Filtered by vendor Wordpress
Subscriptions
Total
9040 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-62760 | 2 Buddypress, Wordpress | 2 Buddypress, Wordpress | 2026-01-05 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev BuddyPress Activity Shortcode allows Stored XSS.This issue affects BuddyPress Activity Shortcode: from n/a through 1.1.8. | ||||
| CVE-2025-63000 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP for church Sermon Manager allows Stored XSS.This issue affects Sermon Manager: from n/a through 2.30.0. | ||||
| CVE-2025-13820 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 5.3 Medium |
| The Comments WordPress plugin before 7.6.40 does not properly validate user's identity when using the disqus.com provider, allowing an attacker to log in to any user (when knowing their email address) when such user does not have an account on disqus.com yet. | ||||
| CVE-2025-14627 | 2 Smackcoders, Wordpress | 4 An Ultimate Wordpress Importer Cum Migration As Csv \& Xml, Ultimate Csv Importer, Wp Ultimate Csv Importer and 1 more | 2026-01-05 | 6.4 Medium |
| The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. While the initial URL is validated using `wp_http_validate_url()`, when a Bitly shortlink is detected, the `unshorten_bitly_url()` function follows redirects to the final destination URL without re-validating it. This makes it possible for authenticated attackers with Contributor-level access or higher to make the server perform HTTP requests to arbitrary internal endpoints, including localhost, private IP ranges, and cloud metadata services (e.g., 169.254.169.254), potentially exposing sensitive internal data. | ||||
| CVE-2025-14428 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 4.3 Medium |
| The All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs - My Sticky Elements plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'my_sticky_elements_bulks' function in all versions up to, and including, 2.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all contact form leads stored by the plugin. | ||||
| CVE-2017-20207 | 3 Dan Coulter, Dancoulter, Wordpress | 3 Flickr Gallery, Flickr Gallery, Wordpress | 2026-01-05 | 9.8 Critical |
| The Flickr Gallery plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.5.2 via deserialization of untrusted input from the `pager ` parameter. This allows unauthenticated attackers to inject a PHP Object. Attackers were actively exploiting this vulnerability with the WP_Theme() class to create backdoors. | ||||
| CVE-2025-59003 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 5.8 Medium |
| Insertion of Sensitive Information Into Sent Data vulnerability in Inkthemescom Black Rider allows Retrieve Embedded Sensitive Data.This issue affects Black Rider: from n/a through 1.2.3. | ||||
| CVE-2025-14155 | 3 Elementor, Leap13, Wordpress | 4 Elementor, Premium Addons, Premium Addons For Elementor and 1 more | 2026-01-05 | 5.3 Medium |
| The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_template_content' function in all versions up to, and including, 4.11.53. This makes it possible for unauthenticated attackers to view the content of private, draft, and pending templates. | ||||
| CVE-2025-14163 | 2 Leap13, Wordpress | 2 Premium Addons For Elementor, Wordpress | 2026-01-05 | 4.3 Medium |
| The Premium Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.11.53. This is due to missing nonce validation in the 'insert_inner_template' function. This makes it possible for unauthenticated attackers to create arbitrary Elementor templates via a forged request granted they can trick a site administrator or other user with the edit_posts capability into performing an action such as clicking on a link. | ||||
| CVE-2024-6719 | 2 Webgarh, Wordpress | 2 Offload Videos, Wordpress | 2026-01-05 | 8.1 High |
| The Offload Videos WordPress plugin before 1.0.1 does not have CSRF check in place when updating its settings, which could allow low privilege users to update them via a CSRF attack | ||||
| CVE-2025-62138 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 5.3 Medium |
| Missing Authorization vulnerability in CedCommerce WP Advanced PDF allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Advanced PDF: from n/a through 1.1.7. | ||||
| CVE-2025-62134 | 2 Awplife, Wordpress | 2 Contact Form Widget, Wordpress | 2026-01-05 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in A WP Life Contact Form Widget allows Cross Site Request Forgery.This issue affects Contact Form Widget: from n/a through 1.5.1. | ||||
| CVE-2025-62120 | 2 Rickbeckman, Wordpress | 2 Openhook, Wordpress | 2026-01-05 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Rick Beckman OpenHook allows Cross Site Request Forgery.This issue affects OpenHook: from n/a through 4.3.1. | ||||
| CVE-2025-62117 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Jayce53 EasyIndex easyindex allows Cross Site Request Forgery.This issue affects EasyIndex: from n/a through 1.1.1704. | ||||
| CVE-2025-62888 | 2 Marcomilesi, Wordpress | 2 Wp Attachments, Wordpress | 2026-01-05 | 5.4 Medium |
| Missing Authorization vulnerability in Marco Milesi WP Attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Attachments: from n/a through 5.2. | ||||
| CVE-2025-62108 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 5.4 Medium |
| Missing Authorization vulnerability in SaifuMak Add Custom Codes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Add Custom Codes: from n/a through 4.80. | ||||
| CVE-2025-62091 | 2 Vollstart, Wordpress | 2 Serial Codes Generator And Validator With Woocommerce Support, Wordpress | 2026-01-05 | 5.4 Medium |
| Missing Authorization vulnerability in Vollstart Serial Codes Generator and Validator with WooCommerce Support allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Serial Codes Generator and Validator with WooCommerce Support: from n/a through 2.8.2. | ||||
| CVE-2025-62098 | 2 Totalsoft, Wordpress | 2 Portfolio Gallery, Wordpress | 2026-01-05 | 5.4 Medium |
| Missing Authorization vulnerability in Totalsoft Portfolio Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Portfolio Gallery: from n/a through 1.4.8. | ||||
| CVE-2025-49349 | 2 Reuters News Agency, Wordpress | 2 Reuters Direct, Wordpress | 2026-01-05 | 5.3 Medium |
| Missing Authorization vulnerability in Reuters News Agency Reuters Direct allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Reuters Direct: from n/a through 3.0.0. | ||||
| CVE-2024-4439 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 7.2 High |
| WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar. | ||||