Filtered by vendor Wordpress
Subscriptions
Filtered by product Wordpress
Subscriptions
Total
7181 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-12827 | 1 Wordpress | 1 Wordpress | 2025-11-18 | 4.3 Medium |
| The Top Friends plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3. This is due to missing nonce validation on the top_friends_options_subpanel() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-64195 | 2 Thimpress, Wordpress | 2 Eduma, Wordpress | 2025-11-18 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress Eduma eduma allows PHP Local File Inclusion.This issue affects Eduma: from n/a through <= 5.7.6. | ||||
| CVE-2025-64197 | 2 Sizam Design, Wordpress | 2 Rehub, Wordpress | 2025-11-18 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sizam Rehub rehub-theme allows Stored XSS.This issue affects Rehub: from n/a through < 19.9.9.1. | ||||
| CVE-2025-64199 | 1 Wordpress | 1 Wordpress | 2025-11-18 | 5.3 Medium |
| Missing Authorization vulnerability in WpEstate wpresidence wpresidence allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects wpresidence: from n/a through <= 5.3.2. | ||||
| CVE-2025-60197 | 2 Owenr88, Wordpress | 2 Simple Contact Forms, Wordpress | 2025-11-18 | 8.2 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in owenr88 Simple Contact Forms simple-contact-forms allows PHP Local File Inclusion.This issue affects Simple Contact Forms: from n/a through <= 1.6.4. | ||||
| CVE-2025-60199 | 2 Dedalx, Wordpress | 2 Inhype, Wordpress | 2025-11-18 | 8.2 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in dedalx InHype - Blog & Magazine WordPress Theme inhype allows PHP Local File Inclusion.This issue affects InHype - Blog & Magazine WordPress Theme: from n/a through <= 1.5.2. | ||||
| CVE-2025-60200 | 2 Thimpress, Wordpress | 2 Learnpress Export Import, Wordpress | 2025-11-18 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress LearnPress Export Import learnpress-import-export allows PHP Local File Inclusion.This issue affects LearnPress Export Import: from n/a through <= 4.0.9. | ||||
| CVE-2025-60201 | 1 Wordpress | 1 Wordpress | 2025-11-18 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in aguilatechnologies WP Customer Area customer-area allows PHP Local File Inclusion.This issue affects WP Customer Area: from n/a through <= 8.2.7. | ||||
| CVE-2025-60202 | 1 Wordpress | 1 Wordpress | 2025-11-18 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Kyle Phillips Favorites favorites allows PHP Local File Inclusion.This issue affects Favorites: from n/a through <= 2.3.6. | ||||
| CVE-2025-60203 | 1 Wordpress | 1 Wordpress | 2025-11-18 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Josh Kohlbach Store Exporter woocommerce-exporter allows PHP Local File Inclusion.This issue affects Store Exporter: from n/a through <= 2.7.6. | ||||
| CVE-2025-60204 | 3 Josh Kohlbach, Woocommerce, Wordpress | 3 Woocommerce Store Toolkit, Woocommerce, Wordpress | 2025-11-18 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Josh Kohlbach WooCommerce Store Toolkit woocommerce-store-toolkit allows PHP Local File Inclusion.This issue affects WooCommerce Store Toolkit: from n/a through <= 2.4.3. | ||||
| CVE-2025-8605 | 1 Wordpress | 1 Wordpress | 2025-11-18 | 6.4 Medium |
| The Gutenify – Visual Site Builder Blocks & Site Templates. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block attributes in all versions up to, and including, 1.5.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-12937 | 1 Wordpress | 1 Wordpress | 2025-11-18 | 6.5 Medium |
| The ACF Flexible Layouts Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'acf_flm_update_template_with_pasted_layout' function in all versions up to, and including, 1.1.6. This makes it possible for unauthenticated attackers to update custom field values on individual posts and pages. | ||||
| CVE-2025-8609 | 1 Wordpress | 1 Wordpress | 2025-11-18 | 6.4 Medium |
| The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Accordion Block's attributes in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-11868 | 1 Wordpress | 1 Wordpress | 2025-11-18 | 6.4 Medium |
| The everviz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `everviz` shortcode attributes in versions up to, and including, 1.1. This is due to the plugin not properly sanitizing user input or escaping output when building a `<div id=...>` from the `type` and `hash` attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-12182 | 2 Qodeinteractive, Wordpress | 2 Qi Blocks, Wordpress | 2025-11-18 | 4.3 Medium |
| The Qi Blocks plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the `resize_image_callback()` function in all versions up to, and including, 1.4.3. This is due to the plugin not properly verifying that a user has permission to resize a specific attachment. This makes it possible for authenticated attackers, with Contributor-level access and above, to resize arbitrary media library images belonging to other users, which can result in unintended file writes, disk consumption, and server resource abuse through processing of large images. | ||||
| CVE-2025-8994 | 2 Wedevs, Wordpress | 2 Wp Project Manager, Wordpress | 2025-11-18 | 6.5 Medium |
| The Project Management, Team Collaboration, Kanban Board, Gantt Charts, Task Manager and More – WP Project Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘completed_at_operator’ parameter in all versions up to, and including, 2.6.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-12494 | 2 Wordpress, Wpchill | 2 Wordpress, Image Photo Gallery Final Tiles Grid | 2025-11-18 | 4.3 Medium |
| The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajax_import_file function in all versions up to, and including, 2.12.28. This makes it possible for authenticated attackers, with author-level access and above, to move arbitrary image files on the server. | ||||
| CVE-2025-12847 | 2 Smub, Wordpress | 2 All In One Seo, Wordpress | 2025-11-18 | 4.3 Medium |
| The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized arbitrary media attachment deletion due to a missing authorization check in all versions up to, and including, 4.8.9. This is due to the REST API endpoint `/wp-json/aioseo/v1/ai/image-generator` only verifying that users have the `edit_posts` capability (Contributors and above) without checking if they own or have permission to delete the specific media attachments. This makes it possible for authenticated attackers, with Contributor-level access and above, to permanently delete arbitrary media attachments by ID via the REST API, granted they can determine valid attachment IDs. | ||||
| CVE-2025-12482 | 1 Wordpress | 1 Wordpress | 2025-11-18 | 7.5 High |
| The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to SQL Injection via the ‘search’ parameter in all versions up to, and including, 1.2.35 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||