Wordpress CVEs and Security Vulnerabilities

Filtered by vendor Wordpress Subscriptions

Search

Switch to Advanced Search (Beta)

Total 9758 CVE

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2025-63042	2 Themeum, Wordpress	2 Tutor Lms Elementor Addons, Wordpress	2026-02-02	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Tutor LMS Elementor Addons tutor-lms-elementor-addons allows Stored XSS.This issue affects Tutor LMS Elementor Addons: from n/a through <= 3.0.1.
CVE-2025-63037	1 Wordpress	1 Wordpress	2026-02-02	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DFDevelopment Ronneby Theme Core ronneby-core allows DOM-Based XSS.This issue affects Ronneby Theme Core: from n/a through <= 1.5.68.
CVE-2025-53427	1 Wordpress	1 Wordpress	2026-02-02	7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chibueze Okechukwu SEO Pyramid seo-pyramid allows Reflected XSS.This issue affects SEO Pyramid: from n/a through <= 1.9.8.
CVE-2025-52735	2 Wordpress, Xlplugins	2 Wordpress, Nextmove	2026-02-02	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Reflected XSS.This issue affects NextMove Lite: from n/a through <= 2.21.0.
CVE-2025-52734	1 Wordpress	1 Wordpress	2026-02-02	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ERA404 CropRefine croprefine allows Reflected XSS.This issue affects CropRefine: from n/a through <= 1.2.1.
CVE-2026-1165	2 Ays-pro, Wordpress	2 Popup Box, Wordpress	2026-02-02	4.3 Medium
The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.1. This is due to a flawed nonce implementation in the 'publish_unpublish_popupbox' function that verifies a self-created nonce rather than one submitted in the request. This makes it possible for unauthenticated attackers to change the publish status of popups via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
CVE-2026-22461	2 Webappick, Wordpress	2 Ctx Feed, Wordpress	2026-01-30	5.3 Medium
Missing Authorization vulnerability in WebAppick CTX Feed webappick-product-feed-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CTX Feed: from n/a through <= 6.6.18.
CVE-2025-13001	2 Kieranoshea, Wordpress	2 Donations, Wordpress	2026-01-30	4.1 Medium
The donation WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing high privilege users, such as admin to perform SQL injection attacks
CVE-2025-13000	2 Jimbob1953, Wordpress	2 Db-access, Wordpress	2026-01-30	7.7 High
The db-access WordPress plugin through 0.8.7 does not have authorization in an AJAX action, allowing any authenticated users, such as subscriber to perform SQLI attacks
CVE-2025-8889	2 Eliehanna, Wordpress	3 Compress And Upload Plugin, Compress And Upload Plugin, Wordpress	2026-01-30	3.8 Low
The Compress & Upload WordPress plugin before 1.0.5 does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup)
CVE-2025-63045	2 Averta, Wordpress	2 Master Slider Pro, Wordpress	2026-01-30	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in averta Master Slider Pro masterslider allows DOM-Based XSS.This issue affects Master Slider Pro: from n/a through <= 3.7.12.
CVE-2022-47425	2 Reputeinfosystems, Wordpress	2 Armember, Wordpress	2026-01-30	4.3 Medium
Missing Authorization vulnerability in Repute Infosystems ARMember allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ARMember: from n/a through 3.4.10.
CVE-2025-68076	2 Select-themes, Wordpress	2 Stockholm Core, Wordpress	2026-01-30	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Select-Themes Stockholm Core stockholm-core allows Stored XSS.This issue affects Stockholm Core: from n/a through <= 2.4.6.
CVE-2025-67983	2 Osama.esh, Wordpress	2 Wp Visitor Statistics (real Time Traffic), Wordpress	2026-01-30	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in osama.esh WP Visitor Statistics (Real Time Traffic) wp-stats-manager allows DOM-Based XSS.This issue affects WP Visitor Statistics (Real Time Traffic): from n/a through <= 8.3.
CVE-2025-67951	2 Wordpress, Wpzoom	2 Wordpress, Wpzoom Addons For Elementor	2026-01-30	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM WPZOOM Addons for Elementor wpzoom-elementor-addons allows DOM-Based XSS.This issue affects WPZOOM Addons for Elementor: from n/a through <= 1.2.10.
CVE-2025-66102	1 Wordpress	1 Wordpress	2026-01-30	7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FolioVision FV Antispam fv-antispam allows Reflected XSS.This issue affects FV Antispam: from n/a through <= 2.7.
CVE-2025-66091	2 Design, Wordpress	2 Stylish Cost Calculator, Wordpress	2026-01-30	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Design Stylish Cost Calculator stylish-cost-calculator allows DOM-Based XSS.This issue affects Stylish Cost Calculator: from n/a through <= 8.1.5.
CVE-2025-64383	1 Wordpress	1 Wordpress	2026-01-30	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Qode Qi Blocks qi-blocks allows Stored XSS.This issue affects Qi Blocks: from n/a through <= 1.4.3.
CVE-2025-64381	2 Wordpress, Wpdevelop	2 Wordpress, Booking Calendar	2026-01-30	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevelop Booking Calendar booking allows Stored XSS.This issue affects Booking Calendar: from n/a through <= 10.14.7.
CVE-2025-64380	3 Booster, Pluggabl, Wordpress	3 Booster For Woocommerce, Booster For Woocommerce, Wordpress	2026-01-30	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pluggabl Booster for WooCommerce woocommerce-jetpack allows Stored XSS.This issue affects Booster for WooCommerce: from n/a through <= 7.3.2.

« first previous Page 8 of 488. next last »