Filtered by vendor Wordpress
Subscriptions
Total
11922 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-59007 | 3 Elementor, Themesflat, Wordpress | 3 Elementor, Tf Woo Product Grid Addon For Elementor, Wordpress | 2026-04-15 | 8.1 High |
| Deserialization of Untrusted Data vulnerability in themesflat TF Woo Product Grid Addon For Elementor tf-woo-product-grid allows Object Injection.This issue affects TF Woo Product Grid Addon For Elementor: from n/a through <= 1.0.1. | ||||
| CVE-2025-58971 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AmentoTech Doctreat doctreat allows Reflected XSS.This issue affects Doctreat: from n/a through <= 1.6.7. | ||||
| CVE-2025-58970 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in AmentoTech Doctreat doctreat allows Code Injection.This issue affects Doctreat: from n/a through <= 1.6.7. | ||||
| CVE-2025-58921 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arevico WP Tactical Popup wp-tactical-popup allows Reflected XSS.This issue affects WP Tactical Popup: from n/a through <= 1.1. | ||||
| CVE-2025-58858 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPBean WPB Image Widget wpb-image-widget allows Stored XSS.This issue affects WPB Image Widget: from n/a through <= 1.1. | ||||
| CVE-2025-49300 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 2.7 Low |
| Insertion of Sensitive Information Into Sent Data vulnerability in shinetheme Traveler Option Tree custom-option-tree allows Retrieve Embedded Sensitive Data.This issue affects Traveler Option Tree: from n/a through <= 2.8. | ||||
| CVE-2025-49053 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kadesthemes WP Airdrop Manager airdrop allows Stored XSS.This issue affects WP Airdrop Manager: from n/a through <= 1.0.5. | ||||
| CVE-2025-58814 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ram Ratan Maurya Stagtools stagtools allows Stored XSS.This issue affects Stagtools: from n/a through <= 2.3.8. | ||||
| CVE-2025-47444 | 2 Liquidweb, Wordpress | 2 Givewp, Wordpress | 2026-04-15 | N/A |
| Missing Authorization vulnerability in Damian Góra FiboSearch ajax-search-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FiboSearch: from n/a through <= 1.32.1. | ||||
| CVE-2024-5855 | 2 Media Hygiene, Wordpress | 2 Media Hygiene, Wordpress | 2026-04-15 | 4.3 Medium |
| The Media Hygiene: Remove or Delete Unused Images and More! plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the bulk_action_delete and delete_single_image_call AJAX actions in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary attachments. A nonce check was added in version 3.0.1, however, it wasn't until version 3.0.2 that a capability check was added. | ||||
| CVE-2024-32137 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Solwin User Activity Log Pro.This issue affects User Activity Log Pro: from n/a through 2.3.4. | ||||
| CVE-2025-58664 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Missing Authorization vulnerability in Azizul Hasan Text To Speech TTS Accessibility text-to-audio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Text To Speech TTS Accessibility: from n/a through <= 1.9.30. | ||||
| CVE-2024-38715 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ExS ExS Widgets allows PHP Local File Inclusion.This issue affects ExS Widgets: from n/a through 0.3.1. | ||||
| CVE-2025-10134 | 2 Bearsthemes, Wordpress | 2 Goza Nonprofit Charity Wordpress Theme, Wordpress | 2026-04-15 | 9.1 Critical |
| The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | ||||
| CVE-2025-26774 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rock Solid Responsive Modal Builder for High Conversion – Easy Popups easy-popups allows Reflected XSS.This issue affects Responsive Modal Builder for High Conversion – Easy Popups: from n/a through <= 1.5.0. | ||||
| CVE-2025-4212 | 2 Wordpress, Wpwham | 2 Wordpress, Checkout Files Upload For Woocommerce | 2026-04-15 | 7.2 High |
| The Checkout Files Upload for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file uploads in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in image files that will execute whenever a user accesses the injected page. | ||||
| CVE-2025-58609 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Iulia Cazan Latest Post Shortcode latest-post-shortcode allows Stored XSS.This issue affects Latest Post Shortcode: from n/a through <= 14.0.3. | ||||
| CVE-2024-3491 | 2 Magazine3, Wordpress | 2 Schema & Structured Data For Wp & Amp, Wordpress | 2026-04-15 | 6.4 Medium |
| The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's "How To" and "FAQ" Blocks in all versions up to, and including, 1.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-44017 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in MinHyeong Lim MH Board mh-board allows PHP Local File Inclusion.This issue affects MH Board: from n/a through <= 1.3.2.1. | ||||
| CVE-2025-58241 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in snapwidget SnapWidget Social Photo Feed Widget snapwidget-wp-instagram-widget allows DOM-Based XSS.This issue affects SnapWidget Social Photo Feed Widget: from n/a through <= 1.1.0. | ||||