Wordpress CVEs and Security Vulnerabilities

Filtered by vendor Wordpress Subscriptions

Filtered by product Wordpress Subscriptions

Search

Switch to Advanced Search (Beta)

Total 8397 CVE

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2023-23985	2 Ays-pro, Wordpress	2 Quiz Maker, Wordpress	2025-12-31	3.7 Low
Missing Authorization vulnerability in Quiz Maker team Quiz Maker.This issue affects Quiz Maker: from n/a through 6.3.9.4.
CVE-2025-60089	3 Crm Perks, Crmperks, Wordpress	3 Wp Gravity Forms Freshdesk Plugin, Wp Gravity Forms Freshdesk Plugin, Wordpress	2025-12-31	9.8 Critical
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms FreshDesk Plugin gf-freshdesk allows Object Injection.This issue affects WP Gravity Forms FreshDesk Plugin: from n/a through <= 1.3.5.
CVE-2025-60090	3 Crm Perks, Crmperks, Wordpress	3 Wp Gravity Forms Insightly, Wp Gravity Forms Insightly, Wordpress	2025-12-31	9.8 Critical
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Insightly gf-insightly allows Object Injection.This issue affects WP Gravity Forms Insightly: from n/a through <= 1.1.6.
CVE-2025-60091	3 Crm Perks, Crmperks, Wordpress	3 Wp Gravity Forms Zoho Crm And Bigin, Wp Gravity Forms Zoho Crm And Bigin, Wordpress	2025-12-31	9.8 Critical
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Zoho CRM and Bigin gf-zoho allows Object Injection.This issue affects WP Gravity Forms Zoho CRM and Bigin: from n/a through <= 1.2.9.
CVE-2025-60174	3 Crm Perks, Crmperks, Wordpress	3 Wp Gravity Forms Constant Contact Plugin, Wp Gravity Forms Constant Contact Plugin, Wordpress	2025-12-31	9.8 Critical
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Constant Contact Plugin gf-constant-contact allows Object Injection.This issue affects WP Gravity Forms Constant Contact Plugin: from n/a through <= 1.1.2.
CVE-2025-60178	3 Crm Perks, Crmperks, Wordpress	3 Wp Gravity Forms Hubspot, Wp Gravity Forms Hubspot, Wordpress	2025-12-31	9.8 Critical
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms HubSpot gf-hubspot allows Object Injection.This issue affects WP Gravity Forms HubSpot: from n/a through <= 1.2.6.
CVE-2025-60180	3 Crm Perks, Crmperks, Wordpress	3 Wp Gravity Forms Hubspot, Wp Gravity Forms Salesforce, Wordpress	2025-12-31	9.8 Critical
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Salesforce gf-salesforce-crmperks allows Object Injection.This issue affects WP Gravity Forms Salesforce: from n/a through <= 1.5.1.
CVE-2025-68870	1 Wordpress	1 Wordpress	2025-12-31	7.5 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in reDim GmbH CookieHint WP allows PHP Local File Inclusion.This issue affects CookieHint WP: from n/a through 1.0.0.
CVE-2025-68877	1 Wordpress	1 Wordpress	2025-12-31	7.5 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CedCommerce CedCommerce Integration for Good Market allows PHP Local File Inclusion.This issue affects CedCommerce Integration for Good Market: from n/a through 1.0.6.
CVE-2025-68879	1 Wordpress	1 Wordpress	2025-12-31	7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Councilsoft Content Grid Slider allows Reflected XSS.This issue affects Content Grid Slider: from n/a through 1.5.
CVE-2025-68876	1 Wordpress	1 Wordpress	2025-12-31	7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in INVELITY Invelity SPS connect allows Reflected XSS.This issue affects Invelity SPS connect: from n/a through 1.0.8.
CVE-2025-68868	1 Wordpress	1 Wordpress	2025-12-31	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codeaffairs Wp Text Slider Widget allows Stored XSS.This issue affects Wp Text Slider Widget: from n/a through 1.0.
CVE-2025-68878	1 Wordpress	1 Wordpress	2025-12-31	7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Prasadkirpekar Advanced Custom CSS allows Reflected XSS.This issue affects Advanced Custom CSS: from n/a through 1.1.0.
CVE-2025-68897	1 Wordpress	1 Wordpress	2025-12-31	9.9 Critical
Improper Control of Generation of Code ('Code Injection') vulnerability in Mohammad I. Okfie IF AS Shortcode allows Code Injection.This issue affects IF AS Shortcode: from n/a through 1.2.
CVE-2025-68861	2 Plugin Optimizer, Wordpress	2 Plugin Optimizer, Wordpress	2025-12-31	7.1 High
Missing Authorization vulnerability in Plugin Optimizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Plugin Optimizer: from n/a through 1.3.7.
CVE-2025-68893	2 Hetworks, Wordpress	2 Wordpress Image Shrinker, Wordpress	2025-12-31	4.9 Medium
Server-Side Request Forgery (SSRF) vulnerability in HETWORKS WordPress Image shrinker allows Server Side Request Forgery.This issue affects WordPress Image shrinker: from n/a through 1.1.0.
CVE-2025-68494	2 Leap13, Wordpress	2 Premium Addons For Elementor, Wordpress	2025-12-31	7.5 High
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Retrieve Embedded Sensitive Data.This issue affects Premium Addons for Elementor: from n/a through <= 4.11.53.
CVE-2025-53420	2 Vibethemes, Wordpress	2 Wordpress Learning Management System, Wordpress	2025-12-31	7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VibeThemes WPLMS wplms_plugin allows Reflected XSS.This issue affects WPLMS: from n/a through <= 1.9.9.8.
CVE-2024-8914	1 Wordpress	2 Thanh Toan Quet Ma Qr Code Tu Dong, Wordpress	2025-12-31	7.2 High
The Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.1 due to incorrect use of the wp_kses_allowed_html function, which allows the 'onclick' attribute for certain HTML elements without sufficient restriction or context validation. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-9582	2 Bqworks, Wordpress	2 Accordion Slider, Wordpress	2025-12-31	6.4 Medium
The Accordion Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘html’ attribute of an accordion slider in all versions up to, and including, 1.9.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: Successful exploitation by Contributor-level users requires an Administrator-level user to provide access to the plugin's admin area via the `Access` plugin setting, which is restricted to administrators by default.

Page 1 of 420. next last »