Filtered by vendor: WordPress
Total: 7191 CVEs
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-7441 | 2 Storychief, Wordpress | 2 Storychief, Wordpress | 2025-08-18 | 9.8 Critical |
| The StoryChief plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.0.42. This vulnerability occurs through the /wp-json/storychief/webhook REST-API endpoint that does not have sufficient filetype validation. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-7651 | 2 Earnware, Wordpress | 2 Connect, Wordpress | 2025-08-18 | 6.4 Medium |
| The Earnware Connect plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ew_hasrole' shortcode in all versions up to, and including, 1.0.73 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-7649 | 2 Surbma, Wordpress | 2 Recent Comments Shortcode, Wordpress | 2025-08-18 | 6.4 Medium |
| The Surbma \| Recent Comments Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'recent-comments' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-6221 | 2 Luuptek, Wordpress | 2 Embed Bokun, Wordpress | 2025-08-18 | 6.4 Medium |
| The Embed Bokun plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ parameter in all versions up to, and including, 0.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-8143 | 2 Pencidesign, Wordpress | 2 Soledad, Wordpress | 2025-08-18 | 6.4 Medium |
| The Soledad theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pcsml_smartlists_h’ parameter in all versions up to, and including, 8.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-8142 | 2 Pencidesign, Wordpress | 2 Soledad, Wordpress | 2025-08-18 | 8.8 High |
| The Soledad theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.6.7 via the 'header_layout' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. | ||||
| CVE-2025-8105 | 2 Pencidesign, Wordpress | 2 Soledad, Wordpress | 2025-08-18 | 7.3 High |
| The Soledad theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.6.7. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | ||||
| CVE-2025-5998 | 2 Passwordprotectwp, Wordpress | 2 Password Protect Wordpress, Wordpress | 2025-08-18 | 6.5 Medium |
| The PPWP – Password Protect Pages WordPress plugin before version 1.9.11 lets site content be placed behind password authorization; however, users with the Subscriber role or higher can still read that content via the REST API. | ||||
| CVE-2025-49898 | 1 Wordpress | 1 Wordpress | 2025-08-18 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xolluteon Dropshix allows DOM-Based XSS. This issue affects Dropshix: from n/a through 4.0.14. | ||||
| CVE-2025-49432 | 1 Wordpress | 1 Wordpress | 2025-08-18 | 5.3 Medium |
| Missing Authorization vulnerability in FWDesign Ultimate Video Player allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Video Player: from n/a through 10.1. | ||||
| CVE-2025-49897 | 2 Gopiplus, Wordpress | 2 Vertical Scroll Slideshow Gallery V2, Wordpress | 2025-08-18 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus Vertical scroll slideshow gallery v2 allows Blind SQL Injection. This issue affects Vertical scroll slideshow gallery v2: from n/a through 9.1. | ||||
| CVE-2025-54679 | 2 Vertim, Wordpress | 2 Neon Channel Product Customizer Free, Wordpress | 2025-08-16 | 7.5 High |
| Missing Authorization vulnerability in vertim Neon Channel Product Customizer Free allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Neon Channel Product Customizer Free: from n/a through 2.0. | ||||
| CVE-2025-24766 | 2 Wordpress, Wp-royal-themes | 2 Wordpress, News Magazine X | 2025-08-16 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Royal Themes News Magazine X allows PHP Local File Inclusion. This issue affects News Magazine X: from n/a through 1.2.37. | ||||
| CVE-2025-54704 | 3 Elementor, Hashthemes, Wordpress | 3 Elementor, Easy Elementor Addons, Wordpress | 2025-08-16 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hashthemes Easy Elementor Addons allows DOM-Based XSS. This issue affects Easy Elementor Addons: from n/a through 2.2.6. | ||||
| CVE-2025-30635 | 2 Themeatelier, Wordpress | 2 Idonate, Wordpress | 2025-08-16 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeAtelier IDonatePro allows PHP Local File Inclusion. This issue affects IDonatePro: from n/a through 2.1.9. | ||||
| CVE-2025-30639 | 2 Themeatelier, Wordpress | 2 Idonate, Wordpress | 2025-08-16 | 7.5 High |
| Missing Authorization vulnerability in ThemeAtelier IDonatePro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects IDonatePro: from n/a through 2.1.9. | ||||
| CVE-2025-54691 | 2 Stylemix, Wordpress | 2 Motors, Wordpress | 2025-08-16 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Stylemix Motors allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Motors: from n/a through 1.4.80. | ||||
| CVE-2025-54699 | 2 Masteriyo, Wordpress | 2 Masteriyo, Wordpress | 2025-08-16 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in masteriyo Masteriyo - LMS allows Stored XSS. This issue affects Masteriyo - LMS: from n/a through 1.18.3. | ||||
| CVE-2025-52775 | 2 Ronik Unlimitedwp, Wordpress | 2 Project Cost Calculator, Wordpress | 2025-08-16 | 7.1 High |
| Missing Authorization vulnerability in Ronik@UnlimitedWP Project Cost Calculator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Project Cost Calculator: from n/a through 1.0.0. | ||||
| CVE-2025-49038 | 2 Soflyy, Wordpress | 2 Wp Dynamic Links, Wordpress | 2025-08-16 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soflyy WP Dynamic Links allows Reflected XSS. This issue affects WP Dynamic Links: from n/a through 1.0.1. | ||||
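The unauthenticated arbitrary-upload pattern behind CVE-2025-7441 (a REST endpoint with neither an authorization check nor file-type validation) is shown below as an added example; this is generic illustration code, not the StoryChief plugin's own code. The route `example/v1/webhook`, the `example_webhook_secret` option and the `X-Webhook-Signature` header are assumed names. The vulnerable registration and the hardened one sit side by side.

```php
<?php
// Added example, not the StoryChief plugin's code. Route, option and header names are assumed.

// Vulnerable pattern: reachable by anyone, writes any extension straight into uploads/.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/webhook-vuln', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',   // no authorization at all
        'callback'            => function ( WP_REST_Request $request ) {
            $file = $request->get_file_params()['attachment'] ?? null;
            if ( ! $file ) {
                return new WP_Error( 'rest_invalid_param', 'No attachment', array( 'status' => 400 ) );
            }
            // basename() stops traversal but not a .php upload into a web-served directory.
            $dest = wp_upload_dir()['basedir'] . '/' . basename( $file['name'] );
            move_uploaded_file( $file['tmp_name'], $dest );
            return rest_ensure_response( array( 'path' => $dest ) );
        },
    ) );
} );

// Hardened pattern: authorize in permission_callback, then validate the real file type.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/webhook', array(
        'methods'             => 'POST',
        'permission_callback' => 'example_webhook_permission',
        'callback'            => 'example_webhook_upload',
    ) );
} );

// Constant-time comparison of a shared secret presented by the webhook caller.
function example_webhook_permission( WP_REST_Request $request ) {
    $secret   = (string) get_option( 'example_webhook_secret', '' );
    $provided = (string) $request->get_header( 'X-Webhook-Signature' );
    if ( '' === $secret || '' === $provided || ! hash_equals( $secret, $provided ) ) {
        return new WP_Error( 'rest_forbidden', 'Bad webhook secret', array( 'status' => 401 ) );
    }
    return true;
}

function example_webhook_upload( WP_REST_Request $request ) {
    $file = $request->get_file_params()['attachment'] ?? null;
    if ( ! $file ) {
        return new WP_Error( 'rest_invalid_param', 'No attachment', array( 'status' => 400 ) );
    }

    // Allowlist of extension => MIME. Extension, declared MIME and magic bytes must agree;
    // a non-empty 'proper_filename' means core wanted to rename it, so reject instead.
    $allowed = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf' );
    $check   = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) || ! empty( $check['proper_filename'] ) ) {
        return new WP_Error( 'rest_invalid_param', 'File type not allowed', array( 'status' => 415 ) );
    }

    // Let core move the file: it re-checks against the same allowlist and sanitizes the name.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $moved = wp_handle_sideload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $moved['error'] ) ) {
        return new WP_Error( 'rest_upload_failed', $moved['error'], array( 'status' => 400 ) );
    }
    return rest_ensure_response( array( 'url' => $moved['url'] ) );
}
```

`permission_callback` is the only place the REST layer asks about authorization; `'__return_true'` is appropriate for genuinely public read endpoints and nothing else. The Missing Authorization entries on this page (CVE-2025-49432, CVE-2025-54679, CVE-2025-30639, CVE-2025-52775) are the same class of defect on endpoints or actions that never ask the question at all.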
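Four entries above (CVE-2025-7651, CVE-2025-7649, CVE-2025-6221, CVE-2025-8143) share one mechanism: a shortcode or block attribute that a Contributor can write is echoed into HTML without escaping. Contributors lack `unfiltered_html`, but `wp_kses` treats `[shortcode ...]` as plain text, so the attribute survives save and the handler injects it at render time. The added example below is not any of those plugins' code; the shortcode name `example_box` and its attributes are assumed.

```php
<?php
// Added example, not the listed plugins' code. Shortcode and attribute names are assumed.

// Vulnerable: attributes go straight into markup. A Contributor saving
//   [example_box_vuln align='left" onmouseover="alert(1)' title="x"]
// produces <div class="box left" onmouseover="alert(1)"> for every viewer once published.
add_shortcode( 'example_box_vuln', function ( $atts ) {
    $atts = shortcode_atts( array( 'align' => 'left', 'title' => '' ), $atts );
    return '<div class="box ' . $atts['align'] . '"><h3>' . $atts['title'] . '</h3></div>';
} );

// Hardened: allowlist attributes with a small value domain, sanitize free text on the
// way in, and escape for the exact output context (attribute, text node, URL) on the way out.
add_shortcode( 'example_box', function ( $atts ) {
    $atts = shortcode_atts(
        array( 'align' => 'left', 'title' => '', 'link' => '' ),
        $atts,
        'example_box'
    );

    // 'align' only ever takes three values: map it, do not try to escape it.
    $align = in_array( $atts['align'], array( 'left', 'center', 'right' ), true )
        ? $atts['align']
        : 'left';

    $title = sanitize_text_field( $atts['title'] ); // strips tags, octets and line breaks
    $link  = esc_url( $atts['link'] );             // drops javascript: and other unsafe schemes

    $html  = '<div class="box ' . esc_attr( $align ) . '">';
    $html .= '<h3>' . esc_html( $title ) . '</h3>';
    if ( '' !== $link ) {
        $html .= '<a href="' . $link . '">' . esc_html__( 'Read more', 'example' ) . '</a>';
    }
    return $html . '</div>';
} );
```

The test that matters is not whether the handler strips `<script>` but whether a value can close the attribute it lands in: the single-quoted shortcode value above contains a double quote for exactly that reason. `esc_attr()` for attributes, `esc_html()` for text, `esc_url()` for `href`/`src`, and `wp_kses_post()` only where real HTML must be allowed.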
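The two Soledad entries CVE-2025-8142 (Local File Inclusion via `header_layout`) and CVE-2025-8105 (unauthenticated `do_shortcode` on an unvalidated value) are different sinks reached by the same mistake: a request-controlled string is used as program structure. The added example below is generic theme code, not Soledad's; the layout names, the `example_load_more` AJAX action and its nonce are assumed.

```php
<?php
// Added example, not the Soledad theme's code. Layout, action and nonce names are assumed.

// ---- Sink 1: untrusted value inside an include path (Local File Inclusion) ----

// Vulnerable: from wp-content/themes/<theme>/inc/headers/, a value such as
//   ../../../../uploads/2025/08/avatar
// resolves to wp-content/uploads/2025/08/avatar.php, so any .php that reached the
// uploads directory (see the arbitrary-upload entries on this page) is executed.
function example_render_header_vuln( $header_layout ) {
    include get_template_directory() . '/inc/headers/' . $header_layout . '.php';
}

// Hardened: the untrusted value selects from a fixed map and never becomes a path.
function example_render_header( $header_layout ) {
    $layouts = array(
        'default'  => 'inc/headers/default.php',
        'centered' => 'inc/headers/centered.php',
        'minimal'  => 'inc/headers/minimal.php',
    );
    $key = sanitize_key( $header_layout );           // lowercases, keeps only [a-z0-9_-]
    if ( ! isset( $layouts[ $key ] ) ) {
        $key = 'default';                            // unknown value: fail to the safe default
    }
    locate_template( $layouts[ $key ], true, false ); // child theme first, then parent; no require_once
}

// ---- Sink 2: untrusted value passed to do_shortcode (arbitrary shortcode execution) ----

// Vulnerable: an anonymous AJAX action renders whatever the request supplies, so every
// shortcode registered by every active plugin is reachable without logging in.
add_action( 'wp_ajax_nopriv_example_load_more_vuln', function () {
    echo do_shortcode( wp_unslash( $_POST['content'] ?? '' ) );
    wp_die();
} );

// Hardened: never hand request data to do_shortcode. Accept only the ID of content that
// already exists on the server and was saved under its author's capability checks.
add_action( 'wp_ajax_example_load_more', 'example_load_more' );
add_action( 'wp_ajax_nopriv_example_load_more', 'example_load_more' );
function example_load_more() {
    check_ajax_referer( 'example_load_more', 'nonce' );   // CSRF only; not an authorization check
    $post = get_post( absint( $_POST['post_id'] ?? 0 ) );
    if ( ! $post || ! is_post_publicly_viewable( $post ) ) {
        wp_send_json_error( 'not allowed', 403 );
    }
    // Shortcodes inside stored content were vetted at save time; request parameters were not.
    wp_send_json_success( apply_filters( 'the_content', $post->post_content ) );
}
```

`sanitize_key()` alone does not prevent the include bug (it still accepts `default`, and a theme that accepted arbitrary keys would still build a path from them); the map is what removes the attacker's control over the file name. Likewise the nonce in the second handler is there for CSRF, not authorization: a nonce is issued to anonymous visitors too, which is why the check on the post's visibility stays.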
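CVE-2025-49897 is a blind SQL injection, the variant where the application shows no query output and the attacker instead asks yes/no questions through timing or a changed page. The added example below is not the gopiplus plugin's code; the `example_gallery` table, the `gallery_id` parameter and the column names are assumed. It shows a concatenated query beside the same query through `$wpdb->prepare()`, plus the `LIKE` case that `prepare()` alone does not cover.

```php
<?php
// Added example, not the gopiplus plugin's code. Table and column names are assumed.

// Vulnerable: the request value is spliced into SQL. Even with no rows or errors
// displayed, a condition appended to the value changes the response (or its timing),
// which is all a blind injection needs to read the database one bit at a time.
function example_get_gallery_vuln( $gallery_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_gallery';
    return $wpdb->get_results( "SELECT * FROM {$table} WHERE gallery_id = " . $gallery_id );
}

// Hardened: identifiers come from code, every value goes through prepare().
// %d forces an integer, %s is quoted and escaped by the driver.
function example_get_gallery( $gallery_id, $status = 'published' ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_gallery';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, title, image_url FROM {$table}
             WHERE gallery_id = %d AND status = %s
             ORDER BY sort_order ASC",
            absint( $gallery_id ),
            $status
        )
    );
}

// LIKE is the caveat: prepare() escapes quotes but not the wildcards % and _, so a
// search term of "%" would match everything. esc_like() neutralizes the wildcards first.
function example_search_gallery( $term ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'example_gallery';
    $pattern = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, title FROM {$table} WHERE title LIKE %s", $pattern )
    );
}
```

Table names are interpolated here because they come from `$wpdb->prefix` plus a literal; on WordPress 6.2 and later the `%i` placeholder lets `prepare()` quote identifiers as well, which is the better choice when a table or column name is ever derived from configuration.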