Filtered by vendor Wordpress
Subscriptions
Total
11922 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-30991 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shahjada WPDM – Premium Packages wpdm-premium-packages allows Stored XSS.This issue affects WPDM – Premium Packages: from n/a through <= 6.0.6. | ||||
| CVE-2024-29762 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jory Hogeveen Off-Canvas Sidebars & Menus (Slidebars) allows Stored XSS.This issue affects Off-Canvas Sidebars & Menus (Slidebars): from n/a through 0.5.8.1. | ||||
| CVE-2025-30998 | 2 Rico Macchi, Wordpress | 2 Wp Links Page, Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Rico Macchi WP Links Page wp-links-page allows SQL Injection.This issue affects WP Links Page: from n/a through <= 4.9.6. | ||||
| CVE-2025-9115 | 2 Etsy Shop Project, Wordpress | 2 Etsy Shop, Wordpress | 2026-04-15 | 5.6 Medium |
| The Etsy Shop WordPress plugin before 3.0.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers. | ||||
| CVE-2025-9334 | 2 Codesolz, Wordpress | 2 Better Find And Replace, Wordpress | 2026-04-15 | 8.8 High |
| The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Limited Code Injection in all versions up to, and including, 1.7.7. This is due to insufficient input validation and restriction on the 'rtafar_ajax' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to call arbitrary plugin functions and execute code within those functions. | ||||
| CVE-2025-31007 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alvind Billplz Addon for Contact Form 7 billplz-for-contact-form-7 allows Reflected XSS.This issue affects Billplz Addon for Contact Form 7: from n/a through <= 1.2.0. | ||||
| CVE-2024-29788 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Podlove Podlove Web Player allows Stored XSS.This issue affects Podlove Web Player: from n/a through 5.7.1. | ||||
| CVE-2024-8760 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| The Stackable – Page Builder Gutenberg Blocks plugin for WordPress is vulnerable to CSS Injection in all versions up to, and including, 3.13.6. This makes it possible for unauthenticated attackers to embed untrusted style information into comments resulting in a possibility of data exfiltration such as admin nonces with limited impact. These nonces could be used to perform CSRF attacks within a limited time window. The presence of other plugins may make additional nonces available, which may pose a risk in plugins that don't perform capability checks to protect AJAX actions or other actions reachable by lower-privileged users. | ||||
| CVE-2025-52764 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in marielav flexoslider flexoslider allows Reflected XSS.This issue affects flexoslider: from n/a through <= 1.0004. | ||||
| CVE-2024-8860 | 2 Themefic, Wordpress | 2 Tourfic, Wordpress | 2026-04-15 | 4.3 Medium |
| The Tourfic plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tf_order_status_email_resend_function, tf_visitor_details_edit_function, tf_checkinout_details_edit_function, tf_order_status_edit_function, tf_order_bulk_action_edit_function, tf_remove_room_order_ids, and tf_delete_old_review_fields functions in all versions up to, and including, 2.14.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to resend order status emails, update visitor/order details, edit check-in/out details, edit order status, perform bulk order status updates, remove room order IDs, and delete old review fields, respectively. | ||||
| CVE-2025-31020 | 2 Webliberty, Wordpress | 2 Simple Spoiler, Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Webliberty Simple Spoiler simple-spoiler allows Stored XSS.This issue affects Simple Spoiler: from n/a through <= 1.4. | ||||
| CVE-2025-31023 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in Purab Seo Meta Tags seo-meta-tags allows Cross Site Request Forgery.This issue affects Seo Meta Tags: from n/a through <= 1.4. | ||||
| CVE-2024-8874 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The AJAX Login and Registration modal popup + inline form plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.24. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-29908 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kienso Co-marquage service-public.Fr allows Stored XSS.This issue affects Co-marquage service-public.Fr: from n/a through 0.5.71. | ||||
| CVE-2024-29912 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Baptiste Placé iCalendrier allows Stored XSS.This issue affects iCalendrier: from n/a through 1.80. | ||||
| CVE-2025-62138 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Missing Authorization vulnerability in cedcommerce WP Advanced PDF wp-advanced-pdf allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Advanced PDF: from n/a through <= 1.1.7. | ||||
| CVE-2025-31062 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in redqteam Wishlist wishlist allows Retrieve Embedded Sensitive Data.This issue affects Wishlist: from n/a through <= 2.1.0. | ||||
| CVE-2025-31063 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Missing Authorization vulnerability in redqteam Wishlist wishlist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wishlist: from n/a through <= 2.1.0. | ||||
| CVE-2025-66139 | 2 Merkulove, Wordpress | 2 Audier For Elementor, Wordpress | 2026-04-15 | 5.4 Medium |
| Missing Authorization vulnerability in merkulove Audier For Elementor audier-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Audier For Elementor: from n/a through <= 1.0.9. | ||||
| CVE-2025-13408 | 2 Foxtheme, Wordpress | 2 Foxtool All-in-one, Wordpress | 2026-04-15 | 4.3 Medium |
| The Foxtool All-in-One: Contact chat button, Custom login, Media optimize images plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the foxtool_login_google() function. This makes it possible for unauthenticated attackers to establish an OAuth Connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||