7.5
CVE-2025-8416 - Product Filter by WBW <= 2.9.7 - Unauthenticated SQL Injection
The Product Filter by WBW plugin for WordPress is vulnerable to SQL Injection via the 'filtersDataBackend' parameter in all versions up to, and including, 2.9.7. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This ma…
7.5
CVE-2025-4203 - wpForo Forum <= 2.4.8 - Unauthenticated SQL Injection via get_members Function
The wpForo Forum plugin for WordPress is vulnerable to error‐based or time-based SQL Injection via the get_members() function in all versions up to, and including, 2.4.8 due to missing integer validation on the 'offset' and 'row_count' parameters. The function blindly interpolates 'row_count' into …
5.3
CVE-2025-10637 - Social Feed Gallery <= 4.9.2 - Missing Authorization to Unauthenticated Information Exposure
The Social Feed Gallery plugin for WordPress is vulnerable to Information Exposure in versions less than, or equal to, 4.9.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to exfiltrate Instagram…
6.3
CVE-2025-8483 - Discussion Board – WordPress Forum Plugin <= 2.5.5 - Authenticated (Subscriber+) Arbitrary Shortcod…
The The Discussion Board – WordPress Forum Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.5.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. Thi…
7.5
CVE-2025-9322 - Stripe Payment Forms <= 8.3.1 - Unauthenticated SQL Injection
The Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions plugin for WordPress is vulnerable to SQL Injection via the 'wpfs-form-name' parameter in all versions up to, and including, 8.3.1 due to insufficient escaping on the user supplied parameter and lack of…
6.4
CVE-2025-10580 - Widget Options – The #1 WordPress Widget & Block Control Plugin <= 4.1.2 - Authenticated (Contribut…
The Widget Options – The #1 WordPress Widget & Block Control Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple functions in all versions up to, and including, 4.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticat…
4.3
CVE-2025-11255 - Password Policy Manager | Password Manager <= 2.0.5 - Missing Authorization to Authenticated (Subsc…
The Password Policy Manager | Password Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'moppm_ajax' AJAX endpoint in all versions up to, and including, 2.0.5. This makes it possible for authenticated attackers, with Subscriber…
4.3
CVE-2025-11497 - Advanced Database Cleaner <= 3.1.6 - Cross-Site Request Forgery to Settings Manipulation
The Advanced Database Cleaner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.6. This is due to missing or incorrect nonce validation on the aDBc_prepare_elements_to_clean() function. This makes it possible for unauthenticated attackers to …
6.5
CVE-2025-11893 - Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More <= 1.8.8.4…
The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to SQL Injection via the donation_ids parameter in all versions up to, and including, 1.8.8.4 due to insufficient escaping on the user supplied parameter and lack of suffi…
8.1
CVE-2025-10488 - Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings <= 8.4.8 - Authentic…
The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to arbitrary file move due to insufficient file path validation in the add_listing_action AJAX action in all versions up to, and including, 8.4.8. This makes it possible for unauthe…