Wordpress CVEs and Security Vulnerabilities

Export limit exceeded: 347729 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Use the Query Builder to create your own search query, or check out the documentation to learn the search syntax.

Search Examples

CVEs in KEV CVEs with EPSS >= 80% Crit. Microsoft High Apache SQL Injection (CWE-89) Linux Kernel High (CVSS 3.1) Apache Struts RCE (Remote Code Execution) XSS (CWE-79) Critical (CVSS 4.0) CVEs to check

Search Results (11958 CVEs found)

Export CSV

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2025-11499	2 Essekia, Wordpress	2 Tablesome Table, Wordpress	2026-04-22	9.8 Critical
The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image_from_external_url() function in all versions up to, and including, 1.1.32. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible in configurations where unauthenticated users have been provided with a method for adding featured images, and the workflow trigger is created.
CVE-2025-62043	2 Wordpress, Wpsight	2 Wordpress, Wpcasa	2026-04-22	6.5 Medium
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPSight WPCasa allows DOM-Based XSS.This issue affects WPCasa: from n/a through 1.4.1.
CVE-2026-0677	2 Totalsuite, Wordpress	2 Totalcontest, Wordpress	2026-04-22	N/A
Deserialization of Untrusted Data vulnerability in TotalSuite TotalContest Lite totalcontest-lite allows Object Injection.This issue affects TotalContest Lite: from n/a through <= 2.9.1.
CVE-2026-32583	2 Webnus, Wordpress	2 Modern Events Calendar, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in Webnus Inc. Modern Events Calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Modern Events Calendar: from n/a through 7.29.0.
CVE-2024-32537	2 Joshuae1974, Wordpress	2 Flash Video Player, Wordpress	2026-04-22	7.1 High
Cross-Site request forgery (CSRF) vulnerability in joshuae1974 Flash Video Player allows Cross Site Request Forgery.This issue affects Flash Video Player: from n/a through 5.0.4.
CVE-2024-31119	2 Vasilis Triantafyllou, Wordpress	2 Special Box For Content, Wordpress	2026-04-22	5.9 Medium
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Vasilis Triantafyllou Special Box for Content allows DOM-Based XSS.This issue affects Special Box for Content: from n/a through 1.
CVE-2026-3584	2 Wordpress, Wpchill	2 Wordpress, Kali Forms — Contact Form & Drag-and-drop Builder	2026-04-22	9.8 Critical
The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of 'call_user_func' on these placeholder values. This makes it possible for unauthenticated attackers to execute code on the server.
CVE-2026-32376	2 Raratheme, Wordpress	2 Kalon, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in raratheme Kalon kalon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Kalon: from n/a through <= 1.2.9.
CVE-2026-32543	2 Cyberchimps, Wordpress	2 Responsive Blocks, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in CyberChimps Responsive Blocks responsive-block-editor-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Responsive Blocks: from n/a through <= 2.2.0.
CVE-2026-32447	2 Vito Peleg, Wordpress	2 Atarim, Wordpress	2026-04-22	4.3 Medium
Missing Authorization vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Atarim: from n/a through <= 4.3.2.
CVE-2026-32411	2 Simpma, Wordpress	2 Embed Calendly, Wordpress	2026-04-22	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Simpma Embed Calendly embed-calendly-scheduling allows Stored XSS.This issue affects Embed Calendly: from n/a through <= 4.4.
CVE-2026-32439	2 Webgeniuslab, Wordpress	2 Bighearts, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in WebGeniusLab BigHearts bighearts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BigHearts: from n/a through <= 3.1.14.
CVE-2026-32360	2 Richplugins, Wordpress	2 Rich Showcase For Google Reviews, Wordpress	2026-04-22	5.9 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in richplugins Rich Showcase for Google Reviews widget-google-reviews allows Stored XSS.This issue affects Rich Showcase for Google Reviews: from n/a through <= 6.9.4.3.
CVE-2026-32361	2 Marketing Fire, Wordpress	2 Editorial Calendar, Wordpress	2026-04-22	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marketing Fire Editorial Calendar editorial-calendar allows DOM-Based XSS.This issue affects Editorial Calendar: from n/a through <= 3.9.0.
CVE-2026-32462	2 Liton Arefin, Wordpress	2 Master Addons For Elementor, Wordpress	2026-04-22	5.9 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor master-addons allows DOM-Based XSS.This issue affects Master Addons for Elementor: from n/a through <= 2.1.3.
CVE-2026-32456	2 Janis Elsts, Wordpress	2 Admin Menu Editor, Wordpress	2026-04-22	4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in Janis Elsts Admin Menu Editor admin-menu-editor allows Cross Site Request Forgery.This issue affects Admin Menu Editor: from n/a through <= 1.14.1.
CVE-2026-32454	2 Theme-fusion, Wordpress	2 Avada, Wordpress	2026-04-22	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeFusion Avada Core fusion-core allows DOM-Based XSS.This issue affects Avada Core: from n/a through < 5.15.0.
CVE-2026-32362	2 Activity-log.com, Wordpress	2 Wp Sessions Time Monitoring Full Automatic, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in activity-log.com WP Sessions Time Monitoring Full Automatic activitytime allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Sessions Time Monitoring Full Automatic: from n/a through <= 1.1.3.
CVE-2026-32450	2 Realmag777, Wordpress	2 Active Products Tables For Woocommerce, Wordpress	2026-04-22	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 Active Products Tables for WooCommerce profit-products-tables-for-woocommerce allows DOM-Based XSS.This issue affects Active Products Tables for WooCommerce: from n/a through <= 1.0.7.
CVE-2026-32356	2 Robosoft, Wordpress	2 Robo Gallery, Wordpress	2026-04-22	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in robosoft Robo Gallery robo-gallery allows DOM-Based XSS.This issue affects Robo Gallery: from n/a through <= 5.1.2.

« first previous Page 307 of 598. next last »