Filtered by vendor Wordpress
Subscriptions
Total
5178 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-46470 | 1 Wordpress | 1 Wordpress | 2025-04-29 | 4.3 Medium |
| Missing Authorization vulnerability in Peter Raschendorfer Smart Hashtags [#hashtagger] allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Smart Hashtags [#hashtagger]: from n/a through 7.2.3. | ||||
| CVE-2025-46472 | 2 Webangon, Wordpress | 2 The Pack Elementor Addons, Wordpress | 2025-04-29 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webangon The Pack Elementor addons allows Stored XSS. This issue affects The Pack Elementor addons: from n/a through 2.1.2. | ||||
| CVE-2025-46495 | 1 Wordpress | 1 Wordpress | 2025-04-29 | 6.5 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in tomontoast Drop Caps allows Stored XSS. This issue affects Drop Caps: from n/a through 2.1. | ||||
| CVE-2025-46497 | 1 Wordpress | 1 Wordpress | 2025-04-29 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Navegg Navegg Analytics allows Stored XSS. This issue affects Navegg Analytics: from n/a through 3.3.3. | ||||
| CVE-2025-46531 | 1 Wordpress | 1 Wordpress | 2025-04-29 | 4.9 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Ankur Vishwakarma WP AVCL Automation Helper (formerly WPFlyLeads) allows Server Side Request Forgery. This issue affects WP AVCL Automation Helper (formerly WPFlyLeads): from n/a through 3.4. | ||||
| CVE-2025-2238 | 1 Wordpress | 1 Wordpress | 2025-04-29 | 8.8 High |
| The Vikinger theme for WordPress is vulnerable to privilege in all versions up to, and including, 1.9.30. This is due to insufficient user_meta restrictions in the 'vikinger_user_meta_update_ajax' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator-level. | ||||
| CVE-2025-46538 | 1 Wordpress | 1 Wordpress | 2025-04-29 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webplanetsoft Inline Text Popup allows DOM-Based XSS. This issue affects Inline Text Popup: from n/a through 1.0.0. | ||||
| CVE-2025-1565 | 1 Wordpress | 1 Wordpress | 2025-04-29 | 7.5 High |
| The Mayosis Core plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.4.1 via the library/wave-audio/peaks/remote_dl.php file. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. | ||||
| CVE-2025-46230 | 2 Ghozylab, Wordpress | 2 Popup Builder, Wordpress | 2025-04-29 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in GhozyLab Popup Builder allows PHP Local File Inclusion. This issue affects Popup Builder: from n/a through 1.1.35. | ||||
| CVE-2025-46260 | 2 Wordpress, Wowdevs | 2 Wordpress, Sky Addons For Elementor | 2025-04-29 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wowDevs Sky Addons for Elementor allows Stored XSS. This issue affects Sky Addons for Elementor: from n/a through 3.0.1. | ||||
| CVE-2025-46442 | 1 Wordpress | 1 Wordpress | 2025-04-29 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Casey Johnson Loan Calculator allows Stored XSS. This issue affects Loan Calculator: from n/a through 1.3. | ||||
| CVE-2025-46449 | 1 Wordpress | 1 Wordpress | 2025-04-29 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Novium WoWHead Tooltips allows Stored XSS. This issue affects WoWHead Tooltips: from n/a through 2.0.1. | ||||
| CVE-2025-46452 | 1 Wordpress | 1 Wordpress | 2025-04-29 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Olav Kolbu Google News allows Stored XSS. This issue affects Google News: from n/a through 2.5.1. | ||||
| CVE-2025-46467 | 1 Wordpress | 1 Wordpress | 2025-04-29 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rahendra Putra K™ RAphicon allows DOM-Based XSS. This issue affects RAphicon: from n/a through 2.1.2. | ||||
| CVE-2025-46477 | 1 Wordpress | 1 Wordpress | 2025-04-29 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Carlo La Pera WP Customize Login Page allows Stored XSS. This issue affects WP Customize Login Page: from n/a through 1.6.5. | ||||
| CVE-2025-46485 | 1 Wordpress | 1 Wordpress | 2025-04-29 | 5.3 Medium |
| Missing Authorization vulnerability in Carlo La Pera WP Customize Login Page allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WP Customize Login Page: from n/a through 1.6.5. | ||||
| CVE-2025-46503 | 1 Wordpress | 1 Wordpress | 2025-04-29 | 4.9 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in josheli Simple Google Photos Grid allows Server Side Request Forgery. This issue affects Simple Google Photos Grid: from n/a through 1.5. | ||||
| CVE-2025-3749 | 1 Wordpress | 1 Wordpress | 2025-04-29 | 6.4 Medium |
| The Breeze Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘cal_size’ parameter in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-13812 | 1 Wordpress | 1 Wordpress | 2025-04-29 | 6.5 Medium |
| The The Anps Theme plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.1.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | ||||
| CVE-2023-2745 | 1 Wordpress | 1 Wordpress | 2025-04-24 | 5.4 Medium |
| WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack. | ||||