Wordpress CVEs and Security Vulnerabilities

Filtered by vendor Wordpress Subscriptions

Search

Switch to Advanced Search (Beta)

Total 10428 CVE

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2025-49390	2 Christophrado, Wordpress	2 Cookie Notice & Consent, Wordpress	2026-01-20	5.4 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in christophrado Cookie Notice & Consent cookie-notice-consent allows Stored XSS.This issue affects Cookie Notice & Consent: from n/a through <= 1.6.4.
CVE-2025-48290	2 Bslthemes, Wordpress	2 Kinsley, Wordpress	2026-01-20	9.8 Critical
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in bslthemes Kinsley kinsley allows PHP Local File Inclusion.This issue affects Kinsley: from n/a through <= 3.4.4.
CVE-2025-48330	1 Wordpress	1 Wordpress	2026-01-20	9.8 Critical
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Daman Jeet Real Time Validation for Gravity Forms real-time-validation-for-gravity-forms allows PHP Local File Inclusion.This issue affects Real Time Validation for Gravity Forms: from n/a through <= 1.7.0.
CVE-2025-49042	2 Automattic, Wordpress	2 Woocommerce, Wordpress	2026-01-20	5.9 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce woocommerce allows Stored XSS.This issue affects WooCommerce: from n/a through 10.0.2.
CVE-2025-48090	2 Cocobasic, Wordpress	2 Blanka, Wordpress	2026-01-20	8.2 High
Path Traversal: '.../...//' vulnerability in CocoBasic Blanka - One Page WordPress Theme blanka-wp allows PHP Local File Inclusion.This issue affects Blanka - One Page WordPress Theme: from n/a through < 1.5.
CVE-2025-48089	2 Rainbow-themes, Wordpress	2 Education Wordpress Theme, Wordpress	2026-01-20	9.8 Critical
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Rainbow-Themes Education WordPress Theme \| HiStudy histudy allows SQL Injection.This issue affects Education WordPress Theme \| HiStudy: from n/a through < 3.1.0.
CVE-2025-48083	1 Wordpress	1 Wordpress	2026-01-20	8.8 High
Cross-Site Request Forgery (CSRF) vulnerability in andriassundskard wpNamedUsers wpnamedusers allows Stored XSS.This issue affects wpNamedUsers: from n/a through <= 0.5.
CVE-2025-48086	2 Wordpress, Wp-dreams	2 Wordpress, Ajax Search	2026-01-20	9.8 Critical
Deserialization of Untrusted Data vulnerability in wpdreams Ajax Search Lite ajax-search-lite allows Object Injection.This issue affects Ajax Search Lite: from n/a through <= 4.13.3.
CVE-2025-48078	1 Wordpress	1 Wordpress	2026-01-20	8.8 High
Cross-Site Request Forgery (CSRF) vulnerability in Norbert Slick Google Map slick-google-map allows Stored XSS.This issue affects Slick Google Map: from n/a through <= 0.3.
CVE-2025-48085	2 Wordpress, Zipang	2 Wordpress, Simple Stripe	2026-01-20	8.8 High
Cross-Site Request Forgery (CSRF) vulnerability in ZIPANG Simple Stripe simple-stripe allows Stored XSS.This issue affects Simple Stripe: from n/a through <= 0.9.17.
CVE-2025-47588	2 Acowebs, Wordpress	2 Dynamic Pricing With Discount Rules For Woocommerce, Wordpress	2026-01-20	9.8 Critical
Improper Control of Generation of Code ('Code Injection') vulnerability in acowebs Dynamic Pricing With Discount Rules for WooCommerce aco-woo-dynamic-pricing allows Code Injection.This issue affects Dynamic Pricing With Discount Rules for WooCommerce: from n/a through <= 4.5.9.
CVE-2025-48077	1 Wordpress	1 Wordpress	2026-01-20	8.8 High
Cross-Site Request Forgery (CSRF) vulnerability in nitinmaurya12 Block Country block-country allows Stored XSS.This issue affects Block Country: from n/a through <= 1.0.
CVE-2025-39468	1 Wordpress	1 Wordpress	2026-01-20	9.8 Critical
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in pantherius Modal Survey modal-survey.This issue affects Modal Survey: from n/a through <= 2.0.2.0.1.
CVE-2025-39466	2 Mikado-themes, Wordpress	2 Dor, Wordpress	2026-01-20	9.8 Critical
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Dør dor allows PHP Local File Inclusion.This issue affects Dør: from n/a through <= 2.4.
CVE-2025-39465	2 Flippercode, Wordpress	2 Advanced Google Maps, Wordpress	2026-01-20	8.1 High
Missing Authorization vulnerability in flippercode Advanced Google Maps wp-google-map-gold allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Google Maps: from n/a through <= 5.8.4.
CVE-2025-39463	1 Wordpress	1 Wordpress	2026-01-20	9.8 Critical
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Dessau dessau allows PHP Local File Inclusion.This issue affects Dessau: from n/a through < 1.9.
CVE-2025-32222	1 Wordpress	1 Wordpress	2026-01-20	9.8 Critical
Improper Control of Generation of Code ('Code Injection') vulnerability in Widgetlogic.org Widget Logic widget-logic allows Code Injection.This issue affects Widget Logic: from n/a through <= 6.0.5.
CVE-2025-22288	2 Wordpress, Wpmudev	2 Wordpress, Smush Image Compression And Optimization	2026-01-20	4.1 Medium
Path Traversal: '.../...//' vulnerability in WPMU DEV - Your All-in-One WordPress Platform Smush Image Compression and Optimization wp-smushit allows Path Traversal.This issue affects Smush Image Compression and Optimization: from n/a through <= 3.17.0.
CVE-2025-31029	1 Wordpress	1 Wordpress	2026-01-20	5.4 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bingu replyMail replymail allows Stored XSS.This issue affects replyMail: from n/a through <= 1.2.0.
CVE-2025-6207	2 Vjinfotech, Wordpress	2 Wp Import Export Lite, Wordpress	2026-01-19	7.5 High
The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_tempalte_import' function in all versions up to, and including, 3.9.28. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an Administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible.

« first previous Page 146 of 522. next last »