Export limit exceeded: 13002 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 359439 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 13002 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (13002 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-64363 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SeventhQueen Kleo kleo allows PHP Local File Inclusion.This issue affects Kleo: from n/a through < 5.5.0. | ||||
| CVE-2025-10178 | 2 Creativemindssolutions, Wordpress | 2 Cm Business Directory, Wordpress | 2026-04-15 | 6.4 Medium |
| The CM Business Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cmbd_featured_image' shortcode in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-10137 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.4 Medium |
| The Snow Monkey theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 29.1.5 via the request() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | ||||
| CVE-2024-3027 | 2 Nextendweb, Wordpress | 2 Smart Slider 3, Wordpress | 2026-04-15 | 6.4 Medium |
| The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the upload function in all versions up to, and including, 3.5.1.22. This makes it possible for authenticated attackers, with contributor-level access and above, to upload files, including SVG files, which can be used to conduct stored cross-site scripting attacks. | ||||
| CVE-2025-64367 | 2 Groundhogg, Wordpress | 2 Groundhogg, Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Adrian Tobey Groundhogg groundhogg allows Stored XSS.This issue affects Groundhogg: from n/a through <= 4.2.6. | ||||
| CVE-2024-32814 | 2 Wordpress, Zorem | 2 Wordpress, Advanced Local Pickup For Woocommerce | 2026-04-15 | 5.3 Medium |
| Missing Authorization vulnerability in Zorem Advanced Local Pickup for WooCommerce.This issue affects Advanced Local Pickup for WooCommerce: from n/a through 1.6.1. | ||||
| CVE-2024-13820 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| The Melhor Envio plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.15.11 via the 'run' function, which uses a hardcoded hash. This makes it possible for unauthenticated attackers to extract sensitive data including environment information, plugin tokens, shipping configurations, and limited vendor information. | ||||
| CVE-2025-49341 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Alex Furr PDF Creator Lite pdf-creator-lite allows Stored XSS.This issue affects PDF Creator Lite: from n/a through <= 1.2. | ||||
| CVE-2025-8489 | 2 Kingaddons, Wordpress | 2 King Addons For Elementor, Wordpress | 2026-04-15 | 9.8 Critical |
| The King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor plugin for WordPress is vulnerable to privilege escalation in versions 24.12.92 to 51.1.14 . This is due to the plugin not properly restricting the roles that users can register with. This makes it possible for unauthenticated attackers to register with administrator-level user accounts. | ||||
| CVE-2024-12574 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.4 Medium |
| The SVG Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||
| CVE-2025-13072 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| The HandL UTM Grabber / Tracker WordPress plugin before 2.8.1 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | ||||
| CVE-2025-9213 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| The TextBuilder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 1.0.0 to 1.1.1. This is due to missing or incorrect nonce validation on the 'handleToken' function. This makes it possible for unauthenticated attackers to update a user's authorization token via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Once the token is updated, an attacker can update the user's password and email address. | ||||
| CVE-2025-49379 | 3 Silverplugins217, Woocommerce, Wordpress | 3 Custom Fields Account Registration For Woocommerce, Woocommerce, Wordpress | 2026-04-15 | 7.2 High |
| Incorrect Privilege Assignment vulnerability in silverplugins217 Custom Fields Account Registration For Woocommerce custom-fields-account-registration-for-woocommerce allows Privilege Escalation.This issue affects Custom Fields Account Registration For Woocommerce: from n/a through <= 1.2. | ||||
| CVE-2025-49910 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.2 High |
| Missing Authorization vulnerability in AmentoTech Private Limited WPGuppy wpguppy-lite allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WPGuppy: from n/a through <= 1.1.4. | ||||
| CVE-2025-49912 | 2 Nks, Wordpress | 2 Email Subscription Popup, Wordpress | 2026-04-15 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nks Email Subscription Popup email-subscribe allows Stored XSS.This issue affects Email Subscription Popup: from n/a through <= 1.2.26. | ||||
| CVE-2025-14973 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.8 Medium |
| The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform SQL injection attacks. | ||||
| CVE-2025-12373 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The Torod – The smart shipping and delivery portal for e-shops and retailers plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9. This is due to missing or incorrect nonce validation on the save_settings function. This makes it possible for unauthenticated attackers to modify plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-59132 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Badi Jones Duplicate Content Cure duplicate-content-cure allows Cross Site Request Forgery.This issue affects Duplicate Content Cure: from n/a through <= 1.0. | ||||
| CVE-2024-12563 | 2 Wordpress, Wp Sharks | 2 Wordpress, S2member Pro | 2026-04-15 | 8.8 High |
| The s2Member Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 250214 via the 'template' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. | ||||
| CVE-2024-11280 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| The PPWP – Password Protect Pages plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.9.5 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator. | ||||