
8973 matches found

Vulnrichment
added 2025/10/15 8:25 a.m., 2 views

CVE-2025-10132 Dhivehi Text <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Dhivehi Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dhivehi' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.4 CVSS, 4.7 AI score, 0.00214 EPSS
Exploits: 0, References: 2
CVE
added 2025/10/15 8:25 a.m., 15 views

CVE-2025-10575

CVE-2025-10575 : WordPress plugin WP jQuery Pager contains an SQL Injection via the ids shortcode attribute, handled by WPJqueryPaged::get_gallery_page_imgs(). Affected in all versions up to and including 1.4.0 due to insufficient escaping and lack of prepared statements. Exploitation requires au...

6.5 CVSS, 6.1 AI score, 0.00252 EPSS
Exploits: 0, References: 2
Vulnrichment
added 2025/10/15 8:25 a.m., 1 view

CVE-2025-10575 WP jQuery Pager <= 1.4.0 - Authenticated (Contributor+) SQL Injection via Shortcode

The WP jQuery Pager plugin for WordPress is vulnerable to SQL Injection via the 'ids' shortcode attribute parameter handled by the WPJqueryPaged::get_gallery_page_imgs function in all versions up to, and including, 1.4.0 due to insufficient escaping on the user supplied parameter and lack of...

6.5 CVSS, 6.1 AI score, 0.00252 EPSS
Exploits: 0, References: 2
Cvelist
added 2025/10/15 8:25 a.m., 8 views

CVE-2025-10575 WP jQuery Pager <= 1.4.0 - Authenticated (Contributor+) SQL Injection via Shortcode

The WP jQuery Pager plugin for WordPress is vulnerable to SQL Injection via the 'ids' shortcode attribute parameter handled by the WPJqueryPaged::get_gallery_page_imgs function in all versions up to, and including, 1.4.0 due to insufficient escaping on the user supplied parameter and lack of...

6.5 CVSS, 0.00252 EPSS
Exploits: 0, References: 2
EUVD
added 2025/10/15 8:25 a.m., 3 views

EUVD-2025-34565

The Wp tabber widget plugin for WordPress is vulnerable to SQL Injection via the 'wp-tabber-widget' shortcode in all versions up to, and including, 4.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible...

6.5 CVSS, 6.1 AI score, 0.00252 EPSS
Exploits: 0, References: 3
CVE
added 2025/10/15 8:25 a.m., 14 views

CVE-2025-10730

The CVE-2025-10730 entry concerns the WordPress plugin Wp tabber widget. Public details confirm an SQL Injection flaw in all versions up to 4.0 via the wp-tabber-widget shortcode, enabling authenticated attackers with Contributor-level access and above to append SQL statements to existing queries...

6.5 CVSS, 6.2 AI score, 0.00252 EPSS
Exploits: 0, References: 2
Cvelist
added 2025/10/15 8:25 a.m., 6 views

CVE-2025-10730 Wp tabber widget <= 4.0 - Authenticated (Contributor+) SQL Injection

The Wp tabber widget plugin for WordPress is vulnerable to SQL Injection via the 'wp-tabber-widget' shortcode in all versions up to, and including, 4.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible...

6.5 CVSS, 0.00252 EPSS
Exploits: 0, References: 2
CVE
added 2025/10/15 8:25 a.m., 10 views

CVE-2025-10139

CVE-2025-10139 concerns the WordPress plugin WP BookWidgets. According to Wordfence, it is vulnerable to a stored cross-site scripting (XSS) condition via the plugin’s bw_link shortcode in versions up to and including 0.9, caused by insufficient input sanitization and output escaping of user-supp...

6.4 CVSS, 4.7 AI score, 0.00276 EPSS
Exploits: 0, References: 4
CVE
added 2025/10/15 6:43 a.m., 14 views

CVE-2025-11161

CVE-2025-11161 affects the WPBakery Page Builder plugin for WordPress (versions up to 8.6.1). The vulnerability is a Stored Cross-Site Scripting (XSS) in the vc_custom_heading shortcode due to insufficient restriction of allowed HTML tags and improper sanitization of font_container attributes. Th...

6.4 CVSS, 4.6 AI score, 0.00194 EPSS
Exploits: 0, References: 2, Affected Software: 1
EUVD
added 2025/10/15 6:43 a.m., 5 views

EUVD-2025-34533

The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vc_custom_heading shortcode in all versions up to, and including, 8.6.1. This is due to insufficient restriction of allowed HTML tags and improper sanitization of user-supplied attributes in the...

6.4 CVSS, 4.5 AI score, 0.00194 EPSS
Exploits: 0, References: 3
Vulnrichment
added 2025/10/15 6:43 a.m., 2 views

CVE-2025-11161 WPBakery Page Builder <= 8.6.1 - Stored Cross-Site Scripting via vc_custom_heading Shortcode

The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the vc_custom_heading shortcode in all versions up to, and including, 8.6.1. This is due to insufficient restriction of allowed HTML tags and improper sanitization of user-supplied attributes in the...

6.4 CVSS, 4.6 AI score, 0.00194 EPSS
Exploits: 0, References: 2
NVD
added 2025/10/15 6:15 a.m., 3 views

CVE-2025-8561

The Ova Advent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...

6.4 CVSS, 0.00211 EPSS
Exploits: 0, References: 3
NVD
added 2025/10/15 6:15 a.m., 5 views

CVE-2025-10406

The BlindMatrix e-Commerce WordPress plugin before 3.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users, such as contributors, to perform LFI attacks...

5.5 CVSS, 0.0024 EPSS
Exploits: 0, References: 1
Cvelist
added 2025/10/15 6:00 a.m., 5 views

CVE-2025-10406 BlindMatrix e-Commerce < 3.1 - Contributor+ LFI

The BlindMatrix e-Commerce WordPress plugin before 3.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users, such as contributors, to perform LFI attacks...

0.0024 EPSS
Exploits: 0, References: 1
Vulnrichment
added 2025/10/15 6:00 a.m., 2 views

CVE-2025-10406 BlindMatrix e-Commerce < 3.1 - Contributor+ LFI

The BlindMatrix e-Commerce WordPress plugin before 3.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users, such as contributors, to perform LFI attacks...

6.2 AI score, 0.0024 EPSS
Exploits: 0, References: 1
EUVD
added 2025/10/15 6:00 a.m., 3 views

EUVD-2025-34519

The BlindMatrix e-Commerce WordPress plugin before 3.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users, such as contributors, to perform LFI attacks...

5.5 CVSS, 6.2 AI score, 0.0024 EPSS
Exploits: 0, References: 3
CVE
added 2025/10/15 6:00 a.m., 15 views

CVE-2025-10406

CVE-2025-10406 affects the BlindMatrix e-Commerce WordPress plugin. The vulnerability arises from unvalidated shortcode attributes that are used to build file includes, enabling Local File Inclusion (LFI) when exploited by authenticated users (e.g., contributors). The issue is triggered by genera...

5.5 CVSS, 6.2 AI score, 0.0024 EPSS
Exploits: 0, References: 1
Patchstack
added 2025/10/15 12:33 a.m., 3 views

WordPress Shortcode Button plugin <= 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin Shortcode Button versions <= 1.1.9...

6.4 CVSS, 5.7 AI score, 0.00265 EPSS
Exploits: 0, References: 1, Affected Software: 1
Patchstack
added 2025/10/15 12:22 a.m., 5 views

WordPress WPBakery Page Builder plugin <= 8.6.1 - Stored Cross-Site Scripting via vc_custom_heading Shortcode vulnerability

Stored Cross-Site Scripting via vc_custom_heading Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin WPBakery Page Builder versions <= 8.6.1...

6.4 CVSS, 5.6 AI score, 0.00194 EPSS
Exploits: 0, References: 1, Affected Software: 1
CNNVD
added 2025/10/15 12:00 a.m., 3 views

WordPress plugin WP Google Map Plugin SQL Injection Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to set up personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. WordPress...

6.5 CVSS, 7.5 AI score, 0.00252 EPSS
Exploits: 0, References: 3