Wordpress CVEs and Security Vulnerabilities

Filtered by vendor Wordpress Subscriptions

Search

Switch to Advanced Search (Beta)

Total 11973 CVE

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2026-32416	2 Bplugins, Wordpress	2 Pdf Poster, Wordpress	2026-04-22	5.4 Medium
Missing Authorization vulnerability in bPlugins PDF Poster pdf-poster allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PDF Poster: from n/a through <= 2.4.0.
CVE-2026-32423	2 Bowo, Wordpress	2 Admin And Site Enhancements Ase, Wordpress	2026-04-22	5.4 Medium
Missing Authorization vulnerability in Bowo Admin and Site Enhancements (ASE) admin-site-enhancements allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Admin and Site Enhancements (ASE): from n/a through <= 8.4.0.
CVE-2026-32428	2 Ays-pro, Wordpress	2 Popup Like Box, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in Ays Pro Popup Like box ays-facebook-popup-likebox allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup Like box: from n/a through <= 3.7.7.
CVE-2026-32437	2 Vowelweb, Wordpress	2 Vw Portfolio, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in vowelweb VW Portfolio vw-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Portfolio: from n/a through <= 1.3.3.
CVE-2026-3657	2 Premio, Wordpress	2 My Sticky Bar – Floating Notification Bar & Sticky Header (formerly Mystickymenu), Wordpress	2026-04-22	7.5 High
The My Sticky Bar plugin for WordPress is vulnerable to SQL injection via the `stickymenu_contact_lead_form` AJAX action in all versions up to, and including, 2.8.6. This is due to the handler using attacker-controlled POST parameter names directly as SQL column identifiers in `$wpdb->insert()`. While parameter values are sanitized with `esc_sql()` and `sanitize_text_field()`, the parameter keys are used as-is to build the column list in the INSERT statement. This makes it possible for unauthenticated attackers to inject SQL via crafted parameter names, enabling blind time-based data extraction from the database.
CVE-2026-3986	2 Codepeople, Wordpress	2 Calculated Fields Form, Wordpress	2026-04-22	6.4 Medium
The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form settings in all versions up to, and including, 5.4.5.0. This is due to insufficient capability checks on the form settings save handler and insufficient input sanitization of the `fcontent` field in `fhtml` field types. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-32394	2 Publishpress, Wordpress	2 Publishpress Capabilities, Wordpress	2026-04-22	4.3 Medium
Missing Authorization vulnerability in PublishPress PublishPress Capabilities capability-manager-enhanced allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PublishPress Capabilities: from n/a through <= 2.31.0.
CVE-2026-32378	2 Rarathemes, Wordpress	2 Book Landing Page, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in raratheme Book Landing Page book-landing-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Book Landing Page: from n/a through <= 1.2.7.
CVE-2026-32328	2 Shufflehound, Wordpress	2 Lemmony, Wordpress	2026-04-22	5.4 Medium
Cross-Site Request Forgery (CSRF) vulnerability in shufflehound Lemmony lemmony allows Cross Site Request Forgery.This issue affects Lemmony: from n/a through < 1.7.1.
CVE-2026-32366	2 Robfelty, Wordpress	2 Collapsing Categories, Wordpress	2026-04-22	8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in robfelty Collapsing Categories collapsing-categories allows Blind SQL Injection.This issue affects Collapsing Categories: from n/a through <= 3.0.9.
CVE-2026-32364	2 Redqteam, Wordpress	2 Turbo Manager, Wordpress	2026-04-22	7.5 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in redqteam Turbo Manager turbo-manager allows PHP Local File Inclusion.This issue affects Turbo Manager: from n/a through < 4.0.8.
CVE-2026-32358	2 Wordpress, Wpdevelop	2 Wordpress, Booking Calendar	2026-04-22	7.6 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpdevelop Booking Calendar booking allows Blind SQL Injection.This issue affects Booking Calendar: from n/a through <= 10.14.15.
CVE-2026-32435	2 Vowelweb, Wordpress	2 Vw Pet Shop, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in vowelweb VW Pet Shop vw-pet-shop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Pet Shop: from n/a through <= 1.4.7.
CVE-2026-32461	2 Really-simple-plugins, Wordpress	2 Really Simple Ssl, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in Really Simple Plugins Really Simple SSL really-simple-ssl allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Really Simple SSL: from n/a through <= 9.5.7.
CVE-2026-32375	2 Raratheme, Wordpress	2 Travel Diaries, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in raratheme Travel Diaries travel-diaries allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel Diaries: from n/a through <= 1.2.4.
CVE-2026-32438	2 Vowelweb, Wordpress	2 Vw School Education, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in vowelweb VW School Education vw-school-education allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW School Education: from n/a through <= 1.4.6.
CVE-2026-32456	2 Janis Elsts, Wordpress	2 Admin Menu Editor, Wordpress	2026-04-22	4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in Janis Elsts Admin Menu Editor admin-menu-editor allows Cross Site Request Forgery.This issue affects Admin Menu Editor: from n/a through <= 1.14.1.
CVE-2026-32367	2 Wordpress, Ylefebvre	2 Wordpress, Modal Dialog	2026-04-22	9.1 Critical
Improper Control of Generation of Code ('Code Injection') vulnerability in Yannick Lefebvre Modal Dialog modal-dialog allows Remote Code Inclusion.This issue affects Modal Dialog: from n/a through <= 3.5.16.
CVE-2026-32332	2 Ays-pro, Wordpress	2 Easy Form, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in Ays Pro Easy Form easy-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Form: from n/a through <= 2.7.9.
CVE-2026-32383	2 Raratheme, Wordpress	2 Ridhi, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in raratheme Ridhi ridhi allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ridhi: from n/a through <= 1.1.2.

« first previous Page 267 of 599. next last »