Filtered by vendor Wordpress
Subscriptions
Filtered by product Wordpress
Subscriptions
Total
13693 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-11438 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The StreamWeasels Online Status Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sw-status-bar' shortcode in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-11435 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The salavat counter Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 0.9.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-11432 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The SuevaFree Essential Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'counter' shortcode in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-11767 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The NewsmanApp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'newsman_subscribe_widget' shortcode in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-11428 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Lazy load videos and sticky control plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lazy-load-videos-and-sticky-control' shortcode in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-62007 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| Incorrect Privilege Assignment vulnerability in bPlugins Voice Feedback voice-feedback allows Privilege Escalation.This issue affects Voice Feedback: from n/a through <= 1.0.3. | ||||
| CVE-2025-9209 | 2 Magnigenie, Wordpress | 2 Restropress, Wordpress | 2026-04-15 | 9.8 Critical |
| The RestroPress – Online Food Ordering System plugin for WordPress is vulnerable to Authentication Bypass in versions 3.0.0 to 3.1.9.2. This is due to the plugin exposing user private tokens and API data via the /wp-json/wp/v2/users REST API endpoint. This makes it possible for unauthenticated attackers to forge JWT tokens for other users, including administrators, and authenticate as them. | ||||
| CVE-2025-60045 | 2 Themeatelier, Wordpress | 2 Idonate, Wordpress | 2026-04-15 | 7.5 High |
| Missing Authorization vulnerability in ThemeAtelier IDonatePro idonate-pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects IDonatePro: from n/a through <= 2.1.11. | ||||
| CVE-2025-62024 | 2 Jonathanjernigan, Wordpress | 2 Pie Calendar, Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jonathan Jernigan Pie Calendar pie-calendar.This issue affects Pie Calendar: from n/a through <= 1.2.9. | ||||
| CVE-2025-62027 | 2 Stellarwp, Wordpress | 2 Event Tickets, Wordpress | 2026-04-15 | 5.4 Medium |
| Missing Authorization vulnerability in StellarWP Event Tickets event-tickets.This issue affects Event Tickets: from n/a through <= 5.26.3. | ||||
| CVE-2025-62029 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themesion Grevo grevo.This issue affects Grevo: from n/a through <= 2.4. | ||||
| CVE-2025-62042 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bastien Ho Event post event-post.This issue affects Event post: from n/a through <= 5.10.3. | ||||
| CVE-2025-5983 | 2 Msykes, Wordpress | 2 Meta Tag Manager, Wordpress | 2026-04-15 | 6.5 Medium |
| The Meta Tag Manager WordPress plugin before 3.3 does not restrict which roles can create http-equiv refresh meta tags. | ||||
| CVE-2025-60087 | 2 Nenad-obradovic, Wordpress | 2 Extensive Vc Addons For Wpbakery Page Builder, Wordpress | 2026-04-15 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nenad Obradovic Extensive VC Addons for WPBakery page builder extensive-vc-addon allows PHP Local File Inclusion.This issue affects Extensive VC Addons for WPBakery page builder: from n/a through <= 1.9.1. | ||||
| CVE-2025-62058 | 2 Favethemes, Wordpress | 2 Houzez, Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez Theme - Functionality houzez-theme-functionality.This issue affects Houzez Theme - Functionality: from n/a through < 4.2.0. | ||||
| CVE-2025-62063 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Travel WP Travel Gutenberg Blocks wp-travel-blocks.This issue affects WP Travel Gutenberg Blocks: from n/a through <= 3.9.2. | ||||
| CVE-2025-69077 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hobo hobo allows PHP Local File Inclusion.This issue affects Hobo: from n/a through <= 1.0.10. | ||||
| CVE-2024-3671 | 2 Baden03, Wordpress | 2 Print-o-matic, Wordpress | 2026-04-15 | 6.4 Medium |
| The Print-O-Matic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'print-me' shortcode in all versions up to, and including, 2.1.10 due to insufficient input sanitization and output escaping on user supplied attributes such as 'tag'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-60221 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in captivateaudio Captivate Sync captivatesync-trade allows Object Injection.This issue affects Captivate Sync: from n/a through <= 3.0.3. | ||||
| CVE-2025-59550 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in designervily Xcare xcare allows PHP Local File Inclusion.This issue affects Xcare: from n/a through < 6.5. | ||||