Filtered by vendor Wordpress
Subscriptions
Total
7191 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-54028 | 1 Wordpress | 1 Wordpress | 2025-08-21 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Saleswonder Team Tobias CF7 WOW Styler allows PHP Local File Inclusion. This issue affects CF7 WOW Styler: from n/a through 1.7.2. | ||||
| CVE-2025-49424 | 1 Wordpress | 1 Wordpress | 2025-08-21 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in diego.benna Essential Doo Components for Visual Composer allows DOM-Based XSS. This issue affects Essential Doo Components for Visual Composer: from n/a through 1.9. | ||||
| CVE-2025-53212 | 1 Wordpress | 1 Wordpress | 2025-08-21 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Revolution Video Player With Bottom Playlist allows Reflected XSS. This issue affects Revolution Video Player With Bottom Playlist: from n/a through 2.9.2. | ||||
| CVE-2025-49381 | 1 Wordpress | 1 Wordpress | 2025-08-21 | 9.6 Critical |
| Cross-Site Request Forgery (CSRF) vulnerability in ads.txt Guru ads.txt Guru Connect allows Cross Site Request Forgery. This issue affects ads.txt Guru Connect: from n/a through 1.1.1. | ||||
| CVE-2025-48297 | 2 Quantumcloud, Wordpress | 2 Simple Link Directory, Wordpress | 2025-08-21 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in quantumcloud Simple Link Directory allows Reflected XSS. This issue affects Simple Link Directory: from n/a through n/a. | ||||
| CVE-2025-53565 | 2 Radiustheme, Wordpress | 2 Widget For Google Reviews, Wordpress | 2025-08-21 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Widget for Google Reviews allows PHP Local File Inclusion. This issue affects Widget for Google Reviews: from n/a through 1.0.15. | ||||
| CVE-2025-54017 | 2 Cozmoslabs, Wordpress | 2 Paid Member Subscriptions, Wordpress | 2025-08-21 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Cozmoslabs Paid Member Subscriptions allows PHP Local File Inclusion. This issue affects Paid Member Subscriptions: from n/a through 2.15.4. | ||||
| CVE-2025-49428 | 1 Wordpress | 1 Wordpress | 2025-08-21 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dourou Cookie Warning allows Stored XSS. This issue affects Cookie Warning: from n/a through 1.3. | ||||
| CVE-2025-49412 | 1 Wordpress | 1 Wordpress | 2025-08-21 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in numixtech Page Transition allows Stored XSS. This issue affects Page Transition: from n/a through 1.3. | ||||
| CVE-2025-49406 | 2 Favethemes, Wordpress | 2 Houzez, Wordpress | 2025-08-21 | 5.3 Medium |
| Missing Authorization vulnerability in favethemes Houzez allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Houzez: from n/a through 4.1.1. | ||||
| CVE-2025-54055 | 1 Wordpress | 1 Wordpress | 2025-08-21 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Druco allows Reflected XSS. This issue affects Druco: from n/a through 1.5.2. | ||||
| CVE-2025-53194 | 2 Crocoblock, Wordpress | 2 Jetengine, Wordpress | 2025-08-21 | 8.5 High |
| Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Crocoblock JetEngine allows Code Injection. This issue affects JetEngine: from n/a through 3.7.0. | ||||
| CVE-2022-21661 | 3 Debian, Fedoraproject, Wordpress | 3 Debian Linux, Fedora, Wordpress | 2025-08-19 | 8 High |
| WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability. | ||||
| CVE-2025-8293 | 1 Wordpress | 1 Wordpress | 2025-08-18 | 6.4 Medium |
| The Intl DateTime Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘date’ parameter in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-49895 | 2 Ithemes, Wordpress | 2 Serverbuddy, Wordpress | 2025-08-18 | 8.8 High |
| Cross-Site Request Forgery (CSRF) vulnerability in iThemes ServerBuddy by PluginBuddy.Com allows Object Injection.This issue affects ServerBuddy by PluginBuddy.Com: from n/a through 1.0.5. | ||||
| CVE-2025-8113 | 1 Wordpress | 1 Wordpress | 2025-08-18 | 6.1 Medium |
| The Ebook Store WordPress plugin before 5.8015 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers. | ||||
| CVE-2025-8089 | 2 Mdempfle, Wordpress | 2 Advanced Iframe, Wordpress | 2025-08-18 | 5.4 Medium |
| The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'additional' parameter in version less than, or equal to, 2025.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-7664 | 2 Loword, Wordpress | 2 Al Pack, Wordpress | 2025-08-18 | 7.5 High |
| The AL Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the check_activate_permission() permission callback for the /wp-json/presslearn/v1/activate REST API endpoint in all versions up to, and including, 1.0.2. The callback reads the client-supplied Origin header and, after parsing, allows the request if it matches one of the trusted domains, without ever verifying user authentication, capabilities, or nonce tokens. This makes it possible for unauthenticated attackers to activate premium features by simply spoofing the Origin header. | ||||
| CVE-2025-7686 | 1 Wordpress | 1 Wordpress | 2025-08-18 | 6.1 Medium |
| The weichuncai(WP伪春菜) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the sm-options.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-7683 | 2 Janyksteenbeek, Wordpress | 2 Latestcheckins, Wordpress | 2025-08-18 | 6.1 Medium |
| The LatestCheckins plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1. This is due to missing or incorrect nonce validation on the 'LatestCheckins' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||