Filtered by vendor Wordpress
Subscriptions
Filtered by product Wordpress
Subscriptions
Total
11712 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-12954 | 2 Motopress, Wordpress | 2 Timetable And Event Schedule, Wordpress | 2026-01-09 | 2.7 Low |
| The Timetable and Event Schedule by MotoPress WordPress plugin before 2.4.16 does not verify a user has access to a specific event when duplicating, leading to arbitrary event disclosure when to users with a role as low as Contributor. | ||||
| CVE-2025-12061 | 1 Wordpress | 1 Wordpress | 2026-01-09 | 8.6 High |
| The TAX SERVICE Electronic HDM WordPress plugin before 1.2.1 does not authorization and CSRF checks in an AJAX action, allowing unauthenticated users to import and execute arbitrary SQL statements | ||||
| CVE-2025-12057 | 1 Wordpress | 1 Wordpress | 2026-01-09 | 9.8 Critical |
| The WavePlayer WordPress plugin before 3.8.0 does not have authorization in an AJAX action as well as does not validate the file to be copied locally, allowing unauthenticated users to upload arbitrary file on the server and lead to RCE | ||||
| CVE-2025-11191 | 1 Wordpress | 1 Wordpress | 2026-01-09 | 5.3 Medium |
| The RealPress WordPress plugin before 1.1.0 registers the REST routes without proper permission checks, allowing the creation of pages and sending of emails from the site. | ||||
| CVE-2025-10874 | 1 Wordpress | 1 Wordpress | 2026-01-09 | 5.5 Medium |
| The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More WordPress plugin before 3.0.2 does not limit URLs which may be used for the stock photo import feature, allowing the user to specify arbitrary URLs. This leads to a server-side request forgery as the user may force the server to access any URL of their choosing. | ||||
| CVE-2025-10723 | 2 Pixelyoursite, Wordpress | 2 Pixelyoursite, Wordpress | 2026-01-09 | 2.7 Low |
| The PixelYourSite WordPress plugin before 11.1.2 does not validate some URL parameters before using them to generate paths passed to function/s, allowing any admins to perform LFI attacks | ||||
| CVE-2025-10406 | 1 Wordpress | 1 Wordpress | 2026-01-09 | 5.5 Medium |
| The BlindMatrix e-Commerce WordPress plugin before 3.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users, such as contributors, to perform LFI attacks. | ||||
| CVE-2025-10684 | 1 Wordpress | 1 Wordpress | 2026-01-09 | 4.3 Medium |
| The Construction Light WordPress theme before 1.6.8 does not have authorisation and CSRF when activating via an AJAX action, allowing any authenticated users, such as subscriber to activate arbitrary . | ||||
| CVE-2023-28688 | 2 Themehunk, Wordpress | 2 Variation Swatches, Wordpress | 2026-01-09 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in ThemeHunk TH Variation Swatches allows Cross Site Request Forgery.This issue affects TH Variation Swatches: from n/a through 1.2.7. | ||||
| CVE-2024-31428 | 2 Rarathemes, Wordpress | 2 The Conference, Wordpress | 2026-01-09 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme The Conference.This issue affects The Conference: from n/a through 1.2.0. | ||||
| CVE-2024-31384 | 2 Rarathemes, Wordpress | 2 Spa And Salon, Wordpress | 2026-01-09 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Spa and Salon.This issue affects Spa and Salon: from n/a through 1.2.7. | ||||
| CVE-2024-33537 | 2 Themehorse, Wordpress | 2 Wp Portfolio, Wordpress | 2026-01-09 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Theme Horse WP Portfolio allows Stored XSS.This issue affects WP Portfolio: from n/a through 2.4. | ||||
| CVE-2025-14072 | 3 Ninjaforma, Ninjaforms, Wordpress | 3 Ninja Forms, Ninja Forms, Wordpress | 2026-01-09 | 5.3 Medium |
| The Ninja Forms WordPress plugin before 3.13.3 allows unauthenticated attackers to generate valid access tokens via the REST API which can then be used to read form submissions. | ||||
| CVE-2024-2904 | 2 Extendthemes, Wordpress | 2 Calliope, Wordpress | 2026-01-08 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Extend Themes Calliope.This issue affects Calliope: from n/a through 1.0.33. | ||||
| CVE-2024-29796 | 2 Hot-themes, Wordpress | 2 Hot Random Image, Wordpress | 2026-01-08 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hot Themes Hot Random Image allows Stored XSS.This issue affects Hot Random Image: from n/a through 1.8.1. | ||||
| CVE-2023-50897 | 2 Meow Apps, Wordpress | 2 Media File Renamer, Wordpress | 2026-01-08 | 9.1 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Meow Apps Media File Renamer allows Using Malicious Files.This issue affects Media File Renamer: from n/a through 5.7.7. | ||||
| CVE-2025-9543 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 3.5 Low |
| The FlexTable WordPress plugin before 3.19.2 does not sanitise and escape the imported links from Google Sheet cells, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2025-14124 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 8.6 High |
| The Team WordPress plugin before 5.0.11 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. | ||||
| CVE-2023-52212 | 2 Automattic, Wordpress | 2 Wp Job Manager, Wordpress | 2026-01-08 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Automattic WP Job Manager allows Cross Site Request Forgery.This issue affects WP Job Manager: from n/a through 2.0.0. | ||||
| CVE-2023-51513 | 2 Infinitumform, Wordpress | 2 Geo Controller, Wordpress | 2026-01-08 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in INTINITUM FORM Geo Controller allows DOM-Based XSS.This issue affects Geo Controller: from n/a through 8.5.2. | ||||