Filtered by vendor Wordpress
Subscriptions
Total
12019 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-1844 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The RevivePress – Keep your Old Content Evergreen plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the import_data and copy_data functions in all versions up to, and including, 1.5.6. This makes it possible for authenticated attackers, with subscriber-level access or higher, to overwrite plugin settings and view them. | ||||
| CVE-2024-13635 | 2 Vektor-inc, Wordpress | 2 Vk Blocks, Wordpress | 2026-04-15 | 4.3 Medium |
| The VK Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.94.2.2 via the page content block. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including the content of private posts and pages. | ||||
| CVE-2024-11363 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The Same but Different – Related Posts by Taxonomy plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-15030 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 9.8 Critical |
| The User Profile Builder WordPress plugin before 3.15.2 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account | ||||
| CVE-2025-53231 | 2 Wordpress, Wpdevstudio | 2 Wordpress, Easy Taxonomy Images | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevstudio Easy Taxonomy Images easy-taxonomy-images allows Stored XSS.This issue affects Easy Taxonomy Images: from n/a through <= 1.0.1. | ||||
| CVE-2024-12098 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The ARS Affiliate Page Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'utm_keyword' parameter in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-12159 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| The Optimize Your Campaigns – Google Shopping – Google Ads – Google Adwords plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.1 due to the print_php_information.php being publicly accessible. This makes it possible for unauthenticated attackers to extract sensitive configuration data that can be leveraged in another attack. | ||||
| CVE-2024-12738 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several user meta parameters in all versions up to, and including, 3.12.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and clicks a link to show user meta. | ||||
| CVE-2023-47232 | 2 Mojofywp, Wordpress | 2 Wp Affiliate Disclosure, Wordpress | 2026-04-15 | 4.3 Medium |
| Vulnerability in mojofywp WP Affiliate Disclosure wp-affiliate-disclosure.This issue affects WP Affiliate Disclosure: from n/a through 1.2.6. | ||||
| CVE-2024-8915 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Category Icon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||
| CVE-2025-14891 | 2 Ivole, Wordpress | 2 Customer Reviews For Woocommerce, Wordpress | 2026-04-15 | 6.4 Medium |
| The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'displayName' parameter in all versions up to, and including, 5.93.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with customer-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. While it is possible to invoke the AJAX action without authentication, the attacker would need to know a valid form ID, which requires them to place an order. This vulnerability can be exploited by unauthenticated attackers if guest checkout is enabled. However, the form ID still needs to be obtained through placing an order. | ||||
| CVE-2025-0863 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Flexmls® IDX Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'idx_frame' shortcode in all versions up to, and including, 3.14.27 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-9610 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The Language Switcher plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.7.13. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-14875 | 2 Hblpay, Wordpress | 2 Payment Gateway For Woocommerce, Wordpress | 2026-04-15 | 6.1 Medium |
| The HBLPAY Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘cusdata’ parameter in all versions up to, and including, 5.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-10706 | 2 Cridio Studio, Wordpress | 2 Classifiedpro, Wordpress | 2026-04-15 | 8.8 High |
| The Classified Pro theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'cwp_addons_update_plugin_cb' function in all versions up to, and including, 1.0.14. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the affected site's server which may make remote code execution possible. Note: The required nonce for the vulnerability is in the CubeWP Framework plugin. | ||||
| CVE-2025-69093 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| Missing Authorization vulnerability in wpdesk ShopMagic shopmagic-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ShopMagic: from n/a through <= 4.7.2. | ||||
| CVE-2025-9501 | 1 Wordpress | 2 W3 Total Cache, Wordpress | 2026-04-15 | 9 Critical |
| The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post. | ||||
| CVE-2025-11970 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.4 Medium |
| The Emplibot – AI Content Writer with Keyword Research, Infographics, and Linking | SEO Optimized | Fully Automated plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.9 via the emplibot_call_webhook_with_error() and emplibot_process_zip_data() functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | ||||
| CVE-2024-10786 | 2 10up, Wordpress | 2 Simple Local Avatars, Wordpress | 2026-04-15 | 4.3 Medium |
| The Simple Local Avatars plugin for WordPress is vulnerable to unauthorized modification of datadue to a missing capability check on the sla_clear_user_cache function in all versions up to, and including, 2.7.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear user caches. | ||||
| CVE-2025-13094 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| The WP3D Model Import Viewer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_import_file() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||