Total
35011 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-5250 | 1 G5theme | 1 Grid Plus | 2026-04-08 | 8.8 High |
| The Grid Plus plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.3.3 via a shortcode attribute. This allows subscriber-level, and above, attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files with arbitrary content can be uploaded and included. | ||||
| CVE-2023-3132 | 1 Mainwp | 1 Mainwp Child | 2026-04-08 | 5.9 Medium |
| The MainWP Child plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.4.1.1 due to insufficient controls on the storage of back-up files. This makes it possible for unauthenticated attackers to extract sensitive data including the entire installations database if a backup occurs and the deletion of the back-up files fail. | ||||
| CVE-2023-3126 | 1 Webwizards | 1 B2bking | 2026-04-08 | 4.3 Medium |
| The B2BKing plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'b2bkingdownloadpricelist' function in versions up to, and including, 4.6.00. This makes it possible for Authenticated attackers with subscriber or customer-level permissions to retrieve the full pricing list of all products on the site. | ||||
| CVE-2023-3125 | 1 Webwizards | 1 B2bking | 2026-04-08 | 6.5 Medium |
| The B2BKing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'b2bking_save_price_import' function in versions up to, and including, 4.6.00. This makes it possible for Authenticated attackers with subscriber or customer-level permissions to modify the pricing of any product on the site. | ||||
| CVE-2023-0558 | 1 Contentstudio | 1 Contentstudio | 2026-04-08 | 8.2 High |
| The ContentStudio plugin for WordPress is vulnerable to authorization bypass due to an unsecure token check that is susceptible to type juggling in versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to execute functions intended for use by users with proper API keys. | ||||
| CVE-2021-4380 | 1 Valvepress | 1 Pinterest Automatic Pin | 2026-04-08 | 9.8 Critical |
| The Pinterest Automatic plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the 'wp_pinterest_automatic_parse_request' function and the 'process_form.php' script in versions up to, and including, 1.14.3. This makes it possible for unauthenticated attackers to update arbitrary options on a site that can be used to create new administrative user accounts or redirect unsuspecting site visitors. | ||||
| CVE-2020-36723 | 1 Cridio | 1 Listingpro | 2026-04-08 | 5.3 Medium |
| The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Sensitive Data Exposure in versions before 2.6.1 via the ~/listingpro-plugin/functions.php file. This makes it possible for unauthenticated attackers to extract sensitive data including usernames, full names, email addresses, phone numbers, physical addresses and user post counts. | ||||
| CVE-2024-8516 | 1 Themesflat | 1 Themesflat Addons For Elementor | 2026-04-08 | 4.3 Medium |
| The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.1 via the render() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract limited post information from draft and future scheduled posts. | ||||
| CVE-2024-7630 | 1 Relevanssi | 1 Relevanssi | 2026-04-08 | 5.3 Medium |
| The Relevanssi – A Better Search plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.22.2 (Free) and 2.25.1 (Premium) via the relevanssi_do_query() due to insufficient limitations on the posts that are returned when searching. This makes it possible for unauthenticated attackers to extract potentially sensitive information from password protected posts. | ||||
| CVE-2024-7412 | 1 Coffee2code | 1 No Update Nag | 2026-04-08 | 5.3 Medium |
| The No Update Nag plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.4.12. This is due to the plugin allowing direct access to the bootstrap.php file which has display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. | ||||
| CVE-2024-6621 | 1 Rebelcode | 1 Rss Aggregator | 2026-04-08 | 4.3 Medium |
| The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wprss_activate_feed_source' and 'wprss_pause_feed_source' functions in all versions up to, and including, 4.23.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or pause existing RSS feeds. | ||||
| CVE-2024-5598 | 1 Advancedfilemanager | 1 Advanced File Manager | 2026-04-08 | 7.5 High |
| The Advanced File Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.2.4 via the 'fma_local_file_system' function. This makes it possible for unauthenticated attackers to extract sensitive data including backups or other sensitive information if the files have been moved to the built-in Trash folder. | ||||
| CVE-2024-4274 | 1 G5plus | 1 Essential Real Estate | 2026-04-08 | 4.3 Medium |
| The Essential Real Estate plugin for WordPress is vulnerable to unauthorized loss of data due to insufficient validation on the remove_property_attachment_ajax() function in all versions up to, and including, 4.4.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachments. | ||||
| CVE-2024-3228 | 1 Wpkube | 1 Kiwi Social Share | 2026-04-08 | 5.3 Medium |
| The Social Sharing Plugin – Kiwi plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.1.7 via the 'kiwi-nw-pinterest' class. This makes it possible for unauthenticated attackers to view limited content from password protected posts. | ||||
| CVE-2024-2340 | 1 Theme-fusion | 1 Avada | 2026-04-08 | 5.3 Medium |
| The Avada theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.11.6 via the '/wp-content/uploads/fusion-forms/' directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via an Avada created form with a file upload mechanism. | ||||
| CVE-2024-2112 | 1 10web | 1 Form Maker | 2026-04-08 | 5.9 Medium |
| The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.15.22 via the signature functionality. This makes it possible for unauthenticated attackers to extract sensitive data including user signatures. | ||||
| CVE-2024-2107 | 1 Blossomthemes | 1 Blossom Spa | 2026-04-08 | 5.8 Medium |
| The Blossom Spa theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.3 via generated source. This makes it possible for unauthenticated attackers to extract sensitive data including contents of password-protected or scheduled posts. | ||||
| CVE-2024-2088 | 1 Nextscripts | 1 Social Networks Auto Poster | 2026-04-08 | 8.5 High |
| The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.3 via the 'nxs_getExpSettings' function. This makes it possible for authenticated attackers, with subscriber access and above, to extract sensitive data including social network API keys and secrets. | ||||
| CVE-2024-1645 | 1 Wobbie | 1 Mollie Forms | 2026-04-08 | 4.3 Medium |
| The Mollie Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the exportRegistrations function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or higher, to export payment data collected by this plugin. | ||||
| CVE-2024-1640 | 1 Bitapps | 1 Contact Form Builder | 2026-04-08 | 5.3 Medium |
| The Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit Form plugin for WordPress is vulnerable to unauthorized modification of data due to a insufficient user validation on the bitforms_update_form_entry AJAX action in all versions up to, and including, 2.10.1. This makes it possible for unauthenticated attackers to modify form submissions. | ||||