Wordpress CVEs and Security Vulnerabilities

Export limit exceeded: 351672 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Use the Query Builder to create your own search query, or check out the documentation to learn the search syntax.

Search Examples

CVEs in KEV CVEs with EPSS >= 80% Crit. Microsoft High Apache SQL Injection (CWE-89) Linux Kernel High (CVSS 3.1) Apache Struts RCE (Remote Code Execution) XSS (CWE-79) Critical (CVSS 4.0) CVEs to check

Search Results (12314 CVEs found)

Export CSV

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2026-27039	2 Aa-team, Wordpress	2 Wzone, Wordpress	2026-04-24	8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team WZone woozone allows Blind SQL Injection.This issue affects WZone: from n/a through <= 14.0.31.
CVE-2026-27045	2 Sbthemes, Wordpress	2 Woocommerce Infinite Scroll, Wordpress	2026-04-24	8.8 High
Deserialization of Untrusted Data vulnerability in sbthemes WooCommerce Infinite Scroll sb-woocommerce-infinite-scroll allows Object Injection.This issue affects WooCommerce Infinite Scroll: from n/a through <= 1.6.2.
CVE-2026-32482	2 Deothemes, Wordpress	2 Ona, Wordpress	2026-04-24	9.9 Critical
Unrestricted Upload of File with Dangerous Type vulnerability in deothemes Ona ona allows Upload a Web Shell to a Web Server.This issue affects Ona: from n/a through < 1.24.
CVE-2026-27075	2 Mikado-themes, Wordpress	2 Belfort, Wordpress	2026-04-24	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Belfort belfort allows PHP Local File Inclusion.This issue affects Belfort: from n/a through <= 1.0.
CVE-2026-2231	2 Techjewel, Wordpress	2 Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution, Wordpress	2026-04-24	7.2 High
The Fluent Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 2.0.01 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-25382	2 Jwsthemes, Wordpress	2 Idealauto, Wordpress	2026-04-24	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes IdealAuto idealauto allows PHP Local File Inclusion.This issue affects IdealAuto: from n/a through < 3.8.6.
CVE-2026-25398	2 Webilia, Wordpress	2 Vertex Addons For Elementor, Wordpress	2026-04-24	6.5 Medium
Missing Authorization vulnerability in Webilia Inc. Vertex Addons for Elementor addons-for-elementor-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Vertex Addons for Elementor: from n/a through <= 1.6.4.
CVE-2026-4331	2 Pr-gateway, Wordpress	2 Blog2social: Social Media Auto Post & Scheduler, Wordpress	2026-04-24	4.3 Medium
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized data loss in all versions up to, and including, 8.8.2. This is due to the resetSocialMetaTags() function only verifying that the user has the 'read' capability and a valid b2s_security_nonce, both of which are available to Subscriber-level users, as the plugin grants 'blog2social_access' capability to all roles upon activation, allowing them to access the plugin's admin pages where the nonce is output. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all _b2s_post_meta records from the wp_postmeta table, permanently removing all custom social media meta tags for every post on the site.
CVE-2026-32530	2 Wordpress, Wpfunnels	2 Wordpress, Creator Lms	2026-04-24	8.8 High
Incorrect Privilege Assignment vulnerability in WPFunnels Creator LMS creatorlms allows Privilege Escalation.This issue affects Creator LMS: from n/a through <= 1.1.18.
CVE-2026-32523	2 Denishua, Wordpress	2 Wpjam Basic, Wordpress	2026-04-24	9.9 Critical
Unrestricted Upload of File with Dangerous Type vulnerability in denishua WPJAM Basic wpjam-basic allows Using Malicious Files.This issue affects WPJAM Basic: from n/a through <= 6.9.2.
CVE-2026-32531	2 Gavias, Wordpress	2 Kunco, Wordpress	2026-04-24	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Kunco kunco allows PHP Local File Inclusion.This issue affects Kunco: from n/a through < 1.4.5.
CVE-2026-27049	2 Nootheme, Wordpress	2 Jobica Core, Wordpress	2026-04-24	9.8 Critical
Authentication Bypass Using an Alternate Path or Channel vulnerability in NooTheme Jobica Core jobica-core allows Authentication Abuse.This issue affects Jobica Core: from n/a through <= 1.4.2.
CVE-2026-25413	2 Iqonicdesign, Wordpress	2 Wpbookit Pro, Wordpress	2026-04-24	9.9 Critical
Unrestricted Upload of File with Dangerous Type vulnerability in iqonicdesign WPBookit Pro wpbookit-pro allows Using Malicious Files.This issue affects WPBookit Pro: from n/a through <= 1.6.18.
CVE-2026-25456	2 Aarsiv Groups, Wordpress	2 Automated Fedex Live/manual Rates With Shipping Labels, Wordpress	2026-04-24	7.3 High
Missing Authorization vulnerability in Aarsiv Groups Automated FedEx live/manual rates with shipping labels a2z-fedex-shipping allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Automated FedEx live/manual rates with shipping labels: from n/a through <= 5.1.9.
CVE-2026-31914	2 Hookandhook, Wordpress	2 Wp Courses Lms, Wordpress	2026-04-24	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hookandhook WP Courses LMS wp-courses allows DOM-Based XSS.This issue affects WP Courses LMS: from n/a through <= 3.2.26.
CVE-2026-25400	2 Thememount, Wordpress	2 Apicona, Wordpress	2026-04-24	8.8 High
Deserialization of Untrusted Data vulnerability in thememount Apicona apicona allows Object Injection.This issue affects Apicona: from n/a through <= 24.1.0.
CVE-2026-32502	2 Select-themes, Wordpress	2 Borgholm, Wordpress	2026-04-24	9.8 Critical
Deserialization of Untrusted Data vulnerability in Select-Themes Borgholm borgholm-marketing-agency-theme allows Object Injection.This issue affects Borgholm: from n/a through < 1.6.
CVE-2026-27082	2 Themerex, Wordpress	2 Love Story, Wordpress	2026-04-24	9.8 Critical
Deserialization of Untrusted Data vulnerability in ThemeREX Love Story lovestory allows Object Injection.This issue affects Love Story: from n/a through <= 1.3.12.
CVE-2026-32512	2 Edge-themes, Wordpress	2 Pelicula, Wordpress	2026-04-24	9.8 Critical
Deserialization of Untrusted Data vulnerability in Edge-Themes Pelicula pelicula-video-production-and-movie-theme allows Object Injection.This issue affects Pelicula: from n/a through < 1.10.
CVE-2026-25462	2 Avalex, Wordpress	2 Avalex, Wordpress	2026-04-24	6.5 Medium
Missing Authorization vulnerability in avalex avalex avalex allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects avalex: from n/a through <= 3.1.3.

« first previous Page 122 of 616. next last »