Filtered by vendor Wordpress
Subscriptions
Filtered by product Wordpress
Subscriptions
Total
11698 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-5456 | 3 Panda Video, Pandavideo, Wordpress | 3 Panda Video, Panda Video, Wordpress | 2026-04-08 | 8.8 High |
| The Panda Video plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.0 via the 'selected_button' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | ||||
| CVE-2024-4984 | 2 Wordpress, Yoast | 2 Wordpress, Yoast Seo | 2026-04-08 | 6.4 Medium |
| The Yoast SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘display_name’ author meta in all versions up to, and including, 22.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-4698 | 2 Uapp, Wordpress | 2 Testimonial Carousel For Elementor, Wordpress | 2026-04-08 | 6.4 Medium |
| The Testimonial Carousel For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'show_line_text ' and 'slide_button_hover_animation' parameters in versions up to, and including, 10.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2024-35713 is likely a duplicate of this issue. | ||||
| CVE-2024-4347 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 7.2 High |
| The WP Fastest Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.2.6 via the specificDeleteCache function. This makes it possible for authenticated attackers to delete arbitrary files on the server, which can include wp-config.php files of the affected site or other sites in a shared hosting environment. | ||||
| CVE-2024-4135 | 2 Joomunited, Wordpress | 2 Wp Latest Posts, Wordpress | 2026-04-08 | 5.4 Medium |
| The WP Latest Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.0.7. This is due to the plugin allowing users to execute an action that does not properly validate a user-supplied value prior to using that value in a call to do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | ||||
| CVE-2024-4097 | 2 Stylemixthemes, Wordpress | 2 Cost Calculator Builder, Wordpress | 2026-04-08 | 7.2 High |
| The Cost Calculator Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the SVG upload feature in all versions up to, and including, 3.1.67 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-3991 | 2 Hasthemes, Wordpress | 3 Shoplentor, Shoplentor, Wordpress | 2026-04-08 | 6.4 Medium |
| The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _id attribute in the Horizontal Product Filter in all versions up to, and including, 2.8.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-3952 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 6.4 Medium |
| The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Advanced Ad widget in all versions up to, and including, 1.52.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-3929 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 6.4 Medium |
| The Content Views – Post Grid & Filter, Recent Posts, Category Posts, & More (Gutenberg Blocks and Shortcode) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Widget Post Overlay block in all versions up to, and including, 3.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-3807 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 8.8 High |
| The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via 'porto_page_header_shortcode_type', 'slideshow_type' and 'post_layout' post meta. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. This was partially patched in version 7.1.0 and fully patched in version 7.1.1. | ||||
| CVE-2024-3806 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 9.8 Critical |
| The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via the 'porto_ajax_posts' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. | ||||
| CVE-2024-3677 | 2 Tinyweb, Wordpress | 2 Ultimate 410 Gone Status Code, Wordpress | 2026-04-08 | 6.4 Medium |
| The Ultimate 410 Gone Status Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 410 entries in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-3664 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 4.3 Medium |
| The Quick Featured Images plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the set_thumbnail and delete_thumbnail functions in all versions up to, and including, 13.7.0. This makes it possible for authenticated attackers, with contributor-level access and above, to delete thumbnails and add thumbnails to posts they did not author. | ||||
| CVE-2024-3595 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 6.4 Medium |
| The Pure Chat – Live Chat Plugin & More! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the purechatwid and purechatwname parameter in all versions up to, and including, 2.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-3312 | 2 Tonjoostudio, Wordpress | 2 Easy Custom Auto Excerpt, Wordpress | 2026-04-08 | 5.3 Medium |
| The Easy Custom Auto Excerpt plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.12. This makes it possible for unauthenticated attackers to obtain excerpts of password-protected posts. | ||||
| CVE-2024-3072 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 4.3 Medium |
| The ACF Front End Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_texts() function in all versions up to, and including, 2.0.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary post title, content, and ACF data. | ||||
| CVE-2024-3071 | 1 Wordpress | 2 Acf-on-the-go, Wordpress | 2026-04-08 | 4.3 Medium |
| The ACF On-The-Go plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the acfg_update_fields() function in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary post titles, descriptions, and ACF values. | ||||
| CVE-2024-3031 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 4.4 Medium |
| The Fluid Notification Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2024-3027 | 2 Nextendweb, Wordpress | 2 Smart Slider 3, Wordpress | 2026-04-08 | 6.4 Medium |
| The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the upload function in all versions up to, and including, 3.5.1.22. This makes it possible for authenticated attackers, with contributor-level access and above, to upload files, including SVG files, which can be used to conduct stored cross-site scripting attacks. | ||||
| CVE-2024-2970 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 4.3 Medium |
| The News Wall plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the nwap_newslist_page() function. This makes it possible for unauthenticated attackers to update the plugin's settings and modify news lists via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||