Filtered by vendor Wordpress
Subscriptions
Total
11903 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-51513 | 2 Infinitumform, Wordpress | 2 Geo Controller, Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in INTINITUM FORM Geo Controller allows DOM-Based XSS.This issue affects Geo Controller: from n/a through 8.5.2. | ||||
| CVE-2023-52144 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.5 Medium |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in RexTheme Product Feed Manager.This issue affects Product Feed Manager: from n/a through 7.3.15. | ||||
| CVE-2025-10493 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| The Chained Quiz plugin for WordPress is vulnerable to Insecure Direct Object Reference in version 1.3.4 and below via the quiz submission and completion mechanisms due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to hijack and modify other users' quiz attempts by manipulating the chained_completion_id cookie value, allowing them to alter quiz answers, scores, and results of any user. The vulnerability was partially patched in versions 1.3.4 and 1.3.5. | ||||
| CVE-2025-3065 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 9.1 Critical |
| The Database Toolset plugin is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | ||||
| CVE-2025-47663 | 3 Hospital Management System, Hospital Management System Project, Wordpress | 3 Hospital Management System, Hospital Management System, Wordpress | 2026-04-15 | 9.9 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla Hospital Management System allows Upload a Web Shell to a Web Server. This issue affects Hospital Management System: from 47.0(20 through 11. | ||||
| CVE-2024-12507 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Optio Dentistry plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'optio-lightbox' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-58606 | 2 Cozythemes, Wordpress | 2 Saaslauncher, Wordpress | 2026-04-15 | N/A |
| Missing Authorization vulnerability in cozythemes SaasLauncher saaslauncher allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SaasLauncher: from n/a through <= 1.3.0. | ||||
| CVE-2025-58614 | 2 Tooltipy, Wordpress | 2 Tooltipy, Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jamel.Z Tooltipy bluet-keywords-tooltip-generator allows Stored XSS.This issue affects Tooltipy: from n/a through <= 5.5.6. | ||||
| CVE-2024-10932 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| The Backup Migration plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site in order to trigger the exploit. | ||||
| CVE-2024-3555 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.2 High |
| The Social Link Pages: link-in-bio landing pages for your social media profiles plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the import_link_pages() function in all versions up to, and including, 1.6.9. This makes it possible for unauthenticated attackers to inject arbitrary pages and malicious web scripts. | ||||
| CVE-2025-62925 | 2 Conversios, Wordpress | 2 Conversios.io, Wordpress | 2026-04-15 | 8.1 High |
| Missing Authorization vulnerability in Conversios Conversios.io enhanced-e-commerce-for-woocommerce-store allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Conversios.io: from n/a through <= 7.2.13. | ||||
| CVE-2024-35642 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bryan Hadaway Site Favicon allows Stored XSS.This issue affects Site Favicon: from n/a through 0.2. | ||||
| CVE-2024-35646 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Erez Hadas-Sonnenschein Smartarget Message Bar smartarget-message-bar.This issue affects Smartarget Message Bar: from n/a through <= 1.5. | ||||
| CVE-2024-3581 | 2 Maxfoundry, Wordpress | 2 Maxgalleria, Wordpress | 2026-04-15 | 4.3 Medium |
| The MaxGalleria plugin for WordPress is vulnerable to unauthorized image upload due to a missing capability check on the add_media_library_images_to_gallery function in all versions up to, and including, 6.4.2. This makes it possible for authenticated attackers, with subscriber access or above, to upload arbitrary images to a gallery. | ||||
| CVE-2024-3595 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Pure Chat – Live Chat Plugin & More! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the purechatwid and purechatwname parameter in all versions up to, and including, 2.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-22595 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Yamna Khawaja Mailing Group Listserv wp-mailing-group allows Reflected XSS.This issue affects Mailing Group Listserv: from n/a through <= 2.0.9. | ||||
| CVE-2024-12339 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The Digihood HTML Sitemap plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘channel' parameter in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-37540 | 2 Leaky Paywall, Wordpress | 2 Leaky Paywall, Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in ZEEN101 Leaky Paywall leaky-paywall allows Cross Site Request Forgery.This issue affects Leaky Paywall: from n/a through <= 4.21.2. | ||||
| CVE-2024-37562 | 2 Bracketspace, Wordpress | 2 Simple Post Notes, Wordpress | 2026-04-15 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BracketSpace Simple Post Notes allows Stored XSS.This issue affects Simple Post Notes: from n/a through 1.7.7. | ||||
| CVE-2025-53266 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Missing Authorization vulnerability in EdwardBock Cron Logger cron-logger allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cron Logger: from n/a through <= 1.3.0. | ||||