Filtered by vendor Wordpress
Subscriptions
Filtered by product Wordpress
Subscriptions
Total
11882 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-10019 | 2 Codepeople, Wordpress | 2 Contact Form Email, Wordpress | 2026-04-15 | 6.5 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form Email: from n/a through <= 1.3.60. | ||||
| CVE-2024-33548 | 2 Aa-team, Wordpress | 2 Wzone, Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team WZone allows Reflected XSS.This issue affects WZone: from n/a through 14.0.10. | ||||
| CVE-2025-9894 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The Sync Feedly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the crsf_cron_job_func function. This makes it possible for unauthenticated attackers to trigger content synchronization from Feedly, potentially creating multiple posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-23476 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in isnowfy my-related-posts my-related-posts allows Stored XSS.This issue affects my-related-posts: from n/a through <= 1.1. | ||||
| CVE-2025-67523 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 9.8 Critical |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in trippleS Exhibz exhibz allows PHP Local File Inclusion.This issue affects Exhibz: from n/a through <= 3.0.9. | ||||
| CVE-2025-8562 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| The Custom Query Shortcode plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.4.0 via the 'lens' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of files on the server, which can contain sensitive information. | ||||
| CVE-2024-10667 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The Content Slider Block plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.1.5 via the [csb] shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to. | ||||
| CVE-2025-7839 | 2 Pokornydavid, Wordpress | 2 Restore Delete Post Or Page Data Plugin, Wordpress | 2026-04-15 | 4.3 Medium |
| The Restore Permanently delete Post or Page Data plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the rp_dpo_dpa_ajax_dp_delete_data() function. This makes it possible for unauthenticated attackers to delete data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-67521 | 2 Select-themes, Wordpress | 2 Select Core, Wordpress | 2026-04-15 | 9.8 Critical |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Select Core select-core allows PHP Local File Inclusion.This issue affects Select Core: from n/a through < 2.6. | ||||
| CVE-2025-49909 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Bookmark & Follow penci-bookmark-follow allows Reflected XSS.This issue affects Penci Bookmark & Follow: from n/a through < 2.4. | ||||
| CVE-2024-10688 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The Attesa Extra plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.2 via the 'attesa-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to. | ||||
| CVE-2025-22532 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in snagysandor Simple Photo Sphere simple-photo-sphere allows Stored XSS.This issue affects Simple Photo Sphere: from n/a through <= 0.0.10. | ||||
| CVE-2025-13531 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Stylish Order Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'product_name' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-22536 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in hiren.sabd WP Music Player wp-music-player allows SQL Injection.This issue affects WP Music Player: from n/a through <= 1.3. | ||||
| CVE-2025-66533 | 2 Stellarwp, Wordpress | 2 Givewp, Wordpress | 2026-04-15 | 7.8 High |
| Improper Control of Generation of Code ('Code Injection') vulnerability in StellarWP GiveWP give allows Code Injection.This issue affects GiveWP: from n/a through <= 4.13.1. | ||||
| CVE-2025-49386 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in Scott Reilly Preserve Code Formatting preserve-code-formatting allows Object Injection.This issue affects Preserve Code Formatting: from n/a through <= 4.0.1. | ||||
| CVE-2024-10938 | 2 Moneytigo, Wordpress | 2 Ovri Payment, Wordpress | 2026-04-15 | 6.5 Medium |
| The OVRI Payment plugin for WordPress contains malicious .htaccess files in version 1.7.0. The files contain directives to prevent the execution of certain scripts while allowing execution of known malicious PHP files. If moved outside of the plugin's directory, they may interfere with the proper function of a site. | ||||
| CVE-2025-23502 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in Ned Curated Search curated-search allows Stored XSS.This issue affects Curated Search: from n/a through <= 1.2. | ||||
| CVE-2025-49280 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in unfoldwp Magty magty allows PHP Local File Inclusion.This issue affects Magty: from n/a through <= 1.0.6. | ||||
| CVE-2025-22577 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Damion Armentrout Able Player wp-able-player allows DOM-Based XSS.This issue affects Able Player: from n/a through <= 1.0. | ||||