Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-03-11
CVE-2025-28894 - This Issue Affects List Of Posts From Each Category Plugin
Cross-Site Request Forgery (CSRF) vulnerability in frucomerci List of Posts from each Category plugin for WordPress allows Stored XSS. This issue affects List of Posts from each Category plugin for WordPress: from n/a through 2.0.
PLUGIN
This Issue Affects List Of Posts From Each Category
CVE-2025-28894
Risk Score
Threat Entry
Updated 2025-05-26
CVE-2024-13228 - Qubely Plugin
The Qubely – Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.13 via the 'qubely_get_content'. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, password-protected, draft, and trashed post data.
PLUGIN
Qubely
CVE-2024-13228
Risk Score
Threat Entry
Updated 2025-05-06
CVE-2024-13864 - Countdown Timer Plugin
The Countdown Timer WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
Countdown Timer
CVE-2024-13864
Risk Score
Threat Entry
Updated 2025-05-21
CVE-2024-13862 - S3bubble Amazon Web Services Oembed Media Streaming Support Plugin
The S3Bubble Media Streaming (AWS|Elementor|YouTube|Vimeo Functionality) WordPress plugin through 8.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
S3bubble Amazon Web Services Oembed Media Streaming Support
CVE-2024-13862
Risk Score
Threat Entry
Updated 2025-05-06
CVE-2024-13836 - Wp Login Control Plugin
The WP Login Control WordPress plugin through 2.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Wp Login Control
CVE-2024-13836
Risk Score
Threat Entry
Updated 2025-05-21
CVE-2024-13853 - Seo Tools Plugin
The SEO Tools WordPress plugin through 4.0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
PLUGIN
Seo Tools
CVE-2024-13853
Risk Score
Threat Entry
Updated 2025-05-21
CVE-2025-0629 - Coronavirus Covid 19 Notice Message Plugin
The Coronavirus (COVID-19) Notice Message WordPress plugin through 1.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Coronavirus Covid 19 Notice Message
CVE-2025-0629
Risk Score
Threat Entry
Updated 2025-08-29
CVE-2024-13574 - Xv Random Quotes Plugin
The XV Random Quotes WordPress plugin through 1.40 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
PLUGIN
Xv Random Quotes
CVE-2024-13574
Risk Score
Threat Entry
Updated 2025-08-29
CVE-2024-13580 - Xv Random Quotes Plugin
The XV Random Quotes WordPress plugin through 1.40 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin reset them via a CSRF attack
PLUGIN
Xv Random Quotes
CVE-2024-13580
Risk Score
Threat Entry
Updated 2025-05-06
CVE-2024-13615 - Social Snap Plugin
The Social Share Buttons, Social Sharing Icons, Click to Tweet — Social Media Plugin by Social Snap WordPress plugin through 1.3.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Social Snap
CVE-2024-13615
Risk Score
Threat Entry
Updated 2025-03-11
CVE-2024-13413 - Productdyno Plugin
The ProductDyno plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘res’ parameter in all versions up to, and including, 1.0.24 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This vulnerability is potentially a duplicate of CVE-2025-22320.
PLUGIN
Productdyno
CVE-2024-13413
Risk Score
Threat Entry
Updated 2025-03-11
CVE-2025-2169 - WPCS – WordPress Currency Switcher Professional Plugin
The The WPCS – WordPress Currency Switcher Professional plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.0.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
PLUGIN
WPCS – WordPress Currency Switcher Professional
CVE-2025-2169
Risk Score
Threat Entry
Updated 2025-03-19
CVE-2025-1661 - Husky Products Filter Professional For Woocommerce Plugin
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.6.5 via the 'template' parameter of the woof_text_search AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
PLUGIN
Husky Products Filter Professional For Woocommerce
CVE-2025-1661
Risk Score
Threat Entry
Updated 2025-03-11
CVE-2024-13436 - Appsero Helper Plugin
The Appsero Helper plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.2. This is due to missing or incorrect nonce validation on the 'appsero_helper' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Appsero Helper
CVE-2024-13436
Risk Score
Threat Entry
Updated 2025-05-21
CVE-2024-11638 - Before 6 Plugin
The Gtbabel WordPress plugin before 6.6.9 does not ensure that the URL to perform code analysis upon belongs to the blog which could allow unauthenticated attackers to retrieve a logged in user (such as admin) cookies by making them open a crafted URL as the request made to analysed the URL contains such cookies.
PLUGIN
Before 6
CVE-2024-11638
Risk Score
Threat Entry
Updated 2025-05-26
CVE-2025-1926 - Pagelayer Plugin
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.8. This is due to missing or incorrect nonce validation on the pagelayer_save_post function. This makes it possible for unauthenticated attackers to modify post contents via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Pagelayer
CVE-2025-1926
Risk Score
Threat Entry
Updated 2026-01-09
CVE-2025-1382 - Contact Us Plugin
The Contact Us By Lord Linus WordPress plugin through 2.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.
PLUGIN
Contact Us
CVE-2025-1382
Risk Score
Threat Entry
Updated 2025-05-21
CVE-2025-1363 - Url Shortener Conversion Tracking Ab Testing Woocommerce Plugin
The URL Shortener | Conversion Tracking | AB Testing | WooCommerce WordPress plugin through 9.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Url Shortener Conversion Tracking Ab Testing Woocommerce
CVE-2025-1363
Risk Score
Threat Entry
Updated 2025-05-21
CVE-2025-1362 - Url Shortener Conversion Tracking Ab Testing Woocommerce Plugin
The URL Shortener | Conversion Tracking | AB Testing | WooCommerce WordPress plugin through 9.0.2 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting customers via CSRF attacks
PLUGIN
Url Shortener Conversion Tracking Ab Testing Woocommerce
CVE-2025-1362
Risk Score
Threat Entry
Updated 2025-03-12
CVE-2024-13924 - Starter Templates Plugin
The Starter Templates by FancyWP plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.0.0 via the 'http_request_host_is_external' filter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
Starter Templates
CVE-2024-13924
Risk Score