Filtered by vendor Wordpress
Subscriptions
Total
11922 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-9104 | 2 Tophive, Wordpress | 2 Ultimate Ai, Wordpress | 2026-04-15 | 5.6 Medium |
| The UltimateAI plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.8.3. This is due to the improper empty value check and a missing default activated value check in the 'ultimate_ai_change_pass' function. This makes it possible for unauthenticated attackers to reset the password of the first user, whose account is not yet activated or the first user who activated their account, who are subscribers. | ||||
| CVE-2025-25097 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kwiliarty External Video For Everybody external-video-for-everybody allows Stored XSS.This issue affects External Video For Everybody: from n/a through <= 2.1.1. | ||||
| CVE-2024-45453 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Authentication Bypass by Spoofing vulnerability in Peter Hardy-vanDoorn Maintenance Redirect jf3-maintenance-mode.This issue affects Maintenance Redirect: from n/a through <= 2.0.1. | ||||
| CVE-2025-25099 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in accreteinfosolution Appointment Buddy Widget appointment-buddy-online-appointment-booking-by-accrete allows Cross-Site Scripting (XSS).This issue affects Appointment Buddy Widget: from n/a through <= 1.2. | ||||
| CVE-2025-25105 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in coffeestudios Pop Up popup-seo-optimized allows Stored XSS.This issue affects Pop Up: from n/a through <= 0.1. | ||||
| CVE-2025-25107 | 2 Sainwp, Wordpress | 2 Onestore Sites, Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in sainwp OneStore Sites onestore-sites allows Cross Site Request Forgery.This issue affects OneStore Sites: from n/a through <= 0.1.1. | ||||
| CVE-2026-1271 | 2 Metagauss, Wordpress | 2 Profilegrid, Wordpress | 2026-04-15 | 5.3 Medium |
| The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.9.7.2 via the 'pm_upload_image' and 'pm_upload_cover_image' AJAX actions. This is due to the update_user_meta() function being called outside of the user authorization check in public/partials/crop.php and public/partials/coverimg_crop.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change any user's profile picture or cover image, including administrators. | ||||
| CVE-2024-9187 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The Read more By Adam plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteRm() function in all versions up to, and including, 1.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete read more buttons. | ||||
| CVE-2025-25116 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in sudipto Link to URL / Post link-to-url-post allows Blind SQL Injection.This issue affects Link to URL / Post: from n/a through <= 1.3. | ||||
| CVE-2025-28987 | 2 Pressforward, Wordpress | 2 Pressforward, Wordpress | 2026-04-15 | N/A |
| Server-Side Request Forgery (SSRF) vulnerability in PressForward PressForward pressforward allows Server Side Request Forgery.This issue affects PressForward: from n/a through <= 5.9.5. | ||||
| CVE-2025-25143 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in ibasit GlobalQuran globalquran allows Cross Site Request Forgery.This issue affects GlobalQuran: from n/a through <= 1.0. | ||||
| CVE-2025-28997 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Missing Authorization vulnerability in EXEIdeas International WP AutoKeyword wp-autokeyword allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP AutoKeyword: from n/a through <= 1.0. | ||||
| CVE-2025-25151 | 2 Stylemixthemes, Wordpress | 2 Ulisting, Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix uListing ulisting allows SQL Injection.This issue affects uListing: from n/a through <= 2.1.6. | ||||
| CVE-2024-9304 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The LocateAndFilter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||
| CVE-2024-47312 | 2 Wordpress, Wpgrim | 2 Wordpress, Classic Editor And Classic Widgets | 2026-04-15 | N/A |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Grim Classic Editor and Classic Widgets classic-editor-and-classic-widgets allows SQL Injection.This issue affects Classic Editor and Classic Widgets: from n/a through <= 1.4.1. | ||||
| CVE-2025-25173 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FasterThemes FastBook fastbook-responsive-appointment-booking-and-scheduling-system allows Stored XSS.This issue affects FastBook: from n/a through <= 1.1. | ||||
| CVE-2025-5395 | 2 Valvepress, Wordpress | 2 Wordpress Automatic Plugin, Wordpress | 2026-04-15 | 8.8 High |
| The WordPress Automatic Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'core.php' file in all versions up to, and including, 3.115.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-9346 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The Embed videos and respect privacy plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'v' parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-22261 | 2 Pixelite, Wordpress | 2 Wp Fullcalendar, Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marcus (aka @msykes) WP FullCalendar wp-fullcalendar allows Stored XSS.This issue affects WP FullCalendar: from n/a through <= 1.5. | ||||
| CVE-2024-9386 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Exclusive Divi – Divi Preloader, Modules for Divi & Extra Theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||