Filtered by vendor Wordpress
Subscriptions
Total
9758 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-0658 | 1 Wordpress | 1 Wordpress | 2026-02-04 | 4.3 Medium |
| The Five Star Restaurant Reservations WordPress plugin before 2.7.9 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting bookings via CSRF attacks. | ||||
| CVE-2026-1065 | 2 10web, Wordpress | 2 Form Maker, Wordpress | 2026-02-04 | 7.2 High |
| The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms. | ||||
| CVE-2026-0950 | 2 Brainstormforce, Wordpress | 2 Spectra, Wordpress | 2026-02-04 | 5.3 Medium |
| The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.19.17. This is due to the plugin failing to check `post_password_required()` before rendering post excerpts in the `render_excerpt()` function and the `uagb_get_excerpt()` helper function. This makes it possible for unauthenticated attackers to read excerpts of password-protected posts by simply viewing any page that contains a Spectra Post Grid, Post Masonry, Post Carousel, or Post Timeline block. | ||||
| CVE-2026-24951 | 2 Saadiqbal, Wordpress | 2 Mycred, Wordpress | 2026-02-04 | 4.3 Medium |
| Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects myCred: from n/a through <= 2.9.7.3. | ||||
| CVE-2026-1058 | 2 10web, Wordpress | 2 Form Maker, Wordpress | 2026-02-04 | 7.1 High |
| The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses html_entity_decode() on user-supplied hidden field values without subsequent escaping before output, which converts HTML entity-encoded payloads back into executable JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin submissions view that will execute whenever an administrator accesses the submissions list. | ||||
| CVE-2026-1730 | 2 Skirridsystems, Wordpress | 2 Os Datahub Maps, Wordpress | 2026-02-04 | 8.8 High |
| The OS DataHub Maps plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'OS_DataHub_Maps_Admin::add_file_and_ext' function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2026-1447 | 2 Getwpfunnels, Wordpress | 2 Mail Mint, Wordpress | 2026-02-04 | 5.4 Medium |
| The Mail Mint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19.2. This is due to missing nonce validation on the create_or_update_note function. This makes it possible for unauthenticated attackers to create or update contact notes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to missing sanitization and escaping this can lead to stored Cross-Site Scripting. | ||||
| CVE-2026-1210 | 2 Happymonster, Wordpress | 2 Happy Addons For Elementor, Wordpress | 2026-02-04 | 6.4 Medium |
| The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_elementor_data' meta field in all versions up to, and including, 3.20.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-24957 | 2 Wordpress, Wpchill | 2 Wordpress, Strong Testimonials | 2026-02-04 | 6.5 Medium |
| Missing Authorization vulnerability in WP Chill Strong Testimonials strong-testimonials allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Strong Testimonials: from n/a through <= 3.2.20. | ||||
| CVE-2026-24939 | 2 Wordpress, Wpchill | 2 Wordpress, Modula Image Gallery | 2026-02-04 | 4.3 Medium |
| Missing Authorization vulnerability in WP Chill Modula Image Gallery modula-best-grid-gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Modula Image Gallery: from n/a through <= 2.13.6. | ||||
| CVE-2026-24962 | 1 Wordpress | 1 Wordpress | 2026-02-04 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force Sigmize sigmize allows Cross Site Request Forgery.This issue affects Sigmize: from n/a through <= 0.0.9. | ||||
| CVE-2026-24961 | 2 Themegoods, Wordpress | 2 Grand Blog, Wordpress | 2026-02-04 | 5.4 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in ThemeGoods Grand Blog grandblog allows Server Side Request Forgery.This issue affects Grand Blog: from n/a through < 3.1.5. | ||||
| CVE-2026-1375 | 2 Themeum, Wordpress | 2 Tutor Lms, Wordpress | 2026-02-04 | 8.1 High |
| The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests. | ||||
| CVE-2026-24954 | 1 Wordpress | 1 Wordpress | 2026-02-04 | 8.8 High |
| Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.This issue affects WpEvently: from n/a through <= 5.0.8. | ||||
| CVE-2026-24945 | 2 Themefic, Wordpress | 2 Ultimate Addons For Contact Form 7, Wordpress | 2026-02-04 | 5.3 Medium |
| Missing Authorization vulnerability in Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Addons for Contact Form 7: from n/a through <= 3.5.34. | ||||
| CVE-2026-24940 | 1 Wordpress | 1 Wordpress | 2026-02-04 | 4.3 Medium |
| Missing Authorization vulnerability in Themefic Travelfic Toolkit travelfic-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travelfic Toolkit: from n/a through <= 1.3.3. | ||||
| CVE-2026-24947 | 2 La-studioweb, Wordpress | 2 Element Kit For Elementor, Wordpress | 2026-02-04 | 4.3 Medium |
| Missing Authorization vulnerability in LA-Studio LA-Studio Element Kit for Elementor lastudio-element-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LA-Studio Element Kit for Elementor: from n/a through < 1.5.6.3. | ||||
| CVE-2025-14274 | 3 Unitecms, Unlimited-elements, Wordpress | 3 Unlimited Elements For Elementor, Unlimited Elements For Elementor, Wordpress | 2026-02-04 | 5.4 Medium |
| The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Border Hero widget's Button Link field in versions up to 2.0.1. This is due to insufficient input sanitization and output escaping on user-supplied URLs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-0617 | 2 Latepoint, Wordpress | 2 Latepoint, Wordpress | 2026-02-04 | 7.2 High |
| The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer profile fields in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the customer's activity history. | ||||
| CVE-2026-24958 | 2 Crocoblock, Wordpress | 2 Jetelements For Elementor, Wordpress | 2026-02-04 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor jet-elements allows DOM-Based XSS.This issue affects JetElements For Elementor: from n/a through <= 2.7.12.2. | ||||