Wordpress CVEs and Security Vulnerabilities

Filtered by vendor Wordpress Subscriptions

Search

Switch to Advanced Search (Beta)

Total 7788 CVE

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2025-63036	1 Wordpress	1 Wordpress	2025-12-10	7.5 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in DFDevelopment Ronneby Theme Core ronneby-core allows PHP Local File Inclusion.This issue affects Ronneby Theme Core: from n/a through <= 1.5.68.
CVE-2025-63035	1 Wordpress	1 Wordpress	2025-12-10	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VibeThemes WPLMS wplms_plugin allows DOM-Based XSS.This issue affects WPLMS: from n/a through <= 1.9.9.5.4.
CVE-2025-63034	1 Wordpress	1 Wordpress	2025-12-10	5.4 Medium
Missing Authorization vulnerability in Steve Truman Page View Count page-views-count allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Page View Count: from n/a through <= 2.8.7.
CVE-2025-63025	2 Wordpress, Xagio	2 Wordpress, Xagio Seo	2025-12-10	4.3 Medium
Missing Authorization vulnerability in Xagio SEO Xagio SEO xagio-seo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Xagio SEO: from n/a through <= 7.1.0.29.
CVE-2025-63024	2 Tychesoftwares, Wordpress	2 Order Delivery Date For Woocommerce, Wordpress	2025-12-10	5.4 Medium
Missing Authorization vulnerability in tychesoftwares Order Delivery Date for WooCommerce order-delivery-date-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Delivery Date for WooCommerce: from n/a through <= 4.3.1.
CVE-2025-13070	1 Wordpress	1 Wordpress	2025-12-10	N/A
The CSV to SortTable WordPress plugin through 4.2 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as contributor to perform LFI attacks.
CVE-2025-13031	2 Etruel, Wordpress	2 Wpematico Rss Feed Fetcher, Wordpress	2025-12-10	N/A
The WPeMatico RSS Feed Fetcher WordPress plugin before 2.8.13 does not sanitize and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks
CVE-2025-13071	1 Wordpress	1 Wordpress	2025-12-10	N/A
The Custom Admin Menu WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVE-2025-66527	1 Wordpress	1 Wordpress	2025-12-10	N/A
Missing Authorization vulnerability in VanKarWai Lobo lobo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Lobo: from n/a through <= 2.8.6.
CVE-2025-67527	1 Wordpress	1 Wordpress	2025-12-10	N/A
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in trippleS Digiqole digiqole allows PHP Local File Inclusion.This issue affects Digiqole: from n/a through < 2.2.7.
CVE-2025-67474	2 Ultimatemember, Wordpress	2 Forumwp, Wordpress	2025-12-10	N/A
Missing Authorization vulnerability in Ultimate Member ForumWP forumwp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ForumWP: from n/a through <= 2.1.4.
CVE-2025-67572	1 Wordpress	1 Wordpress	2025-12-10	N/A
Missing Authorization vulnerability in PenciDesign PenNews pennews allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PenNews: from n/a through < 6.7.4.
CVE-2025-67533	2 Themify, Wordpress	2 Portfolio Post, Wordpress	2025-12-10	N/A
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Portfolio Post themify-portfolio-post allows Stored XSS.This issue affects Themify Portfolio Post: from n/a through <= 1.3.0.
CVE-2025-67552	1 Wordpress	1 Wordpress	2025-12-10	N/A
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WalkerWP Walker Core walker-core allows DOM-Based XSS.This issue affects Walker Core: from n/a through <= 1.3.17.
CVE-2025-67553	1 Wordpress	1 Wordpress	2025-12-10	N/A
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHigh Advanced FAQ Manager advanced-faq-manager allows DOM-Based XSS.This issue affects Advanced FAQ Manager: from n/a through <= 1.5.2.
CVE-2025-67516	2 Agile Logix, Wordpress	2 Store Locator Wordpress, Wordpress Mu	2025-12-10	N/A
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agile Logix Store Locator WordPress agile-store-locator allows Blind SQL Injection.This issue affects Store Locator WordPress: from n/a through <= 1.6.2.
CVE-2025-67525	1 Wordpress	1 Wordpress	2025-12-10	N/A
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Opal_WP ekommart ekommart allows PHP Local File Inclusion.This issue affects ekommart: from n/a through < 4.3.1.
CVE-2025-67521	2 Select-themes, Wordpress	2 Select Core, Wordpress	2025-12-10	N/A
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Select Core select-core allows PHP Local File Inclusion.This issue affects Select Core: from n/a through < 2.6.
CVE-2025-67523	1 Wordpress	1 Wordpress	2025-12-10	N/A
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in trippleS Exhibz exhibz allows PHP Local File Inclusion.This issue affects Exhibz: from n/a through <= 3.0.9.
CVE-2025-67541	1 Wordpress	1 Wordpress	2025-12-10	7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lester Chan WP-ShowHide wp-showhide allows Stored XSS.This issue affects WP-ShowHide: from n/a through <= 1.05.

Page 1 of 390. next last »