Filtered by vendor Wordpress
Subscriptions
Total
7214 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-12788 | 2 Themefic, Wordpress | 2 Hydra Booking, Wordpress | 2025-11-14 | 5.3 Medium |
| The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to missing payment verification to unauthenticated payment bypass in all versions up to, and including, 1.1.27. This is due to the plugin accepting client-controlled payment confirmation data in the tfhb_meeting_paypal_payment_confirmation_callback function without server-side verification with PayPal's API. This makes it possible for unauthenticated attackers to bypass payment requirements and confirm bookings as paid without any actual payment transaction occurring. | ||||
| CVE-2025-12846 | 2 Creativethemes, Wordpress | 2 Blocksy Companion, Wordpress | 2025-11-14 | 8.8 High |
| The Blocksy Companion plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 2.1.19. This is due to insufficient file type validation detecting SVG files, allowing double extension files to bypass sanitization while being accepted as a valid SVG file. This makes it possible for authenticated attackers, with author level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-12901 | 2 Asgaros, Wordpress | 2 Asgaros Forum, Wordpress | 2025-11-14 | 4.3 Medium |
| The Asgaros Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.1. This is due to missing nonce validation on the set_subscription_level() function. This makes it possible for unauthenticated attackers to modify the subscription settings of authenticated users via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link. | ||||
| CVE-2025-12633 | 2 Stellarwp, Wordpress | 2 Booking Calendar, Wordpress | 2025-11-14 | 7.5 High |
| The Booking Calendar | Appointment Booking | Bookit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bookit/v1/commerce/stripe/return' REST API Endpoint in all versions up to, and including, 2.5.0. This makes it possible for unauthenticated attackers to connect their Stripe account and receive payments. | ||||
| CVE-2025-12113 | 1 Wordpress | 1 Wordpress | 2025-11-14 | 4.3 Medium |
| The Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the atgai_delete_api_key() function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the API key connected to the site. | ||||
| CVE-2025-7663 | 2 Ovatheme, Wordpress | 2 Events Manager Plugin, Wordpress | 2025-11-13 | 6.5 Medium |
| The Ovatheme Events Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the /class-ovaem-ajax.php file in all versions up to, and including, 1.8.6. This makes it possible for unauthenticated attackers to delete ticket files, download tickets, and more. | ||||
| CVE-2025-9587 | 1 Wordpress | 1 Wordpress | 2025-11-13 | 8.6 High |
| The CTL Behance Importer Lite WordPress plugin through 1.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. | ||||
| CVE-2025-9111 | 2 Quantumcloud, Wordpress | 2 Wpbot, Wordpress | 2025-11-13 | 3.5 Low |
| The AI ChatBot for WordPress WordPress plugin before 7.1.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2025-8889 | 1 Wordpress | 2 Compress And Upload Plugin, Wordpress | 2025-11-13 | 3.8 Low |
| The Compress & Upload WordPress plugin before 1.0.5 does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup) | ||||
| CVE-2025-8282 | 2 Sureforms, Wordpress | 2 Sureforms, Wordpress | 2025-11-13 | 3.5 Low |
| The SureForms WordPress plugin before 1.9.1 does not sanitise and escape some parameters when outputing them in the page, which could allow admin and above users to perform Cross-Site Scripting attacks. | ||||
| CVE-2024-5200 | 1 Wordpress | 1 Wordpress | 2025-11-13 | 4.8 Medium |
| The Postie WordPress plugin before 1.9.71 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2025-49956 | 1 Wordpress | 1 Wordpress | 2025-11-13 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Anandaraj Balu Fade Slider fade-slider allows Reflected XSS.This issue affects Fade Slider: from n/a through <= 2.5. | ||||
| CVE-2025-49955 | 1 Wordpress | 1 Wordpress | 2025-11-13 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rajan Vijayan WP Smart Flexslider wp-smart-flexslider allows Reflected XSS.This issue affects WP Smart Flexslider: from n/a through <= 2.5. | ||||
| CVE-2025-49952 | 2 Favethemes, Wordpress | 2 Houzez, Wordpress | 2025-11-13 | 6.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in favethemes Houzez houzez allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Houzez: from n/a through <= 4.1.1. | ||||
| CVE-2025-49951 | 2 Gappointments, Wordpress | 2 Gappointments, Wordpress | 2025-11-13 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpcrunch gAppointments gAppointments allows Reflected XSS.This issue affects gAppointments: from n/a through <= 1.14.1. | ||||
| CVE-2025-49950 | 2 Official Integration For Billingo Project, Wordpress | 2 Official Integration For Billingo, Wordpress | 2025-11-13 | 7.3 High |
| Missing Authorization vulnerability in billingo Official Integration for Billingo billingo allows Privilege Escalation.This issue affects Official Integration for Billingo: from n/a through <= 4.2.5. | ||||
| CVE-2025-49949 | 1 Wordpress | 1 Wordpress | 2025-11-13 | 5.5 Medium |
| Missing Authorization vulnerability in templazee Templazee templazee allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Templazee: from n/a through <= 1.0.2. | ||||
| CVE-2025-11855 | 1 Wordpress | 1 Wordpress | 2025-11-13 | 7.5 High |
| The age-restriction WordPress plugin through 3.0.2 does not have authorisation in the age_restrictionRemoteSupportRequest function, allowing any authenticated users, such as subscriber to create an admin user with a hardcoded username and arbitrary password. | ||||
| CVE-2025-11560 | 1 Wordpress | 1 Wordpress | 2025-11-13 | 4.8 Medium |
| The Team Members Showcase WordPress plugin before 3.5.0 does not sanitize and escape a parameter before outputting it back in the page, leading to reflected cross-site scripting, which could be used against high-privilege users such as admins. | ||||
| CVE-2025-11307 | 2 Wordpress, Wpgmaps | 2 Wordpress, Wp Go Maps | 2025-11-13 | 8.8 High |
| The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later retrieved from another AJAX call and output unescaped. | ||||