Filtered by vendor Wordpress
Subscriptions
Total
11973 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-2723 | 2 Phy9pas, Wordpress | 2 Post Snippits, Wordpress | 2026-03-25 | 6.1 Medium |
| The Post Snippits plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page handlers for saving, adding, and deleting snippets. This makes it possible for unauthenticated attackers to modify plugin settings and inject malicious scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-1397 | 2 Peacefulqode, Wordpress | 2 Pq Addons – Creative Elementor Widgets, Wordpress | 2026-03-25 | 6.4 Medium |
| The PQ Addons – Creative Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on the html_tag parameter in the PQ Section Title widget. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-2837 | 2 Systemsrtk, Wordpress | 2 Ricerca – Advanced Search, Wordpress | 2026-03-25 | 4.4 Medium |
| The Ricerca – advanced search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's settings in all versions up to, and including, 1.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-2121 | 2 Weavertheme, Wordpress | 2 Weaver Show Posts, Wordpress | 2026-03-25 | 4.4 Medium |
| The Weaver Show Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add_class' parameter in all versions up to, and including, 1.8.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This primarily affects multisite installations where Administrators do not have the unfiltered_html capability. | ||||
| CVE-2026-1278 | 2 Ketanmujumdar, Wordpress | 2 Mandatory Field, Wordpress | 2026-03-25 | 4.4 Medium |
| The Mandatory Field plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-4004 | 2 Eoxia, Wordpress | 2 Task Manager, Wordpress | 2026-03-25 | 6.5 Medium |
| The Task Manager plugin for WordPress is vulnerable to arbitrary shortcode execution via the 'search' AJAX action in all versions up to, and including, 3.0.2. This is due to missing capability checks in the callback_search() function and insufficient input validation that allows shortcode syntax (square brackets) to pass through sanitize_text_field() and be concatenated into a do_shortcode() call. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes on the site by injecting shortcode syntax into parameters like 'task_id', 'point_id', 'categories_id', or 'term'. | ||||
| CVE-2026-2501 | 2 Waianaeboy702, Wordpress | 2 Ed's Social Share, Wordpress | 2026-03-25 | 6.4 Medium |
| The Ed's Social Share plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `social_share` shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-1914 | 2 Jeremyshapiro, Wordpress | 2 Fusedesk, Wordpress | 2026-03-25 | 6.4 Medium |
| The FuseDesk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fusedesk_newcase shortcode in all versions up to, and including, 6.8 due to insufficient input sanitization and output escaping on the 'emailtext' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-4022 | 2 Creativedev4, Wordpress | 2 Show Posts List – Easy Designs, Filters And More, Wordpress | 2026-03-25 | 6.4 Medium |
| The Show Posts list – Easy designs, filters and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_type' shortcode attribute in the 'swiftpost-list' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-4662 | 2 Crocoblock, Wordpress | 2 Jetengine, Wordpress | 2026-03-24 | 7.5 High |
| The JetEngine plugin for WordPress is vulnerable to SQL Injection via the `listing_load_more` AJAX action in all versions up to, and including, 3.8.6.1. This is due to the `filtered_query` parameter being excluded from the HMAC signature validation (allowing attacker-controlled input to bypass security checks) combined with the `prepare_where_clause()` method in the SQL Query Builder not sanitizing the `compare` operator before concatenating it into SQL statements. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, provided the site has a JetEngine Listing Grid with Load More enabled that uses a SQL Query Builder query. | ||||
| CVE-2026-4306 | 2 Wordpress, Wpjobportal | 2 Wordpress, Wp Job Portal – Ai-powered Recruitment System For Company Or Job Board Website | 2026-03-24 | 7.5 High |
| The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the 'radius' parameter in all versions up to, and including, 2.4.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2026-32583 | 2 Webnus, Wordpress | 2 Modern Events Calendar, Wordpress | 2026-03-24 | 5.3 Medium |
| Missing Authorization vulnerability in Webnus Inc. Modern Events Calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Modern Events Calendar: from n/a through 7.29.0. | ||||
| CVE-2026-22182 | 2 Gvectors, Wordpress | 2 Wpdiscuz, Wordpress | 2026-03-23 | 7.5 High |
| wpDiscuz before 7.6.47 contains an unauthenticated denial of service vulnerability that allows anonymous users to trigger mass notification emails by exploiting the checkNotificationType() function. Attackers can repeatedly call the wpdiscuz-ajax.php endpoint with arbitrary postId and comment_id parameters to flood subscribers with notifications, as the handler lacks nonce verification, authentication checks, and rate limiting. | ||||
| CVE-2026-22183 | 2 Gvectors, Wordpress | 2 Wpdiscuz, Wordpress | 2026-03-23 | 6.1 Medium |
| wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability in the inline comment preview functionality that allows authenticated users to inject malicious scripts by submitting comments with unescaped content. Attackers with unfiltered_html capabilities can inject JavaScript directly through comment content rendered in the AJAX response from the getLastInlineComments() function in class.WpdiscuzHelperAjax.php without proper HTML escaping. | ||||
| CVE-2026-22193 | 2 Gvectors, Wordpress | 2 Wpdiscuz, Wordpress | 2026-03-23 | 8.1 High |
| wpDiscuz before 7.6.47 contains an SQL injection vulnerability in the getAllSubscriptions() function where string parameters lack proper quote escaping in SQL queries. Attackers can inject malicious SQL code through email, activation_key, subscription_date, and imported_from parameters to manipulate database queries and extract sensitive information. | ||||
| CVE-2026-22201 | 2 Gvectors, Wordpress | 2 Wpdiscuz, Wordpress | 2026-03-23 | 5.3 Medium |
| wpDiscuz before 7.6.47 contains an IP spoofing vulnerability in the getIP() function that allows attackers to bypass IP-based rate limiting and ban enforcement by trusting untrusted HTTP headers. Attackers can set HTTP_CLIENT_IP or HTTP_X_FORWARDED_FOR headers to spoof their IP address and circumvent security controls. | ||||
| CVE-2026-22202 | 2 Gvectors, Wordpress | 2 Wpdiscuz, Wordpress | 2026-03-23 | 8.1 High |
| wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments associated with an email address by crafting a malicious GET request with a valid HMAC key. Attackers can embed the deletecomments action URL in image tags or other resources to trigger permanent deletion of comments without user confirmation or POST-based CSRF protection. | ||||
| CVE-2026-22203 | 2 Gvectors, Wordpress | 2 Wpdiscuz, Wordpress | 2026-03-23 | 4.9 Medium |
| wpDiscuz before 7.6.47 contains an information disclosure vulnerability that allows administrators to inadvertently expose OAuth secrets by exporting plugin options as JSON. Attackers can obtain exported files containing plaintext API secrets like fbAppSecret, googleClientSecret, twitterAppSecret, and other social login credentials from support tickets, backups, or version control repositories. | ||||
| CVE-2026-22204 | 2 Gvectors, Wordpress | 2 Wpdiscuz, Wordpress | 2026-03-23 | 3.7 Low |
| wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the comment_author_email cookie. Attackers can craft a malicious cookie value that, when processed through urldecode() and passed to wp_mail() functions, enables header injection to alter email recipients or inject additional headers. | ||||
| CVE-2026-22210 | 2 Gvectors, Wordpress | 2 Wpdiscuz, Wordpress | 2026-03-23 | 4.4 Medium |
| wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through unescaped attachment URLs in HTML output by exploiting the WpdiscuzHelperUpload class. Attackers can craft malicious attachment records or filter hooks to inject arbitrary JavaScript into img and anchor tag attributes, executing code in the context of WordPress users viewing comments. | ||||