Filtered by vendor Wordpress
Subscriptions
Total
9900 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-12685 | 3 Iqonic, Iqonicdesign, Wordpress | 3 Wpbookit, Wpbookit, Wordpress | 2026-01-05 | 6.5 Medium |
| The WPBookit WordPress plugin through 1.0.7 lacks a CSRF check when deleting customers. This could allow an unauthenticated attacker to delete any customer through a CSRF attack. | ||||
| CVE-2025-13456 | 2 Shopbuilder, Wordpress | 2 Shopbuilder, Wordpress | 2026-01-05 | 6.1 Medium |
| The ShopBuilder WordPress plugin before 3.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | ||||
| CVE-2025-13153 | 2 Logo Slider Wordpress, Wordpress | 2 Logo Slider Wordpress, Wordpress | 2026-01-05 | 6.1 Medium |
| The Logo Slider WordPress plugin before 4.9.0 does not validate and escape some of its slider options before outputting them back in the dashboard, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2024-6797 | 2 Dyadyalesha, Wordpress | 2 Dl Robots.txt, Wordpress | 2026-01-02 | 4.8 Medium |
| The DL Robots.txt WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2024-31211 | 1 Wordpress | 1 Wordpress | 2026-01-02 | 5.5 Medium |
| WordPress is an open publishing platform for the Web. Unserialization of instances of the `WP_HTML_Token` class allows for code execution via its `__destruct()` magic method. This issue was fixed in WordPress 6.4.2 on December 6th, 2023. Versions prior to 6.4.0 are not affected. | ||||
| CVE-2023-23985 | 2 Ays-pro, Wordpress | 2 Quiz Maker, Wordpress | 2025-12-31 | 3.7 Low |
| Missing Authorization vulnerability in Quiz Maker team Quiz Maker.This issue affects Quiz Maker: from n/a through 6.3.9.4. | ||||
| CVE-2024-8914 | 1 Wordpress | 2 Thanh Toan Quet Ma Qr Code Tu Dong, Wordpress | 2025-12-31 | 7.2 High |
| The Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.1 due to incorrect use of the wp_kses_allowed_html function, which allows the 'onclick' attribute for certain HTML elements without sufficient restriction or context validation. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-56055 | 2 Vibethemes, Wordpress | 2 Wordpress Learning Management System, Wordpress | 2025-12-31 | 8.5 High |
| Path Traversal: '.../...//' vulnerability in VibeThemes WPLMS allows Path Traversal.This issue affects WPLMS: from n/a before 1.9.9.5.2. | ||||
| CVE-2025-14913 | 2 Wordpress, Wpshuffle | 2 Wordpress, Frontend Post Submission Manager | 2025-12-29 | 5.3 Medium |
| The Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to an incorrect authorization check on the 'media_delete_action' function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to delete arbitrary attachments. | ||||
| CVE-2025-13958 | 1 Wordpress | 1 Wordpress | 2025-12-29 | 5.9 Medium |
| The YaMaps for WordPress Plugin WordPress plugin before 0.6.40 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2025-13407 | 2 Gravityforms, Wordpress | 2 Gravity Forms, Wordpress | 2025-12-29 | 6.8 Medium |
| The Gravity Forms WordPress plugin before 2.9.23.1 does not properly prevent users from uploading dangerous files through its chunked upload functionality, allowing attackers to upload PHP files to affected sites and achieve Remote Code Execution, granted they can discover or enumerate the upload path. | ||||
| CVE-2023-36525 | 2 Wordpress, Wpjobboard | 2 Wordpress, Wpjobboard | 2025-12-29 | 8.6 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPJobBoard allows Blind SQL Injection.This issue affects WPJobBoard: from n/a through 5.9.0. | ||||
| CVE-2023-28619 | 1 Wordpress | 1 Wordpress | 2025-12-29 | 4.3 Medium |
| Missing Authorization vulnerability in bnayawpguy Resoto allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Resoto: from n/a through 1.0.8. | ||||
| CVE-2023-32120 | 1 Wordpress | 1 Wordpress | 2025-12-29 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bob Hostel allows DOM-Based XSS.This issue affects Hostel: from n/a through 1.1.5.1. | ||||
| CVE-2023-40679 | 2 Jeweltheme, Wordpress | 2 Master Addons For Elementor, Wordpress | 2025-12-29 | 6.5 Medium |
| Missing Authorization vulnerability in Jewel Theme Master Addons for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Master Addons for Elementor: from n/a through 2.0.5.3. | ||||
| CVE-2025-13417 | 1 Wordpress | 1 Wordpress | 2025-12-29 | 8.6 High |
| The Plugin Organizer WordPress plugin before 10.2.4 does not sanitize and escape a parameter before using it in a SQL statement, allowing subscribers to perform SQL injection attacks. | ||||
| CVE-2025-13773 | 2 Tychesoftwares, Wordpress | 2 Print Invoice & Delivery Notes For Woocommerce, Wordpress | 2025-12-29 | 9.8 Critical |
| The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0 via the 'WooCommerce_Delivery_Notes::update' function. This is due to missing capability check in the 'WooCommerce_Delivery_Notes::update' function, PHP enabled in Dompdf, and missing escape in the 'template.php' file. This makes it possible for unauthenticated attackers to execute code on the server. | ||||
| CVE-2025-12654 | 2 Wordpress, Wpvividplugins | 2 Wordpress, Migration Backup Staging Wpvivd Backup And Migration | 2025-12-23 | 2.7 Low |
| The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory creation in all versions up to, and including, 0.9.120. This is due to the check_filesystem_permissions() function not properly restricting the directories that can be created, or in what location. This makes it possible for authenticated attackers, with Administrator-level access and above, to create arbitrary directories. | ||||
| CVE-2025-13838 | 3 Htplugins, Woocommerce, Wordpress | 3 Wishsuite, Woocommerce, Wordpress | 2025-12-23 | 6.4 Medium |
| The WishSuite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_text' parameter of the 'wishsuite_button' shortcode in all versions up to, and including, 1.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-14080 | 2 Wordpress, Wpshuffle | 2 Wordpress, Frontend Post Submission Manager | 2025-12-23 | 5.3 Medium |
| The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.5. This is due to missing authorization checks on the post update functionality in the fpsml_form_process AJAX action. This makes it possible for unauthenticated attackers to modify arbitrary posts by providing a post_id parameter via the guest posting form, allowing them to change post titles, content, excerpts, and remove post authors. | ||||