Filtered by vendor Wordpress
Subscriptions
Filtered by product Wordpress
Subscriptions
Total
4695 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-6987 | 1 Wordpress | 1 Wordpress | 2025-07-29 | 6.4 Medium |
| The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2025.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-8103 | 2 Etruel, Wordpress | 2 Wpematico Rss Feed Fetcher, Wordpress | 2025-07-29 | 4.3 Medium |
| The WPeMatico RSS Feed Fetcher plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.7. This is due to missing nonce validation in the handle_feedback_submission() function. This makes it possible for unauthenticated attackers to deactivate the plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-6989 | 1 Wordpress | 1 Wordpress | 2025-07-29 | 8.1 High |
| The Kallyas theme for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the delete_font() function in all versions up to, and including, 4.21.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders on the server. | ||||
| CVE-2025-6895 | 2 Melapress, Wordpress | 2 Melapress Login Security, Wordpress | 2025-07-29 | 9.8 Critical |
| The Melapress Login Security plugin for WordPress is vulnerable to Authentication Bypass due to missing authorization within the get_valid_user_based_on_token() function in versions 2.1.0 to 2.1.1. This makes it possible for unauthenticated attackers who know an arbitrary user meta value to bypass authentication checks and log in as that user. | ||||
| CVE-2025-8097 | 2 Wordpress, Xtemos | 2 Wordpress, Woodmart | 2025-07-29 | 5.3 Medium |
| The WoodMart theme for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 8.2.6. This is due to insufficient validation of the qty parameter in the woodmart_update_cart_item function. This makes it possible for unauthenticated attackers to manipulate cart quantities using fractional values, allowing them to obtain products for free by setting extremely small quantities (e.g., 0.00001) that round cart totals to $0.00, effectively bypassing payment requirements and allowing unauthorized acquisition of virtual or downloadable products. | ||||
| CVE-2025-6991 | 1 Wordpress | 1 Wordpress | 2025-07-29 | 7.5 High |
| The kallyas theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.21.0 via the 'TH_LatestPosts4` widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. | ||||
| CVE-2025-5529 | 1 Wordpress | 1 Wordpress | 2025-07-29 | 6.4 Medium |
| The Educenter theme for WordPress is vulnerable to Stored Cross-Site Scripting via the Circle Counter Block in all versions up to, and including, 1.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-7501 | 2 Wonderplugin, Wordpress | 2 Wonder Slider Lite, Wordpress | 2025-07-29 | 6.4 Medium |
| The Wonder Slider Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image title and description DOM in all versions up to, and including, 14.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-7811 | 2 Streamweasels, Wordpress | 2 Twitch Integration, Wordpress | 2025-07-29 | 6.4 Medium |
| The StreamWeasels YouTube Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'data-uuid' attribute in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-7810 | 2 Streamweasels, Wordpress | 2 Kick Integration, Wordpress | 2025-07-29 | 5.4 Medium |
| The StreamWeasels Kick Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'data-uuid' attribute in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-4566 | 2 Elementor, Wordpress | 2 Elementor Website Builder, Wordpress | 2025-07-29 | 6.4 Medium |
| The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-text DOM element attribute in Text Path widget in all versions up to, and including, 3.30.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This attack affects only Chrome/Edge browsers | ||||
| CVE-2025-8104 | 1 Wordpress | 1 Wordpress | 2025-07-29 | 4.3 Medium |
| The Memory Usage plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.98. This is due to missing nonce validation in the wpmemory_install_plugin() function. This makes it possible for unauthenticated attackers to silently install one of the several whitelisted plugins via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-3075 | 2 Elementor, Wordpress | 6 Elementor, Elementor Page Builder, Elementor Website Builder and 3 more | 2025-07-29 | 6.4 Medium |
| The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'elementor-element' shortcode in all versions up to, and including, 3.29.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts sites with 'Element Caching' enabled. | ||||
| CVE-2025-4370 | 2 Brizy, Wordpress | 3 Brizy, Brizy-page Builder, Wordpress | 2025-07-29 | 5.3 Medium |
| The Brizy – Page Builder plugin for WordPress is vulnerable to limited file uploads due to missing authorization on process_external_asset_urls function as well as missing path validation in store_file function in all versions up to, and including, 2.6.20. This makes it possible for unauthenticated attackers to upload .TXT files on the affected site's server. | ||||
| CVE-2025-6495 | 2 Bricksable, Wordpress | 2 Bricksable For Bricks Builder, Wordpress | 2025-07-29 | 7.5 High |
| The Bricks theme for WordPress is vulnerable to blind SQL Injection via the ‘p’ parameter in all versions up to, and including, 1.12.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-7809 | 2 Streamweasels, Wordpress | 2 Twitch Integration, Wordpress | 2025-07-29 | 6.4 Medium |
| The StreamWeasels Twitch Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'data-uuid' attribute in all versions up to, and including, 1.9.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2012-10020 | 1 Wordpress | 1 Wordpress | 2025-07-29 | 9.8 Critical |
| The FoxyPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadify.php file in versions up to, and including, 0.4.2.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | ||||
| CVE-2016-10033 | 3 Joomla, Phpmailer Project, Wordpress | 3 Joomla\!, Phpmailer, Wordpress | 2025-07-28 | 9.8 Critical |
| The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property. | ||||
| CVE-2025-5835 | 2 Themeum, Wordpress | 2 Droip, Wordpress | 2025-07-28 | 8.8 High |
| The Droip plugin for WordPress is vulnerable to unauthorized modification and access of data due to a missing capability check on the droip_post_apis() function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform many actions as the AJAX hooks to several functions. Some potential impacts include arbitrary post deletion, arbitrary post creation, post duplication, settings update, user manipulation, and much more. | ||||
| CVE-2025-5831 | 2 Themeum, Wordpress | 2 Droip, Wordpress | 2025-07-28 | 8.8 High |
| The Droip plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the make_google_font_offline() function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||