Filtered by vendor Wordpress
Subscriptions
Total
11005 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-68003 | 1 Wordpress | 1 Wordpress | 2026-01-29 | 6.5 Medium |
| Missing Authorization vulnerability in renatoatshown Shown Connector shown-connector allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shown Connector: from n/a through <= 1.2.10. | ||||
| CVE-2025-67957 | 2 Tangiblewp, Wordpress | 2 Listivo, Wordpress | 2026-01-29 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP Listivo Core listivo-core allows PHP Local File Inclusion.This issue affects Listivo Core: from n/a through <= 2.3.77. | ||||
| CVE-2025-67956 | 2 Wordpress, Wpeverest | 2 Wordpress, User Registration | 2026-01-29 | 8.2 High |
| Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Registration: from n/a through <= 4.4.6. | ||||
| CVE-2025-67955 | 1 Wordpress | 1 Wordpress | 2026-01-29 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP MyHome Core myhome-core allows PHP Local File Inclusion.This issue affects MyHome Core: from n/a through <= 4.1.0. | ||||
| CVE-2025-67954 | 1 Wordpress | 1 Wordpress | 2026-01-29 | 6.5 Medium |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Retrieve Embedded Sensitive Data.This issue affects Salon booking system: from n/a through <= 10.30.3. | ||||
| CVE-2025-67953 | 1 Wordpress | 1 Wordpress | 2026-01-29 | 8.1 High |
| Incorrect Privilege Assignment vulnerability in Booking Activities Team Booking Activities booking-activities allows Privilege Escalation.This issue affects Booking Activities: from n/a through <= 1.16.44. | ||||
| CVE-2025-64258 | 2 Wordpress, Wpwebelite | 2 Wordpress, Follow My Blog Post | 2026-01-29 | 7.5 High |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in wpweb Follow My Blog Post follow-my-blog-post allows Retrieve Embedded Sensitive Data.This issue affects Follow My Blog Post: from n/a through <= 2.3.9. | ||||
| CVE-2025-66532 | 3 Mikado-themes, Qodeinteractive, Wordpress | 3 Powerlift, Powerlift, Wordpress | 2026-01-29 | 8.8 High |
| Missing Authorization vulnerability in Mikado-Themes Powerlift powerlift allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Powerlift: from n/a through < 3.2.1. | ||||
| CVE-2025-67515 | 3 Mikado-themes, Qodeinteractive, Wordpress | 3 Wilmer, Wilmer, Wordpress | 2026-01-29 | 9.8 Critical |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wilmër wilmer allows PHP Local File Inclusion.This issue affects Wilmër: from n/a through < 3.5. | ||||
| CVE-2025-69072 | 2 Ancorathemes, Wordpress | 2 Prider, Wordpress | 2026-01-29 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Prider prider allows PHP Local File Inclusion.This issue affects Prider: from n/a through <= 1.1.3.1. | ||||
| CVE-2025-39490 | 2 Qodeinteractive, Wordpress | 2 Backpack Traveler, Wordpress | 2026-01-29 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Backpack Traveler allows PHP Local File Inclusion. This issue affects Backpack Traveler: from n/a through 2.7. | ||||
| CVE-2025-69092 | 2 Wordpress, Wpdeveloper | 2 Wordpress, Essential Addons For Elementor | 2026-01-29 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite allows DOM-Based XSS.This issue affects Essential Addons for Elementor: from n/a through <= 6.5.3. | ||||
| CVE-2025-69034 | 3 Mikado-themes, Qodeinteractive, Wordpress | 3 Lekker, Lekker, Wordpress | 2026-01-29 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Lekker lekker allows PHP Local File Inclusion.This issue affects Lekker: from n/a through <= 1.8. | ||||
| CVE-2025-8072 | 2 Nebojsadabic, Wordpress | 2 Target Video Easy Publish, Wordpress | 2026-01-29 | 6.4 Medium |
| The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘placeholder_img’ parameter in all versions up to, and including, 3.8.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-1398 | 1 Wordpress | 1 Wordpress | 2026-01-29 | 4.3 Medium |
| The Change WP URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'change-wp-url' page. This makes it possible for unauthenticated attackers to change the WP Login URL via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-1391 | 1 Wordpress | 1 Wordpress | 2026-01-29 | 5.3 Medium |
| The Vzaar Media Management plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on the $_SERVER['PHP_SELF'] variable. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2026-1389 | 2 Bplugins, Wordpress | 2 Document Embedder, Wordpress | 2026-01-29 | 5.3 Medium |
| The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the 'bplde_save_document_library', 'bplde_get_single', and 'bplde_delete_document_library' AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the 'id' parameter. | ||||
| CVE-2026-1381 | 3 Woocommerce, Wordpress, Wpcodefactory | 3 Woocommerce, Wordpress, Order Minimum/maximum Amount Limits For Woocommerce | 2026-01-29 | 4.4 Medium |
| The Order Minimum/Maximum Amount Limits for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-1054 | 2 Metagauss, Wordpress | 2 Registrationmagic, Wordpress | 2026-01-29 | 5.3 Medium |
| The RegistrationMagic plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 6.0.7.4. This is due to missing nonce verification and capability checks on the rm_set_otp AJAX action handler. This makes it possible for unauthenticated attackers to modify arbitrary plugin settings, including reCAPTCHA keys, security settings, and frontend menu titles. | ||||
| CVE-2026-1083 | 2 Codepeople, Wordpress | 2 Appointment Booking Calendar, Wordpress | 2026-01-29 | 4.4 Medium |
| The Appointment Hour Booking – Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form field configuration parameters in all versions up to, and including, 1.5.60 due to insufficient input sanitization and output escaping on the 'Min length/characters' and 'Max length/characters' field configuration values. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the form builder interface. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||