Filtered by vendor Wordpress
Subscriptions
Filtered by product Wordpress
Subscriptions
Total
11698 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-10134 | 2 Bearsthemes, Wordpress | 2 Goza Nonprofit Charity Wordpress Theme, Wordpress | 2025-09-09 | 9.1 Critical |
| The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | ||||
| CVE-2025-9260 | 1 Wordpress | 1 Wordpress | 2025-09-04 | 6.5 Medium |
| The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to PHP Object Injection in versions 5.1.16 to 6.1.1 via deserialization of untrusted input in the parseUserProperties function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to read arbitrary files. If allow_url_include is enabled on the server, remote code execution is possible. While the vendor patched this issue in version 6.1.0, the patch caused a fatal error in the vulnerable code, due to a missing class import, so we consider 6.1.2 to be the most complete and best patched version | ||||
| CVE-2025-52709 | 2 Wordpress, Wpeverest | 2 Wordpress, Everest Forms | 2025-09-04 | N/A |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||||
| CVE-2025-31100 | 2 Mojoomla, Wordpress | 2 School Management, Wordpress | 2025-09-02 | 9.9 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Mojoomla School Management allows Upload a Web Shell to a Web Server.This issue affects School Management: from n/a through 1.93.1 (02-07-2025). | ||||
| CVE-2025-4956 | 2 Aa-team, Wordpress | 2 Pro Bulk Watermark Plugin, Wordpress | 2025-09-02 | 4.3 Medium |
| Path Traversal: '.../...//' vulnerability in AA-Team Pro Bulk Watermark Plugin for WordPress allows Path Traversal.This issue affects Pro Bulk Watermark Plugin for WordPress: from n/a through 2.0. | ||||
| CVE-2025-49405 | 2 Favethemes, Wordpress | 2 Houzez, Wordpress | 2025-08-30 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Favethemes Houzez allows PHP Local File Inclusion.This issue affects Houzez: from n/a before 4.1.4. | ||||
| CVE-2025-49407 | 2 Favethemes, Wordpress | 2 Houzez, Wordpress | 2025-08-29 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez allows Reflected XSS. This issue affects Houzez: from n/a through 4.1.1. | ||||
| CVE-2025-48081 | 1 Wordpress | 1 Wordpress | 2025-08-29 | 5.3 Medium |
| Path Traversal: '.../...//' vulnerability in Printeers Printeers Print & Ship allows Path Traversal.This issue affects Printeers Print & Ship: from n/a through 1.17.0. | ||||
| CVE-2025-48108 | 1 Wordpress | 1 Wordpress | 2025-08-27 | 6.5 Medium |
| Missing Authorization vulnerability in Mojoomla School Management allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects School Management: from n/a through 93.2.0. | ||||
| CVE-2024-22155 | 2 Automattic, Wordpress | 2 Woocommerce, Wordpress | 2025-08-26 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce.This issue affects WooCommerce: from n/a through 8.5.2. | ||||
| CVE-2025-7642 | 1 Wordpress | 1 Wordpress | 2025-08-25 | 9.8 Critical |
| The Simpler Checkout plugin for WordPress is vulnerable to Authentication Bypass in versions 0.7.0 to 1.1.9. This is due to the plugin not properly verifying a user's identity prior to logging them in as an admin through the simplerwc_woocommerce_order_created() function. This makes it possible for unauthenticated attackers to log in as other users based on their order ID, which can be an administrator if a site admin has placed a test order. | ||||
| CVE-2025-8678 | 1 Wordpress | 1 Wordpress | 2025-08-25 | 5.9 Medium |
| The WP Crontrol plugin for WordPress is vulnerable to blind Server-Side Request Forgery in versions 1.17.0 to 1.19.1 via the 'wp_remote_request' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | ||||
| CVE-2025-49408 | 2 Templately, Wordpress | 2 Templately, Wordpress | 2025-08-21 | 4.9 Medium |
| Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data. This issue affects Templately: from n/a through 3.2.7. | ||||
| CVE-2025-49410 | 1 Wordpress | 1 Wordpress | 2025-08-21 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Emu TC Testimonials allows Stored XSS. This issue affects TC Testimonials: from n/a through 1.1.1. | ||||
| CVE-2025-49409 | 1 Wordpress | 1 Wordpress | 2025-08-21 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brewlabs SensorPress allows Stored XSS. This issue affects SensorPress: from n/a through 1.0. | ||||
| CVE-2025-49411 | 1 Wordpress | 1 Wordpress | 2025-08-21 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikas Sharma iFrame Block allows Stored XSS. This issue affects iFrame Block: from n/a through 0.1.1. | ||||
| CVE-2025-49438 | 1 Wordpress | 1 Wordpress | 2025-08-21 | 7.2 High |
| Deserialization of Untrusted Data vulnerability in Max Chirkov Simple Login Log allows Object Injection. This issue affects Simple Login Log: from n/a through 1.1.3. | ||||
| CVE-2025-49428 | 1 Wordpress | 1 Wordpress | 2025-08-21 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dourou Cookie Warning allows Stored XSS. This issue affects Cookie Warning: from n/a through 1.3. | ||||
| CVE-2025-49406 | 2 Favethemes, Wordpress | 2 Houzez, Wordpress | 2025-08-21 | 5.3 Medium |
| Missing Authorization vulnerability in favethemes Houzez allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Houzez: from n/a through 4.1.1. | ||||
| CVE-2022-21661 | 3 Debian, Fedoraproject, Wordpress | 3 Debian Linux, Fedora, Wordpress | 2025-08-19 | 8 High |
| WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability. | ||||