Filtered by vendor: Wordpress
Filtered by product: Wordpress
Total: 13590 CVE

| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-49105 | 2 Crmperks, Wordpress | 2 Wp Zendesk For Contact Form 7, Wpforms, Elementor, Formidable And Ninja Forms, Wordpress | 2026-06-16 | 9.8 Critical |
| Unauthenticated PHP Object Injection in WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions. | ||||
| CVE-2026-52693 | 2 Implecode, Wordpress | 2 Ecommerce Product Catalog, Wordpress | 2026-06-16 | 9.3 Critical |
| Unauthenticated SQL Injection in eCommerce Product Catalog <= 3.5.5 versions. | ||||
| CVE-2026-40767 | 2 Tomdever, Wordpress | 2 Wpforo Forum, Wordpress | 2026-06-16 | 7.5 High |
| Unauthenticated Broken Access Control in wpForo Forum < 3.0.2 versions. | ||||
| CVE-2026-48965 | 2 Watchful, Wordpress | 2 Xcloner, Wordpress | 2026-06-16 | 6.5 Medium |
| Subscriber Sensitive Data Exposure in XCloner <= 4.8.6 versions. | ||||
| CVE-2026-49764 | 2 Metagauss, Wordpress | 2 Registrationmagic, Wordpress | 2026-06-16 | 9.8 Critical |
| Unauthenticated Broken Authentication in RegistrationMagic <= 6.0.8.6 versions. | ||||
| CVE-2026-49773 | 2 Foliovision, Wordpress | 2 Fv Flowplayer Video Player, Wordpress | 2026-06-16 | 6.5 Medium |
| Subscriber Cross Site Scripting (XSS) in FV Flowplayer Video Player < 7.5.51.7212 versions. | ||||
| CVE-2019-25746 | 2 Slicedinvoices, Wordpress | 2 Sliced Invoices, Wordpress | 2026-06-16 | 7.1 High |
| WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Attackers can send requests to the admin.php endpoint with action=duplicate_quote_invoice and malicious 'post' values to extract sensitive database information or modify data. | ||||
| CVE-2026-34902 | 2 Wcproducttable, Wordpress | 2 Woocommerce Product Table Lite, Wordpress | 2026-06-16 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in WooCommerce Product Table Lite <= 4.6.3 versions. | ||||
| CVE-2026-39471 | 2 Shortpixel, Wordpress | 2 Shortpixel Image Optimizer, Wordpress | 2026-06-16 | 7.2 High |
| Author PHP Object Injection in ShortPixel Image Optimizer <= 6.4.3 versions. | ||||
| CVE-2026-39489 | 2 Wordpress, Wpchill | 2 Wordpress, Download Monitor | 2026-06-16 | 4.4 Medium |
| Author Arbitrary File Download in Download Monitor <= 5.1.9 versions. | ||||
| CVE-2026-39514 | 2 Cozmoslabs, Wordpress | 2 Paid Member Subscriptions, Wordpress | 2026-06-16 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Paid Member Subscriptions <= 2.17.3 versions. | ||||
| CVE-2026-39579 | 2 Bplugins, Wordpress | 2 B Blocks, Wordpress | 2026-06-16 | 8.8 High |
| Contributor Privilege Escalation in B Blocks <= 2.0.31 versions. | ||||
| CVE-2026-40727 | 2 Groundhogg, Wordpress | 2 Groundhogg, Wordpress | 2026-06-16 | 7.7 High |
| Sales Representative Arbitrary File Deletion in Groundhogg <= 4.4 versions. | ||||
| CVE-2026-40774 | 2 Saasproject, Wordpress | 2 Booking Package, Wordpress | 2026-06-16 | 7.5 High |
| Unauthenticated Broken Access Control in Booking Package <= 1.7.06 versions. | ||||
| CVE-2026-48883 | 2 Wordpress, Wpclever | 2 Wordpress, Wpc Product Bundles For Woocommerce | 2026-06-16 | 7.5 High |
| Unauthenticated Broken Access Control in WPC Product Bundles for WooCommerce <= 8.5.3 versions. | ||||
| CVE-2026-52704 | 2 Edgarrojas, Wordpress | 2 Woocommerce Pdf Invoice Builder, Wordpress | 2026-06-16 | 10 Critical |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Edgar Rojas WooCommerce PDF Invoice Builder allows Remote Code Inclusion. This issue affects WooCommerce PDF Invoice Builder: from n/a through 2.0.8. | ||||
| CVE-2026-48874 | 2 Gamipress, Wordpress | 2 Gamipress, Wordpress | 2026-06-16 | 8.5 High |
| Subscriber SQL Injection in GamiPress <= 7.8.7 versions. | ||||
| CVE-2026-3297 | 2 Softaculous, Wordpress | 2 Page Builder: Pagelayer – Drag And Drop Website Builder, Wordpress | 2026-06-15 | 6.4 Medium |
| The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Anchor block in versions up to, and including, 2.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-1291 | 2 Tigroumeow, Wordpress | 2 Meow Gallery, Wordpress | 2026-06-15 | 4.3 Medium |
| The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4. This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own. | ||||
| CVE-2026-9109 | 2 John-dagelmore, Wordpress | 2 Gptranslate – Multilingual Ai Translation For Wordpress: Automatically Translate Websites, Wordpress | 2026-06-15 | 7.2 High |
| The GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API Translation Storage in all versions up to, and including, 2.31 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The deterministically derived API key (sha256 of the site URL) is printed in the HTML source of every page via the JavaScript variable gptApiKey, meaning any unauthenticated visitor can retrieve the key and submit malicious translation payloads to the /wp-json/gptranslate/v1/request endpoint without any additional precondition. | ||||