Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,024 records (Critical: 923, High: 3,044, Medium: 10,857). Showing records 1761-1780 of 15,024.
CVE-2026-0678 - Flat Shipping Rate By City For Woocommerce Plugin

The Flat Shipping Rate by City for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the 'cities' parameter in all versions up to, and including, 1.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Flat Shipping Rate By City For Woocommerce | Severity: MEDIUM | CVSS 4.9 | 2026-01-14 | Entry updated 2026-04-15
CVE-2026-0680 - Real Post Slider Lite Plugin

The Real Post Slider Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Plugin: Real Post Slider Lite | Severity: MEDIUM | CVSS 4.4 | 2026-01-14 | Entry updated 2026-04-15
CVE-2026-0635 - Responsive Accordion Slider Plugin

The Responsive Accordion Slider plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'resp_accordion_silder_save_images' function in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify any slider's image metadata including titles, descriptions, alt text, and links.

Plugin: Responsive Accordion Slider | Severity: MEDIUM | CVSS 4.3 | 2026-01-14 | Entry updated 2026-04-15
CVE-2025-15378 - Ajs Footnotes Plugin

The AJS Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'note_list_class' and 'popup_display_effect_in' parameters in all versions up to, and including, 1.0 due to missing authorization and nonce verification on settings save, as well as insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to update plugin settings and inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Ajs Footnotes | Severity: HIGH | CVSS 7.2 | 2026-01-14 | Entry updated 2026-01-14
CVE-2025-15283 - Name Directory Plugin

The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' and 'name_directory_description' parameters in all versions up to, and including, 1.30.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Name Directory | Severity: HIGH | CVSS 7.2 | 2026-01-14 | Entry updated 2026-01-14
CVE-2026-0594 - List Site Contributors Plugin

The List Site Contributors plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'alpha' parameter in versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: List Site Contributors | Severity: MEDIUM | CVSS 6.1 | 2026-01-14 | Entry updated 2026-04-15
CVE-2025-15486 - Kunze Law Plugin

The Kunze Law plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 2.1 due to the plugin fetching HTML content from a remote server and injecting it into pages without any sanitization or escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. Additional presence of a path…

Plugin: Kunze Law | Severity: MEDIUM | CVSS 4.4 | 2026-01-14 | Entry updated 2026-01-14
CVE-2025-15377 - Sosh Share Buttons Plugin

The Sosh Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'admin_page_content' function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Sosh Share Buttons | Severity: MEDIUM | CVSS 4.3 | 2026-01-14 | Entry updated 2026-01-14
CVE-2025-15266 - Geeky Bot Plugin

The GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the chat message field in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the Chat History page.

Plugin: Geeky Bot | Severity: HIGH | CVSS 7.2 | 2026-01-14 | Entry updated 2026-01-14
CVE-2025-14615 - Dashboard Builder Plugin

The DASHBOARD BUILDER – WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This makes it possible for unauthenticated attackers to modify the stored SQL query and database credentials used by the [show-dashboardbuilder] shortcode via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. The modified SQL query is subsequently executed on…

Plugin: Dashboard Builder | Severity: HIGH | CVSS 7.1 | 2026-01-14 | Entry updated 2026-01-14
CVE-2025-15020 - Gotham Block Extra Light Plugin

The Gotham Block Extra Light plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.5.0 via the 'ghostban' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Plugin: Gotham Block Extra Light | Severity: MEDIUM | CVSS 6.5 | 2026-01-14 | Entry updated 2026-01-14
CVE-2025-14854 - Wp Crm System Plugin

The WP-CRM System plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on the wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status AJAX functions in all versions up to, and including, 3.4.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate CRM contact email addresses (PII disclosure) and modify CRM task statuses.

Plugin: Wp Crm System | Severity: MEDIUM | CVSS 5.4 | 2026-01-14 | Entry updated 2026-01-14
CVE-2025-14880 - Netcash Pay Now Payment Gateway For Woocommerce Plugin

The Netcash WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_return_url function in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processing/completed.

Plugin: Netcash Pay Now Payment Gateway For Woocommerce | Severity: MEDIUM | CVSS 5.3 | 2026-01-14 | Entry updated 2026-01-14
CVE-2025-15021 - Gotham Block Extra Light Plugin

The Gotham Block Extra Light plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Plugin: Gotham Block Extra Light | Severity: MEDIUM | CVSS 4.4 | 2026-01-14 | Entry updated 2026-01-14
CVE-2025-14725 - Internal Link Builder Plugin

The Internal Link Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Plugin: Internal Link Builder | Severity: MEDIUM | CVSS 4.4 | 2026-01-14 | Entry updated 2026-01-14
CVE-2025-14502 - News And Blog Designer Bundle Plugin

The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1 via the template parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

Plugin: News And Blog Designer Bundle | Severity: CRITICAL | CVSS 9.8 | 2026-01-14 | Entry updated 2026-01-14
CVE-2025-14613 - Getcontentfromurl Plugin

The GetContentFromURL plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0. This is due to the plugin using wp_remote_get() instead of wp_safe_remote_get() to fetch content from a user-supplied URL in the 'url' parameter of the [gcfu] shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Plugin: Getcontentfromurl | Severity: HIGH | CVSS 7.2 | 2026-01-14 | Entry updated 2026-01-14
CVE-2025-14464 - Pdf Resume Parser Plugin

The PDF Resume Parser plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0. This is due to the plugin registering an AJAX action handler that is accessible to unauthenticated users and exposes SMTP configuration data including credentials. This makes it possible for unauthenticated attackers to extract sensitive SMTP credentials (username and password) from the WordPress configuration, which could be leveraged to compromise email accounts and potentially gain unauthorized access to other systems using the same credentials.

Plugin: Pdf Resume Parser | Severity: MEDIUM | CVSS 5.3 | 2026-01-14 | Entry updated 2026-01-14
CVE-2025-14379 - Testimonials Creator Plugin

The Testimonials Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in version 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Plugin: Testimonials Creator | Severity: MEDIUM | CVSS 4.4 | 2026-01-14 | Entry updated 2026-01-14
CVE-2025-14482 - Crush Pics Plugin

The Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 1.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings including disabling auto-compression and changing image quality settings.

Plugin: Crush Pics | Severity: MEDIUM | CVSS 4.3 | 2026-01-14 | Entry updated 2026-01-14