Wordpress CVEs and Security Vulnerabilities

Filtered by vendor Wordpress Subscriptions

Search

Switch to Advanced Search (Beta)

Total 4936 CVE

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2025-54042	1 Wordpress	1 Wordpress	2025-07-21	4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in xfinitysoft WP Post Hide allows Cross Site Request Forgery. This issue affects WP Post Hide: from n/a through 1.0.9.
CVE-2025-54024	1 Wordpress	1 Wordpress	2025-07-21	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Greg Winiarski WPAdverts allows DOM-Based XSS. This issue affects WPAdverts: from n/a through 2.2.5.
CVE-2025-53986	1 Wordpress	1 Wordpress	2025-07-21	5.3 Medium
Missing Authorization vulnerability in ThemeIsle Hestia allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Hestia: from n/a through 3.2.10.
CVE-2025-53994	1 Wordpress	1 Wordpress	2025-07-21	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetPopup allows DOM-Based XSS. This issue affects JetPopup: from n/a through 2.0.15.
CVE-2025-53996	1 Wordpress	1 Wordpress	2025-07-21	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSearch allows Stored XSS. This issue affects JetSearch: from n/a through 3.5.10.1.
CVE-2025-54016	1 Wordpress	1 Wordpress	2025-07-21	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kyle Gilman Videopack allows DOM-Based XSS. This issue affects Videopack: from n/a through 4.10.3.
CVE-2025-54043	1 Wordpress	1 Wordpress	2025-07-21	7.6 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce SMTP for Amazon SES allows SQL Injection. This issue affects SMTP for Amazon SES: from n/a through 1.9.
CVE-2025-48150	1 Wordpress	1 Wordpress	2025-07-21	4.3 Medium
Missing Authorization vulnerability in Bill Minozzi Real Estate Property 2024 Create Your Own Fields and Search Bar WP Plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Real Estate Property 2024 Create Your Own Fields and Search Bar WP Plugin: from n/a through 4.48.
CVE-2025-53990	1 Wordpress	1 Wordpress	2025-07-21	7.2 High
Deserialization of Untrusted Data vulnerability in jetmonsters JetFormBuilder allows Object Injection. This issue affects JetFormBuilder: from n/a through 3.5.1.2.
CVE-2025-48167	1 Wordpress	1 Wordpress	2025-07-21	5.4 Medium
Missing Authorization vulnerability in alexvtn Chatbox Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Chatbox Manager: from n/a through 1.2.5.
CVE-2025-54010	1 Wordpress	1 Wordpress	2025-07-21	9.6 Critical
Cross-Site Request Forgery (CSRF) vulnerability in Shahjahan Jewel FluentSnippets allows Cross Site Request Forgery. This issue affects FluentSnippets: from n/a through 10.50.
CVE-2025-53991	1 Wordpress	1 Wordpress	2025-07-21	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetTricks allows Stored XSS. This issue affects JetTricks: from n/a through 1.5.4.1.
CVE-2025-5845	1 Wordpress	1 Wordpress	2025-07-21	6.4 Medium
The Affiliate Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘numColumns’ parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-48155	1 Wordpress	1 Wordpress	2025-07-21	5.3 Medium
Missing Authorization vulnerability in enituretechnology Residential Address Detection allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Residential Address Detection: from n/a through 2.5.9.
CVE-2025-54037	2 Blazethemes, Wordpress	2 News Kit Elementor Addons, Wordpress	2025-07-21	5.4 Medium
Missing Authorization vulnerability in blazethemes News Kit Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects News Kit Elementor Addons: from n/a through 1.3.4.
CVE-2025-48161	2 Wordpress, Yaycommerce	2 Wordpress, Yaysmtp	2025-07-21	7.6 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YaySMTP allows SQL Injection. This issue affects YaySMTP: from n/a through 1.3.
CVE-2025-53997	2 Favethemes, Wordpress	2 Houzez, Wordpress	2025-07-21	4.3 Medium
Missing Authorization vulnerability in favethemes Houzez allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Houzez: from n/a through 4.0.4.
CVE-2025-48156	1 Wordpress	1 Wordpress	2025-07-21	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Parakoos Image Wall allows Stored XSS. This issue affects Image Wall: from n/a through 3.1.
CVE-2025-54009	1 Wordpress	1 Wordpress	2025-07-21	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSmartFilters allows Stored XSS. This issue affects JetSmartFilters: from n/a through 3.6.8.
CVE-2025-5843	1 Wordpress	1 Wordpress	2025-07-21	6.4 Medium
The Brandfolder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 5.0.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

« first previous Page 16 of 247. next last »