Filtered by vendor Wordpress
Subscriptions
Filtered by product Wordpress
Subscriptions
Total
13486 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-4110 | 2 Ultimate-woocommerce-auction-pro, Wordpress | 2 Ultimate-woocommerce-auction-pro, Wordpress | 2026-06-24 | 6.1 Medium |
| The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2026-4259 | 2 Ultimate-woocommerce-auction-pro, Wordpress | 2 Ultimate-woocommerce-auction-pro, Wordpress | 2026-06-24 | 7.1 High |
| The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2026-7859 | 2 Motors, Wordpress | 2 Motors, Wordpress | 2026-06-24 | 5.3 Medium |
| The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image and, on WooCommerce sites, product prices. | ||||
| CVE-2026-8157 | 2 Vitepos, Wordpress | 2 Vitepos, Wordpress | 2026-06-24 | 8.8 High |
| The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new users via one of its REST API endpoints, allowing authenticated users with a custom Vitepos WordPress plugin before 3.4.2 role to escalate privileges to administrator. | ||||
| CVE-2026-12242 | 2 Adegans, Wordpress | 2 Adrotate Banner Manager, Wordpress | 2026-06-24 | 8.8 High |
| The AdRotate Banner Manager plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 5.17.7 via the 'banner' attribute of the adrotate shortcode. This is due to insufficient input validation and sanitization of the banner shortcode attribute before concatenation into a PHP code string wrapped in W3 Total Cache mfunc or Borlabs Cache fragment markers. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server. This vulnerability requires W3 Total Cache or Borlabs Cache support to be enabled in AdRotate settings. | ||||
| CVE-2026-10779 | 2 Techlabpro1, Wordpress | 2 Classified Listing – Ai-powered Classified Ads & Business Directory Plugin, Wordpress | 2026-06-24 | 4.3 Medium |
| The Classified Listing – Classified ads & Business Directory plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.4.2. This is due to a missing capability/ownership check on the gallery_image_update_as_feature AJAX handler (action: rtcl_fb_gallery_image_update_as_feature), which accepts a user-supplied listing ID and attachment ID and sets the featured image of a listing while only validating a nonce that is exposed to any logged-in user on the frontend listing-submission form. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the featured image of arbitrary listings they do not own. | ||||
| CVE-2026-8713 | 2 Themefusion, Wordpress | 2 Fusion Builder, Wordpress | 2026-06-24 | 9.1 Critical |
| The Avada (Fusion) Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybe_delete_files function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The attack requires a published Avada form configured to save entries to the database; an unauthenticated attacker submits a path-traversal payload via the wp_ajax_nopriv_fusion_form_submit_ajax handler while also controlling the fusion_privacy_expiration_interval and privacy_expiration_action fields to force an immediate 'delete' cleanup, causing the planted entry to be automatically processed by the Fusion_Form_DB_Privacy shutdown-hook routine without any administrator interaction. | ||||
| CVE-2026-10034 | 2 Legalweb, Wordpress | 2 Wp Dsgvo Tools, Wordpress | 2026-06-24 | 5.3 Medium |
| The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.39. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to supply an arbitrary victim email address and trigger immediate SAR processing via the process_now and is_ajax parameters, receiving tokenized download links (zip_link, pdf_link) in the HTTP response that expose the victim's personal data — including WordPress account details, comment author names, email addresses, IP addresses, and comment content — without any proof of ownership. The nonce used for the CSRF check is publicly rendered by the SAR shortcode form and is shared across all anonymous visitors, meaning any unauthenticated attacker can trivially obtain a valid nonce and bypass this gate entirely. | ||||
| CVE-2026-12430 | 2 Creativethemes, Wordpress | 2 Blocksy Companion, Wordpress | 2026-06-24 | 4.4 Medium |
| The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-11551 | 2 Wordpress, Wpmudev | 2 Wordpress, Branda White Label Wordpress Custom Login Page Customizer | 2026-06-24 | 9.8 Critical |
| The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. | ||||
| CVE-2020-37255 | 2 Wordpress, Wptimecapsule | 2 Wordpress, Wp Time Capsule | 2026-06-24 | 7.5 High |
| WordPress Time Capsule Plugin 1.21.16 contains an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by sending a crafted POST request with the IWP_JSON_PREFIX header. Attackers can exploit this flaw to obtain valid administrator session cookies and access the WordPress dashboard without providing credentials. | ||||
| CVE-2026-6858 | 2 Transbank, Wordpress | 2 Transbank Webpay Rest, Wordpress | 2026-06-24 | 7.1 High |
| The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthenticated users to perform Stored XSS attacks against logged in administrator | ||||
| CVE-2026-7761 | 2 Ultimatemember, Wordpress | 2 Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin, Wordpress | 2026-06-24 | 8.8 High |
| The Ultimate Member plugin for WordPress is vulnerable to Account Takeover via Password Reset Link Disclosure in all versions up to and including 2.11.4. This is due to a chain of three logic bugs: (1) an MD5 hash fallback in get_directory_by_hash() that allows any post to be used as a member directory by computing SUBSTRING(MD5(post_id), 11, 5), (2) a strstr() parsing logic flaw in post_data() that allows bypassing WordPress's protected meta key restrictions by placing '_um_' anywhere in the meta key name rather than at the start, and (3) missing field name validation in build_user_card_data() that allows arbitrary field names including 'password_reset_link' to be passed to um_filtered_value(). This makes it possible for authenticated attackers with Contributor-level access and above to create a malicious post via XMLRPC with crafted meta fields, use the MD5 fallback to point the member directory AJAX handler to their post, inject 'password_reset_link' into the tagline_fields configuration, and leak live password reset URLs for all users in the member directory response, including administrators. | ||||
| CVE-2026-8690 | 2 Rentmy, Wordpress | 2 Rentmy Real-time Rental Management Plugin, Wordpress | 2026-06-24 | 5.3 Medium |
| The RentMy Real-Time Rental Management Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.4.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to read, create, update, and delete event records stored in the rentmy_events WordPress option, as well as overwrite the rentmy_locationId option. | ||||
| CVE-2026-12238 | 2 Wordpress, Wpgmaps | 2 Wordpress, Wp Go Maps – Google Map, Openstreetmap, Leaflet Map | 2026-06-24 | 5.3 Medium |
| The WP Go Maps – Most Popular Map Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 10.1.01. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to create arbitrary records in plugin database tables (maps, markers, circles, polygons, polylines, rectangles, and point labels) by supplying a WPGMZA-namespaced CRUD-backed class name via the phpClass parameter. The namespace validation check (requiring the 'WPGMZA' prefix) does not prevent exploitation because classes such as WPGMZA\Map and WPGMZA\Marker satisfy it while still triggering an INSERT into the corresponding plugin table before the route rejects the request. | ||||
| CVE-2026-9616 | 2 Verenigingvanregistrars, Wordpress | 2 Generate Security.txt, Wordpress | 2026-06-24 | 4.3 Medium |
| The Generate Security.txt plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.12. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete the site's security.txt file from the server filesystem or create the .well-known directory by directly invoking the delete_securitytxt or create_wellknown_folder AJAX actions. | ||||
| CVE-2026-12095 | 2 Bytuncay, Wordpress | 2 Kargo Takip, Wordpress | 2026-06-24 | 7.2 High |
| The Kargo Takip plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2 via the 'api_url' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The script echoes internal API response data (specifically the value of any 'auth' key in a JSON response body) verbatim back to the attacker's browser, enabling direct exfiltration of responses from internal services such as cloud instance metadata endpoints. | ||||
| CVE-2026-7617 | 2 Secufor, Wordpress | 2 Secufor Oauth, Wordpress | 2026-06-24 | 5.3 Medium |
| The Secufor_OAuth plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to disconnect the WordPress site from its linked Secufor account by clearing the plugin's stored login token and user login configuration. | ||||
| CVE-2026-9175 | 2 Ajitdas, Wordpress | 2 Devs Accounting – Simple Accounting And Invoicing Solution, Wordpress | 2026-06-24 | 5.3 Medium |
| The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.0. This is due to the get_single_account() REST API callback being registered with a permission_callback that unconditionally returns true, providing no authentication or authorization checks on the /devs-accounting/v1/get-account/<id> endpoint. This makes it possible for unauthenticated attackers to read arbitrary private financial account records (including account name, bank name, and opening balance) by enumerating the numeric account ID, resulting in sensitive information disclosure. | ||||
| CVE-2026-10091 | 2 Cgarvey, Wordpress | 2 Email Javascript Cloak, Wordpress | 2026-06-24 | 7.2 High |
| The Email JavaScript Cloak plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'email' shortcode in all versions up to, and including, 1.03 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||