Filtered by vendor Wordpress
Subscriptions
Total
8467 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-3666 | 1 Wordpress | 1 Wordpress | 2025-09-04 | 3.3 Low |
| The Sticky Side Buttons WordPress plugin before 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2024-32444 | 1 Wordpress | 1 Wordpress | 2025-09-04 | 9.8 Critical |
| Incorrect Privilege Assignment vulnerability in InspiryThemes RealHomes allows Privilege Escalation.This issue affects RealHomes: from n/a through 4.3.6. | ||||
| CVE-2025-3701 | 1 Wordpress | 1 Wordpress | 2025-09-04 | 4.3 Medium |
| Missing Authorization vulnerability in Malcure Web Security Malcure Malware Scanner allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Malcure Malware Scanner: from n/a through 16.8. | ||||
| CVE-2025-9260 | 1 Wordpress | 1 Wordpress | 2025-09-04 | 6.5 Medium |
| The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to PHP Object Injection in versions 5.1.16 to 6.1.1 via deserialization of untrusted input in the parseUserProperties function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to read arbitrary files. If allow_url_include is enabled on the server, remote code execution is possible. While the vendor patched this issue in version 6.1.0, the patch caused a fatal error in the vulnerable code, due to a missing class import, so we consider 6.1.2 to be the most complete and best patched version | ||||
| CVE-2025-9219 | 1 Wordpress | 1 Wordpress | 2025-09-04 | 4.3 Medium |
| The Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_post_smtp_pro_option_callback' function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable pro extensions. | ||||
| CVE-2025-9378 | 1 Wordpress | 1 Wordpress | 2025-09-04 | 6.4 Medium |
| The Vayu Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple attributes in the Lottie block in all versions up to, and including, 1.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-58600 | 2 Cozmoslabs, Wordpress | 2 Paid Member Subscriptions, Wordpress | 2025-09-04 | 5.3 Medium |
| Missing Authorization vulnerability in Cozmoslabs Paid Member Subscriptions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Paid Member Subscriptions: from n/a through 2.15.9. | ||||
| CVE-2025-58616 | 1 Wordpress | 1 Wordpress | 2025-09-04 | 6.5 Medium |
| Missing Authorization vulnerability in Frisbii Frisbii Pay allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Frisbii Pay: from n/a through 1.8.2.1. | ||||
| CVE-2025-58615 | 1 Wordpress | 1 Wordpress | 2025-09-04 | 4.4 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in gfazioli WP Bannerize Pro allows Server Side Request Forgery. This issue affects WP Bannerize Pro: from n/a through 1.10.0. | ||||
| CVE-2025-58614 | 2 Tooltipy, Wordpress | 2 Tooltipy, Wordpress | 2025-09-04 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jamel.Z Tooltipy allows Stored XSS. This issue affects Tooltipy: from n/a through 5.5.6. | ||||
| CVE-2025-58611 | 2 Tickera, Wordpress | 2 Tickera, Wordpress | 2025-09-04 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Tickera Tickera allows Cross Site Request Forgery. This issue affects Tickera: from n/a through 3.5.5.6. | ||||
| CVE-2025-58609 | 1 Wordpress | 1 Wordpress | 2025-09-04 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Iulia Cazan Latest Post Shortcode allows Stored XSS. This issue affects Latest Post Shortcode: from n/a through 14.0.3. | ||||
| CVE-2025-58617 | 1 Wordpress | 1 Wordpress | 2025-09-04 | 4.3 Medium |
| Missing Authorization vulnerability in FAKTOR VIER F4 Media Taxonomies allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects F4 Media Taxonomies: from n/a through 1.1.4. | ||||
| CVE-2025-58620 | 2 Wordpress, Wpforms | 2 Wordpress, Wpforms | 2025-09-04 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in add-ons.org PDF for WPForms allows Stored XSS. This issue affects PDF for WPForms: from n/a through 6.2.1. | ||||
| CVE-2025-58606 | 2 Cozythemes, Wordpress | 2 Saaslauncher, Wordpress | 2025-09-04 | 5 Medium |
| Missing Authorization vulnerability in CozyThemes SaasLauncher allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SaasLauncher: from n/a through 1.3.0. | ||||
| CVE-2025-58624 | 1 Wordpress | 1 Wordpress | 2025-09-04 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in falselight Exchange Rates allows Stored XSS. This issue affects Exchange Rates: from n/a through 1.2.5. | ||||
| CVE-2025-58626 | 2 Rumbletalk, Wordpress | 2 Live Group Chat Plugin, Wordpress | 2025-09-04 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RumbleTalk RumbleTalk Live Group Chat allows Stored XSS. This issue affects RumbleTalk Live Group Chat: from n/a through 6.3.5. | ||||
| CVE-2025-58632 | 2 Dadevarzan, Wordpress | 2 Wordpress Common Plugin, Wordpress | 2025-09-04 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dadevarzan Dadevarzan WordPress Common allows Stored XSS. This issue affects Dadevarzan WordPress Common: from n/a through 2.2.2. | ||||
| CVE-2025-58639 | 2 Contact Form By Mega Forms Project, Wordpress | 2 Contact Form By Mega Forms, Wordpress | 2025-09-04 | 5.4 Medium |
| Missing Authorization vulnerability in Ali Khallad Contact Form By Mega Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form By Mega Forms: from n/a through 1.6.1. | ||||
| CVE-2025-58642 | 2 Enituretechnology, Wordpress | 2 Ltl Freight Quotes, Wordpress | 2025-09-04 | 7.2 High |
| Deserialization of Untrusted Data vulnerability in enituretechnology LTL Freight Quotes – Day & Ross Edition allows Object Injection. This issue affects LTL Freight Quotes – Day & Ross Edition: from n/a through 2.1.11. | ||||