Filtered by vendor Wordpress
Subscriptions
Total
9026 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-14428 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 4.3 Medium |
| The All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs - My Sticky Elements plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'my_sticky_elements_bulks' function in all versions up to, and including, 2.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all contact form leads stored by the plugin. | ||||
| CVE-2017-20207 | 3 Dan Coulter, Dancoulter, Wordpress | 3 Flickr Gallery, Flickr Gallery, Wordpress | 2026-01-05 | 9.8 Critical |
| The Flickr Gallery plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.5.2 via deserialization of untrusted input from the `pager ` parameter. This allows unauthenticated attackers to inject a PHP Object. Attackers were actively exploiting this vulnerability with the WP_Theme() class to create backdoors. | ||||
| CVE-2025-59003 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 5.8 Medium |
| Insertion of Sensitive Information Into Sent Data vulnerability in Inkthemescom Black Rider allows Retrieve Embedded Sensitive Data.This issue affects Black Rider: from n/a through 1.2.3. | ||||
| CVE-2025-14155 | 3 Elementor, Leap13, Wordpress | 4 Elementor, Premium Addons, Premium Addons For Elementor and 1 more | 2026-01-05 | 5.3 Medium |
| The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_template_content' function in all versions up to, and including, 4.11.53. This makes it possible for unauthenticated attackers to view the content of private, draft, and pending templates. | ||||
| CVE-2025-14163 | 2 Leap13, Wordpress | 2 Premium Addons For Elementor, Wordpress | 2026-01-05 | 4.3 Medium |
| The Premium Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.11.53. This is due to missing nonce validation in the 'insert_inner_template' function. This makes it possible for unauthenticated attackers to create arbitrary Elementor templates via a forged request granted they can trick a site administrator or other user with the edit_posts capability into performing an action such as clicking on a link. | ||||
| CVE-2024-6719 | 2 Webgarh, Wordpress | 2 Offload Videos, Wordpress | 2026-01-05 | 8.1 High |
| The Offload Videos WordPress plugin before 1.0.1 does not have CSRF check in place when updating its settings, which could allow low privilege users to update them via a CSRF attack | ||||
| CVE-2025-62138 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 5.3 Medium |
| Missing Authorization vulnerability in CedCommerce WP Advanced PDF allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Advanced PDF: from n/a through 1.1.7. | ||||
| CVE-2025-62134 | 2 Awplife, Wordpress | 2 Contact Form Widget, Wordpress | 2026-01-05 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in A WP Life Contact Form Widget allows Cross Site Request Forgery.This issue affects Contact Form Widget: from n/a through 1.5.1. | ||||
| CVE-2025-62120 | 2 Rickbeckman, Wordpress | 2 Openhook, Wordpress | 2026-01-05 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Rick Beckman OpenHook allows Cross Site Request Forgery.This issue affects OpenHook: from n/a through 4.3.1. | ||||
| CVE-2025-62117 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Jayce53 EasyIndex easyindex allows Cross Site Request Forgery.This issue affects EasyIndex: from n/a through 1.1.1704. | ||||
| CVE-2025-62888 | 2 Marcomilesi, Wordpress | 2 Wp Attachments, Wordpress | 2026-01-05 | 5.4 Medium |
| Missing Authorization vulnerability in Marco Milesi WP Attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Attachments: from n/a through 5.2. | ||||
| CVE-2025-62108 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 5.4 Medium |
| Missing Authorization vulnerability in SaifuMak Add Custom Codes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Add Custom Codes: from n/a through 4.80. | ||||
| CVE-2025-62091 | 2 Vollstart, Wordpress | 2 Serial Codes Generator And Validator With Woocommerce Support, Wordpress | 2026-01-05 | 5.4 Medium |
| Missing Authorization vulnerability in Vollstart Serial Codes Generator and Validator with WooCommerce Support allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Serial Codes Generator and Validator with WooCommerce Support: from n/a through 2.8.2. | ||||
| CVE-2025-62098 | 2 Totalsoft, Wordpress | 2 Portfolio Gallery, Wordpress | 2026-01-05 | 5.4 Medium |
| Missing Authorization vulnerability in Totalsoft Portfolio Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Portfolio Gallery: from n/a through 1.4.8. | ||||
| CVE-2025-49349 | 2 Reuters News Agency, Wordpress | 2 Reuters Direct, Wordpress | 2026-01-05 | 5.3 Medium |
| Missing Authorization vulnerability in Reuters News Agency Reuters Direct allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Reuters Direct: from n/a through 3.0.0. | ||||
| CVE-2024-4439 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 7.2 High |
| WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar. | ||||
| CVE-2025-63001 | 2 Nicdark, Wordpress | 2 Hotel Booking, Wordpress | 2026-01-05 | 5.3 Medium |
| Missing Authorization vulnerability in nicdark Hotel Booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hotel Booking: from n/a through 3.8. | ||||
| CVE-2025-11924 | 2 Ninjaforms, Wordpress | 2 Ninja Forms, Wordpress | 2026-01-05 | 7.5 High |
| The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the `ninja-forms-views` REST endpoints return form metadata and submission content. This makes it possible for unauthenticated attackers to read arbitrary form definitions and submission records via a leaked bearer token granted they can load any page containing the Submissions Table block. NOTE: The developer released a patch for this issue in 3.13.1, but inadvertently introduced a REST API endpoint in which a valid bearer token could be minted for arbitrary form IDs, making this patch ineffective. | ||||
| CVE-2025-63053 | 2 Jeweltheme, Wordpress | 2 Master Addons For Elementor, Wordpress | 2026-01-05 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Jewel Theme Master Addons for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Master Addons for Elementor: from n/a through 2.0.9.9.4. | ||||
| CVE-2025-58937 | 2 Axiomthemes, Wordpress | 2 Tacticool, Wordpress | 2026-01-05 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Tacticool tacticool allows PHP Local File Inclusion.This issue affects Tacticool: from n/a through <= 1.0.13. | ||||