Filtered by vendor Wordpress
Subscriptions
Total
9026 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-69351 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 6.5 Medium |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows Blind SQL Injection.This issue affects Ninja Tables: from n/a through <= 5.2.4. | ||||
| CVE-2025-69356 | 3 Codexthemes, Elementor, Wordpress | 3 Thegem, Elementor, Wordpress | 2026-01-08 | N/A |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows PHP Local File Inclusion.This issue affects TheGem Theme Elements (for Elementor): from n/a through <= 5.11.0. | ||||
| CVE-2025-69357 | 3 Codexthemes, Elementor, Wordpress | 3 Thegem, Elementor, Wordpress | 2026-01-08 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows Stored XSS.This issue affects TheGem Theme Elements (for Elementor): from n/a through <= 5.11.0. | ||||
| CVE-2025-69359 | 2 Wordpress, Wpfunnels | 2 Wordpress, Creator Lms | 2026-01-08 | N/A |
| Missing Authorization vulnerability in WPFunnels Creator LMS creatorlms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Creator LMS: from n/a through <= 1.1.12. | ||||
| CVE-2025-69361 | 2 Publishpress, Wordpress | 2 Post Expirator, Wordpress | 2026-01-08 | N/A |
| Missing Authorization vulnerability in PublishPress Post Expirator post-expirator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Expirator: from n/a through <= 4.9.3. | ||||
| CVE-2025-69363 | 2 Cyberchimps, Wordpress | 2 Responsive Addons For Elementor, Wordpress | 2026-01-08 | N/A |
| Missing Authorization vulnerability in CyberChimps Responsive Addons for Elementor responsive-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Responsive Addons for Elementor: from n/a through <= 2.0.8. | ||||
| CVE-2025-12648 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 5.3 Medium |
| The WP-Members Membership Plugin for WordPress is vulnerable to unauthorized file access in versions up to, and including, 3.5.4.4. This is due to storing user-uploaded files in predictable directories (wp-content/uploads/wpmembers/user_files/<user_id>/) without implementing proper access controls beyond basic directory listing protection (.htaccess with Options -Indexes). This makes it possible for unauthenticated attackers to directly access and download sensitive documents uploaded by site users via direct URL access, granted they can guess or enumerate user IDs and filenames. | ||||
| CVE-2024-30547 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Shazdeh Header Image Slider header-image-slider allows DOM-Based XSS.This issue affects Header Image Slider: from n/a through 0.3. | ||||
| CVE-2024-31088 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPShop.Ru AdsPlace'r – Ad Manager, Inserter, AdSense Ads allows DOM-Based XSS.This issue affects AdsPlace'r – Ad Manager, Inserter, AdSense Ads: from n/a through 1.1.5. | ||||
| CVE-2025-11370 | 2 Averta, Wordpress | 3 Depicter Slider, Slider And Popup Builder By Depicter, Wordpress | 2026-01-08 | 5.3 Medium |
| The Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'store' function of the RulesAjaxController class in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to update pop-up display settings. | ||||
| CVE-2025-11877 | 2 Solwininfotech, Wordpress | 2 User Activity Log, Wordpress | 2026-01-08 | 7.5 High |
| The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. This makes it possible for unauthenticated attackers to push select site options from 0 to a non-zero value, allowing them to reopen registration or corrupt options like 'wp_user_roles', breaking wp-admin access. | ||||
| CVE-2025-12030 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 4.3 Medium |
| The ACF to REST API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.4. This is due to insufficient capability checks in the update_item_permissions_check() method, which only verifies that the current user has the edit_posts capability without checking object-specific permissions (e.g., edit_post($id), edit_user($id), manage_options). This makes it possible for authenticated attackers, with Contributor-level access and above, to modify ACF fields on posts they do not own, any user account, comments, taxonomy terms, and even the global options page via the /wp-json/acf/v3/{type}/{id} endpoints, granted they can authenticate to the site. | ||||
| CVE-2025-12067 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 6.4 Medium |
| The Table Field Add-on for ACF and SCF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table Cell Content in all versions up to, and including, 1.3.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-12449 | 2 Kodezen, Wordpress | 2 Ablocks, Wordpress | 2026-01-08 | 5.4 Medium |
| The aBlocks – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data and disclosure of sensitive information due to missing capability checks on multiple AJAX actions in all versions up to, and including, 2.4.0. This makes it possible for authenticated attackers, with subscriber level access and above, to read plugin settings including block visibility, maintenance mode configuration, and third-party email marketing API keys, as well as read sensitive configuration data including API keys for email marketing services. | ||||
| CVE-2025-13215 | 2 Averta, Wordpress | 2 Shortcodes And Extra Features For Phlox Theme, Wordpress | 2026-01-08 | 5.3 Medium |
| The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.17.13 via the auxels_ajax_search due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract titles of draft posts that they should not have access to. | ||||
| CVE-2025-13409 | 2 Wordpress, Wpvibes | 2 Wordpress, Form Vibes | 2026-01-08 | 4.9 Medium |
| The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to SQL Injection via the 'params' parameter in all versions up to, and including, 1.4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-13746 | 2 Ultimatemember, Wordpress | 2 Forumwp, Wordpress | 2026-01-08 | 6.4 Medium |
| The ForumWP – Forum & Discussion Board plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User's Display Name in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-13766 | 2 Stylemix, Wordpress | 2 Masterstudy Lms Wordpress Plugin, Wordpress | 2026-01-08 | 5.4 Medium |
| The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates | ||||
| CVE-2025-13812 | 2 Gamipress, Wordpress | 2 Gamipress, Wordpress | 2026-01-08 | 4.3 Medium |
| The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the gamipress_ajax_get_posts and gamipress_ajax_get_users functions in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate users, including their email addresses and to retrieve titles of private posts. | ||||
| CVE-2025-13964 | 2 Thimpress, Wordpress | 2 Learnpress, Wordpress | 2026-01-08 | 5.3 Medium |
| The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the catch_lp_ajax function in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to modify course contents by adding/removing/updating/re-ordering sections or modifying section items. | ||||