Filtered by vendor: Wordpress
Filtered by product: Wordpress
Total: 4898 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2025-7726 | Dream-theme, Wordpress | The7, Wordpress | 2025-08-12 | 6.4 Medium | The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via its lightbox rendering code in all versions up to, and including, 12.6.0 due to insufficient input sanitization and output escaping. The theme's JavaScript reads user-supplied 'title' and 'data-dt-img-description' attributes directly via jQuery.attr(), concatenates them into an HTML string, and inserts that string into the DOM using methods such as jQuery.html() without escaping or filtering. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
CVE-2025-7965 | Wordpress | Wordpress | 2025-08-12 | 4.3 Medium | The CBX Restaurant Booking WordPress plugin through 1.2.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. |
CVE-2024-4361 | Siteorigin, Wordpress | Page Builder, Wordpress | 2025-08-12 | 6.4 Medium | The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siteorigin_widget' shortcode in all versions up to, and including, 2.29.15 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
CVE-2025-54050 | Cyberchimps, Wordpress | Responsive Addons For Elementor, Wordpress | 2025-08-11 | 6.5 Medium | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CyberChimps Responsive Addons for Elementor allows Stored XSS. This issue affects Responsive Addons for Elementor: from n/a through 1.7.3. |
CVE-2025-4370 | Brizy, Wordpress | Brizy, Brizy-page Builder, Wordpress | 2025-08-11 | 5.3 Medium | The Brizy – Page Builder plugin for WordPress is vulnerable to limited file uploads due to missing authorization on the process_external_asset_urls function as well as missing path validation in the store_file function in all versions up to, and including, 2.6.20. This makes it possible for unauthenticated attackers to upload .TXT files to the affected site's server. |
CVE-2025-5084 | Addonmaster, Wordpress | Post Grid Master, Wordpress | 2025-08-11 | 6.1 Medium | The Post Grid Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'argsArray['read_more_text']' parameter in all versions up to, and including, 3.4.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. |
CVE-2025-26964 | Themewinter, Wordpress | Eventin, Wordpress | 2025-08-11 | 7.5 High | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themewinter Eventin allows PHP Local File Inclusion. This issue affects Eventin: from n/a through 4.0.20. |
CVE-2024-39648 | Themewinter, Wordpress | Eventin, Wordpress | 2025-08-11 | 5.9 Medium | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themewinter Eventin allows Stored XSS. This issue affects Eventin: from n/a through 4.0.5. |
CVE-2023-49756 | Themewinter, Wordpress | Eventin, Wordpress | 2025-08-11 | 5.4 Medium | Missing Authorization vulnerability in Themewinter Eventin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Eventin: from n/a through 3.3.52. |
CVE-2024-56213 | Themewinter, Wordpress | Eventin, Wordpress | 2025-08-11 | 6.5 Medium | Path Traversal: '.../...//' vulnerability in Themewinter Eventin allows Path Traversal. This issue affects Eventin: from n/a through 4.0.7. |
CVE-2024-12047 | Wordpress, Wpcompress | Wordpress, Wp Compress | 2025-08-11 | 6.1 Medium | The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'custom_server' parameter in all versions up to, and including, 6.30.03 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. |
CVE-2025-2780 | Wofficeio, Wordpress, Xtendify | Woffice Core, Wordpress, Woffice | 2025-08-08 | 8.8 High | The Woffice Core plugin for WordPress, used by the Woffice Theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'saveFeaturedImage' function in all versions up to, and including, 5.4.21. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files to the affected site's server, which may make remote code execution possible. |
CVE-2025-2797 | Wofficeio, Wordpress, Xtendify | Woffice Core, Wordpress, Woffice | 2025-08-08 | 5.4 Medium | The Woffice Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.4.21. This is due to missing or incorrect nonce validation on the 'woffice_handle_user_approval_actions' function. This makes it possible for unauthenticated attackers to approve registration for any user via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. |
CVE-2025-2807 | Stylemixthemes, Wordpress | Motors - Car Dealer, Classifieds & Listing, Wordpress | 2025-08-08 | 8.8 High | The Motors – Car Dealership & Classified Listings Plugin for WordPress is vulnerable to arbitrary plugin installation due to a missing capability check in the mvl_setup_wizard_install_plugin() function in all versions up to, and including, 1.4.64. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins on the affected site's server, which may make remote code execution possible. |
CVE-2025-2808 | Stylemixthemes, Wordpress | Motors - Car Dealer, Classifieds & Listing, Wordpress | 2025-08-08 | 5.4 Medium | The Motors – Car Dealership & Classified Listings Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Phone Number parameter in all versions up to, and including, 1.4.63 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
CVE-2025-3437 | Stylemixthemes, Wordpress | Motors - Car Dealer, Classifieds & Listing, Wordpress | 2025-08-08 | 4.3 Medium | The Motors – Car Dealership & Classified Listings Plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in the ajax_actions.php file in all versions up to, and including, 1.4.66. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute several initial set-up actions. |
CVE-2024-31308 | Vjinfotech, Wordpress | Wp Import Export Lite, Wordpress | 2025-08-08 | 4.4 Medium | Deserialization of Untrusted Data vulnerability in VJInfotech WP Import Export Lite. This issue affects WP Import Export Lite: from n/a through 3.9.26. |
CVE-2025-2839 | Vjinfotech, Wordpress | Wp Import Export Lite, Wordpress | 2025-08-07 | 6.4 Medium | The WP Import Export Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpiePreviewData' function in all versions up to, and including, 3.9.27 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
CVE-2012-10025 | Advanced Custom Fields, Wordpress | Advanced Custom Fields Wordpress Plugin, Wordpress | 2025-08-07 | N/A | The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (default: Off), an unauthenticated attacker can exploit the acf_abspath POST parameter to include and execute arbitrary remote PHP code. This leads to remote code execution under the web server's context, allowing full compromise of the host. |
CVE-2012-10026 | Asset-manager, Wordpress | Asset-manager Wordpress Plugin, Wordpress | 2025-08-07 | N/A | The WordPress plugin Asset-Manager version 2.0 and below contains an unauthenticated arbitrary file upload vulnerability in upload.php. The endpoint fails to properly validate and restrict uploaded file types, allowing remote attackers to upload malicious PHP scripts to a predictable temporary directory. Once uploaded, the attacker can execute the file via a direct HTTP GET request, resulting in remote code execution under the web server's context. |
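Two input checks account for most of the non-XSS entries in this table: the include-path bugs (the missing path validation in store_file in CVE-2025-4370, the '.../...//' traversal in CVE-2024-56213, the local file inclusion in CVE-2025-26964, and the acf_abspath remote inclusion in CVE-2012-10025) and the upload bugs (the missing file type validation in saveFeaturedImage in CVE-2025-2780 and in upload.php in CVE-2012-10026). The following is an added example written for this page; it is not code from any of the plugins listed and does not depend on WordPress. The function names, the base directory, the allow-lists and every sample path and file are assumptions constructed for the demo; it needs PHP 8.0 or later with ext-fileinfo.

```php
<?php
declare(strict_types=1);
// Added example, not code from any plugin in the table above. It shows the two
// checks whose absence produces the include-path bugs (CVE-2025-4370 store_file,
// CVE-2024-56213 '.../...//', CVE-2025-26964, CVE-2012-10025 acf_abspath) and the
// upload bugs (CVE-2025-2780 saveFeaturedImage, CVE-2012-10026 upload.php).
// Function names, allow-lists and all sample inputs are assumptions for the demo.
// Requires PHP 8.0+ (str_contains / str_starts_with) and ext-fileinfo.

/**
 * Canonicalise $userPath under $baseDir; return the resolved path or null to reject.
 * The string checks run before realpath() because realpath() follows symlinks and
 * returns false for a path that does not exist yet, so it cannot be the only gate.
 */
function safe_local_path(string $baseDir, string $userPath): ?string
{
    // 1. Anything with a scheme (http://, php://, data:) is not a local file.
    //    With allow_url_include=On an http:// value here is the RFI of CVE-2012-10025.
    if ($userPath === '' || str_contains($userPath, "\0")
        || preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userPath)) {
        return null;
    }
    // 2. Refuse absolute paths: the caller chooses the root, not the request.
    if ($userPath[0] === '/' || $userPath[0] === '\\') {
        return null;
    }
    // 3. Refuse any segment made only of dots ("..", "...", "...."). The ".../...//"
    //    form matters because a single str_replace('../', '', $p) collapses it to
    //    "../", so a filter that strips "../" once is bypassed.
    foreach (preg_split('#[\\\\/]+#', $userPath) as $segment) {
        if ($segment !== '' && $segment !== '.' && trim($segment, '.') === '') {
            return null;
        }
    }
    // 4. Resolve and require containment; compare with a trailing separator so that
    //    /srv/app-old does not pass as being inside /srv/app.
    $base = realpath($baseDir);
    $real = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($real === false || !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $real;
}

/**
 * Accept an upload only if every extension is on the allow-list (so shell.php.jpg
 * and shell.jpg.php both fail) AND the bytes sniff as an allowed type.
 * The content check catches "<?php" inside a .txt: libmagic reports it as text/x-php.
 */
function upload_is_acceptable(string $originalName, string $bytes): bool
{
    $extAllow  = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];
    $mimeAllow = ['image/jpeg', 'image/png', 'image/gif', 'application/pdf', 'text/plain'];

    $parts = explode('.', strtolower(basename($originalName)));
    array_shift($parts);                      // drop the base name, keep every extension
    if ($parts === [] || array_diff($parts, $extAllow) !== []) {
        return false;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    return in_array($mime, $mimeAllow, true);
}

function run_demo(): void
{
    $base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wp_path_demo_' . getmypid();
    mkdir($base . '/templates', 0700, true);
    file_put_contents($base . '/templates/event.php', "<?php // constructed template\n");

    // Constructed inputs modelled on the descriptions in the table.
    $paths = [
        'templates/event.php',
        '../../../../etc/passwd',
        '.../...//.../...//etc/passwd',
        'http://attacker.example/shell.txt',
        'php://filter/convert.base64-encode/resource=wp-config.php',
    ];
    foreach ($paths as $p) {
        printf("%-62s -> %s\n", $p, safe_local_path($base, $p) ?? 'REJECTED');
    }

    // A minimal but well-formed PNG (signature + IHDR chunk), built inline.
    $ihdr = pack('NN', 1, 1) . "\x08\x06\x00\x00\x00";
    $png  = "\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR' . $ihdr . pack('N', crc32('IHDR' . $ihdr));
    $uploads = [
        ['logo.png',      $png],
        ['notes.txt',     "plain text only\n"],
        ['shell.php',     "<?php system(\$_GET['c']); ?>"],
        ['shell.php.jpg', "<?php system(\$_GET['c']); ?>"],
        ['shell.txt',     "<?php system(\$_GET['c']); ?>"],   // .txt but sniffs as text/x-php
    ];
    foreach ($uploads as [$name, $bytes]) {
        printf("%-14s -> %s\n", $name, upload_is_acceptable($name, $bytes) ? 'accepted' : 'rejected');
    }

    unlink($base . '/templates/event.php');
    rmdir($base . '/templates');
    rmdir($base);
}
run_demo();
```

Only the first path and the first two uploads pass. Inside a real plugin the same two gates map onto WordPress's own helpers: pass the request value through safe_local_path() (or an equivalent allow-list of template names) before any include/require, and route uploads through wp_check_filetype_and_ext() and wp_handle_upload() rather than move_uploaded_file(), so the core type checks and the uploads directory are used instead of a predictable temporary path.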