Filtered by vendor Wordpress
Subscriptions
Total
11910 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-8682 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The Newsup theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the newsup_admin_info_install_plugin() function in all versions up to, and including, 5.0.10. This makes it possible for unauthenticated attackers to install the ansar-import plugin. | ||||
| CVE-2025-9861 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The ThemeLoom Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'los_showposts' shortcode in all versions up to, and including, 1.8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-22575 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in extendyourweb SUPER RESPONSIVE SLIDER super-slider allows Reflected XSS.This issue affects SUPER RESPONSIVE SLIDER: from n/a through <= 1.4. | ||||
| CVE-2024-10942 | 2 Wordpress, Yaniiliev | 2 Wordpress, All In One Wp Migration And Backup | 2026-04-15 | 7.5 High |
| The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.89 via deserialization of untrusted input in the 'replace_serialized_values' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must export and restore a backup in order to trigger the exploit. | ||||
| CVE-2025-14800 | 2 Themeisle, Wordpress | 2 Redirection For Contact Form 7, Wordpress | 2026-04-15 | 8.1 High |
| The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'move_file_to_upload' function in all versions up to, and including, 3.2.7. This makes it possible for unauthenticated attackers to copy arbitrary files on the affected site's server. If 'allow_url_fopen' is set to 'On', it is possible to upload a remote file to the server. | ||||
| CVE-2025-22593 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in burria Laika Pedigree Tree laika-pedigree-tree allows Stored XSS.This issue affects Laika Pedigree Tree: from n/a through <= 1.4. | ||||
| CVE-2024-27997 | 2 Visualcomposer, Wordpress | 2 Visual Composer Website Builder, Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Visual Composer Visual Composer Website Builder visualcomposer.This issue affects Visual Composer Website Builder: from n/a through <= 45.6.0. | ||||
| CVE-2024-11008 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| The Members – Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.10 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator. | ||||
| CVE-2024-2580 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FunnelKit Automation By Autonami allows Stored XSS.This issue affects Automation By Autonami: from n/a through 2.8.2. | ||||
| CVE-2024-25912 | 2 Skymoonlabs, Wordpress | 2 Moveto, Wordpress | 2026-04-15 | 9.8 Critical |
| Missing Authorization vulnerability in Skymoonlabs MoveTo.This issue affects MoveTo: from n/a through 6.2. | ||||
| CVE-2025-22673 | 2 Wordpress, Wpfactory | 2 Wordpress, Ean For Woocommerce | 2026-04-15 | N/A |
| Missing Authorization vulnerability in WPFactory EAN for WooCommerce ean-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EAN for WooCommerce: from n/a through <= 5.3.5. | ||||
| CVE-2025-50053 | 3 Google, Nebelhorn, Wordpress | 3 Android, Blappsta Mobile App Plugin, Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nebelhorn Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App yournewsapp allows Reflected XSS.This issue affects Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App: from n/a through <= 0.8.8.8. | ||||
| CVE-2025-23560 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in plumwd Web Testimonials web-testimonials allows Stored XSS.This issue affects Web Testimonials: from n/a through <= 1.2. | ||||
| CVE-2025-54667 | 2 Mycred, Wordpress | 2 Mycred, Wordpress | 2026-04-15 | N/A |
| Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Saad Iqbal myCred mycred allows Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions.This issue affects myCred: from n/a through <= 2.9.4.3. | ||||
| CVE-2025-54672 | 2 Jordy Meow, Wordpress | 2 Photo Engine, Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in Jordy Meow Photo Engine wplr-sync allows Cross Site Request Forgery.This issue affects Photo Engine: from n/a through <= 6.4.3. | ||||
| CVE-2025-14313 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The Advance WP Query Search Filter WordPress plugin through 1.0.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2025-14426 | 2 Wordpress, Wpchill | 2 Wordpress, Strong Testimonials | 2026-04-15 | 4.3 Medium |
| The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'edit_rating' function in all versions up to, and including, 3.2.18. This makes it possible for authenticated attackers with Contributor-level access and above to modify or delete the rating meta on any testimonial post, including those created by other users, by reusing a valid nonce obtained from their own testimonial edit screen. | ||||
| CVE-2025-66065 | 2 Jegstudio, Wordpress | 2 Gutenverse, Wordpress | 2026-04-15 | 5.3 Medium |
| Missing Authorization vulnerability in Jegstudio Gutenverse gutenverse allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gutenverse: from n/a through <= 3.2.1. | ||||
| CVE-2025-12585 | 2 Mxchat, Wordpress | 2 Ai Chatbot For Wordpress, Wordpress | 2026-04-15 | 5.3 Medium |
| The MxChat – AI Chatbot for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.5 via upload filenames. This makes it possible for unauthenticated attackers to extract session values that can subsequently be used to access conversation data. | ||||
| CVE-2024-53715 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in Thomas Hoefter Simple Travel Map simple-travel-map allows Stored XSS.This issue affects Simple Travel Map: from n/a through <= 0.1. | ||||