Filtered by vendor Wordpress
Subscriptions
Filtered by product Wordpress
Subscriptions
Total
6026 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-57979 | 1 Wordpress | 1 Wordpress | 2025-09-25 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Russell Jamieson AuthorSure allows Stored XSS. This issue affects AuthorSure: from n/a through 2.3. | ||||
| CVE-2025-57978 | 1 Wordpress | 1 Wordpress | 2025-09-25 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in themespride Advanced Appointment Booking & Scheduling allows Cross Site Request Forgery. This issue affects Advanced Appointment Booking & Scheduling: from n/a through 1.9. | ||||
| CVE-2025-57977 | 3 Woocommerce, Wordpress, Wpdesk | 3 Woocommerce, Wordpress, Flexible Pdf Invoices | 2025-09-25 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in wpdesk Flexible PDF Invoices for WooCommerce & WordPress allows Cross Site Request Forgery. This issue affects Flexible PDF Invoices for WooCommerce & WordPress: from n/a through 6.0.13. | ||||
| CVE-2025-57976 | 1 Wordpress | 1 Wordpress | 2025-09-25 | 5.3 Medium |
| Missing Authorization vulnerability in CardCom CardCom Payment Gateway allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CardCom Payment Gateway: from n/a through 3.5.0.4. | ||||
| CVE-2025-57975 | 2 Radiustheme, Wordpress | 2 Team, Wordpress | 2025-09-25 | 4.3 Medium |
| Missing Authorization vulnerability in RadiusTheme Team allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Team: from n/a through 5.0.6. | ||||
| CVE-2025-57974 | 1 Wordpress | 1 Wordpress | 2025-09-25 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tuyennv TZ PlusGallery allows Stored XSS. This issue affects TZ PlusGallery: from n/a through 1.5.5. | ||||
| CVE-2025-57973 | 1 Wordpress | 1 Wordpress | 2025-09-25 | 5.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chad Butler WP-Members allows Stored XSS. This issue affects WP-Members: from n/a through 3.5.4.2. | ||||
| CVE-2025-57972 | 3 Woocommerce, Wordpress, Wpfactory | 3 Woocommerce, Wordpress, Helpdesk Support Ticket System | 2025-09-25 | 4.3 Medium |
| Missing Authorization vulnerability in WPFactory Helpdesk Support Ticket System for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Helpdesk Support Ticket System for WooCommerce: from n/a through 2.0.2. | ||||
| CVE-2025-59584 | 1 Wordpress | 1 Wordpress | 2025-09-25 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Podcast allows DOM-Based XSS. This issue affects Penci Podcast: from n/a through 1.6. | ||||
| CVE-2025-9054 | 3 Techspawn, Woocommerce, Wordpress | 3 Multiloca, Woocommerce, Wordpress | 2025-09-25 | 9.8 Critical |
| The MultiLoca - WooCommerce Multi Locations Inventory Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'wcmlim_settings_ajax_handler' function in all versions up to, and including, 4.2.8. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | ||||
| CVE-2025-9353 | 2 Themify, Wordpress | 2 Themify Builder, Wordpress | 2025-09-25 | 6.4 Medium |
| The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 7.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 7.6.9. | ||||
| CVE-2025-10380 | 1 Wordpress | 1 Wordpress | 2025-09-24 | 8.8 High |
| The Advanced Views – Display Posts, Custom Fields, and More plugin for WordPress is vulnerable to Server-Side Template Injection in all versions up to, and including, 3.7.19. This is due to insufficient input sanitization and lack of access control when processing custom Twig templates in the Model panel. This makes it possible for authenticated attackers, with author-level access or higher, to execute arbitrary PHP code and commands on the server. | ||||
| CVE-2025-10412 | 2 Woocommerce, Wordpress | 2 Woocommerce, Wordpress | 2025-09-24 | 9.8 Critical |
| The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'uni_cpo_upload_file' function in all versions up to, and including, 4.9.54. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-10147 | 2 Podlove, Wordpress | 2 Podlove Podcast Publisher, Wordpress | 2025-09-24 | 9.8 Critical |
| The Podlove Podcast Publisher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'move_as_original_file' function in all versions up to, and including, 4.2.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-58915 | 2 Emarket-design, Wordpress | 2 Youtube Showcase, Wordpress | 2025-09-24 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emarket-design YouTube Showcase youtube-showcase allows Stored XSS.This issue affects YouTube Showcase: from n/a through 3.5.0. | ||||
| CVE-2025-8282 | 2 Sureforms, Wordpress | 2 Sureforms, Wordpress | 2025-09-24 | 6.1 Medium |
| The SureForms WordPress plugin before 1.9.1 does not sanitise and escape some parameters when outputing them in the page, which could allow admin and above users to perform Cross-Site Scripting attacks. | ||||
| CVE-2025-9321 | 2 Wordpress, Wpsight | 2 Wordpress, Wpcasa | 2025-09-24 | 9.8 Critical |
| The WPCasa plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.4.1. This is due to insufficient input validation and restriction on the 'api_requests' function. This makes it possible for unauthenticated attackers to call arbitrary functions and execute code. | ||||
| CVE-2025-57971 | 2 Salesmanago, Wordpress | 2 Salesmanago, Wordpress | 2025-09-24 | 5.3 Medium |
| Missing Authorization vulnerability in SALESmanago SALESmanago allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SALESmanago: from n/a through 3.8.1. | ||||
| CVE-2025-57970 | 2 Salesmanago, Wordpress | 2 Salesmanago, Wordpress | 2025-09-24 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in SALESmanago SALESmanago allows Cross Site Request Forgery. This issue affects SALESmanago: from n/a through 3.8.1. | ||||
| CVE-2025-57961 | 2 Codexpert, Wordpress | 2 Codesigner, Wordpress | 2025-09-24 | 4.3 Medium |
| Missing Authorization vulnerability in Codexpert, Inc CoDesigner allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CoDesigner: from n/a through 4.25.2. | ||||