Filtered by vendor Wordpress
Subscriptions
Total
8044 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-11376 | 2 Extendthemes, Wordpress | 2 Colibri Page Builder, Wordpress | 2025-12-15 | 6.4 Medium |
| The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'colibri_loop' shortcode in all versions up to, and including, 1.0.335 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-14462 | 1 Wordpress | 1 Wordpress | 2025-12-15 | 4.3 Medium |
| The Lucky Draw Contests plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2. This is due to missing or incorrect nonce validation in misc-settings.php. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-13705 | 1 Wordpress | 1 Wordpress | 2025-12-15 | 6.4 Medium |
| The Custom Frames plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' parameter of the 'customframe' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-14288 | 2 Gallerycreator, Wordpress | 2 Gallery Blocks With Lightbox, Wordpress | 2025-12-15 | 4.3 Medium |
| The Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to unauthorized modification of plugin settings in all versions up to, and including, 3.3.0. This is due to the plugin using the `edit_posts` capability check instead of `manage_options` for the `update_option` action type in the `pgc_sgb_action_wizard` AJAX handler. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify arbitrary plugin settings prefixed with `pgc_sgb_*`. | ||||
| CVE-2025-9218 | 4 Bbpress, Buddypress, Rtcamp and 1 more | 4 Bbpress, Buddypress, Rtmedia and 1 more | 2025-12-15 | 3.7 Low |
| The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to to Information Disclosure due to missing authorization in the handle_rest_pre_dispatch() function when the Godam plugin is active, in versions 4.7.0 to 4.7.3. This makes it possible for unauthenticated attackers to retrieve media items associated with draft or private posts. | ||||
| CVE-2025-14451 | 1 Wordpress | 1 Wordpress | 2025-12-15 | 4.7 Medium |
| The Solutions Ad Manager plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.0.0. This is due to insufficient validation on the redirect URL supplied via the 'sam-redirect-to' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action. | ||||
| CVE-2025-12076 | 2 F1logic, Wordpress | 2 Wpsocial Auto Publish, Wordpress | 2025-12-15 | 6.1 Medium |
| The Social Media Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage parameter in all versions up to, and including, 3.6.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-7058 | 1 Wordpress | 1 Wordpress | 2025-12-15 | 6.4 Medium |
| The Kingcabs theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘progressbarLayout’ parameter in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-8617 | 2 Wordpress, Yithemes | 2 Wordpress, Yith Woocommerce Quick View | 2025-12-15 | 6.4 Medium |
| The YITH WooCommerce Quick View plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's yith_quick_view shortcode in all versions up to, and including, 2.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-14539 | 1 Wordpress | 1 Wordpress | 2025-12-15 | 5.4 Medium |
| The The Shortcode Ajax plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | ||||
| CVE-2025-14508 | 1 Wordpress | 1 Wordpress | 2025-12-15 | 6.5 Medium |
| The MediaCommander – Bring Folders to Media, Posts, and Pages plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the import-csv REST API endpoint in all versions up to, and including, 2.3.1. This is due to the endpoint using `upload_files` capability check (Author level) for a destructive operation that can delete all folders. This makes it possible for authenticated attackers, with Author-level access and above, to delete all folder organization data created by Administrators and other users. | ||||
| CVE-2025-11164 | 1 Wordpress | 1 Wordpress | 2025-12-15 | 4.3 Medium |
| The Mavix Education theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mavix_education_activate_plugin' AJAX action in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate the Creativ Demo Importer plugin. | ||||
| CVE-2025-12077 | 2 F1logic, Wordpress | 2 Wp To Linkedin Auto Publish, Wordpress | 2025-12-15 | 6.1 Medium |
| The WP to LinkedIn Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 1.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-14394 | 1 Wordpress | 1 Wordpress | 2025-12-15 | 4.3 Medium |
| The Popover Windows plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-12109 | 1 Wordpress | 1 Wordpress | 2025-12-15 | 6.4 Medium |
| The Header Footer Script Adder – Insert Code in Header, Body & Footer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the script adder present in posts in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-9488 | 1 Wordpress | 1 Wordpress | 2025-12-15 | 6.4 Medium |
| The Redux Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data’ parameter in all versions up to, and including, 4.5.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-8779 | 3 Elementor, Shamsbd71, Wordpress | 3 Elementor, All-in-one Addons For Elementor, Wordpress | 2025-12-15 | 6.4 Medium |
| The All-in-One Addons for Elementor – WidgetKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Team and Countdown widgets in all versions up to, and including, 2.5.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-10289 | 1 Wordpress | 1 Wordpress | 2025-12-15 | 5.9 Medium |
| The Filter & Grids plugin for WordPress is vulnerable to SQL Injection via the 'phrase' parameter in all versions up to, and including, 3.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This only works on MariaDB as the query results in a syntax error on MySQL. | ||||
| CVE-2025-7960 | 2 Kingaddons, Wordpress | 2 King Addons For Elementor, Wordpress | 2025-12-15 | 6.4 Medium |
| The King Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Pricing Slider, Pricing Calculator, and Image Accordion widgets in all versions up to, and including, 51.1.39 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-0969 | 2 Brizy, Wordpress | 3 Brizy, Brizy-page Builder, Wordpress | 2025-12-15 | 6.5 Medium |
| The Brizy – Page Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.16 via the get_users() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including email addresses and hashed passwords of administrators. | ||||