Filtered by vendor Wordpress
Filtered by product Wordpress
Total: 11819 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-22689 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Levan Tarbor Forex Calculators fx-calculators allows Stored XSS. This issue affects Forex Calculators: from n/a through <= 1.3.6. | ||||
| CVE-2025-57926 | 2 Wordpress, Wpchill | 2 Wordpress, Passster | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Chill Passster content-protector allows Stored XSS. This issue affects Passster: from n/a through <= 4.2.18. | ||||
| CVE-2025-14047 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| The Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'Frontend_Form_Ajax::submit_post' function in all versions up to, and including, 4.2.4. This makes it possible for unauthenticated attackers to delete attachment. | ||||
| CVE-2025-23979 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in duwasai Flashy allows Reflected XSS. This issue affects Flashy: from n/a through 1.2.1. | ||||
| CVE-2025-57954 | 2 Ays-pro, Wordpress | 2 Poll Maker, Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ays Pro Poll Maker poll-maker allows DOM-Based XSS. This issue affects Poll Maker: from n/a through <= 6.0.2. | ||||
| CVE-2025-22542 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ofek Nakar Virtual Bot virtual-bot allows Blind SQL Injection. This issue affects Virtual Bot: from n/a through <= 1.0.0. | ||||
| CVE-2025-53574 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ptibogxiv Doliconnect doliconnect allows Reflected XSS. This issue affects Doliconnect: from n/a through <= 9.3.2. | ||||
| CVE-2024-47310 | 2 Ari-soft, Wordpress | 2 Ari Fancy Lightbox, Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arisoft ARI Fancy Lightbox ari-fancy-lightbox allows Stored XSS. This issue affects ARI Fancy Lightbox: from n/a through <= 1.3.17. | ||||
| CVE-2025-49422 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Incorrect Privilege Assignment vulnerability in themepassion Support Ticket support-ticket allows Privilege Escalation. This issue affects Support Ticket: from n/a through <= 1.9. | ||||
| CVE-2025-49424 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themepassion Support Ticket support-ticket allows Reflected XSS. This issue affects Support Ticket: from n/a through <= 1.9. | ||||
| CVE-2025-49438 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.2 High |
| Deserialization of Untrusted Data vulnerability in Max Chirkov Simple Login Log allows Object Injection. This issue affects Simple Login Log: from n/a through 1.1.3. | ||||
| CVE-2025-32303 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mojoomla WPCHURCH allows Blind SQL Injection. This issue affects WPCHURCH: from n/a through 2.7.0. | ||||
| CVE-2025-22563 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in faaiq Pretty Url pretty-url allows Cross Site Request Forgery. This issue affects Pretty Url: from n/a through <= 1.5.5. | ||||
| CVE-2025-22576 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marcus Downing Site PIN site-pin allows Reflected XSS. This issue affects Site PIN: from n/a through <= 1.3. | ||||
| CVE-2025-13320 | 2 Wordpress, Wpusermanager | 2 Wordpress, Wp User Manager | 2026-04-15 | 6.8 Medium |
| The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs by PHP's filter_input() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server via the 'current_user_avatar' parameter in a two-stage attack which can make remote code execution possible. This only affects sites with the custom avatar setting enabled. | ||||
| CVE-2025-13440 | 2 Premmerce, Wordpress | 2 Wishlist For Woocommerce, Wordpress | 2026-04-15 | 5.3 Medium |
| The Premmerce Wishlist for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.10. This is due to a missing capability check on the deleteWishlist() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary wishlists. | ||||
| CVE-2025-22592 | 2 Lenderd, Wordpress | 2 1003 Mortgage Application, Wordpress | 2026-04-15 | N/A |
| Missing Authorization vulnerability in 8blocks 1003 Mortgage Application 1003-mortgage-application allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects 1003 Mortgage Application: from n/a through <= 1.87. | ||||
| CVE-2025-57935 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ricky Dawn Bot Block – Stop Spam Referrals in Google Analytics bot-block-stop-spam-google-analytics-referrals allows Stored XSS. This issue affects Bot Block – Stop Spam Referrals in Google Analytics: from n/a through <= 2.6. | ||||
| CVE-2025-46494 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themesgrove WidgetKit Pro allows Reflected XSS. This issue affects WidgetKit Pro: from n/a through 1.13.1. | ||||
| CVE-2025-8588 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Gutenberg Blocks – PublishPress Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Marker Title' and 'Marker Description' parameters for the Maps block in versions up to, and including, 3.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||