Wordpress CVEs and Security Vulnerabilities

Filtered by vendor Wordpress Subscriptions

Filtered by product Wordpress Subscriptions

Search

Switch to Advanced Search (Beta)

Total 11381 CVE

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2026-32452	2 Themefusion, Wordpress	2 Fusion Builder, Wordpress	2026-03-23	5.3 Medium
Missing Authorization vulnerability in ThemeFusion Fusion Builder fusion-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fusion Builder: from n/a through < 3.15.0.
CVE-2026-32453	2 Theme-fusion, Wordpress	2 Avada, Wordpress	2026-03-23	5.3 Medium
Missing Authorization vulnerability in ThemeFusion Avada Core fusion-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Avada Core: from n/a through < 5.15.0.
CVE-2026-32454	2 Theme-fusion, Wordpress	2 Avada, Wordpress	2026-03-23	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeFusion Avada Core fusion-core allows DOM-Based XSS.This issue affects Avada Core: from n/a through < 5.15.0.
CVE-2026-32455	2 Realmag777, Wordpress	2 Mdtf, Wordpress	2026-03-23	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 MDTF wp-meta-data-filter-and-taxonomy-filter allows DOM-Based XSS.This issue affects MDTF: from n/a through <= 1.3.5.
CVE-2026-32456	2 Janis Elsts, Wordpress	2 Admin Menu Editor, Wordpress	2026-03-23	4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in Janis Elsts Admin Menu Editor admin-menu-editor allows Cross Site Request Forgery.This issue affects Admin Menu Editor: from n/a through <= 1.14.1.
CVE-2026-32457	2 Wombat Plugins, Wordpress	2 Advanced Product Fields Product Addons For Woocommerce, Wordpress	2026-03-23	5.3 Medium
Missing Authorization vulnerability in Wombat Plugins Advanced Product Fields (Product Addons) for WooCommerce advanced-product-fields-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Product Fields (Product Addons) for WooCommerce: from n/a through <= 1.6.18.
CVE-2026-32458	2 Realmag777, Wordpress	2 Wolf, Wordpress	2026-03-23	7.6 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 WOLF bulk-editor allows Blind SQL Injection.This issue affects WOLF: from n/a through <= 1.0.8.7.
CVE-2026-32459	2 Flycart, Wordpress	2 Upsellwp, Wordpress	2026-03-23	8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in flycart UpsellWP checkout-upsell-and-order-bumps allows Blind SQL Injection.This issue affects UpsellWP: from n/a through <= 2.2.4.
CVE-2026-32460	2 Themefic, Wordpress	2 Ultimate Addons For Contact Form 7, Wordpress	2026-03-23	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Addons for Contact Form 7: from n/a through <= 3.5.36.
CVE-2026-32461	2 Really-simple-plugins, Wordpress	2 Really Simple Ssl, Wordpress	2026-03-23	5.3 Medium
Missing Authorization vulnerability in Really Simple Plugins Really Simple SSL really-simple-ssl allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Really Simple SSL: from n/a through <= 9.5.7.
CVE-2026-32462	2 Liton Arefin, Wordpress	2 Master Addons For Elementor, Wordpress	2026-03-23	5.9 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor master-addons allows DOM-Based XSS.This issue affects Master Addons for Elementor: from n/a through <= 2.1.3.
CVE-2026-32486	2 Wordpress, Wptravelengine	2 Wordpress, Travel Booking	2026-03-23	5.3 Medium
Missing Authorization vulnerability in wptravelengine Travel Booking travel-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travel Booking: from n/a through <= 1.3.9.
CVE-2026-32487	2 Rarathemes, Wordpress	2 Lawyer Landing Page, Wordpress	2026-03-23	5.3 Medium
Missing Authorization vulnerability in raratheme Lawyer Landing Page lawyer-landing-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Lawyer Landing Page: from n/a through <= 1.2.7.
CVE-2026-32543	2 Cyberchimps, Wordpress	2 Responsive Blocks, Wordpress	2026-03-23	5.3 Medium
Missing Authorization vulnerability in CyberChimps Responsive Blocks responsive-block-editor-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Responsive Blocks: from n/a through <= 2.2.0.
CVE-2026-28126	2 Sizam, Wordpress	2 Rh Frontend Publishing Pro, Wordpress	2026-03-23	7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sizam RH Frontend Publishing Pro allows Reflected XSS.This issue affects RH Frontend Publishing Pro: from n/a before 4.3.4.
CVE-2026-22182	2 Gvectors, Wordpress	2 Wpdiscuz, Wordpress	2026-03-23	7.5 High
wpDiscuz before 7.6.47 contains an unauthenticated denial of service vulnerability that allows anonymous users to trigger mass notification emails by exploiting the checkNotificationType() function. Attackers can repeatedly call the wpdiscuz-ajax.php endpoint with arbitrary postId and comment_id parameters to flood subscribers with notifications, as the handler lacks nonce verification, authentication checks, and rate limiting.
CVE-2026-22183	2 Gvectors, Wordpress	2 Wpdiscuz, Wordpress	2026-03-23	6.1 Medium
wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability in the inline comment preview functionality that allows authenticated users to inject malicious scripts by submitting comments with unescaped content. Attackers with unfiltered_html capabilities can inject JavaScript directly through comment content rendered in the AJAX response from the getLastInlineComments() function in class.WpdiscuzHelperAjax.php without proper HTML escaping.
CVE-2026-22192	2 Gvectors, Wordpress	2 Wpdiscuz, Wordpress	2026-03-23	6.1 Medium
wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by importing a crafted options file with unescaped customCss field values. Attackers can supply a malicious JSON import file containing script payloads in the customCss parameter that execute on every page when rendered through the options handler without proper sanitization.
CVE-2026-22193	2 Gvectors, Wordpress	2 Wpdiscuz, Wordpress	2026-03-23	8.1 High
wpDiscuz before 7.6.47 contains an SQL injection vulnerability in the getAllSubscriptions() function where string parameters lack proper quote escaping in SQL queries. Attackers can inject malicious SQL code through email, activation_key, subscription_date, and imported_from parameters to manipulate database queries and extract sensitive information.
CVE-2026-22199	2 Gvectors, Wordpress	2 Wpdiscuz, Wordpress	2026-03-23	5.3 Medium
wpDiscuz before 7.6.47 contains a vote manipulation vulnerability that allows attackers to manipulate comment votes by obtaining fresh nonces and bypassing rate limiting through client-controlled headers. Attackers can vary User-Agent headers to reset rate limits, request nonces from the unauthenticated wpdGetNonce endpoint, and vote multiple times using IP rotation or reverse proxy header manipulation.

« first previous Page 27 of 570. next last »