Filtered by vendor Wordpress
Subscriptions
Total
4847 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-6572 | 3 Openstreetmap, Wordpress, Wpbakery | 4 Openstreetmap, Wordpress, Page Builder and 1 more | 2025-08-12 | 5.9 Medium |
| The OpenStreetMap for Gutenberg and WPBakery Page Builder (formerly Visual Composer) WordPress plugin through 1.2.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2025-8690 | 2 Addix, Wordpress | 2 Simple Responsive Slider Plugin, Wordpress | 2025-08-12 | 6.4 Medium |
| The Simple Responsive Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-5391 | 2 Woocommerce, Wordpress | 3 Woocommerce, Woocommerce Purchase Orders Plugin, Wordpress | 2025-08-12 | 8.1 High |
| The WooCommerce Purchase Orders plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | ||||
| CVE-2025-8314 | 2 Emarket-design, Wordpress | 2 Software Issue Manager Plugin, Wordpress | 2025-08-12 | 6.4 Medium |
| The Software Issue Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘noaccess_msg parameter in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-24000 | 2 Wordpress, Wpexperts | 2 Wordpress, Post Smtp | 2025-08-12 | 8.8 High |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in WPExperts Post SMTP allows Authentication Bypass.This issue affects Post SMTP: from n/a through 3.2.0. | ||||
| CVE-2025-54940 | 2 Wordpress, Wpengine | 2 Wordpress, Advanced Custom Fields | 2025-08-12 | N/A |
| An HTML injection vulnerability exists in WordPress plugin "Advanced Custom Fields" prior to 6.4.3. If this vulnerability is exploited, crafted HTML code may be rendered and page display may be tampered. | ||||
| CVE-2025-4796 | 1 Wordpress | 1 Wordpress | 2025-08-12 | 8.8 High |
| The Eventin plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.34. This is due to the plugin not properly validating a user's identity or capability prior to updating their details like email in the 'Eventin\Speaker\Api\SpeakerController::update_item' function. This makes it possible for unauthenticated attackers with contributor-level and above permissions to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | ||||
| CVE-2025-7726 | 2 Dream-theme, Wordpress | 2 The7, Wordpress | 2025-08-12 | 6.4 Medium |
| The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via its lightbox rendering code in all versions up to, and including, 12.6.0 due to insufficient input sanitization and output escaping. The theme’s JavaScript reads user-supplied 'title' and 'data-dt-img-description' attributes directly via jQuery.attr(), concatenates them into an HTML string, and inserts that string into the DOM using methods such as jQuery.html() without escaping or filtering. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-7965 | 1 Wordpress | 1 Wordpress | 2025-08-12 | 4.3 Medium |
| The CBX Restaurant Booking WordPress plugin through 1.2.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | ||||
| CVE-2025-4390 | 2 Nimeshrmr, Wordpress | 2 Wp Private Content Plus, Wordpress | 2025-08-12 | 5.3 Medium |
| The WP Private Content Plus plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.2 via the 'validate_restrictions' function. This makes it possible for unauthenticated attackers to extract sensitive data including the content of resticted posts on archive and feed pages. | ||||
| CVE-2025-8685 | 2 Emilien, Wordpress | 2 Wp Chart Generator, Wordpress | 2025-08-12 | 6.4 Medium |
| The Wp chart generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpchart shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-8621 | 2 Odn, Wordpress | 2 Mosaic Generator, Wordpress | 2025-08-12 | 6.4 Medium |
| The Mosaic Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘c’ parameter in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-8462 | 2 Risethemes, Wordpress | 2 Rt Easy Builder, Wordpress | 2025-08-12 | 6.4 Medium |
| The RT Easy Builder – Advanced addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the social URL parameter in all versions up to, and including, 2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-8568 | 2 Prabode, Wordpress | 2 Gmap Generator, Wordpress | 2025-08-12 | 6.4 Medium |
| The GMap Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘h’ parameter in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-8688 | 2 Ebernstein, Wordpress | 2 Inline Stock Quotes, Wordpress | 2025-08-12 | 6.4 Medium |
| The Inline Stock Quotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's stock shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-8059 | 2 Bplugins, Wordpress | 2 B Blocks, Wordpress | 2025-08-12 | 9.8 Critical |
| The B Blocks plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization and improper input validation within the rgfr_registration() function in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to create a new account and assign it the administrator role. | ||||
| CVE-2024-4361 | 2 Siteorigin, Wordpress | 2 Page Builder, Wordpress | 2025-08-12 | 6.4 Medium |
| The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siteorigin_widget' shortcode in all versions up to, and including, 2.29.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-54050 | 2 Cyberchimps, Wordpress | 2 Responsive Addons For Elementor, Wordpress | 2025-08-11 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CyberChimps Responsive Addons for Elementor allows Stored XSS. This issue affects Responsive Addons for Elementor: from n/a through 1.7.3. | ||||
| CVE-2025-4370 | 2 Brizy, Wordpress | 3 Brizy, Brizy-page Builder, Wordpress | 2025-08-11 | 5.3 Medium |
| The Brizy – Page Builder plugin for WordPress is vulnerable to limited file uploads due to missing authorization on process_external_asset_urls function as well as missing path validation in store_file function in all versions up to, and including, 2.6.20. This makes it possible for unauthenticated attackers to upload .TXT files on the affected site's server. | ||||
| CVE-2025-5084 | 2 Addonmaster, Wordpress | 2 Post Grid Master, Wordpress | 2025-08-11 | 6.1 Medium |
| The Post Grid Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘argsArray['read_more_text']’ parameter in all versions up to, and including, 3.4.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||