Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-01-26
CVE-2025-14745 - And Autoblogging Plugin
The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-rss-aggregator' shortcode in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
And Autoblogging
CVE-2025-14745
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-0927 - Kivicare Clinic Management System Plugin
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization checks in the uploadMedicalReport() function in all versions up to, and including, 3.6.15. This makes it possible for unauthenticated attackers to upload text files and PDF documents to the affected site's server which may be leveraged for further attacks such as hosting malicious content or phishing pages via PDF files.
PLUGIN
Kivicare Clinic Management System
CVE-2026-0927
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-14069 - Schema And Structured Data For Wp Plugin
The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saswp_custom_schema_field' profile field in all versions up to, and including, 1.54 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Schema And Structured Data For Wp
CVE-2025-14069
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-15522 - Uncanny Automator Plugin
The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and output escaping on the verified_message parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user with a verified Discord account accesses the injected page.
PLUGIN
Uncanny Automator
CVE-2025-15522
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-66428 - WordPress Core
An issue with WordPress directory names in WebPros WordPress Toolkit before 6.9.1 allows privilege escalation.
CORE
WordPress Core
CVE-2025-66428
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-24390 - Elementor Plugin
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in QantumThemes Kentha Elementor Widgets kentha-elementor allows PHP Local File Inclusion.This issue affects Kentha Elementor Widgets: from n/a through < 3.1.
PLUGIN
Elementor
CVE-2026-24390
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-24389 - Gallery PhotoBlocks Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Chill Gallery PhotoBlocks photoblocks-grid-gallery allows DOM-Based XSS.This issue affects Gallery PhotoBlocks: from n/a through
PLUGIN
Gallery PhotoBlocks
CVE-2026-24389
Risk Score
Threat Entry
Updated 2026-01-27
CVE-2026-24383 - B Slider Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins B Slider b-slider allows DOM-Based XSS.This issue affects B Slider: from n/a through
PLUGIN
B Slider
CVE-2026-24383
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-24384 - Merge + Minify + Refresh Plugin
Cross-Site Request Forgery (CSRF) vulnerability in launchinteractive Merge + Minify + Refresh merge-minify-refresh allows Cross Site Request Forgery.This issue affects Merge + Minify + Refresh: from n/a through
PLUGIN
Merge + Minify + Refresh
CVE-2026-24384
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-24381 - PhotoMe Plugin
Server-Side Request Forgery (SSRF) vulnerability in ThemeGoods PhotoMe photome allows Server Side Request Forgery.This issue affects PhotoMe: from n/a through < 5.7.2.
PLUGIN
PhotoMe
CVE-2026-24381
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-24388 - WPMasterToolKit Plugin
Missing Authorization vulnerability in Ludwig You WPMasterToolKit wpmastertoolkit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPMasterToolKit: from n/a through
PLUGIN
WPMasterToolKit
CVE-2026-24388
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-24387 - WP Quick Post Duplicator Plugin
Missing Authorization vulnerability in Arul Prasad J WP Quick Post Duplicator wp-quick-post-duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Quick Post Duplicator: from n/a through
PLUGIN
WP Quick Post Duplicator
CVE-2026-24387
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-24386 - Elementor Plugin
Missing Authorization vulnerability in Element Invader Element Invader – Template Kits for Elementor elementinvader allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Element Invader – Template Kits for Elementor: from n/a through
PLUGIN
Elementor
CVE-2026-24386
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-24371 - BA Book Everything Plugin
Missing Authorization vulnerability in bookingalgorithms BA Book Everything ba-book-everything allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BA Book Everything: from n/a through
PLUGIN
BA Book Everything
CVE-2026-24371
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-24379 - WP Job Portal Plugin
Authorization Bypass Through User-Controlled Key vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Portal: from n/a through
PLUGIN
WP Job Portal
CVE-2026-24379
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-24380 - EventPrime Plugin
Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EventPrime: from n/a through
PLUGIN
EventPrime
CVE-2026-24380
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-24368 - The Grid Plugin
Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Grid: from n/a through < 2.8.0.
PLUGIN
The Grid
CVE-2026-24368
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-24367 - Traveler Plugin
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler traveler allows Blind SQL Injection.This issue affects Traveler: from n/a through < 3.2.8.
PLUGIN
Traveler
CVE-2026-24367
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-24377 - Nexter Blocks Plugin
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in POSIMYTH Nexter Blocks the-plus-addons-for-block-editor allows Retrieve Embedded Sensitive Data.This issue affects Nexter Blocks: from n/a through
PLUGIN
Nexter Blocks
CVE-2026-24377
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-24374 - RegistrationMagic Plugin
Cross-Site Request Forgery (CSRF) vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Cross Site Request Forgery.This issue affects RegistrationMagic: from n/a through
PLUGIN
RegistrationMagic
CVE-2026-24374
Risk Score