Filtered by vendor Wordpress
Filtered by product Wordpress
Total: 5133 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2025-47667 | 1 Wordpress | 1 Wordpress | 2025-05-08 | 5.4 Medium |
Cross-Site Request Forgery (CSRF) vulnerability in qusupport LiveAgent allows Cross Site Request Forgery. This issue affects LiveAgent: from n/a through 4.4.7. | ||||
CVE-2025-47591 | 1 Wordpress | 1 Wordpress | 2025-05-08 | 4.3 Medium |
Missing Authorization vulnerability in CreedAlly Bulk Featured Image allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bulk Featured Image: from n/a through 1.2.1. | ||||
CVE-2025-47662 | 1 Wordpress | 1 Wordpress | 2025-05-08 | 6.5 Medium |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in woobox Woobox allows Stored XSS. This issue affects Woobox: from n/a through 1.6. | ||||
CVE-2025-47620 | 1 Wordpress | 1 Wordpress | 2025-05-08 | 7.1 High |
Cross-Site Request Forgery (CSRF) vulnerability in bundgaard Martins Free Monetized Ad Exchange Network allows Reflected XSS. This issue affects Martins Free Monetized Ad Exchange Network: from n/a through 1.0.5. | ||||
CVE-2025-47551 | 1 Wordpress | 1 Wordpress | 2025-05-08 | 4.3 Medium |
Cross-Site Request Forgery (CSRF) vulnerability in ctltwp Wiki Embed allows Cross Site Request Forgery. This issue affects Wiki Embed: from n/a through 1.4.6. | ||||
CVE-2025-47615 | 1 Wordpress | 1 Wordpress | 2025-05-08 | 5.9 Medium |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flowdee Amazon Product in a Post allows Stored XSS. This issue affects Amazon Product in a Post: from n/a through 5.2.2. | ||||
CVE-2025-47653 | 1 Wordpress | 1 Wordpress | 2025-05-08 | 7.5 High |
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in tggfref WP-Recall allows PHP Local File Inclusion. This issue affects WP-Recall: from n/a through 16.26.14. | ||||
CVE-2025-47676 | 1 Wordpress | 1 Wordpress | 2025-05-08 | 6.5 Medium |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Faiyaz Alam User Login History allows Stored XSS. This issue affects User Login History: from n/a through 2.1.6. | ||||
CVE-2025-47590 | 1 Wordpress | 1 Wordpress | 2025-05-08 | 4.3 Medium |
Cross-Site Request Forgery (CSRF) vulnerability in John Dagelmore WPSpeed allows Cross Site Request Forgery. This issue affects WPSpeed: from n/a through 2.6.5. | ||||
CVE-2025-47657 | 1 Wordpress | 1 Wordpress | 2025-05-08 | 9.3 Critical |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Productive Minds Productive Commerce allows SQL Injection. This issue affects Productive Commerce: from n/a through 1.1.22. | ||||
CVE-2025-47604 | 2 Data443, Wordpress | 2 Inline Related Posts, Wordpress | 2025-05-08 | 6.5 Medium |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Data443 Risk Mitigation, Inc. Inline Related Posts allows Stored XSS. This issue affects Inline Related Posts: from n/a through 3.8.0. | ||||
CVE-2025-47685 | 1 Wordpress | 1 Wordpress | 2025-05-08 | 7.1 High |
Cross-Site Request Forgery (CSRF) vulnerability in Moloni Contribuinte Checkout allows Stored XSS. This issue affects Contribuinte Checkout: from n/a through 2.0.02. | ||||
CVE-2025-47668 | 1 Wordpress | 1 Wordpress | 2025-05-08 | 5.9 Medium |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cookiecode CookieCode allows Stored XSS. This issue affects CookieCode: from n/a through 2.4.4. | ||||
CVE-2025-3609 | 1 Wordpress | 1 Wordpress | 2025-05-07 | 5.3 Medium |
The Reales WP STPT plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 2.1.2. This is due to the 'reales_user_signup_form' AJAX action not verifying if user registration is enabled, prior to registering a user. This makes it possible for unauthenticated attackers to create new user accounts, which can be leveraged with CVE-XX to achieve privilege escalation. | ||||
CVE-2025-2802 | 1 Wordpress | 1 Wordpress | 2025-05-07 | 7.3 High |
The LayoutBoxx plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.3.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | ||||
CVE-2025-3610 | 1 Wordpress | 1 Wordpress | 2025-05-07 | 8.8 High |
The Reales WP STPT plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.1.2. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's passwords and email addresses, including administrators, and leverage that to gain access to their account. This can be combined with CVE-2025-3609 to achieve remote code execution as an originally unauthenticated user with no account. | ||||
CVE-2025-4055 | 1 Wordpress | 1 Wordpress | 2025-05-07 | 6.4 Medium |
The Multiple Post Type Order plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mpto' shortcode in all versions up to, and including, 1.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
CVE-2025-3853 | 1 Wordpress | 1 Wordpress | 2025-05-07 | 6.5 Medium |
The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 2.0.0 to 2.6.0 via the callback_generate_api_key() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create valid API keys on behalf of other users. | ||||
CVE-2025-3852 | 1 Wordpress | 1 Wordpress | 2025-05-07 | 8.8 High |
The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.0 to 2.6.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email & password through the update() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. | ||||
CVE-2025-3860 | 1 Wordpress | 1 Wordpress | 2025-05-07 | 6.4 Medium |
The CarDealerPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saleclass' parameter in all versions up to, and including, 6.7.2504.00 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |