Filtered by vendor Wordpress
Subscriptions
Total
8371 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-60060 | 2 Axiomthemes, Wordpress | 2 Pubzinne, Wordpress | 2025-12-23 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Pubzinne pubzinne allows PHP Local File Inclusion.This issue affects Pubzinne: from n/a through <= 1.0.12. | ||||
| CVE-2025-60059 | 2 Axiomthemes, Wordpress | 2 Smartseo, Wordpress | 2025-12-23 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes smart SEO smartSEO allows PHP Local File Inclusion.This issue affects smart SEO: from n/a through <= 2.12. | ||||
| CVE-2025-58950 | 2 Axiomthemes, Wordpress | 2 Lione, Wordpress | 2025-12-23 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Lione lione allows PHP Local File Inclusion.This issue affects Lione: from n/a through <= 1.16. | ||||
| CVE-2025-58949 | 2 Axiomthemes, Wordpress | 2 Spock, Wordpress | 2025-12-23 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Spock spock allows PHP Local File Inclusion.This issue affects Spock: from n/a through <= 1.17. | ||||
| CVE-2025-60067 | 2 Axiomthemes, Wordpress | 2 Giardino, Wordpress | 2025-12-23 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Giardino giardino allows PHP Local File Inclusion.This issue affects Giardino: from n/a through <= 1.1.10. | ||||
| CVE-2025-60066 | 2 Axiomthemes, Wordpress | 2 Katelyn, Wordpress | 2025-12-23 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Katelyn katelyn allows PHP Local File Inclusion.This issue affects Katelyn: from n/a through <= 1.0.10. | ||||
| CVE-2025-60064 | 2 Axiomthemes, Wordpress | 2 Renewal, Wordpress | 2025-12-23 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Renewal renewal allows PHP Local File Inclusion.This issue affects Renewal: from n/a through <= 1.2.2. | ||||
| CVE-2025-60063 | 2 Axiomthemes, Wordpress | 2 Rosalinda, Wordpress | 2025-12-23 | 8.2 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Rosalinda rosalinda allows PHP Local File Inclusion.This issue affects Rosalinda: from n/a through <= 1.2.3. | ||||
| CVE-2025-60065 | 2 Axiomthemes, Wordpress | 2 Pinevale, Wordpress | 2025-12-23 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Pinevale pinevale allows PHP Local File Inclusion.This issue affects Pinevale: from n/a through <= 1.0.14. | ||||
| CVE-2025-9083 | 2 Ninjaforms, Wordpress | 2 Ninja Forms, Wordpress | 2025-12-23 | 9.8 Critical |
| The Ninja Forms WordPress plugin before 3.11.1 unserializes user input via form field, which could allow Unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog. | ||||
| CVE-2025-10498 | 2 Ninjaforms, Wordpress | 2 Ninja Forms, Wordpress | 2025-12-23 | 4.3 Medium |
| The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.12.0. This is due to missing or incorrect nonce validation when exporting CSV files. This makes it possible for unauthenticated attackers to delete those files granted they can trick an administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-10499 | 2 Ninjaforms, Wordpress | 2 Ninja Forms, Wordpress | 2025-12-23 | 4.3 Medium |
| The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.12.0. This is due to missing or incorrect nonce validation on the maybe_opt_in() function. This makes it possible for unauthenticated attackers to opt an affected site into usage statistics collection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2019-25216 | 2 Starfish, Wordpress | 2 Rich Review, Wordpress | 2025-12-23 | 7.2 High |
| The Rich Review plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the POST body 'update' parameter in versions up to, and including, 1.7.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2017-20206 | 2 Wordpress, Wpmudev | 2 Wordpress, Appointments | 2025-12-23 | 9.8 Critical |
| The Appointments plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.2.1 via deserialization of untrusted input from the `wpmudev_appointments` cookie. This allows unauthenticated attackers to inject a PHP Object. Attackers were actively exploiting this vulnerability with the WP_Theme() class to create backdoors. | ||||
| CVE-2015-10133 | 2 Markjaquith, Wordpress | 2 Subscribe To Comments, Wordpress | 2025-12-23 | 7.2 High |
| The Subscribe to Comments for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.1.2 via the Path to header value. This allows authenticated attackers, with administrative privileges and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. This same function can also be used to execute arbitrary PHP code. | ||||
| CVE-2020-36849 | 2 Ait-themes, Wordpress | 2 Ait Cvs Import Export, Wordpress | 2025-12-23 | 9.8 Critical |
| The AIT CSV import/export plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /wp-content/plugins/ait-csv-import-export/admin/upload-handler.php file in versions up to, and including, 3.0.3. This makes it possible for unauthorized attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | ||||
| CVE-2025-60131 | 1 Wordpress | 1 Wordpress | 2025-12-23 | 5.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoefff Werk aan de Muur werk-aan-de-muur allows Stored XSS.This issue affects Werk aan de Muur: from n/a through <= 1.5. | ||||
| CVE-2025-7782 | 2 Wordpress, Wp-jobhunt Project | 2 Wordpress, Wp-jobhunt | 2025-12-23 | 7.6 High |
| The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to unauthorized modification of data due to a missing capability check on the 'cs_update_application_status_callback' function in all versions up to, and including, 7.7. This makes it possible for authenticated attackers, with Candidate-level access and above, to inject cross-site scripting into the 'status' parameter of applied jobs for any user. | ||||
| CVE-2025-7733 | 2 Wordpress, Wp-jobhunt Project | 2 Wordpress, Wp-jobhunt | 2025-12-23 | 4.3 Medium |
| The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the 'cs_update_application_status_callback' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Candidate-level access and above, to send a site-generated email with injected HTML to any user. | ||||
| CVE-2025-14298 | 3 Fibosearch, Woocommerce, Wordpress | 3 Fibosearch, Woocommerce, Wordpress | 2025-12-23 | 5.4 Medium |
| The FiboSearch – Ajax Search for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `thegem_te_search` shortcode in all versions up to, and including, 1.32.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability requires TheGem theme (premium) to be installed with Header Builder mode enabled, and the FiboSearch "Replace search bars" option enabled for TheGem integration. | ||||