Filtered by vendor Wordpress
Subscriptions
Total
9026 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-12483 | 2 Themeisle, Wordpress | 2 Visualizer, Wordpress | 2026-01-07 | 6.5 Medium |
| The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'query' parameter in all versions up to, and including, 3.11.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Version 3.11.13 raises the minimum user-level for exploitation to administrator. 3.11.14 fully patches the vulnerability. | ||||
| CVE-2025-12370 | 1 Wordpress | 1 Wordpress | 2026-01-07 | 4.3 Medium |
| The Takeads plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.13. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete the plugin's configuration options. | ||||
| CVE-2025-69091 | 2 Kraftplugins, Wordpress | 2 Demo Importer Plus, Wordpress | 2026-01-07 | 4.3 Medium |
| Missing Authorization vulnerability in Kraft Plugins Demo Importer Plus demo-importer-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Demo Importer Plus: from n/a through <= 2.0.8. | ||||
| CVE-2025-59593 | 2 Extendthemes, Wordpress | 2 Colibri Page Builder, Wordpress | 2026-01-07 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Extend Themes Colibri Page Builder colibri-page-builder allows Stored XSS.This issue affects Colibri Page Builder: from n/a through < 1.0.334. | ||||
| CVE-2025-58935 | 2 Axiomthemes, Wordpress | 2 Lunna, Wordpress | 2026-01-06 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Lunna lunna allows PHP Local File Inclusion.This issue affects Lunna: from n/a through <= 1.15. | ||||
| CVE-2023-47232 | 2 Mojofywp, Wordpress | 2 Wp Affiliate Disclosure, Wordpress | 2026-01-06 | 4.3 Medium |
| Vulnerability in mojofywp WP Affiliate Disclosure wp-affiliate-disclosure.This issue affects WP Affiliate Disclosure: from n/a through 1.2.6. | ||||
| CVE-2025-53435 | 2 Axiomthemes, Wordpress | 2 Plan My Day, Wordpress | 2026-01-06 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Plan My Day planmyday allows PHP Local File Inclusion.This issue affects Plan My Day: from n/a through <= 1.1.13. | ||||
| CVE-2025-53438 | 2 Axiomthemes, Wordpress | 2 Fitline, Wordpress | 2026-01-06 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes FitLine fitline allows PHP Local File Inclusion.This issue affects FitLine: from n/a through <= 1.6. | ||||
| CVE-2025-53439 | 2 Axiomthemes, Wordpress | 2 Harper, Wordpress | 2026-01-06 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Harper harper allows PHP Local File Inclusion.This issue affects Harper: from n/a through <= 1.13. | ||||
| CVE-2025-53441 | 2 Axiomthemes, Wordpress | 2 Greeny, Wordpress | 2026-01-06 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Greeny greeny allows PHP Local File Inclusion.This issue affects Greeny: from n/a through <= 2.6. | ||||
| CVE-2025-53442 | 2 Axiomthemes, Wordpress | 2 Rentic, Wordpress | 2026-01-06 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Rentic rentic allows PHP Local File Inclusion.This issue affects Rentic: from n/a through <= 1.1. | ||||
| CVE-2025-14047 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 5.3 Medium |
| The Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'Frontend_Form_Ajax::submit_post' function in all versions up to, and including, 4.2.4. This makes it possible for unauthenticated attackers to delete attachment. | ||||
| CVE-2025-14998 | 2 Wordpress, Wpmudev | 2 Wordpress, Branda | 2026-01-05 | 9.8 Critical |
| The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.24. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. | ||||
| CVE-2025-62137 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shuttlethemes Shuttle allows Stored XSS.This issue affects Shuttle: from n/a through 1.5.0. | ||||
| CVE-2025-62758 | 2 Funnelforms, Wordpress | 2 Funnelforms Free, Wordpress | 2026-01-05 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Funnelforms Funnelforms Free allows DOM-Based XSS.This issue affects Funnelforms Free: from n/a through 3.8. | ||||
| CVE-2025-62759 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Justin Tadlock Series allows Stored XSS.This issue affects Series: from n/a through 2.0.1. | ||||
| CVE-2025-62760 | 2 Buddypress, Wordpress | 2 Buddypress, Wordpress | 2026-01-05 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev BuddyPress Activity Shortcode allows Stored XSS.This issue affects BuddyPress Activity Shortcode: from n/a through 1.1.8. | ||||
| CVE-2025-63000 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP for church Sermon Manager allows Stored XSS.This issue affects Sermon Manager: from n/a through 2.30.0. | ||||
| CVE-2025-13820 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 5.3 Medium |
| The Comments WordPress plugin before 7.6.40 does not properly validate user's identity when using the disqus.com provider, allowing an attacker to log in to any user (when knowing their email address) when such user does not have an account on disqus.com yet. | ||||
| CVE-2025-14627 | 2 Smackcoders, Wordpress | 4 An Ultimate Wordpress Importer Cum Migration As Csv \& Xml, Ultimate Csv Importer, Wp Ultimate Csv Importer and 1 more | 2026-01-05 | 6.4 Medium |
| The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. While the initial URL is validated using `wp_http_validate_url()`, when a Bitly shortlink is detected, the `unshorten_bitly_url()` function follows redirects to the final destination URL without re-validating it. This makes it possible for authenticated attackers with Contributor-level access or higher to make the server perform HTTP requests to arbitrary internal endpoints, including localhost, private IP ranges, and cloud metadata services (e.g., 169.254.169.254), potentially exposing sensitive internal data. | ||||