Wordpress CVEs and Security Vulnerabilities

Filtered by vendor Wordpress Subscriptions

Search

Switch to Advanced Search (Beta)

Total 11012 CVE

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2026-32457	2 Wombat Plugins, Wordpress	2 Advanced Product Fields Product Addons For Woocommerce, Wordpress	2026-03-16	5.3 Medium
Missing Authorization vulnerability in Wombat Plugins Advanced Product Fields (Product Addons) for WooCommerce advanced-product-fields-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Product Fields (Product Addons) for WooCommerce: from n/a through <= 1.6.18.
CVE-2026-32353	2 Mailerpress Team, Wordpress	2 Mailerpress, Wordpress	2026-03-16	6.4 Medium
Server-Side Request Forgery (SSRF) vulnerability in MailerPress Team MailerPress mailerpress allows Server Side Request Forgery.This issue affects MailerPress: from n/a through <= 1.4.2.
CVE-2026-32355	2 Crocoblock, Wordpress	2 Jetengine, Wordpress	2026-03-16	8.8 High
Deserialization of Untrusted Data vulnerability in Crocoblock JetEngine jet-engine allows Object Injection.This issue affects JetEngine: from n/a through < 3.8.4.1.
CVE-2026-32460	2 Themefic, Wordpress	2 Ultimate Addons For Contact Form 7, Wordpress	2026-03-16	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Addons for Contact Form 7: from n/a through <= 3.5.36.
CVE-2026-3045	2 Croixhaug, Wordpress	2 Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin, Wordpress	2026-03-16	7.5 High
The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to and including 1.6.9.29. This is due to two compounding weaknesses: (1) a non-user-bound `public_nonce` is exposed to unauthenticated users through the public `/wp-json/ssa/v1/embed-inner` REST endpoint, and (2) the `get_item()` method in `SSA_Settings_Api` relies on `nonce_permissions_check()` for authorization (which accepts the public nonce) but does not call `remove_unauthorized_settings_for_current_user()` to filter restricted fields. This makes it possible for unauthenticated attackers to access admin-only plugin settings including the administrator email, phone number, internal access tokens, notification configurations, and developer settings via the `/wp-json/ssa/v1/settings/{section}` endpoint. The exposure of appointment tokens also allows an attacker to modify or cancel appointments.
CVE-2026-32338	2 Rarathemes, Wordpress	2 Construction Landing Page, Wordpress	2026-03-16	5.3 Medium
Missing Authorization vulnerability in raratheme Construction Landing Page construction-landing-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Construction Landing Page: from n/a through <= 1.4.1.
CVE-2026-32359	2 Bplugins, Wordpress	2 Icon List Block, Wordpress	2026-03-16	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins Icon List Block icon-list-block allows Stored XSS.This issue affects Icon List Block: from n/a through <= 1.2.3.
CVE-2026-32375	2 Raratheme, Wordpress	2 Travel Diaries, Wordpress	2026-03-16	5.3 Medium
Missing Authorization vulnerability in raratheme Travel Diaries travel-diaries allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel Diaries: from n/a through <= 1.2.4.
CVE-2026-32379	2 Raratheme, Wordpress	2 Rara Academic, Wordpress	2026-03-16	5.3 Medium
Missing Authorization vulnerability in raratheme Rara Academic rara-academic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rara Academic: from n/a through <= 1.2.2.
CVE-2026-32380	2 Raratheme, Wordpress	2 Numinous, Wordpress	2026-03-16	5.3 Medium
Missing Authorization vulnerability in raratheme Numinous numinous allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Numinous: from n/a through <= 1.3.0.
CVE-2026-32382	2 Raratheme, Wordpress	2 Digital Download, Wordpress	2026-03-16	5.3 Medium
Missing Authorization vulnerability in raratheme Digital Download digital-download allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Digital Download: from n/a through <= 1.1.4.
CVE-2026-32383	2 Raratheme, Wordpress	2 Ridhi, Wordpress	2026-03-16	5.3 Medium
Missing Authorization vulnerability in raratheme Ridhi ridhi allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ridhi: from n/a through <= 1.1.2.
CVE-2026-32399	2 Davidlingren, Wordpress	2 Media Library Assistant, Wordpress	2026-03-16	8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media LIbrary Assistant media-library-assistant allows Blind SQL Injection.This issue affects Media LIbrary Assistant: from n/a through <= 3.32.
CVE-2026-32400	2 Themetechmount, Wordpress	2 Boldman, Wordpress	2026-03-16	7.5 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemetechMount Boldman boldman allows PHP Local File Inclusion.This issue affects Boldman: from n/a through <= 7.7.
CVE-2026-32402	2 Ays-pro, Wordpress	2 Image Slider, Wordpress	2026-03-16	5.3 Medium
Missing Authorization vulnerability in Ays Pro Image Slider by Ays ays-slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Slider by Ays: from n/a through <= 2.7.1.
CVE-2026-32409	2 Wordpress, Wpmu Dev - Your All-in-one Wordpress Platform	2 Wordpress, Forminator	2026-03-16	5.3 Medium
Missing Authorization vulnerability in WPMU DEV - Your All-in-One WordPress Platform Forminator forminator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Forminator: from n/a through <= 1.50.2.
CVE-2026-32419	2 Fernandobriano, Wordpress	2 List Category Posts, Wordpress	2026-03-16	5.9 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fernando Briano List category posts list-category-posts allows DOM-Based XSS.This issue affects List category posts: from n/a through <= 0.93.1.
CVE-2026-32421	2 Agilelogix, Wordpress	2 Post Timeline, Wordpress	2026-03-16	5.3 Medium
Missing Authorization vulnerability in Agile Logix Post Timeline post-timeline allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Timeline: from n/a through <= 2.4.1.
CVE-2026-32429	2 Noor Alam, Wordpress	2 Magical Addons For Elementor, Wordpress	2026-03-16	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Noor Alam Magical Addons For Elementor magical-addons-for-elementor allows Stored XSS.This issue affects Magical Addons For Elementor: from n/a through <= 1.4.1.
CVE-2026-32459	2 Flycart, Wordpress	2 Upsellwp, Wordpress	2026-03-16	8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in flycart UpsellWP checkout-upsell-and-order-bumps allows Blind SQL Injection.This issue affects UpsellWP: from n/a through <= 2.2.4.

« first previous Page 8 of 551. next last »