Total
35011 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-13794 | 1 Wpplugins | 1 Hide My Wp Ghost | 2026-04-08 | 5.3 Medium |
| The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress is vulnerable to Login Page Dislcosure in all versions up to, and including, 5.3.02. This is due to the plugin not properly restricting the /wp-register.php path. This makes it possible for unauthenticated attackers to discover the hidden login page location. | ||||
| CVE-2024-9889 | 1 Elementinvader | 1 Elementinvader Addons For Elementor | 2026-04-08 | 4.3 Medium |
| The ElementInvader Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.9 via the Page Loader widget. This makes it possible for authenticated attackers, with contributor-level access and above, to view private/draft/password protected posts, pages, and Elementor templates that they should not have access to. | ||||
| CVE-2024-13611 | 1 Wordplus | 1 Better Messages | 2026-04-08 | 7.5 High |
| The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.9 via the 'bp-better-messages' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/bp-better-messages directory which can contain file attachments included in chat messages. | ||||
| CVE-2024-5868 | 1 Wpwebelite | 1 Woocommerce Social Login | 2026-04-08 | 6.5 Medium |
| The WooCommerce - Social Login plugin for WordPress is vulnerable to Email Verification in all versions up to, and including, 2.6.2 via the use of insufficiently random activation code. This makes it possible for unauthenticated attackers to bypass the email verification. | ||||
| CVE-2024-6757 | 1 Elementor | 1 Website Builder | 2026-04-08 | 4.3 Medium |
| The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Basic Information Exposure in all versions up to, and including, 3.23.5 via the get_image_alt function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract either excerpt data or titles of private or password-protected posts. | ||||
| CVE-2024-8494 | 1 Elementor | 1 Website Builder | 2026-04-08 | 4.3 Medium |
| The Elementor Website Builder Pro plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.25.10 via the 'elementor-template' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including the content of Private, Pending, and Draft Templates. The vulnerability was partially patched in version 3.24.4. | ||||
| CVE-2024-2409 | 1 Stylemixthemes | 1 Masterstudy Lms | 2026-04-08 | 9.8 Critical |
| The MasterStudy LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.3.1. This is due to insufficient validation checks within the _register_user() function called by the 'wp_ajax_nopriv_stm_lms_register' AJAX action. This makes it possible for unauthenticated attackers to register a user with administrator-level privileges when MasterStudy LMS Pro is installed and the LMS Forms Editor add-on is enabled. | ||||
| CVE-2024-4266 | 1 Wpmet | 1 Metform Elementor Contact Form Builder | 2026-04-08 | 5.3 Medium |
| The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 3.8.8 via the 'handle_file' function. This can allow unauthenticated attackers to extract sensitive data, such as Personally Identifiable Information, from files uploaded by users. | ||||
| CVE-2025-0764 | 1 Gvectors | 1 Wpforo Forum | 2026-04-08 | 6.5 Medium |
| The wpForo Forum plugin for WordPress is vulnerable to arbitrary file read due to insufficient input validation in the 'update' method of the 'Members' class in all versions up to, and including, 2.4.1. This makes it possible for authenticated attackers, with subscriber-level privileges or higher, to read arbitrary files on the server. | ||||
| CVE-2021-4360 | 1 Wpruby | 1 Controlled Admin Access | 2026-04-08 | 9.9 Critical |
| The Controlled Admin Access plugin for WordPress is vulnerable to Privilege Escalation in versions up to, and including, 1.5.5 by not properly restricting access to the configuration page. This makes it possible for attackers to create a new administrator role with unrestricted access. | ||||
| CVE-2024-10352 | 1 Wpthemespace | 1 Magical Addons For Elementor | 2026-04-08 | 4.3 Medium |
| The Magical Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.4 via the get_content_type function in includes/widgets/content-reveal.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data. | ||||
| CVE-2024-12861 | 1 Villatheme | 1 W2s | 2026-04-08 | 6.5 Medium |
| The W2S – Migrate WooCommerce to Shopify plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.2.1 via the 'viw2s_view_log' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | ||||
| CVE-2024-13646 | 1 Aakashbhagat | 1 Single User Chat | 2026-04-08 | 8.1 High |
| The Single-user-chat plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to insufficient validation on the 'single_user_chat_update_login' function in all versions up to, and including, 0.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to update option values to 'login' on the WordPress site. This may be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values to true such as registration. | ||||
| CVE-2024-13821 | 1 Wpbookingcalendar | 1 Booking Calendar | 2026-04-08 | 5.3 Medium |
| The WP Booking Calendar plugin for WordPress is vulnerable to Unauthenticated Post-Confirmation Booking Manipulation in all versions up to, and including, 10.10. This is due to the plugin not properly requiring re-verification after a booking has been made and a change is being attempted. This makes it possible for unauthenticated attackers to manipulate their confirmed bookings, even after they have been approved. | ||||
| CVE-2020-36848 | 1 Boldgrid | 1 Total Upkeep | 2026-04-08 | 7.5 High |
| The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.14.9 via the env-info.php and restore-info.json files. This makes it possible for unauthenticated attackers to find the location of back-up files and subsequently download them. | ||||
| CVE-2024-12008 | 1 Boldgrid | 1 W3 Total Cache | 2026-04-08 | 5.3 Medium |
| The W3 Total Cache plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.8.1 through the publicly exposed debug log file. This makes it possible for unauthenticated attackers to view potentially sensitive information in the exposed log file. For example, the log file may contain nonce values that can be used in further CSRF attacks. Note: the debug feature must be enabled for this to be a concern, and it is disabled by default. | ||||
| CVE-2024-5709 | 1 Wpbakery | 2 Page Builder, Wpbakery Visual Composer | 2026-04-08 | 8.8 High |
| The WPBakery Visual Composer plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.7 via the 'layout_name' parameter. This makes it possible for authenticated attackers, with Author-level access and above, and with post permissions granted by an Administrator, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | ||||
| CVE-2024-6099 | 1 Thimpress | 1 Learnpress | 2026-04-08 | 5.3 Medium |
| The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthenticated bypass to user registration in versions up to, and including, 4.2.6.8.1. This is due to missing checks in the 'check_validate_fields' function in the checkout. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled. | ||||
| CVE-2025-0177 | 1 Javothemes | 1 Javo Core | 2026-04-08 | 9.8 Critical |
| The Javo Core plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.0.0.080. This is due to the plugin allowing users who are registering new accounts to set their own role. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role. | ||||
| CVE-2024-0708 | 1 Fatcatapps | 1 Landing Page Cat | 2026-04-08 | 5.3 Medium |
| The Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.2. This makes it possible for unauthenticated attackers to access landing pages that may not be public. | ||||