Wordpress CVEs and Security Vulnerabilities

Filtered by vendor Wordpress Subscriptions

Filtered by product Wordpress Subscriptions

Search

Switch to Advanced Search (Beta)

Total 8957 CVE

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2025-22713	2 Vanquish, Wordpress	2 Woocommerce Orders Customers Exporter, Wordpress	2026-01-09	9.8 Critical
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in vanquish WooCommerce Orders & Customers Exporter woocommerce-orders-ei allows SQL Injection.This issue affects WooCommerce Orders & Customers Exporter: from n/a through <= 5.4.
CVE-2025-67934	2 Mikado-themes, Wordpress	2 Wellspring, Wordpress	2026-01-09	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wellspring wellspring allows PHP Local File Inclusion.This issue affects Wellspring: from n/a through < 2.8.
CVE-2025-67918	2 Wofficeio, Wordpress	2 Woffice Core, Wordpress	2026-01-09	6.1 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WofficeIO Woffice woffice allows Reflected XSS.This issue affects Woffice: from n/a through <= 5.4.30.
CVE-2025-68890	1 Wordpress	1 Wordpress	2026-01-09	6.1 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hands01 e-shops e-shops-cart2 allows DOM-Based XSS.This issue affects e-shops: from n/a through <= 1.0.4.
CVE-2025-68891	2 Ryan Sutana, Wordpress	2 Wp App Bar, Wordpress	2026-01-09	6.1 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Sutana WP App Bar wp-app-bar allows Reflected XSS.This issue affects WP App Bar: from n/a through <= 1.5.
CVE-2025-13504	2 E-plugins, Wordpress	2 Real Estate Pro, Wordpress	2026-01-09	6.1 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Real Estate Pro real-estate-pro allows Reflected XSS.This issue affects Real Estate Pro: from n/a through <= 2.1.4.
CVE-2025-68867	2 Anibalwainstein, Wordpress	2 Effect Maker, Wordpress	2026-01-09	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anibalwainstein Effect Maker effect-maker allows DOM-Based XSS.This issue affects Effect Maker: from n/a through <= 1.2.1.
CVE-2025-14359	1 Wordpress	1 Wordpress	2026-01-09	9.8 Critical
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in brandexponents Oshine oshin allows PHP Local File Inclusion.This issue affects Oshine: from n/a through <= 7.2.7.
CVE-2025-67936	2 Mikado-themes, Wordpress	2 Curly, Wordpress	2026-01-09	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly curly allows PHP Local File Inclusion.This issue affects Curly: from n/a through < 3.3.
CVE-2025-67921	1 Wordpress	1 Wordpress	2026-01-09	9.8 Critical
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VanKarWai Lobo lobo allows Blind SQL Injection.This issue affects Lobo: from n/a through < 2.8.6.
CVE-2025-23993	1 Wordpress	1 Wordpress	2026-01-09	9.8 Critical
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RiceTheme Felan Framework felan-framework allows SQL Injection.This issue affects Felan Framework: from n/a through <= 1.1.3.
CVE-2025-69169	2 Noor Alam, Wordpress	2 Easy Media Download, Wordpress	2026-01-09	N/A
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Noor Alam Easy Media Download easy-media-download allows Reflection Injection.This issue affects Easy Media Download: from n/a through <= 1.1.11.
CVE-2026-22522	1 Wordpress	1 Wordpress	2026-01-09	6.5 Medium
Missing Authorization vulnerability in Munir Kamal Block Slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Block Slider: from n/a through 2.2.3.
CVE-2026-22521	1 Wordpress	1 Wordpress	2026-01-09	7.5 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in G5Theme Handmade Framework allows PHP Local File Inclusion.This issue affects Handmade Framework: from n/a through 3.9.
CVE-2026-22518	2 Pencilwp, Wordpress	2 X Addons For Elementor, Wordpress	2026-01-09	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pencilwp X Addons for Elementor allows DOM-Based XSS.This issue affects X Addons for Elementor: from n/a through 1.0.23.
CVE-2026-22487	1 Wordpress	1 Wordpress	2026-01-09	4.3 Medium
Missing Authorization vulnerability in baqend Speed Kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Speed Kit: from n/a through 2.0.2.
CVE-2026-22517	2 Passionate Brains, Wordpress	2 Ga4wp, Wordpress	2026-01-09	5.4 Medium
Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GA4WP: Google Analytics for WordPress: from n/a through 2.10.0.
CVE-2025-9318	2 Expresstech, Wordpress	2 Quiz And Survey Master, Wordpress	2026-01-09	6.5 Medium
The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to time-based SQL Injection via the ‘is_linking’ parameter in all versions up to, and including, 10.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2026-22488	1 Wordpress	1 Wordpress	2026-01-09	5.3 Medium
Missing Authorization vulnerability in IdeaBox Creations Dashboard Welcome for Beaver Builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Dashboard Welcome for Beaver Builder: from n/a through 1.0.8.
CVE-2026-22519	1 Wordpress	1 Wordpress	2026-01-09	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddyDev MediaPress allows Stored XSS.This issue affects MediaPress: from n/a through 1.6.2.

« first previous Page 6 of 448. next last »