Filtered by vendor Wordpress
Subscriptions
Filtered by product Wordpress
Subscriptions
Total
11766 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-12903 | 3 Mrclayton, Woocommerce, Wordpress | 3 Payment Plugins Braintree For Woocommerce, Woocommerce, Wordpress | 2026-04-15 | 7.5 High |
| The Payment Plugins Braintree For WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wc-braintree/v1/3ds/vaulted_nonce REST API endpoint in all versions up to, and including, 3.2.78. This is due to the endpoint being registered with permission_callback set to __return_true and processing user-supplied token IDs without verifying ownership or authentication. This makes it possible for unauthenticated attackers to retrieve payment method nonces for any stored payment token in the system, which can be used to create fraudulent transactions, charge customer credit cards, or attach payment methods to other subscriptions. | ||||
| CVE-2025-12778 | 3 Elementor, Userelements, Wordpress | 3 Elementor, Ultimate Member Widgets For Elementor, Wordpress | 2026-04-15 | 5.3 Medium |
| The Ultimate Member Widgets for Elementor – WordPress User Directory plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handle_filter_users function in all versions up to, and including, 2.3. This makes it possible for unauthenticated attackers to extract partial metadata of all WordPress users, including their first name, last name and email addresses. | ||||
| CVE-2018-25106 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.3 Medium |
| A vulnerability, which was classified as critical, has been found in webuidesigning NebulaX Theme up to 5.0 on WordPress. This issue affects the function nebula_send_to_hubspot of the file libs/Legacy/Legacy.php. The manipulation leads to sql injection. The attack may be initiated remotely. The patch is named 41230a81db0f671c570c2644bc2f80565ca83c5a. It is recommended to apply a patch to fix this issue. | ||||
| CVE-2025-25087 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tim seekXL Snapr seekxl-snapr allows Reflected XSS.This issue affects seekXL Snapr: from n/a through <= 2.0.6. | ||||
| CVE-2025-57941 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JonathanMH Append Link on Copy append-link-on-copy allows Stored XSS.This issue affects Append Link on Copy: from n/a through <= 0.2. | ||||
| CVE-2024-12520 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Dominion – Domain Checker for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dominion_shortcodes_domain_search_6' shortcode in all versions up to, and including, 2.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-57947 | 2 Ays-pro, Wordpress | 2 Photo Gallery, Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ays Pro Photo Gallery by Ays gallery-photo-gallery allows DOM-Based XSS.This issue affects Photo Gallery by Ays: from n/a through <= 6.3.8. | ||||
| CVE-2012-10025 | 3 Accesspressthemes, Advanced Custom Fields, Wordpress | 3 Frontend Post Wordpress Plugin, Advanced Custom Fields Wordpress Plugin, Wordpress | 2026-04-15 | N/A |
| The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (default: Off), an unauthenticated attacker can exploit the acf_abspath POST parameter to include and execute arbitrary remote PHP code. This leads to remote code execution under the web server’s context, allowing full compromise of the host. | ||||
| CVE-2011-10033 | 3 Disable Wordpress Update Notifications And Auto-update Email Notifications Project, Is-human, Wordpress | 3 Is-human Plugin, Is-human Wordpress Plugin, Wordpress | 2026-04-15 | N/A |
| The WordPress plugin is-human <= v1.4.2 contains an eval injection vulnerability in /is-human/engine.php that can be triggered via the 'type' parameter when the 'action' parameter is set to 'log-reset'. The root cause is unsafe use of eval() on user-controlled input, which can lead to execution of attacker-supplied PHP and OS commands. This may result in arbitrary code execution as the webserver user, site compromise, or data exfiltration. The is-human plugin was made defunct in June 2008 and is no longer available for download. This vulnerability was exploited in the wild in March 2012. | ||||
| CVE-2025-25157 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpchurchteam WP Church Center wp-church-center allows Reflected XSS.This issue affects WP Church Center: from n/a through <= 1.3.3. | ||||
| CVE-2025-62891 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Jory Hogeveen Off-Canvas Sidebars & Menus (Slidebars) off-canvas-sidebars allows Cross Site Request Forgery.This issue affects Off-Canvas Sidebars & Menus (Slidebars): from n/a through <= 0.5.8.5. | ||||
| CVE-2024-14015 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| The WordPress eCommerce Plugin WordPress plugin through 2.9.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2025-10144 | 2 Quadlayers, Wordpress | 2 Perfect Brands For Woocommerce, Wordpress | 2026-04-15 | 6.5 Medium |
| The Perfect Brands for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the `brands` attribute of the `products` shortcode in all versions up to, and including, 3.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-13959 | 2 Shanaver, Wordpress | 2 Filestack, Wordpress | 2026-04-15 | 6.4 Medium |
| The Filestack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'filepicker' shortcode in all versions up to, and including, 2.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-57965 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP CodeUs WP Proposals allows Stored XSS. This issue affects WP Proposals: from n/a through 2.3. | ||||
| CVE-2025-12628 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.3 Medium |
| The WP 2FA WordPress plugin does not generate backup codes with enough entropy, which could allow attackers to bypass the second factor by brute forcing them | ||||
| CVE-2025-62911 | 2 Rockcontent, Wordpress | 2 Rock Convert, Wordpress | 2026-04-15 | 5.4 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rock Content Rock Convert rock-convert allows Stored XSS.This issue affects Rock Convert: from n/a through <= 3.0.1. | ||||
| CVE-2025-62916 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| Missing Authorization vulnerability in Travon WP Flights & Hotels Booking WP Plugin adiaha-hotel allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flights & Hotels Booking WP Plugin: from n/a through <= 3.1. | ||||
| CVE-2025-12116 | 2 Thinkupthemes, Wordpress | 2 Drift, Wordpress | 2026-04-15 | 6.4 Medium |
| The Drift theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-12136 | 2 Devowl, Wordpress | 2 Wordpress Real Cookie Banner, Wordpress | 2026-04-15 | 6.8 Medium |
| The Real Cookie Banner: GDPR & ePrivacy Cookie Consent plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.2.4. This is due to insufficient validation on the user-supplied URL in the '/scanner/scan-without-login' REST API endpoint. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via the `url` parameter. | ||||