Filtered by vendor Wordpress
Total: 9040 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-53449 | 2 Axiomthemes, Wordpress | 2 Convex, Wordpress | 2026-01-05 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Convex convex allows PHP Local File Inclusion. This issue affects Convex: from n/a through <= 1.11. | ||||
| CVE-2025-53448 | 2 Axiomthemes, Wordpress | 2 Rally, Wordpress | 2026-01-05 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Rally rally allows PHP Local File Inclusion. This issue affects Rally: from n/a through <= 1.1. | ||||
| CVE-2025-69032 | 2 Mikado-themes, Wordpress | 2 Fivestar, Wordpress | 2026-01-05 | 5.4 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes FiveStar fivestar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FiveStar: from n/a through <= 1.7. | ||||
| CVE-2025-68603 | 2 Marketing Fire, Wordpress | 2 Editorial Calendar, Wordpress | 2026-01-05 | 8.1 High |
| Missing Authorization vulnerability in Marketing Fire Editorial Calendar editorial-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Editorial Calendar: from n/a through <= 3.8.8. | ||||
| CVE-2025-68600 | 2 Wordpress, Ylefebvre | 2 Wordpress, Link Library | 2026-01-05 | 9.1 Critical |
| Server-Side Request Forgery (SSRF) vulnerability in Yannick Lefebvre Link Library link-library allows Server Side Request Forgery. This issue affects Link Library: from n/a through <= 7.8.4. | ||||
| CVE-2025-68605 | 2 Pickplugins, Wordpress | 2 Post Grid, Wordpress | 2026-01-05 | 5.4 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Post Grid and Gutenberg Blocks post-grid allows Stored XSS. This issue affects Post Grid and Gutenberg Blocks: from n/a through <= 2.3.18. | ||||
| CVE-2025-68602 | 2 Scott Paterson, Wordpress | 2 Accept Donations With Paypal, Wordpress | 2026-01-05 | 6.1 Medium |
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Scott Paterson Accept Donations with PayPal easy-paypal-donation allows Phishing. This issue affects Accept Donations with PayPal: from n/a through <= 1.5.1. | ||||
| CVE-2023-41656 | 3 Elementor, Wordpress, Wpdive | 3 Elementor, Wordpress, Better Addons For Elementor | 2026-01-05 | 5.4 Medium |
| Missing Authorization vulnerability in wpdive Better Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Better Elementor Addons: from n/a through 1.3.7. | ||||
| CVE-2025-68562 | 2 Romancode, Wordpress | 2 Mapsvg, Wordpress | 2026-01-05 | 9.9 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG allows Upload a Web Shell to a Web Server. This issue affects MapSVG: from n/a through 8.7.3. | ||||
| CVE-2025-68036 | 2 Emraan Cheema, Wordpress | 2 Cubewp, Wordpress | 2026-01-05 | 7.5 High |
| Missing Authorization vulnerability in Emraan Cheema CubeWP allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects CubeWP: from n/a through 1.1.27. | ||||
| CVE-2025-68860 | 2 Mobile Builder, Wordpress | 2 Mobile Builder, Wordpress | 2026-01-05 | 9.8 Critical |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Mobile Builder Mobile builder allows Authentication Abuse. This issue affects Mobile builder: from n/a through 1.4.2. | ||||
| CVE-2023-32238 | 3 Codexthemes, Elementor, Wordpress | 3 Thegem, Elementor, Wordpress | 2026-01-05 | 5.4 Medium |
| Vulnerability in CodexThemes TheGem (Elementor), CodexThemes TheGem (WPBakery). This issue affects TheGem (Elementor): from n/a before 5.8.1.1; TheGem (WPBakery): from n/a before 5.8.1.1. | ||||
| CVE-2025-14509 | 3 Villatheme, Woocommerce, Wordpress | 3 Lucky Wheel For Woocommerce, Woocommerce, Wordpress | 2026-01-05 | 7.2 High |
| The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval() to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server. In WordPress multisite installations, this allows Site Administrators to execute arbitrary code, a capability they should not have since plugin/theme file editing is disabled for non-Super Admins in multisite environments. | ||||
| CVE-2025-66153 | 2 Merkulove, Wordpress | 2 Headinger For Elementor, Wordpress | 2026-01-05 | 5.4 Medium |
| Missing Authorization vulnerability in merkulove Headinger for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Headinger for Elementor: from n/a through 1.1.4. | ||||
| CVE-2025-68503 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 6.5 Medium |
| Missing Authorization vulnerability in Crocoblock JetBlog allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JetBlog: from n/a through 2.4.7. | ||||
| CVE-2025-68502 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 4.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Crocoblock JetPopup allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JetPopup: from n/a through 2.0.20.1. | ||||
| CVE-2025-14280 | 2 Pixelyoursite, Wordpress | 2 Pixelyoursite, Wordpress | 2026-01-05 | 5.3 Medium |
| The PixelYourSite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.1.5 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files, when the "Meta API logs" setting is enabled (disabled by default). The vulnerability was partially patched in version 11.1.5 and fully patched in version 11.1.5.1. | ||||
| CVE-2025-13592 | 2 Monetizemore, Wordpress | 2 Advanced Ads, Wordpress | 2026-01-05 | 7.2 High |
| The Advanced Ads plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.0.14 via the 'change-ad__content' shortcode parameter. This allows authenticated attackers with editor-level permissions or above, to execute code on the server. | ||||
| CVE-2025-68504 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSearch allows DOM-Based XSS. This issue affects JetSearch: from n/a through 3.5.16. | ||||
| CVE-2025-68498 | 2 Crocoblock, Wordpress | 2 Jettabs, Wordpress | 2026-01-05 | 6.5 Medium |
| Missing Authorization vulnerability in Crocoblock JetTabs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JetTabs: from n/a through 2.2.12. | ||||