Wordpress CVEs and Security Vulnerabilities

Export limit exceeded: 11959 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Use the Query Builder to create your own search query, or check out the documentation to learn the search syntax.

Search Examples

CVEs in KEV CVEs with EPSS >= 80% Crit. Microsoft High Apache SQL Injection (CWE-89) Linux Kernel High (CVSS 3.1) Apache Struts RCE (Remote Code Execution) XSS (CWE-79) Critical (CVSS 4.0) CVEs to check

Search Results (11959 CVEs found)

Export CSV

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2026-2413	2 Elemntor, Wordpress	2 Ally – Web Accessibility & Usability, Wordpress	2026-04-22	7.5 High
The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context. While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques. The Remediation module must be active, which requires the plugin to be connected to an Elementor account.
CVE-2024-35644	2 Pascal Birchler, Wordpress	2 Preferred Languages, Wordpress	2026-04-22	5.9 Medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Pascal Birchler Preferred Languages allows DOM-Based XSS.This issue affects Preferred Languages: from n/a through 2.2.2.
CVE-2026-28104	2 Aryan Shirani Bid Abadi, Wordpress	2 Site Suggest, Wordpress	2026-04-22	6.5 Medium
Missing Authorization vulnerability in Aryan Shirani Bid Abadi Site Suggest site-suggest allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Site Suggest: from n/a through <= 1.3.9.
CVE-2026-28081	2 Themerex, Wordpress	2 Windsor, Wordpress	2026-04-22	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Windsor windsor allows PHP Local File Inclusion.This issue affects Windsor: from n/a through <= 2.5.0.
CVE-2026-28079	2 Axiomthemes, Wordpress	2 Conquerors, Wordpress	2026-04-22	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Conquerors conquerors allows PHP Local File Inclusion.This issue affects Conquerors: from n/a through <= 1.2.13.
CVE-2026-28078	2 Stylemixthemes, Wordpress	2 Ulisting, Wordpress	2026-04-22	4.9 Medium
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Stylemix uListing ulisting allows Path Traversal.This issue affects uListing: from n/a through <= 2.2.0.
CVE-2026-28077	2 Themerex, Wordpress	2 Vapester, Wordpress	2026-04-22	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Vapester vapester allows PHP Local File Inclusion.This issue affects Vapester: from n/a through <= 1.1.10.
CVE-2026-28056	2 Themerex, Wordpress	2 Mckinney's Politics, Wordpress	2026-04-22	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX MCKinney's Politics mckinney-politics allows PHP Local File Inclusion.This issue affects MCKinney's Politics: from n/a through <= 1.2.8.
CVE-2026-28052	2 Themerex, Wordpress	2 Peter Mason, Wordpress	2026-04-22	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Peter Mason petermason allows PHP Local File Inclusion.This issue affects Peter Mason: from n/a through <= 1.4.5.
CVE-2026-28051	2 Themerex, Wordpress	2 Yacht Rental, Wordpress	2026-04-22	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Yacht Rental yacht-rental allows PHP Local File Inclusion.This issue affects Yacht Rental: from n/a through <= 2.6.
CVE-2026-28032	2 Themerex, Wordpress	2 Tuning, Wordpress	2026-04-22	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Tuning tuning allows PHP Local File Inclusion.This issue affects Tuning: from n/a through <= 1.3.
CVE-2026-28030	2 Themerex, Wordpress	2 Bonbon, Wordpress	2026-04-22	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Bonbon bonbon allows PHP Local File Inclusion.This issue affects Bonbon: from n/a through <= 1.6.
CVE-2026-28129	2 Axiomthemes, Wordpress	2 Little Birdies, Wordpress	2026-04-22	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Little Birdies little-birdies allows PHP Local File Inclusion.This issue affects Little Birdies: from n/a through <= 1.3.16.
CVE-2026-28026	2 Themerex, Wordpress	2 Motorix, Wordpress	2026-04-22	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Motorix motorix allows PHP Local File Inclusion.This issue affects Motorix: from n/a through <= 1.6.
CVE-2026-28088	2 Themerex, Wordpress	2 Aqualots, Wordpress	2026-04-22	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Aqualots aqualots allows PHP Local File Inclusion.This issue affects Aqualots: from n/a through <= 1.1.6.
CVE-2026-28047	2 Magentech, Wordpress	2 Victo, Wordpress	2026-04-22	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magentech Victo victo allows PHP Local File Inclusion.This issue affects Victo: from n/a through <= 1.4.16.
CVE-2026-28096	2 Themerex, Wordpress	2 Wealthco, Wordpress	2026-04-22	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX WealthCo wealthco allows PHP Local File Inclusion.This issue affects WealthCo: from n/a through <= 2.18.
CVE-2026-28097	2 Themerex, Wordpress	2 Artrium, Wordpress	2026-04-22	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Artrium artrium allows PHP Local File Inclusion.This issue affects Artrium: from n/a through <= 1.0.14.
CVE-2026-28128	2 Themerex, Wordpress	2 Verse, Wordpress	2026-04-22	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Verse verse allows PHP Local File Inclusion.This issue affects Verse: from n/a through <= 1.7.0.
CVE-2026-28127	2 E-plugins, Wordpress	2 Lawyer Directory, Wordpress	2026-04-22	7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Lawyer Directory lawyer-directory allows Reflected XSS.This issue affects Lawyer Directory: from n/a through <= 1.3.2.

« first previous Page 313 of 598. next last »