating their profile details (e.g. password). This makes it possible for unauthenticated attackers to (1) login as an arbitrary user if their email address is known or (2) change an arbitrary user's password, including administrators, and leverage that to gain access to their account. NOTE: This vulnerability was…

CRITICAL | CVSS 9.8 | 2025-03-12
CVE-2024-13430 - Pagelayer Plugin (threat entry updated 2025-04-02)

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.8 via the 'pagelayer_builder_posts_shortcode' function due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private posts that they should not have access to.

MEDIUM | CVSS 4.3 | 2025-03-12
CVE-2024-13838 - Uncanny Automator Plugin (threat entry updated 2025-04-02)

The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.2 via the 'call_webhook' method of the Automator_Send_Webhook class. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.

MEDIUM | CVSS 5.5 | 2025-03-12
CVE-2024-12589 - Finale Plugin (threat entry updated 2025-04-02)

The Finale Lite – Sales Countdown Timer & Discount for WooCommerce plugin for WordPress is vulnerable to Stored DOM-Based Cross-Site Scripting via the countdown timer in all versions up to, and including, 2.19.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

MEDIUM | CVSS 6.4 | 2025-03-12
CVE-2024-13498 - Contact Forms And Much More Plugin (threat entry updated 2025-03-12)

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.8.1 via file uploads due to insufficient directory listing prevention and lack of randomization of file names. This makes it possible for unauthenticated attackers to extract sensitive data including files uploaded via a form.

MEDIUM | CVSS 5.3 | 2025-03-12
CVE-2025-2077 - Simple Amazon Affiliate Plugin (threat entry updated 2025-04-02)

The Simple Amazon Affiliate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'msg' parameter in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

MEDIUM | CVSS 6.1 | 2025-03-12
CVE-2025-2205 - Gdpr Cookie Compliance Plugin (threat entry updated 2025-07-08)

The GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice – CCPA, DSGVO, RGPD plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.15.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

MEDIUM | CVSS 4.4 | 2025-03-12
CVE-2025-2078 - Blogbuzztime For Wp Plugin (threat entry updated 2025-04-02)

The BlogBuzzTime for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

MEDIUM | CVSS 4.4 | 2025-03-12
CVE-2025-2076 - Binlayerpress Plugin (threat entry updated 2025-04-07)

The binlayerpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

MEDIUM | CVSS 4.4 | 2025-03-12
CVE-2025-1508 - Wp Crowdfunding Plugin (threat entry updated 2025-03-20)

The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_data action in all versions up to, and including, 2.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to download all of a site's post content when WooCommerce is installed.

MEDIUM | CVSS 5.3 | 2025-03-12
CVE-2025-1707 - Review Schema – Review & Structure Data Schema Plugin (threat entry updated 2025-03-11)

The Review Schema plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.4 via post meta. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where the PHP file type can be uploaded and included.

HIGH | CVSS 8.8 | 2025-03-11
CVE-2025-28914 - wordpress login form to anywhere Plugin (threat entry updated 2025-03-11)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ajay Sharma wordpress login form to anywhere allows Stored XSS. This issue affects wordpress login form to anywhere: from n/a through 0.2.

MEDIUM | CVSS 5.9 | 2025-03-11