Filtered by vendor Wordpress
Subscriptions
Total
11883 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-59551 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Missing Authorization vulnerability in WP Chill Revive.so revive-so allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Revive.so: from n/a through <= 2.0.6. | ||||
| CVE-2025-58964 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Enzy enzy allows Reflected XSS.This issue affects Enzy: from n/a through < 1.6.4. | ||||
| CVE-2025-54731 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Control of Generation of Code ('Code Injection') vulnerability in emarket-design YouTube Showcase youtube-showcase allows Object Injection.This issue affects YouTube Showcase: from n/a through <= 3.5.1. | ||||
| CVE-2025-59581 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Missing Authorization vulnerability in VW THEMES Ibtana ibtana-visual-editor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ibtana: from n/a through <= 1.2.5.3. | ||||
| CVE-2025-59587 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Shortcodes & Performance penci-shortcodes allows DOM-Based XSS.This issue affects Penci Shortcodes & Performance: from n/a through < 6.1. | ||||
| CVE-2025-10295 | 2 Kayapati, Wordpress | 2 Angel, Wordpress | 2026-04-15 | 6.4 Medium |
| The Angel – Fashion Model Agency WordPress CMS Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting the profile media uploader in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires the user has access to the edit profile form with the media upload option. | ||||
| CVE-2025-23993 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 9.8 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RiceTheme Felan Framework felan-framework allows SQL Injection.This issue affects Felan Framework: from n/a through <= 1.1.3. | ||||
| CVE-2025-23641 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PowieT Powie's pLinks PagePeeker plinks allows DOM-Based XSS.This issue affects Powie's pLinks PagePeeker: from n/a through <= 1.0.2. | ||||
| CVE-2025-23693 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in uosiu Secure CAPTCHA secure-captcha allows Stored XSS.This issue affects Secure CAPTCHA: from n/a through <= 1.2. | ||||
| CVE-2025-47570 | 2 Villatheme, Wordpress | 2 Woocommerce Photo Reviews, Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in villatheme WooCommerce Photo Reviews woocommerce-photo-reviews.This issue affects WooCommerce Photo Reviews: from n/a through <= 1.3.13. | ||||
| CVE-2025-60242 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.5 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Anatoly Download Counter download-counter allows Path Traversal.This issue affects Download Counter: from n/a through <= 1.4. | ||||
| CVE-2025-3432 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The AAWP Obfuscator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data-aawp-web' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-23902 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in Taras Dashkevych Error Notification error-notification allows Cross Site Request Forgery.This issue affects Error Notification: from n/a through <= 0.2.7. | ||||
| CVE-2023-32120 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bob Hostel allows DOM-Based XSS.This issue affects Hostel: from n/a through 1.1.5.1. | ||||
| CVE-2025-23963 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Missing Authorization vulnerability in flymke Mark Posts mark-posts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mark Posts: from n/a through <= 2.2.4. | ||||
| CVE-2025-62138 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Missing Authorization vulnerability in cedcommerce WP Advanced PDF wp-advanced-pdf allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Advanced PDF: from n/a through <= 1.1.7. | ||||
| CVE-2025-12751 | 2 Elextensions, Wordpress | 2 Wschat, Wordpress | 2026-04-15 | 4.3 Medium |
| The WSChat – WordPress Live Chat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'reset_settings' AJAX endpoint in all versions up to, and including, 3.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings. | ||||
| CVE-2025-12753 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Chart Expert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pmzez_chart' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-60154 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jennifer Moss MWW Disclaimer Buttons mww-disclaimer-buttons allows Stored XSS.This issue affects MWW Disclaimer Buttons: from n/a through <= 3.41. | ||||
| CVE-2025-60219 | 3 Harutheme, Woocommerce, Wordpress | 3 Woocommerce Designer Pro, Woocommerce, Wordpress | 2026-04-15 | N/A |
| Unrestricted Upload of File with Dangerous Type vulnerability in HaruTheme WooCommerce Designer Pro wc-designer-pro allows Upload a Web Shell to a Web Server.This issue affects WooCommerce Designer Pro: from n/a through <= 1.9.24. | ||||