Wordpress CVEs and Security Vulnerabilities

Filtered by vendor Wordpress Subscriptions

Filtered by product Wordpress Subscriptions

Search

Switch to Advanced Search (Beta)

Total 11792 CVE

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2025-60176	1 Wordpress	1 Wordpress	2026-04-15	5.9 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tattersoftware WP Tesseract wp-tesseract allows Stored XSS.This issue affects WP Tesseract: from n/a through <= 1.0.2.
CVE-2025-60179	1 Wordpress	1 Wordpress	2026-04-15	5.9 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Space Studio Click & Tweet allows Stored XSS. This issue affects Click & Tweet: from n/a through 0.8.9.
CVE-2025-48094	2 Lambertgroup, Wordpress	2 Magic Slider, Wordpress	2026-04-15	6.1 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Magic Slider magic_slider allows Reflected XSS.This issue affects Magic Slider: from n/a through <= 2.2.
CVE-2025-69320	1 Wordpress	1 Wordpress	2026-04-15	7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Magazine grandmagazine allows Reflected XSS.This issue affects Grand Magazine: from n/a through <= 3.5.7.
CVE-2025-60183	2 Silence, Wordpress	2 Silencesoft Rss Reader, Wordpress	2026-04-15	5.9 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in silence Silencesoft RSS Reader external-rss-reader allows Stored XSS.This issue affects Silencesoft RSS Reader: from n/a through <= 0.6.
CVE-2025-60187	2 Atarim, Wordpress	2 Atarim, Wordpress	2026-04-15	4.8 Medium
Unrestricted Upload of File with Dangerous Type vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Using Malicious Files.This issue affects Atarim: from n/a through <= 4.2.1.
CVE-2025-60189	3 Polopag, Woocommerce, Wordpress	3 Polopag, Woocommerce, Wordpress	2026-04-15	7.5 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PoloPag PoloPag – Pix Automático para Woocommerce wc-polo-payments allows PHP Local File Inclusion.This issue affects PoloPag – Pix Automático para Woocommerce: from n/a through <= 2.0.9.
CVE-2025-69322	2 Fuelthemes, Wordpress	2 Peakshops, Wordpress	2026-04-15	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes PeakShops peakshops allows PHP Local File Inclusion.This issue affects PeakShops: from n/a through < 1.5.9.
CVE-2025-69326	2 Basixonline, Wordpress	2 Nex-forms, Wordpress	2026-04-15	7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms nex-forms-express-wp-form-builder allows Reflected XSS.This issue affects NEX-Forms: from n/a through <= 9.1.7.
CVE-2025-26961	1 Wordpress	1 Wordpress	2026-04-15	N/A
Missing Authorization vulnerability in FRESHFACE Fresh Framework fresh-framework allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Fresh Framework: from n/a through <= 1.70.0.
CVE-2025-60190	2 Hinnerk Altenburg, Wordpress	2 Immocaster Wordpress Plugin, Wordpress	2026-04-15	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Hinnerk Altenburg Immocaster WordPress Plugin immocaster allows PHP Local File Inclusion.This issue affects Immocaster WordPress Plugin: from n/a through <= 1.3.6.
CVE-2025-12527	1 Wordpress	1 Wordpress	2026-04-15	4.3 Medium
The Page & Post Notes plugin for WordPress is vulnerable to unauthorized modification of notes due to a missing capability check on the 'yydev_notes_save_dashboard_data' function in all versions up to, and including, 1.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify notes.
CVE-2025-69327	1 Wordpress	1 Wordpress	2026-04-15	4.3 Medium
Missing Authorization vulnerability in magepeopleteam Car Rental Manager car-rental-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Car Rental Manager: from n/a through <= 1.0.9.
CVE-2025-60191	3 Premmerce, Woocommerce, Wordpress	3 Wishlist For Woocommerce, Woocommerce, Wordpress	2026-04-15	7.5 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Premmerce Premmerce Wishlist for WooCommerce premmerce-woocommerce-wishlist allows PHP Local File Inclusion.This issue affects Premmerce Wishlist for WooCommerce: from n/a through <= 1.1.10.
CVE-2025-49388	1 Wordpress	1 Wordpress	2026-04-15	N/A
Incorrect Privilege Assignment vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Privilege Escalation.This issue affects Miraculous Core Plugin: from n/a through <= 2.0.7.
CVE-2025-69328	2 Magepeople, Wordpress	2 Booking & Rental Manager, Wordpress	2026-04-15	8.8 High
Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Object Injection.This issue affects Booking and Rental Manager: from n/a through <= 2.5.9.
CVE-2025-60194	2 Premmerce, Wordpress	2 Product Search For Woocommerce, Wordpress	2026-04-15	7.5 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Premmerce Premmerce Product Search for WooCommerce premmerce-search allows PHP Local File Inclusion.This issue affects Premmerce Product Search for WooCommerce: from n/a through <= 2.2.4.
CVE-2025-2010	1 Wordpress	1 Wordpress	2026-04-15	7.5 High
The JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin plugin for WordPress is vulnerable to SQL Injection via the 'jobwp_upload_resume' parameter in all versions up to, and including, 2.3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2025-60197	2 Owenr88, Wordpress	2 Simple Contact Forms, Wordpress	2026-04-15	8.2 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in owenr88 Simple Contact Forms simple-contact-forms allows PHP Local File Inclusion.This issue affects Simple Contact Forms: from n/a through <= 1.6.4.
CVE-2025-30569	1 Wordpress	1 Wordpress	2026-04-15	N/A
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jahertor WP Featured Entries wp-featured-entries allows SQL Injection.This issue affects WP Featured Entries: from n/a through <= 1.0.

« first previous Page 82 of 590. next last »