Wordpress CVEs and Security Vulnerabilities

Filtered by vendor Wordpress Subscriptions

Filtered by product Wordpress Subscriptions

Search

Switch to Advanced Search (Beta)

Total 11882 CVE

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2025-53247	1 Wordpress	1 Wordpress	2026-04-15	N/A
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpinterface BlogMarks blogmarks allows PHP Local File Inclusion.This issue affects BlogMarks: from n/a through <= 1.0.8.
CVE-2025-53248	1 Wordpress	1 Wordpress	2026-04-15	N/A
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in unfoldwp Magazine eximious-magazine allows PHP Local File Inclusion.This issue affects Magazine: from n/a through <= 1.2.2.
CVE-2025-53264	1 Wordpress	1 Wordpress	2026-04-15	N/A
Cross-Site Request Forgery (CSRF) vulnerability in Konrád Koller ONet Regenerate Thumbnails onet-regenerate-thumbnails allows Cross Site Request Forgery.This issue affects ONet Regenerate Thumbnails: from n/a through <= 1.5.
CVE-2025-53266	1 Wordpress	1 Wordpress	2026-04-15	N/A
Missing Authorization vulnerability in EdwardBock Cron Logger cron-logger allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cron Logger: from n/a through <= 1.3.0.
CVE-2025-53290	1 Wordpress	1 Wordpress	2026-04-15	N/A
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MS WP Visual Sitemap wp-visual-sitemap allows Stored XSS.This issue affects WP Visual Sitemap: from n/a through <= 1.0.2.
CVE-2024-10552	1 Wordpress	1 Wordpress	2026-04-15	6.4 Medium
The Flexmls® IDX Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘api_key’ and 'api_secret' parameters in all versions up to, and including, 3.14.26 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 3.14.25.
CVE-2025-53293	1 Wordpress	1 Wordpress	2026-04-15	N/A
Missing Authorization vulnerability in Morten Dalgaard Johansen Dashboard Widget Sidebar dashboard-widget-sidebar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Dashboard Widget Sidebar: from n/a through <= 1.2.3.
CVE-2025-53298	1 Wordpress	1 Wordpress	2026-04-15	N/A
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gioni Plugin Inspector plugin-inspector allows Path Traversal.This issue affects Plugin Inspector: from n/a through <= 1.5.
CVE-2025-53299	1 Wordpress	1 Wordpress	2026-04-15	N/A
Deserialization of Untrusted Data vulnerability in ThemeMakers ThemeMakers Visual Content Composer tmm_content_composer allows Object Injection.This issue affects ThemeMakers Visual Content Composer: from n/a through <= 1.5.8.
CVE-2024-12023	1 Wordpress	1 Wordpress	2026-04-15	6.5 Medium
The FULL – Cliente plugin for WordPress is vulnerable to SQL Injection via the 'formId' parameter in all versions 3.1.5 to 3.1.25 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable when the PRO version of the plugin is activated, along with Elementor Pro and Elementor CRM.
CVE-2025-53301	1 Wordpress	1 Wordpress	2026-04-15	N/A
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Theme Junkie Theme Junkie Team Content theme-junkie-team-content allows DOM-Based XSS.This issue affects Theme Junkie Team Content: from n/a through <= 0.1.1.
CVE-2025-13835	2 Tychesoftwares, Wordpress	2 Arconix Shortcodes, Wordpress	2026-04-15	N/A
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tychesoftwares Arconix Shortcodes arconix-shortcodes allows Stored XSS.This issue affects Arconix Shortcodes: from n/a through <= 2.1.20.
CVE-2025-53303	2 Thememove, Wordpress	2 Core, Wordpress	2026-04-15	N/A
Deserialization of Untrusted Data vulnerability in ThemeMove ThemeMove Core thememove-core allows Object Injection.This issue affects ThemeMove Core: from n/a through <= 1.4.2.
CVE-2025-53311	2 Amol Nirmala Waman, Wordpress	2 Navayan Subscribe Plugin, Wordpress	2026-04-15	N/A
Cross-Site Request Forgery (CSRF) vulnerability in Amol Nirmala Waman Navayan Subscribe navayan-subscribe allows Stored XSS.This issue affects Navayan Subscribe: from n/a through <= 1.13.
CVE-2025-53315	2 Alanft, Wordpress	2 Relocate-upload, Wordpress	2026-04-15	N/A
Cross-Site Request Forgery (CSRF) vulnerability in alanft Relocate Upload relocate-upload allows Stored XSS.This issue affects Relocate Upload: from n/a through <= 0.24.1.
CVE-2025-53317	1 Wordpress	1 Wordpress	2026-04-15	N/A
Cross-Site Request Forgery (CSRF) vulnerability in AcmeeDesign WPShapere - WordPress admin theme wpshapere-lite allows Stored XSS.This issue affects WPShapere - WordPress admin theme: from n/a through <= 1.4.1.
CVE-2025-53321	1 Wordpress	1 Wordpress	2026-04-15	N/A
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Raise The Money Raise The Money raise-the-money allows DOM-Based XSS.This issue affects Raise The Money: from n/a through <= 5.2.
CVE-2025-53341	2 Themovation, Wordpress	2 Stratus, Wordpress	2026-04-15	N/A
Missing Authorization vulnerability in Themovation App, SaaS & Software Startup Tech Theme - Stratus stratusx allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects App, SaaS & Software Startup Tech Theme - Stratus: from n/a through <= 4.2.5.
CVE-2025-53347	2 Laborator, Wordpress	2 Kalium, Wordpress	2026-04-15	N/A
Cross-Site Request Forgery (CSRF) vulnerability in Laborator Kalium kalium allows Cross Site Request Forgery.This issue affects Kalium: from n/a through <= 3.18.3.
CVE-2024-30421	2 Pixelite, Wordpress	2 Events Manager, Wordpress	2026-04-15	4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in Pixelite Events Manager.This issue affects Events Manager: from n/a through 6.4.7.1.

« first previous Page 357 of 595. next last »