Wordpress CVEs and Security Vulnerabilities

Filtered by vendor Wordpress Subscriptions

Search

Switch to Advanced Search (Beta)

Total 11973 CVE

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2026-32428	2 Ays-pro, Wordpress	2 Popup Like Box, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in Ays Pro Popup Like box ays-facebook-popup-likebox allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup Like box: from n/a through <= 3.7.7.
CVE-2026-32429	2 Noor Alam, Wordpress	2 Magical Addons For Elementor, Wordpress	2026-04-22	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Noor Alam Magical Addons For Elementor magical-addons-for-elementor allows Stored XSS.This issue affects Magical Addons For Elementor: from n/a through <= 1.4.1.
CVE-2026-32434	2 Vowelweb, Wordpress	2 Vw Fitness, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in vowelweb VW Fitness vw-fitness allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Fitness: from n/a through <= 4.3.4.
CVE-2026-32445	2 Elementor, Wordpress	2 Elementor Website Builder, Wordpress	2026-04-22	2.7 Low
Missing Authorization vulnerability in Elementor Elementor Website Builder elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elementor Website Builder: from n/a through <= 3.35.5.
CVE-2026-32437	2 Vowelweb, Wordpress	2 Vw Portfolio, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in vowelweb VW Portfolio vw-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Portfolio: from n/a through <= 1.3.3.
CVE-2026-32383	2 Raratheme, Wordpress	2 Ridhi, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in raratheme Ridhi ridhi allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ridhi: from n/a through <= 1.1.2.
CVE-2026-32442	2 E2pdf, Wordpress	2 E2pdf, Wordpress	2026-04-22	4.3 Medium
Missing Authorization vulnerability in E2Pdf e2pdf e2pdf allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects e2pdf: from n/a through <= 1.28.15.
CVE-2026-32404	2 Studio99, Wordpress	2 Studio99 Wp Monitor, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in Studio99 Studio99 WP Monitor studio99-wp-monitor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Studio99 WP Monitor: from n/a through <= 1.0.3.
CVE-2026-2888	2 Strategy11team, Wordpress	2 Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder, Wordpress	2026-04-22	5.3 Medium
The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass through user-controlled key in all versions up to, and including, 6.28. This is due to the `frm_strp_amount` AJAX handler (`update_intent_ajax`) overwriting the global `$_POST` data with attacker-controlled JSON input and then using those values to recalculate payment amounts via field shortcode resolution in `generate_false_entry()`. The handler relies on a nonce that is publicly exposed in the page's JavaScript (`frm_stripe_vars.nonce`), which provides CSRF protection but not authorization. This makes it possible for unauthenticated attackers to manipulate PaymentIntent amounts before payment completion on forms using dynamic pricing with field shortcodes, effectively paying a reduced amount for goods or services.
CVE-2026-2890	2 Strategy11team, Wordpress	2 Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder, Wordpress	2026-04-22	7.5 High
The Formidable Forms plugin for WordPress is vulnerable to a payment integrity bypass in all versions up to, and including, 6.28. This is due to the Stripe Link return handler (`handle_one_time_stripe_link_return_url`) marking payment records as complete based solely on the Stripe PaymentIntent status without comparing the intent's charged amount against the expected payment amount, and the `verify_intent()` function validating only client secret ownership without binding intents to specific forms or actions. This makes it possible for unauthenticated attackers to reuse a PaymentIntent from a completed low-value payment to mark a high-value payment as complete, effectively bypassing payment for goods or services.
CVE-2026-2987	2 Specialk, Wordpress	2 Simple Ajax Chat – Add A Fast, Secure Chat Box, Wordpress	2026-04-22	6.1 Medium
The Simple Ajax Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'c' parameter in versions up to, and including, 20260217 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-32385	2 Metagauss, Wordpress	2 Registrationmagic, Wordpress	2026-04-22	5.4 Medium
Missing Authorization vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RegistrationMagic: from n/a through <= 6.0.7.6.
CVE-2026-31915	2 Uxthemes, Wordpress	2 Flatsome, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in UX-themes Flatsome flatsome allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flatsome: from n/a through <= 3.19.6.
CVE-2026-31916	2 Iulia Cazan, Wordpress	2 Latest Post Shortcode, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in Iulia Cazan Latest Post Shortcode latest-post-shortcode allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Latest Post Shortcode: from n/a through <= 14.2.1.
CVE-2026-31918	2 Immonex, Wordpress	2 Immonex Kickstart, Wordpress	2026-04-22	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in immonex immonex Kickstart immonex-kickstart allows Stored XSS.This issue affects immonex Kickstart: from n/a through <= 1.13.0.
CVE-2026-31919	2 Josh Kohlbach, Wordpress	2 Advanced Coupons For Woocommerce Coupons, Wordpress	2026-04-22	4.3 Medium
Missing Authorization vulnerability in Josh Kohlbach Advanced Coupons for WooCommerce Coupons advanced-coupons-for-woocommerce-free allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Coupons for WooCommerce Coupons: from n/a through <= 4.7.1.
CVE-2026-3226	2 Thimpress, Wordpress	2 Learnpress – Wordpress Lms Plugin For Create And Sell Online Courses, Wordpress	2026-04-22	4.3 Medium
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized email notification triggering due to missing capability checks on all 10 functions in the SendEmailAjax class in all versions up to, and including, 4.3.2.8. The AbstractAjax::catch_lp_ajax() dispatcher verifies a wp_rest nonce but performs no current_user_can() check before dispatching to handler functions. The wp_rest nonce is embedded in the frontend JavaScript for all authenticated users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger arbitrary email notifications to admins, instructors, and users, enabling email flooding, social engineering, and impersonation of admin decisions regarding instructor requests.
CVE-2026-32331	2 Israpil, Wordpress	2 Textmetrics, Wordpress	2026-04-22	4.3 Medium
Missing Authorization vulnerability in Israpil Textmetrics webtexttool allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Textmetrics: from n/a through <= 3.6.4.
CVE-2026-32332	2 Ays-pro, Wordpress	2 Easy Form, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in Ays Pro Easy Form easy-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Form: from n/a through <= 2.7.9.
CVE-2026-32338	2 Rarathemes, Wordpress	2 Construction Landing Page, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in raratheme Construction Landing Page construction-landing-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Construction Landing Page: from n/a through <= 1.4.1.

« first previous Page 266 of 599. next last »