Filtered by vendor Wordpress
Subscriptions
Total
11922 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-59574 | 2 Wordpress, Wptravelengine | 2 Wordpress, Wp Travel Engine | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Travel Engine WP Travel Engine wte-elementor-widgets allows Stored XSS.This issue affects WP Travel Engine: from n/a through <= 1.4.2. | ||||
| CVE-2025-59585 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Recipe penci-recipe allows DOM-Based XSS.This issue affects Penci Recipe: from n/a through <= 4.0. | ||||
| CVE-2025-59591 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Missing Authorization vulnerability in AdvancedCoding wpDiscuz wpdiscuz allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects wpDiscuz: from n/a through <= 7.6.33. | ||||
| CVE-2025-53561 | 2 Miniorange, Wordpress | 2 Prevent Files \/ Folders Access, Wordpress | 2026-04-15 | N/A |
| Path Traversal: '.../...//' vulnerability in miniOrange Prevent files / folders access prevent-file-access allows Path Traversal.This issue affects Prevent files / folders access: from n/a through <= 2.6.0. | ||||
| CVE-2025-59592 | 3 Elementor, Fernando Acosta, Wordpress | 3 Elementor, Make Column Clickable Elementor, Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fernando Acosta Make Column Clickable Elementor make-column-clickable-elementor allows Stored XSS.This issue affects Make Column Clickable Elementor: from n/a through <= 1.6.0. | ||||
| CVE-2025-53577 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Control of Generation of Code ('Code Injection') vulnerability in thehp Global DNS global-dns allows Remote Code Inclusion.This issue affects Global DNS: from n/a through <= 3.1.0. | ||||
| CVE-2025-14552 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The MediaPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mpp-uploader shortcode in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-54055 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Druco druco allows Reflected XSS.This issue affects Druco: from n/a through <= 1.5.2. | ||||
| CVE-2025-6261 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Fleetwire Fleet Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fleetwire_list shortcode in all versions up to, and including, 1.0.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-12849 | 2 Contest-gallery, Wordpress | 2 Contest Gallery, Wordpress | 2026-04-15 | 5.3 Medium |
| The Contest Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 28.0.2. This is due to the plugin registering the `cg_check_wp_admin_upload_v10` AJAX action for both authenticated and unauthenticated users without implementing capability checks or nonce verification. This makes it possible for unauthenticated attackers to inject arbitrary WordPress media attachments into galleries and manipulate gallery metadata via the `cg_check_wp_admin_upload_v10` action. It does not enable an attacker to move or upload files. | ||||
| CVE-2025-54713 | 2 Woocommerce, Wordpress | 2 Woocommerce, Wordpress | 2026-04-15 | N/A |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in magepeopleteam Taxi Booking Manager for WooCommerce ecab-taxi-booking-manager allows Authentication Abuse.This issue affects Taxi Booking Manager for WooCommerce: from n/a through <= 1.3.0. | ||||
| CVE-2025-48088 | 2 Brainstormforce, Wordpress | 2 Ultimate Addons For Wpbakery Page Builder, Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm_Force Ultimate Addons for WPBakery Page Builder ultimate_vc_addons allows Stored XSS.This issue affects Ultimate Addons for WPBakery Page Builder: from n/a through < 3.21.1. | ||||
| CVE-2025-48142 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Incorrect Privilege Assignment vulnerability in Saad Iqbal Bookify bookify allows Privilege Escalation.This issue affects Bookify: from n/a through <= 1.0.9. | ||||
| CVE-2025-48152 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dimafreund Rentsyst rentsyst allows Reflected XSS.This issue affects Rentsyst: from n/a through <= 2.0.100. | ||||
| CVE-2025-48302 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Roxnor FundEngine wp-fundraising-donation allows PHP Local File Inclusion.This issue affects FundEngine: from n/a through <= 1.7.4. | ||||
| CVE-2025-13652 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| The CBX Bookmark & Favorite plugin for WordPress is vulnerable to generic SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 2.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-6495 | 2 Bricksable, Wordpress | 2 Bricksable For Bricks Builder, Wordpress | 2026-04-15 | 7.5 High |
| The Bricks theme for WordPress is vulnerable to blind SQL Injection via the ‘p’ parameter in all versions up to, and including, 1.12.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-6439 | 2 Jma Plugins, Wordpress | 2 Woocommerce Designer Pro, Wordpress | 2026-04-15 | 9.8 Critical |
| The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and including, 1.9.26. This makes it possible for unauthenticated attackers to delete all files in an arbitrary directory on the server, which can lead to remote code execution, data loss, or site unavailability. | ||||
| CVE-2025-12197 | 2 Stellarwp, Wordpress | 2 The Events Calendar, Wordpress | 2026-04-15 | 7.5 High |
| The The Events Calendar plugin for WordPress is vulnerable to blind SQL Injection via the 's' parameter in versions 6.15.1.1 to 6.15.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-49392 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Audio Dock themify-audio-dock allows Stored XSS.This issue affects Themify Audio Dock: from n/a through <= 2.0.5. | ||||