Filtered by vendor Wordpress
Subscriptions
Total
13785 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-32338 | 2 Rarathemes, Wordpress | 2 Construction Landing Page, Wordpress | 2026-04-22 | 5.3 Medium |
| Missing Authorization vulnerability in raratheme Construction Landing Page construction-landing-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Construction Landing Page: from n/a through <= 1.4.1. | ||||
| CVE-2026-32357 | 2 Katsushi Kawamori, Wordpress | 2 Simple Blog Card, Wordpress | 2026-04-22 | 6.4 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Katsushi Kawamori Simple Blog Card simple-blog-card allows Server Side Request Forgery.This issue affects Simple Blog Card: from n/a through <= 2.37. | ||||
| CVE-2026-32361 | 2 Marketing Fire, Wordpress | 2 Editorial Calendar, Wordpress | 2026-04-22 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marketing Fire Editorial Calendar editorial-calendar allows DOM-Based XSS.This issue affects Editorial Calendar: from n/a through <= 3.9.0. | ||||
| CVE-2026-32486 | 2 Wordpress, Wptravelengine | 2 Wordpress, Travel Booking | 2026-04-22 | 5.3 Medium |
| Missing Authorization vulnerability in wptravelengine Travel Booking travel-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel Booking: from n/a through <= 1.3.9. | ||||
| CVE-2026-32368 | 2 Delphiknight, Wordpress | 2 Geo To Lat, Wordpress | 2026-04-22 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in delphiknight Geo to Lat geo-to-lat allows Blind SQL Injection.This issue affects Geo to Lat: from n/a through <= 1.0.19. | ||||
| CVE-2026-3891 | 2 Linknacional, Wordpress | 2 Pix For Woocommerce, Wordpress | 2026-04-22 | 9.8 Critical |
| The Pix for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check and missing file type validation in the 'lkn_pix_for_woocommerce_c6_save_settings' function in all versions up to, and including, 1.5.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2026-32382 | 2 Raratheme, Wordpress | 2 Digital Download, Wordpress | 2026-04-22 | 5.3 Medium |
| Missing Authorization vulnerability in raratheme Digital Download digital-download allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Digital Download: from n/a through <= 1.1.4. | ||||
| CVE-2026-32339 | 2 Raratheme, Wordpress | 2 Bakes And Cakes, Wordpress | 2026-04-22 | 5.3 Medium |
| Missing Authorization vulnerability in raratheme Bakes And Cakes bakes-and-cakes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bakes And Cakes: from n/a through <= 1.2.9. | ||||
| CVE-2026-4063 | 2 Wordpress, Wpzoom | 2 Wordpress, Social Icons Widget & Block – Social Media Icons & Share Buttons | 2026-04-22 | 4.3 Medium |
| The Social Icons Widget & Block by WPZOOM plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in the add_menu_item() method hooked to admin_menu in all versions up to, and including, 4.5.8. This is due to the method performing wp_insert_post() and update_post_meta() calls to create a sharing configuration without verifying the current user has administrator-level capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the creation of a published wpzoom-sharing configuration post with default sharing button settings, which causes social sharing buttons to be automatically injected into all post content on the frontend via the the_content filter. | ||||
| CVE-2026-32349 | 2 Andy Fragen, Wordpress | 2 Embed Pdf Viewer, Wordpress | 2026-04-22 | 4.9 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Andy Fragen Embed PDF Viewer embed-pdf-viewer allows Server Side Request Forgery.This issue affects Embed PDF Viewer: from n/a through <= 2.4.7. | ||||
| CVE-2026-28027 | 2 Themerex, Wordpress | 2 Kayon, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Kayon kayon allows PHP Local File Inclusion.This issue affects Kayon: from n/a through <= 1.3. | ||||
| CVE-2026-1644 | 2 Glowlogix, Wordpress | 2 Wp Frontend Profile, Wordpress | 2026-04-22 | 4.3 Medium |
| The WP Frontend Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing nonce validation on the 'update_action' function. This makes it possible for unauthenticated attackers to approve or reject user account registrations via a forged request granted they can trick an administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-28094 | 2 Themerex, Wordpress | 2 Rexcoin, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX RexCoin rexcoin allows PHP Local File Inclusion.This issue affects RexCoin: from n/a through <= 1.2.6. | ||||
| CVE-2026-28033 | 2 Themerex, Wordpress | 2 Edifice, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Edifice edifice allows PHP Local File Inclusion.This issue affects Edifice: from n/a through <= 1.8. | ||||
| CVE-2026-28078 | 2 Stylemixthemes, Wordpress | 2 Ulisting, Wordpress | 2026-04-22 | 4.9 Medium |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Stylemix uListing ulisting allows Path Traversal.This issue affects uListing: from n/a through <= 2.2.0. | ||||
| CVE-2026-28048 | 2 Magentech, Wordpress | 2 Flashmart, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magentech FlashMart flashmart allows PHP Local File Inclusion.This issue affects FlashMart: from n/a through <= 2.0.15. | ||||
| CVE-2026-28043 | 2 Themerex, Wordpress | 2 Healer - Doctor, Clinic & Medical Wordpress Theme, Wordpress | 2026-04-22 | 9.8 Critical |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Healer - Doctor, Clinic & Medical WordPress Theme healer allows PHP Local File Inclusion.This issue affects Healer - Doctor, Clinic & Medical WordPress Theme: from n/a through <= 1.0.0. | ||||
| CVE-2026-28054 | 2 Themerex, Wordpress | 2 Legal Stone, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Legal Stone legal-stone allows PHP Local File Inclusion.This issue affects Legal Stone: from n/a through <= 1.2.11. | ||||
| CVE-2026-28057 | 2 Themerex, Wordpress | 2 Mandala, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Mandala mandala allows PHP Local File Inclusion.This issue affects Mandala: from n/a through <= 2.8. | ||||
| CVE-2026-28063 | 2 Themerex, Wordpress | 2 Asia Garden, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Asia Garden asia-garden allows PHP Local File Inclusion.This issue affects Asia Garden: from n/a through <= 1.3.1. | ||||