Filtered by vendor Wordpress
Subscriptions
Filtered by product Wordpress
Subscriptions
Total
11831 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-10575 | 2 Ivycat, Wordpress | 2 Wp Jquery Pager, Wordpress | 2026-04-15 | 6.5 Medium |
| The WP jQuery Pager plugin for WordPress is vulnerable to SQL Injection via the 'ids' shortcode attribute parameter handled by the WPJqueryPaged::get_gallery_page_imgs() function in all versions up to, and including, 1.4.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-2238 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| The Vikinger theme for WordPress is vulnerable to privilege in all versions up to, and including, 1.9.30. This is due to insufficient user_meta restrictions in the 'vikinger_user_meta_update_ajax' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator-level. | ||||
| CVE-2025-62122 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Missing Authorization vulnerability in solwininfotech Trash Duplicate and 301 Redirect trash-duplicate-and-301-redirect allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Trash Duplicate and 301 Redirect: from n/a through <= 1.9.1. | ||||
| CVE-2025-62124 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soli WP Post Signature wp-post-signature allows Stored XSS.This issue affects WP Post Signature: from n/a through <= 0.4.1. | ||||
| CVE-2025-10579 | 2 Backwpup, Wordpress | 2 Backwpup, Wordpress | 2026-04-15 | 5.3 Medium |
| The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'backwpup_working' AJAX action in all versions up to, and including, 5.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve access to a back-up's filename while a backup is running. This information has little value on it's own, but could be used to aid in a brute force attack to retrieve back-up contents in limited environments (i.e. NGINX). | ||||
| CVE-2025-10582 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| The WP Dispatcher plugin for WordPress is vulnerable to SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-10586 | 2 Jackdewey, Wordpress | 2 Community Events, Wordpress | 2026-04-15 | 9.8 Critical |
| The Community Events plugin for WordPress is vulnerable to SQL Injection via the ‘event_venue’ parameter in all versions up to, and including, 1.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-62129 | 2 Magnigenie, Wordpress | 2 Restropress, Wordpress | 2026-04-15 | N/A |
| Missing Authorization vulnerability in Magnigenie RestroPress restropress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RestroPress: from n/a through <= 3.2.7. | ||||
| CVE-2025-10587 | 2 Jackdewey, Wordpress | 2 Community Events, Wordpress | 2026-04-15 | 9.8 Critical |
| The Community Events plugin for WordPress is vulnerable to SQL Injection via the event_category parameter in all versions up to, and including, 1.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-62137 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shuttlethemes Shuttle shuttle allows Stored XSS.This issue affects Shuttle: from n/a through <= 1.5.0. | ||||
| CVE-2025-10588 | 2 Pixelyoursite, Wordpress | 2 Pixelyoursite, Wordpress | 2026-04-15 | 4.3 Medium |
| The PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 11.1.2. This is due to missing or incorrect nonce validation on the adminEnableGdprAjax() function. This makes it possible for unauthenticated attackers to modify GDPR settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-62140 | 2 Plainwaire, Wordpress | 2 Locatoraid Store Locator, Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in plainware Locatoraid Store Locator locatoraid allows Stored XSS.This issue affects Locatoraid Store Locator: from n/a through <= 3.9.68. | ||||
| CVE-2025-62028 | 2 Themenectar, Wordpress | 2 Salient Core, Wordpress | 2026-04-15 | 4.3 Medium |
| Missing Authorization vulnerability in ThemeNectar Salient salient.This issue affects Salient: from n/a through < 17.4.0. | ||||
| CVE-2025-62030 | 2 Tagdiv, Wordpress | 2 Composer, Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer.This issue affects tagDiv Composer: from n/a through <= 5.4.1. | ||||
| CVE-2025-62149 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SaifuMak Add Custom Codes add-custom-codes allows Stored XSS.This issue affects Add Custom Codes: from n/a through <= 4.80. | ||||
| CVE-2025-22739 | 2 Thimpress, Wordpress | 2 Learnpress, Wordpress | 2026-04-15 | N/A |
| Missing Authorization vulnerability in ThimPress LearnPress learnpress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LearnPress: from n/a through <= 4.2.7.5. | ||||
| CVE-2025-22775 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in idiatech Catalog Importer, Scraper & Crawler intelligent-importer allows Reflected XSS.This issue affects Catalog Importer, Scraper & Crawler: from n/a through <= 5.1.3. | ||||
| CVE-2025-1061 | 2 Nextendweb, Wordpress | 2 Nextend Social Login Pro, Wordpress | 2026-04-15 | 9.8 Critical |
| The Nextend Social Login Pro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.1.16. This is due to insufficient verification on the user being supplied during the Apple OAuth authenticate request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. | ||||
| CVE-2025-62044 | 2 Codexthemes, Wordpress | 2 Thegem, Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for WPBakery) thegem-elements.This issue affects TheGem Theme Elements (for WPBakery): from n/a through <= 5.10.5.1. | ||||
| CVE-2025-10635 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.7 High |
| The Find Me On WordPress plugin through 2.0.9.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing subscribers and above to perform SQL injection attacks | ||||