Wordpress CVEs and Security Vulnerabilities

Filtered by vendor Wordpress Subscriptions

Filtered by product Wordpress Subscriptions

Search

Switch to Advanced Search (Beta)

Total 8221 CVE

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2025-12885	2 Awsm, Wordpress	2 Embed Any Document, Wordpress	2025-12-18	6.4 Medium
The Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sanitize_pdf_src function regex bypass in all versions up to, and including, 2.7.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-67573	1 Wordpress	1 Wordpress	2025-12-17	5.3 Medium
Missing Authorization vulnerability in ThimPress Sailing sailing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sailing: from n/a through < 4.4.6.
CVE-2025-66115	1 Wordpress	1 Wordpress	2025-12-17	6.6 Medium
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in MatrixAddons Easy Invoice easy-invoice allows PHP Local File Inclusion.This issue affects Easy Invoice: from n/a through <= 2.1.4.
CVE-2025-64248	2 Emarketdesign, Wordpress	2 Request A Quote, Wordpress	2025-12-17	4.3 Medium
Missing Authorization vulnerability in emarket-design Request a Quote request-a-quote allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Request a Quote: from n/a through <= 2.5.3.
CVE-2025-67983	2 Osama.esh, Wordpress	2 Wp Visitor Statistics (real Time Traffic), Wordpress	2025-12-17	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in osama.esh WP Visitor Statistics (Real Time Traffic) wp-stats-manager allows DOM-Based XSS.This issue affects WP Visitor Statistics (Real Time Traffic): from n/a through <= 8.3.
CVE-2025-64253	1 Wordpress	2 Health Check & Troubleshooting, Wordpress	2025-12-17	4.9 Medium
Path Traversal: '.../...//' vulnerability in WordPress.org Health Check & Troubleshooting health-check allows Path Traversal.This issue affects Health Check & Troubleshooting: from n/a through <= 1.7.1.
CVE-2025-68082	1 Wordpress	1 Wordpress	2025-12-17	5.4 Medium
Cross-Site Request Forgery (CSRF) vulnerability in SEMrush CY LTD Semrush Content Toolkit semrush-contentshake allows Cross Site Request Forgery.This issue affects Semrush Content Toolkit: from n/a through <= 1.1.32.
CVE-2025-67999	2 Stefanno Lissa, Wordpress	2 Newsletter, Wordpress	2025-12-17	7.6 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stefano Lissa Newsletter newsletter allows Blind SQL Injection.This issue affects Newsletter: from n/a through <= 9.0.9.
CVE-2025-67989	1 Wordpress	1 Wordpress	2025-12-17	5.4 Medium
Server-Side Request Forgery (SSRF) vulnerability in LMPixels Kerge kerge allows Server Side Request Forgery.This issue affects Kerge: from n/a through <= 4.1.3.
CVE-2025-67976	1 Wordpress	1 Wordpress	2025-12-17	6.5 Medium
Missing Authorization vulnerability in Bob Watu Quiz watu allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Watu Quiz: from n/a through <= 3.4.5.
CVE-2025-66132	1 Wordpress	1 Wordpress	2025-12-17	6.5 Medium
Authorization Bypass Through User-Controlled Key vulnerability in FAPI Business s.r.o. FAPI Member fapi-member allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FAPI Member: from n/a through <= 2.2.26.
CVE-2025-64631	2 Wclovers, Wordpress	2 Wcfm Marketplace, Wordpress	2025-12-17	5 Medium
Missing Authorization vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WCFM Marketplace: from n/a through <= 3.6.15.
CVE-2025-64241	1 Wordpress	1 Wordpress	2025-12-17	4.3 Medium
Missing Authorization vulnerability in Imtiaz Rayhan WP Coupons and Deals wp-coupons-and-deals allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Coupons and Deals: from n/a through <= 3.2.4.
CVE-2025-12189	2 Breadbutter, Wordpress	2 Bread And Butter, Wordpress	2025-12-17	4.3 Medium
The Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.10.1321. This is due to missing or incorrect nonce validation on the uploadImage() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2025-68084	2 Nitesh Singh, Wordpress	2 Ultimate Wordpress Auction Plugin, Wordpress	2025-12-17	5.4 Medium
Missing Authorization vulnerability in Nitesh Ultimate Auction ultimate-auction allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Auction : from n/a through <= 4.3.2.
CVE-2025-68078	2 Themenectar, Wordpress	2 Salient Core, Wordpress	2025-12-17	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNectar Salient Portfolio salient-portfolio allows Stored XSS.This issue affects Salient Portfolio: from n/a through <= 1.8.2.
CVE-2025-68070	2 Vektor, Wordpress	2 Vk Google Job Posting Manager, Wordpress	2025-12-17	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vektor,Inc. VK Google Job Posting Manager vk-google-job-posting-manager allows Stored XSS.This issue affects VK Google Job Posting Manager: from n/a through <= 1.2.21.
CVE-2025-67929	2 Templateinvaders, Wordpress	2 Ti Woocommerce Wishlist, Wordpress	2025-12-17	5.3 Medium
Missing Authorization vulnerability in templateinvaders TI WooCommerce Wishlist ti-woocommerce-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TI WooCommerce Wishlist: from n/a through <= 2.10.0.
CVE-2025-66133	2 Wordpress, Wp Legal Pages	2 Wordpress, Wp Cookie Notice	2025-12-17	5.3 Medium
Missing Authorization vulnerability in WP Legal Pages WP Cookie Notice for GDPR, CCPA & ePrivacy Consent gdpr-cookie-consent allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Cookie Notice for GDPR, CCPA & ePrivacy Consent: from n/a through <= 4.0.7.
CVE-2025-64635	1 Wordpress	1 Wordpress	2025-12-17	5.4 Medium
Missing Authorization vulnerability in Syed Balkhi Feeds for YouTube feeds-for-youtube allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Feeds for YouTube: from n/a through <= 2.4.0.

« first previous Page 14 of 412. next last »