Filtered by vendor Wordpress
Subscriptions
Filtered by product Wordpress
Subscriptions
Total
10909 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-1948 | 2 Webaways, Wordpress | 2 Nex-forms-ultimate-forms-plugin, Wordpress | 2026-03-16 | 4.3 Medium |
| The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_license() function in all versions up to, and including, 9.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to to deactivate the plugin license. | ||||
| CVE-2026-32462 | 2 Liton Arefin, Wordpress | 2 Master Addons For Elementor, Wordpress | 2026-03-16 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor master-addons allows DOM-Based XSS.This issue affects Master Addons for Elementor: from n/a through <= 2.1.3. | ||||
| CVE-2026-32398 | 2 Subratamal, Wordpress | 2 Terawallet For Woocommerce, Wordpress | 2026-03-16 | 6.5 Medium |
| Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Subrata Mal TeraWallet – For WooCommerce woo-wallet allows Leveraging Race Conditions.This issue affects TeraWallet – For WooCommerce: from n/a through <= 1.5.15. | ||||
| CVE-2026-1883 | 2 Wickedplugins, Wordpress | 2 Wicked Folders – Folder Organizer For Pages, Posts, And Custom Post Types, Wordpress | 2026-03-16 | 4.3 Medium |
| The Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the delete_folders() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders created by other users. | ||||
| CVE-2026-1947 | 2 Webaways, Wordpress | 2 Nex-forms-ultimate-forms-plugin, Wordpress | 2026-03-16 | 7.5 High |
| The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 9.1.9 via the submit_nex_form() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to to overwrite arbitrary form entries via the 'nf_set_entry_update_id' parameter. | ||||
| CVE-2026-2233 | 2 Wedevs, Wordpress | 2 User Frontend Ai Powered Frontend Posting, User Directory, Profile, Membership & User Registration, Wordpress | 2026-03-16 | 5.3 Medium |
| The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the draft_post() function in all versions up to, and including, 4.2.8. This makes it possible for unauthenticated attackers to modify arbitrary posts (e.g. unpublish published posts and overwrite the contents) via the 'post_id' parameter. | ||||
| CVE-2026-32394 | 2 Publishpress, Wordpress | 2 Publishpress Capabilities, Wordpress | 2026-03-16 | 4.3 Medium |
| Missing Authorization vulnerability in PublishPress PublishPress Capabilities capability-manager-enhanced allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PublishPress Capabilities: from n/a through <= 2.31.0. | ||||
| CVE-2026-32392 | 2 Creatives Planet, Wordpress | 2 Greenly, Wordpress | 2026-03-16 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Greenly greenly allows PHP Local File Inclusion.This issue affects Greenly: from n/a through <= 8.1. | ||||
| CVE-2026-32390 | 2 Linethemes, Wordpress | 2 Nanosoft, Wordpress | 2026-03-16 | 5.4 Medium |
| Missing Authorization vulnerability in linethemes Nanosoft nanosoft allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Nanosoft: from n/a through < 1.3.2. | ||||
| CVE-2026-32385 | 2 Metagauss, Wordpress | 2 Registrationmagic, Wordpress | 2026-03-16 | 5.4 Medium |
| Missing Authorization vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RegistrationMagic: from n/a through <= 6.0.7.6. | ||||
| CVE-2026-32373 | 2 Cozyvision, Wordpress | 2 Sms Alert Order Notifications, Wordpress | 2026-03-16 | 5.4 Medium |
| Missing Authorization vulnerability in Cozy Vision SMS Alert Order Notifications sms-alert allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SMS Alert Order Notifications: from n/a through <= 3.9.0. | ||||
| CVE-2026-32361 | 2 Marketing Fire, Wordpress | 2 Editorial Calendar, Wordpress | 2026-03-16 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marketing Fire Editorial Calendar editorial-calendar allows DOM-Based XSS.This issue affects Editorial Calendar: from n/a through <= 3.9.0. | ||||
| CVE-2026-22199 | 2 Gvectors, Wordpress | 2 Wpdiscuz, Wordpress | 2026-03-16 | 5.3 Medium |
| wpDiscuz before 7.6.47 contains a vote manipulation vulnerability that allows attackers to manipulate comment votes by obtaining fresh nonces and bypassing rate limiting through client-controlled headers. Attackers can vary User-Agent headers to reset rate limits, request nonces from the unauthenticated wpdGetNonce endpoint, and vote multiple times using IP rotation or reverse proxy header manipulation. | ||||
| CVE-2026-22201 | 2 Gvectors, Wordpress | 2 Wpdiscuz, Wordpress | 2026-03-16 | 5.3 Medium |
| wpDiscuz before 7.6.47 contains an IP spoofing vulnerability in the getIP() function that allows attackers to bypass IP-based rate limiting and ban enforcement by trusting untrusted HTTP headers. Attackers can set HTTP_CLIENT_IP or HTTP_X_FORWARDED_FOR headers to spoof their IP address and circumvent security controls. | ||||
| CVE-2026-22215 | 2 Gvectors, Wordpress | 2 Wpdiscuz, Wordpress | 2026-03-16 | 4.3 Medium |
| wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability in the getFollowsPage() function that allows attackers to trigger unauthorized actions without nonce validation. Attackers can craft malicious requests to enumerate follow relationships and manipulate user follow data by exploiting the missing CSRF protection in the follows page handler. | ||||
| CVE-2026-22192 | 2 Gvectors, Wordpress | 2 Wpdiscuz, Wordpress | 2026-03-16 | 6.1 Medium |
| wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by importing a crafted options file with unescaped customCss field values. Attackers can supply a malicious JSON import file containing script payloads in the customCss parameter that execute on every page when rendered through the options handler without proper sanitization. | ||||
| CVE-2026-22193 | 2 Gvectors, Wordpress | 2 Wpdiscuz, Wordpress | 2026-03-16 | 8.1 High |
| wpDiscuz before 7.6.47 contains an SQL injection vulnerability in the getAllSubscriptions() function where string parameters lack proper quote escaping in SQL queries. Attackers can inject malicious SQL code through email, activation_key, subscription_date, and imported_from parameters to manipulate database queries and extract sensitive information. | ||||
| CVE-2026-22202 | 2 Gvectors, Wordpress | 2 Wpdiscuz, Wordpress | 2026-03-16 | 8.1 High |
| wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments associated with an email address by crafting a malicious GET request with a valid HMAC key. Attackers can embed the deletecomments action URL in image tags or other resources to trigger permanent deletion of comments without user confirmation or POST-based CSRF protection. | ||||
| CVE-2026-22182 | 2 Gvectors, Wordpress | 2 Wpdiscuz, Wordpress | 2026-03-16 | 7.5 High |
| wpDiscuz before 7.6.47 contains an unauthenticated denial of service vulnerability that allows anonymous users to trigger mass notification emails by exploiting the checkNotificationType() function. Attackers can repeatedly call the wpdiscuz-ajax.php endpoint with arbitrary postId and comment_id parameters to flood subscribers with notifications, as the handler lacks nonce verification, authentication checks, and rate limiting. | ||||
| CVE-2026-32328 | 2 Shufflehound, Wordpress | 2 Lemmony, Wordpress | 2026-03-16 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in shufflehound Lemmony lemmony allows Cross Site Request Forgery.This issue affects Lemmony: from n/a through < 1.7.1. | ||||