Filtered by vendor Wordpress
Subscriptions
Filtered by product Wordpress
Subscriptions
Total
12074 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-45215 | 2 Saad Iqbal, Wordpress | 2 Wp Easypay, Wordpress | 2026-05-12 | 5.3 Medium |
| Insertion of Sensitive Information Into Sent Data vulnerability in Saad Iqbal WP EasyPay wp-easy-pay allows Retrieve Embedded Sensitive Data.This issue affects WP EasyPay: from n/a through <= 4.3.0. | ||||
| CVE-2026-39432 | 2 Arraytics, Wordpress | 2 Timetics, Wordpress | 2026-05-12 | 8.2 High |
| Missing Authorization vulnerability in Arraytics Timetics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Timetics: from n/a through 1.0.53. | ||||
| CVE-2026-4663 | 2 Ipospays, Wordpress | 2 Ipospays Gateways Wc, Wordpress | 2026-05-12 | 5.3 Medium |
| The iPOSpays Gateways WC plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.3.7. This is due to the plugin exposing a REST API endpoint /wp-json/ipospays/v1/save_settings with 'permission_callback' set to '__return_true', which allows unauthenticated access without any capability checks or nonce verification. This makes it possible for unauthenticated attackers to update plugin settings, specifically allowing them to overwrite critical payment gateway settings including live API keys, secret keys, and payment tokens stored in the 'woocommerce_ipospays_settings' option. | ||||
| CVE-2026-4859 | 2 Softpulse Infotech, Wordpress | 2 Sp Blog Designer, Wordpress | 2026-05-12 | 6.4 Medium |
| The SP Blog Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'design' attribute of the `wpsbd_post_carousel` shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-39585 | 2 Arraytics, Wordpress | 2 Booktics, Wordpress | 2026-05-12 | 5.3 Medium |
| Missing Authorization vulnerability in Arraytics Booktics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booktics: from n/a through 1.0.16. | ||||
| CVE-2021-47924 | 2 Etoilewebdesign, Wordpress | 2 Ultimate Product Catalog, Wordpress | 2026-05-12 | 6.4 Medium |
| Ultimate Product Catalog 5.8.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the price parameter. Attackers can submit POST requests to post.php with HTML/JavaScript payloads in the price field to execute arbitrary code when the product is viewed. | ||||
| CVE-2022-50947 | 2 Radiustheme, Wordpress | 2 Testimonial Slider And Showcase, Wordpress | 2026-05-12 | 6.4 Medium |
| WordPress Plugin Testimonial Slider and Showcase 2.2.6 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the post_title parameter. Attackers with editor privileges can inject JavaScript payloads through the testimonial title field that execute in the browsers of users viewing the draft post, enabling cookie theft and session hijacking. | ||||
| CVE-2026-7652 | 2 Latepoint, Wordpress | 2 Latepoint – Calendar Booking Plugin For Appointments And Events, Wordpress | 2026-05-12 | 5.3 Medium |
| The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0 This is due to the save_connected_wordpress_user() function propagating a LatePoint customer's email address to its linked WordPress user account via wp_update_user() without any ownership verification, combined with the guest booking flow's ability to overwrite an existing customer's email through phone-based merge without authentication. This makes it possible for unauthenticated attackers to overwrite the email address of a non-super-admin WordPress user account that is not yet linked to a LatePoint customer, enabling full account takeover by subsequently triggering the standard WordPress password-reset flow to the attacker-controlled address granted the plugin is configured with WordPress user integration enabled, phone-based contact merging, and customer authentication disabled. Administrator accounts on single-site installs are not affected. | ||||
| CVE-2022-50949 | 2 A-j-evolution, Wordpress | 2 Videos Sync Pdf, Wordpress | 2026-05-12 | 6.4 Medium |
| WordPress Plugin Videos sync PDF 1.7.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting unsanitized mov, pdf, mp4, webm, and ogg parameters. Attackers can inject payloads like autofocus onfocus event handlers through the plugin options panel to execute arbitrary JavaScript when administrators view or edit video settings. | ||||
| CVE-2026-6433 | 2 Flippercode, Wordpress | 2 Custom Css-js-php, Wordpress | 2026-05-11 | 7.3 High |
| The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed to eval(), allowing unauthenticated users to execute arbitrary PHP code on the server. | ||||
| CVE-2026-8198 | 2 Logtivity, Wordpress | 2 Activity Logs, User Activity Tracking, Multisite Activity Log From Logtivity, Wordpress | 2026-05-11 | 5.3 Medium |
| The Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity plugin for WordPress is vulnerable to Authentication Bypass to Information Disclosure in versions up to, and including, 3.3.6. This is due to a logic flaw in the verifyAuthorization method where requests without an Authorization header skip Bearer token validation and fall through to an unconditional return true statement, bypassing all authentication checks. This makes it possible for unauthenticated attackers to access the /wp-json/logtivity/v1/options REST API endpoint and retrieve all plugin configuration options, including the logtivity_site_api_key which can be used to impersonate the site in API calls to the Logtivity service. | ||||
| CVE-2022-50948 | 2 Motopress, Wordpress | 2 Hotel Booking Lite, Wordpress | 2026-05-11 | 6.4 Medium |
| Motopress Hotel Booking Lite 4.2.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting payloads in accommodation type fields. Attackers can inject script tags through the title and excerpt parameters when creating accommodation types, which execute in the browser when visitors access the accommodations page. | ||||
| CVE-2022-50958 | 3 Automattic, Jetpack, Wordpress | 3 Jetpack Boost, Jetpack, Wordpress | 2026-05-11 | 6.1 Medium |
| WordPress Plugin Jetpack 9.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the post_id parameter. Attackers can craft URLs to the grunion-form-view.php endpoint with script payloads in the post_id parameter to execute arbitrary JavaScript in victim browsers. | ||||
| CVE-2022-50959 | 2 Wordpress, Wpdevart | 2 Wordpress, Contact Form Builder | 2026-05-11 | 6.1 Medium |
| WordPress Contact Form Builder 1.6.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting the form_id parameter. Attackers can craft malicious URLs to code_generator.php with script payloads in the form_id parameter to execute arbitrary JavaScript in victim browsers. | ||||
| CVE-2021-47926 | 2 Form2email, Wordpress | 2 Contact Form To Email, Wordpress | 2026-05-11 | 6.4 Medium |
| Contact Form to Email 1.3.24 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating forms with script tags in the form name field. Attackers can craft form names containing JavaScript code that executes when other logged-in users access the form management page, enabling session hijacking or credential theft. | ||||
| CVE-2021-47932 | 2 Thecartpress, Wordpress | 2 Thecartpress, Wordpress | 2026-05-11 | 9.8 Critical |
| WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX handler. Attackers can send POST requests to the tcp_register_and_login_ajax action with tcp_role set to administrator to gain full administrative access without authentication. | ||||
| CVE-2026-4935 | 2 Ottokit, Wordpress | 2 All-in-one Automation Platform, Wordpress | 2026-05-11 | 8.6 High |
| The OttoKit: All-in-One Automation Platform WordPress plugin before 1.1.23 does not properly sanitize user input before using it in a SQL statement, which could allow unauthenticated attackers to perform SQL injection attacks. | ||||
| CVE-2022-50956 | 2 Amministrazione Aperta Project, Wordpress | 2 Amministrazione Aperta, Wordpress | 2026-05-11 | 6.2 Medium |
| WordPress Plugin amministrazione-aperta 3.7.3 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in the open parameter. Attackers can supply file paths through the open GET parameter in dispatcher.php to include and read sensitive files accessible to the web server. | ||||
| CVE-2022-50946 | 2 Netroics, Wordpress | 2 Netroics Blog Posts Grid, Wordpress | 2026-05-11 | 6.4 Medium |
| WordPress Plugin Netroics Blog Posts Grid 1.0 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the post_title parameter. Attackers with editor privileges can inject script payloads through the testimonial title field that execute in the browsers of other users viewing the draft post, enabling cookie theft and session hijacking. | ||||
| CVE-2022-50945 | 2 3dady, Wordpress | 2 Real-time Web Stats, Wordpress | 2026-05-11 | 6.4 Medium |
| WordPress 3dady real-time web stats plugin 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by exploiting unsanitized input fields. Attackers can insert JavaScript payloads in the dady_input_text or dady2_input_text fields via the plugin options panel to execute arbitrary code when the page is viewed. | ||||