Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,024
Critical: 923
High: 3,044
Medium: 10,857
Showing 1541-1560 of 15024 records
Threat Entry Updated 2026-01-26

CVE-2025-10484 - Login With Mobile Phone Number For Woocommerce Plugin

The Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.1. This is due to the plugin not properly verifying a user's identity prior to authenticating them via the fma_lwp_set_session_php_fun() function. This makes it possible for unauthenticated attackers to authenticate as any user on the site, including administrators, without a valid password.

PLUGIN Login With Mobile Phone Number For Woocommerce

CVE-2025-10484

CRITICAL CVSS 9.8 2026-01-17
Threat Entry Updated 2026-01-26

CVE-2025-14478 - Demo Importer Plus Plugin

The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection (XXE) in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-level access and above, to achieve code execution in vulnerable configurations. This only impacts sites on versions of PHP older than 8.0.

PLUGIN Demo Importer Plus

CVE-2025-14478

HIGH CVSS 7.5 2026-01-17
Threat Entry Updated 2026-01-26

CVE-2025-12129 - All In One Dynamic Content Framework Plugin

The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.

PLUGIN All In One Dynamic Content Framework

CVE-2025-12129

MEDIUM CVSS 5.3 2026-01-17
Threat Entry Updated 2026-04-15

CVE-2026-0833 - Team Section Plugin

The Team Section Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user-supplied social network link URLs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Team Section

CVE-2026-0833

MEDIUM CVSS 6.4 2026-01-17
Threat Entry Updated 2026-04-15

CVE-2026-0808 - Spin Wheel – Interactive spinning wheel that offers coupons Theme

The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated attackers to manipulate which prize they win by modifying the 'prize_index' parameter sent to the server, allowing them to always select the most valuable prizes.

THEME Spin Wheel – Interactive spinning wheel that offers coupons

CVE-2026-0808

MEDIUM CVSS 5.3 2026-01-17
Threat Entry Updated 2026-04-15

CVE-2026-0691 - CM E-Mail Blacklist – Simple email filtering for safer registration Plugin

The CM E-Mail Blacklist – Simple email filtering for safer registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'black_email' parameter in all versions up to, and including, 1.6.2. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN CM E-Mail Blacklist – Simple email filtering for safer registration

CVE-2026-0691

MEDIUM CVSS 4.4 2026-01-17
Threat Entry Updated 2026-01-26

CVE-2025-12984 - Advanced Ads Plugin

The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 2.0.15 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Advanced Ads

CVE-2025-12984

MEDIUM CVSS 4.9 2026-01-17
Threat Entry Updated 2026-01-26

CVE-2025-14029 - Community Events Plugin

The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_admin_event_approval() function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to approve arbitrary events via the 'eventlist' parameter.

PLUGIN Community Events

CVE-2025-14029

MEDIUM CVSS 5.3 2026-01-17
Threat Entry Updated 2026-01-26

CVE-2025-12825 - User Registration Using Contact Form 7 Plugin

The User Registration Using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_cf7_form_data' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to retrieve form settings, which include Facebook app secrets.

PLUGIN User Registration Using Contact Form 7

CVE-2025-12825

MEDIUM CVSS 5.3 2026-01-17
Threat Entry Updated 2026-01-26

CVE-2025-12168 - Phrase Tms Integration For Wordpress Plugin

The Phrase TMS Integration for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_delete_log' AJAX endpoint in all versions up to, and including, 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete log files.

PLUGIN Phrase Tms Integration For Wordpress

CVE-2025-12168

MEDIUM CVSS 4.3 2026-01-17
Threat Entry Updated 2026-04-15

CVE-2026-0820 - Computer Repair Shop Plugin

The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference due to missing capability checks on the wc_upload_and_save_signature_handler function in all versions up to, and including, 4.1116. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary signatures to any order in the system, potentially modifying order metadata and triggering unauthorized status changes.

PLUGIN Computer Repair Shop

CVE-2026-0820

MEDIUM CVSS 5.3 2026-01-17
Threat Entry Updated 2026-01-26

CVE-2025-14463 - Wp Paypal Plugin

The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint (`wppaypalcheckout_ajax_process_order`) that processes checkout results without any authentication or server-side verification of the PayPal transaction. This makes it possible for unauthenticated attackers to create arbitrary orders on the site with any chosen transaction ID, payment status, product name, amount, or customer information via direct POST requests to the AJAX endpoint, granted they can bypass basic parameter validation.…

PLUGIN Wp Paypal

CVE-2025-14463

MEDIUM CVSS 5.3 2026-01-17
Threat Entry Updated 2026-04-15

CVE-2026-0682 - Church Admin Plugin

The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio_url' parameter. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.

PLUGIN Church Admin

CVE-2026-0682

LOW CVSS 2.2 2026-01-17
Threat Entry Updated 2026-01-26

CVE-2025-13725 - Thim Blocks Plugin

The Gutenberg Thim Blocks – Page Builder, Gutenberg Blocks for the Block Editor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 1.0.1. This is due to insufficient path validation in the server-side rendering of the thim-blocks/icon block. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server via the 'iconSVG' parameter, which can contain sensitive information such as wp-config.php.

PLUGIN Thim Blocks

CVE-2025-13725

MEDIUM CVSS 6.5 2026-01-17
Threat Entry Updated 2026-01-26

CVE-2025-15403 - Custom Registration Form Builder With Submission Manager Plugin

The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. This is due to the 'add_menu' function being accessible via the 'rm_user_exists' AJAX action, which allows arbitrary updates to the 'admin_order' setting. This makes it possible for unauthenticated attackers to inject an empty slug into the order parameter and manipulate the plugin's menu generation logic; when the admin menu is subsequently built, the plugin adds the 'manage_options' capability for the target role. Note: The vulnerability can only be exploited unauthenticated, but further…

PLUGIN Custom Registration Form Builder With Submission Manager

CVE-2025-15403

CRITICAL CVSS 9.8 2026-01-17
Threat Entry Updated 2026-01-26

CVE-2025-14450 - Wallet System For Woocommerce Plugin

The Wallet System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'change_wallet_fund_request_status_callback' function in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to manipulate wallet withdrawal requests and arbitrarily increase their wallet balance or decrease other users' balances.

PLUGIN Wallet System For Woocommerce

CVE-2025-14450

MEDIUM CVSS 6.5 2026-01-17
Threat Entry Updated 2026-01-26

CVE-2025-12718 - Quick Contact Form Plugin

The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcf_validate_form' AJAX endpoint allowing a user controlled parameter to set the 'from' email address. This makes it possible for unauthenticated attackers to send emails to arbitrary recipients utilizing the server. The information is limited to the contact form submission details.

PLUGIN Quick Contact Form

CVE-2025-12718

MEDIUM CVSS 5.8 2026-01-17
Threat Entry Updated 2026-01-26

CVE-2025-14075 - Wp Hotel Booking Plugin

The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel_booking_fetch_customer_info' AJAX action to unauthenticated users without proper capability checks, relying only on a nonce for protection. This makes it possible for unauthenticated attackers to retrieve sensitive customer information including full names, addresses, phone numbers, and email addresses by providing a valid email address and a publicly accessible nonce.

PLUGIN Wp Hotel Booking

CVE-2025-14075

MEDIUM CVSS 5.3 2026-01-17
Threat Entry Updated 2026-01-26

CVE-2025-14632 - Filr Protection Plugin

The Filr – Secure document library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via unrestricted file upload in all versions up to, and including, 1.2.11 due to insufficient file type restrictions in the FILR_Uploader class. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload malicious HTML files containing JavaScript that will execute whenever a user accesses the uploaded file, granted they have permission to create or edit posts with the 'filr' post type.

PLUGIN Filr Protection

CVE-2025-14632

MEDIUM CVSS 4.4 2026-01-17
Threat Entry Updated 2026-01-26

CVE-2025-12002 - Feeds For Youtube Plugin

The Feeds for YouTube Pro plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.6.0 via the 'sby_check_wp_submit' AJAX action. This is due to insufficient sanitization of user-supplied data and the use of that data in a file operation. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information, granted the 'Save Featured Images' setting is enabled and 'Disable WP Posts' is disabled. Note: This vulnerability only affects the Pro version…

PLUGIN Feeds For Youtube

CVE-2025-12002

MEDIUM CVSS 5.9 2026-01-17