Wordpress CVEs and Security Vulnerabilities

Filtered by vendor Wordpress Subscriptions

Search

Switch to Advanced Search (Beta)

Total 12127 CVE

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2026-22463	2 Micro.company, Wordpress	2 Form To Chat App, Wordpress	2026-04-16	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Micro.company Form to Chat App form-to-chat allows Stored XSS.This issue affects Form to Chat App: from n/a through <= 1.2.5.
CVE-2026-22466	2 Chandnipatel, Wordpress	2 Wp Mapit, Wordpress	2026-04-16	4.3 Medium
Missing Authorization vulnerability in Chandni Patel WP MapIt wp-mapit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP MapIt: from n/a through <= 3.0.3.
CVE-2026-22470	2 Firestorm Plugins, Wordpress	2 Firestorm Professional Real Estate, Wordpress	2026-04-16	7.6 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FireStorm Plugins FireStorm Professional Real Estate fs-real-estate-plugin allows Blind SQL Injection.This issue affects FireStorm Professional Real Estate: from n/a through <= 2.7.11.
CVE-2026-22483	1 Wordpress	1 Wordpress	2026-04-16	5.4 Medium
Cross-Site Request Forgery (CSRF) vulnerability in winkm89 teachPress teachpress allows Cross Site Request Forgery.This issue affects teachPress: from n/a through <= 9.0.12.
CVE-2026-24354	1 Wordpress	1 Wordpress	2026-04-16	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Shortcodes & Performance penci-shortcodes allows DOM-Based XSS.This issue affects Penci Shortcodes & Performance: from n/a through <= 6.1.
CVE-2026-24544	2 Harmonicdesign, Wordpress	2 Hd Quiz, Wordpress	2026-04-16	4.3 Medium
Missing Authorization vulnerability in Harmonic Design HD Quiz hd-quiz allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HD Quiz: from n/a through <= 2.0.9.
CVE-2026-24589	2 Cargus Ecommerce, Wordpress	2 Cargus, Wordpress	2026-04-16	5.3 Medium
Insertion of Sensitive Information Into Sent Data vulnerability in Cargus eCommerce Cargus cargus allows Retrieve Embedded Sensitive Data.This issue affects Cargus: from n/a through <= 1.5.8.
CVE-2026-24605	2 Pencilwp, Wordpress	2 X Addons For Elementor, Wordpress	2026-04-16	4.3 Medium
Missing Authorization vulnerability in pencilwp X Addons for Elementor x-addons-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects X Addons for Elementor: from n/a through <= 1.0.23.
CVE-2026-24947	2 La-studioweb, Wordpress	2 Element Kit For Elementor, Wordpress	2026-04-16	4.3 Medium
Missing Authorization vulnerability in LA-Studio LA-Studio Element Kit for Elementor lastudio-element-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LA-Studio Element Kit for Elementor: from n/a through < 1.5.6.3.
CVE-2026-24962	1 Wordpress	1 Wordpress	2026-04-16	4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force Sigmize sigmize allows Cross Site Request Forgery.This issue affects Sigmize: from n/a through <= 0.0.9.
CVE-2026-24966	1 Wordpress	1 Wordpress	2026-04-16	4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in Copyscape Copyscape Premium copyscape-premium allows Cross Site Request Forgery.This issue affects Copyscape Premium: from n/a through <= 1.4.1.
CVE-2026-24985	1 Wordpress	1 Wordpress	2026-04-16	4.3 Medium
Missing Authorization vulnerability in approveme WP Forms Signature Contract Add-On wp-forms-signature-contract-add-on allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Forms Signature Contract Add-On: from n/a through <= 1.8.2.
CVE-2026-24996	1 Wordpress	1 Wordpress	2026-04-16	4.3 Medium
Missing Authorization vulnerability in wpelemento WPElemento Importer wpelemento-importer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPElemento Importer: from n/a through <= 0.6.4.
CVE-2026-25016	1 Wordpress	1 Wordpress	2026-04-16	4.3 Medium
Missing Authorization vulnerability in Nelio Software Nelio Popups nelio-popups allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Nelio Popups: from n/a through <= 1.3.5.
CVE-2026-25019	2 Vito Peleg, Wordpress	2 Atarim, Wordpress	2026-04-16	5.3 Medium
Missing Authorization vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Atarim: from n/a through <= 4.3.1.
CVE-2026-25024	1 Wordpress	1 Wordpress	2026-04-16	5.4 Medium
Cross-Site Request Forgery (CSRF) vulnerability in Blair Williams ThirstyAffiliates thirstyaffiliates allows Cross Site Request Forgery.This issue affects ThirstyAffiliates: from n/a through <= 3.11.9.
CVE-2026-1860	2 Wordpress, Wpchill	2 Wordpress, Kali Forms — Contact Form & Drag-and-drop Builder	2026-04-16	4.3 Medium
The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the `get_items_permissions_check()` permission callback on the `/kaliforms/v1/forms/{id}` REST API endpoint only checking for the `edit_posts` capability without verifying that the requesting user has ownership or authorization over the specific form resource. This makes it possible for authenticated attackers, with Contributor-level access and above, to read form configuration data belonging to other users (including administrators) by enumerating form IDs. Exposed data includes form field structures, Google reCAPTCHA secret keys (if configured), email notification templates, and server paths.
CVE-2026-23542	2 Themegoods, Wordpress	2 Grand Restaurant, Wordpress	2026-04-16	9.8 Critical
Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Object Injection.This issue affects Grand Restaurant: from n/a through <= 7.0.10.
CVE-2026-23544	2 Codetipi, Wordpress	2 Valenti, Wordpress	2026-04-16	8.8 High
Deserialization of Untrusted Data vulnerability in codetipi Valenti valenti allows Object Injection.This issue affects Valenti: from n/a through <= 5.6.3.5.
CVE-2026-25307	2 8theme, Wordpress	2 Xstore Core, Wordpress	2026-04-16	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8theme XStore Core et-core-plugin allows DOM-Based XSS.This issue affects XStore Core: from n/a through < 5.7.

« first previous Page 431 of 607. next last »