Wordpress CVEs and Security Vulnerabilities

Filtered by vendor Wordpress Subscriptions

Search

Switch to Advanced Search (Beta)

Total 11012 CVE

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2026-32394	2 Publishpress, Wordpress	2 Publishpress Capabilities, Wordpress	2026-03-16	4.3 Medium
Missing Authorization vulnerability in PublishPress PublishPress Capabilities capability-manager-enhanced allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PublishPress Capabilities: from n/a through <= 2.31.0.
CVE-2026-32392	2 Creatives Planet, Wordpress	2 Greenly, Wordpress	2026-03-16	7.5 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Greenly greenly allows PHP Local File Inclusion.This issue affects Greenly: from n/a through <= 8.1.
CVE-2026-32390	2 Linethemes, Wordpress	2 Nanosoft, Wordpress	2026-03-16	5.4 Medium
Missing Authorization vulnerability in linethemes Nanosoft nanosoft allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Nanosoft: from n/a through < 1.3.2.
CVE-2026-32385	2 Metagauss, Wordpress	2 Registrationmagic, Wordpress	2026-03-16	5.4 Medium
Missing Authorization vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RegistrationMagic: from n/a through <= 6.0.7.6.
CVE-2026-32373	2 Cozyvision, Wordpress	2 Sms Alert Order Notifications, Wordpress	2026-03-16	5.4 Medium
Missing Authorization vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SMS Alert Order Notifications: from n/a through <= 3.9.0.
CVE-2025-12189	2 Breadbutter, Wordpress	2 Bread \& Butter, Wordpress	2026-03-16	4.3 Medium
The Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.10.1321. This is due to missing or incorrect nonce validation on the uploadImage() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2026-32369	2 Radiustheme, Wordpress	2 Medilink-core, Wordpress	2026-03-16	7.5 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Medilink-Core medilink-core allows PHP Local File Inclusion.This issue affects Medilink-Core: from n/a through < 2.0.7.
CVE-2026-32367	2 Wordpress, Ylefebvre	2 Wordpress, Modal Dialog	2026-03-16	9.1 Critical
Improper Control of Generation of Code ('Code Injection') vulnerability in Yannick Lefebvre Modal Dialog modal-dialog allows Remote Code Inclusion.This issue affects Modal Dialog: from n/a through <= 3.5.16.
CVE-2026-32365	2 Robfelty, Wordpress	2 Collapsing Archives, Wordpress	2026-03-16	8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in robfelty Collapsing Archives collapsing-archives allows Blind SQL Injection.This issue affects Collapsing Archives: from n/a through <= 3.0.7.
CVE-2026-32361	2 Marketing Fire, Wordpress	2 Editorial Calendar, Wordpress	2026-03-16	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marketing Fire Editorial Calendar editorial-calendar allows DOM-Based XSS.This issue affects Editorial Calendar: from n/a through <= 3.9.0.
CVE-2026-32351	2 Blubrry, Wordpress	2 Powerpress Podcasting, Wordpress	2026-03-16	5.9 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in blubrry PowerPress Podcasting powerpress allows Stored XSS.This issue affects PowerPress Podcasting: from n/a through <= 11.15.13.
CVE-2026-31922	2 Ays-pro, Wordpress	2 Fox Lms, Wordpress	2026-03-16	8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ays Pro Fox LMS fox-lms allows Blind SQL Injection.This issue affects Fox LMS: from n/a through <= 1.0.6.3.
CVE-2026-31918	2 Immonex, Wordpress	2 Immonex Kickstart, Wordpress	2026-03-16	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in immonex immonex Kickstart immonex-kickstart allows Stored XSS.This issue affects immonex Kickstart: from n/a through <= 1.13.0.
CVE-2026-31916	2 Iulia Cazan, Wordpress	2 Latest Post Shortcode, Wordpress	2026-03-16	5.3 Medium
Missing Authorization vulnerability in Iulia Cazan Latest Post Shortcode latest-post-shortcode allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Latest Post Shortcode: from n/a through <= 14.2.1.
CVE-2026-31915	2 Uxthemes, Wordpress	2 Flatsome, Wordpress	2026-03-16	5.3 Medium
Missing Authorization vulnerability in UX-themes Flatsome flatsome allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flatsome: from n/a through <= 3.19.6.
CVE-2026-32328	2 Shufflehound, Wordpress	2 Lemmony, Wordpress	2026-03-16	5.4 Medium
Cross-Site Request Forgery (CSRF) vulnerability in shufflehound Lemmony lemmony allows Cross Site Request Forgery.This issue affects Lemmony: from n/a through < 1.7.1.
CVE-2026-31919	2 Josh Kohlbach, Wordpress	2 Advanced Coupons For Woocommerce Coupons, Wordpress	2026-03-16	4.3 Medium
Missing Authorization vulnerability in Josh Kohlbach Advanced Coupons for WooCommerce Coupons advanced-coupons-for-woocommerce-free allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Coupons for WooCommerce Coupons: from n/a through <= 4.7.1.
CVE-2026-31917	2 Wedevs, Wordpress	2 Wp Erp, Wordpress	2026-03-16	8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs WP ERP erp allows SQL Injection.This issue affects WP ERP: from n/a through <= 1.16.10.
CVE-2026-32329	2 Ays Pro, Wordpress	2 Advanced Related Posts, Wordpress	2026-03-16	5.3 Medium
Missing Authorization vulnerability in Ays Pro Advanced Related Posts advanced-related-posts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Related Posts: from n/a through <= 1.9.1.
CVE-2026-1704	2 Croixhaug, Wordpress	2 Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin, Wordpress	2026-03-16	4.3 Medium
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.9.29. This is due to the `get_item_permissions_check` method granting access to users with the `ssa_manage_appointments` capability without validating staff ownership of the requested appointment. This makes it possible for authenticated attackers, with custom-level access and above (users granted the ssa_manage_appointments capability, such as Team Members), to view appointment records belonging to other staff members and access sensitive customer personally identifiable information via the appointment ID parameter.

« first previous Page 4 of 551. next last »