VulnTitan

The WordPress Vulnerability Index

πŸ›‘οΈ Latest Vulnerabilities

  • The 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style’ and ‘mode’ parameters in all versions up to, and including, 1.16.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: This issue affects only block-based themes.

    πŸ—“οΈ Published: Jun 20, 2025 🧩 Slug: interactive-3d-flipbook-powered-physics-engine πŸ“Š CVSS: 6.4/10 πŸ›‘οΈ CVE: CVE-2025-5289
    ⚠️ Affected Versions: β‰₯ * & ≀ 1.16.15
    βœ… Patched in: 1.16.16
  • The TableOn – WordPress Posts Table Filterable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's tableon_popup_iframe_button shortcode in all versions up to, and including, 1.0.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    πŸ—“οΈ Published: Jun 20, 2025 🧩 Slug: posts-table-filterable πŸ“Š CVSS: 6.4/10 πŸ›‘οΈ CVE: CVE-2025-5143
    ⚠️ Affected Versions: β‰₯ * & ≀ 1.0.4.1
    βœ… Patched in: 1.0.4.2
  • The Euro FxRef Currency Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's currency shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    πŸ—“οΈ Published: Jun 19, 2025 🧩 Slug: euro-fxref-currency-converter πŸ“Š CVSS: 6.4/10 πŸ›‘οΈ CVE: CVE-2025-6257
    ⚠️ Affected Versions: β‰₯ * & ≀ 2.0.2
    βœ… Patched in: 2.0.3
  • The Beaver Builder Plugin (Starter Version) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_enabled_icons' function in all versions up to, and including, 2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability was partially patched in version 2.9.1.

    πŸ—“οΈ Published: Jun 19, 2025 🧩 Slug: bb-plugin πŸ“Š CVSS: 7.2/10 πŸ›‘οΈ CVE: CVE-2025-4102
    ⚠️ Affected Versions: β‰₯ * & ≀ 2.9.1
    βœ… Patched in: 2.9.1.1
  • The Gutenverse News plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘elementId’ parameter in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    πŸ—“οΈ Published: Jun 18, 2025 🧩 Slug: gutenverse-news πŸ“Š CVSS: 6.4/10 πŸ›‘οΈ CVE: CVE-2025-5234
    ⚠️ Affected Versions: β‰₯ * & ≀ 1.0.4
    βœ… Patched in: 2.0.0
  • The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized view and modification of data due to an insufficient capability check on the permissionsCheck functions in all versions up to, and including, 4.3.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to view or delete fundraising campaigns, view donors' data, modify campaign events, etc.

    πŸ—“οΈ Published: Jun 18, 2025 🧩 Slug: give πŸ“Š CVSS: 5.4/10 πŸ›‘οΈ CVE: CVE-2025-4571
    ⚠️ Affected Versions: β‰₯ * & ≀ 4.3.0
    βœ… Patched in: 4.3.1
  • The Football Pool plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.12.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

    πŸ—“οΈ Published: Jun 18, 2025 🧩 Slug: football-pool πŸ“Š CVSS: 5.5/10 πŸ›‘οΈ CVE: CVE-2025-5490
    ⚠️ Affected Versions: β‰₯ * & ≀ 2.12.4
    ❌ Not patched
  • The OceanWP theme for WordPress is vulnerable to Stored Cross-Site Scripting via the Select HTML tag in all versions up to, and including, 4.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    πŸ—“οΈ Published: Jun 18, 2025 🧩 Slug: oceanwp πŸ“Š CVSS: 4.9/10 πŸ›‘οΈ CVE: CVE-2025-5524
    ⚠️ Affected Versions: β‰₯ * & ≀ 4.0.9
    βœ… Patched in: 4.1.0
  • The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpdm_user_dashboard shortcode in all versions up to, and including, 3.3.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    πŸ—“οΈ Published: Jun 18, 2025 🧩 Slug: download-manager πŸ“Š CVSS: 6.4/10 πŸ›‘οΈ CVE: CVE-2025-4367
    ⚠️ Affected Versions: β‰₯ * & ≀ 3.3.18
    βœ… Patched in: 3.3.19
  • The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin image comparison widget's before/after labels in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    πŸ—“οΈ Published: Jun 18, 2025 🧩 Slug: elementskit-lite πŸ“Š CVSS: 6.4/10 πŸ›‘οΈ CVE: CVE-2025-4479
    ⚠️ Affected Versions: β‰₯ * & ≀ 3.5.2
    βœ… Patched in: 3.5.3