Export limit exceeded: 351104 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (12184 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-6238 | 2 Meowapps, Wordpress | 2 Ai Engine, Wordpress | 2025-08-13 | 8 High |
| The AI Engine plugin for WordPress is vulnerable to open redirect in version 2.8.4. This is due to an insecure OAuth implementation, as the 'redirect_uri' parameter is missing validation during the authorization flow. This makes it possible for unauthenticated attackers to intercept the authorization code and obtain an access token by redirecting the user to an attacker-controlled URI. Note: OAuth is disabled, the 'Meow_MWAI_Labs_OAuth' class is not loaded in the plugin in the patched version 2.8.5. | ||||
| CVE-2024-11205 | 2 Wordpress, Wpforms | 2 Wordpress, Wpforms | 2025-08-12 | 8.5 High |
| The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpforms_is_admin_page' function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions. | ||||
| CVE-2024-39648 | 2 Themewinter, Wordpress | 2 Eventin, Wordpress | 2025-08-11 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themewinter Eventin allows Stored XSS.This issue affects Eventin: from n/a through 4.0.5. | ||||
| CVE-2025-5921 | 2 Brainstormforce, Wordpress | 2 Sureforms, Wordpress | 2025-08-06 | 5.8 Medium |
| The SureForms WordPress plugin before 1.7.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both authenticated and unauthenticated users. | ||||
| CVE-2025-7504 | 2 Alex.kirk, Wordpress | 2 Friends, Wordpress | 2025-08-02 | 7.5 High |
| The Friends plugin for WordPress is vulnerable to PHP Object Injection in version 3.5.1 via deserialization of untrusted input of the query_vars parameter This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This requires access to the sites SALT_NONCE and and SALT_KEY to exploit. | ||||
| CVE-2025-2876 | 2 Melapress, Wordpress | 2 Melapress Login Security, Wordpress | 2025-07-17 | 5.3 Medium |
| The MelaPress Login Security and MelaPress Login Security Premium plugins for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'monitor_admin_actions' function in version 2.1.0. This makes it possible for unauthenticated attackers to delete any user. | ||||
| CVE-2025-2942 | 2 Tychesoftwares, Wordpress | 2 Order Delivery Date For Woocommerce, Wordpress | 2025-07-17 | 4.3 Medium |
| The Order Delivery Date WordPress plugin before 12.6.0 discloses arbitrary post title (such as from draft and private posts) via an unauthenticated AJAX action, allowing attackers to retrieve such information | ||||
| CVE-2025-6688 | 2 Idokd, Wordpress | 2 Simple Payment, Wordpress | 2025-07-13 | 9.8 Critical |
| The Simple Payment plugin for WordPress is vulnerable to Authentication Bypass in versions 1.3.6 to 2.3.8. This is due to the plugin not properly verifying a user's identity prior to logging them in through the create_user() function. This makes it possible for unauthenticated attackers to log in as administrative users. | ||||
| CVE-2025-5194 | 2 Wordpress, Wp Map Block Project | 2 Wordpress, Wp Map Block | 2025-07-13 | 4.8 Medium |
| The WP Map Block WordPress plugin before 2.0.3 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2024-37253 | 2 Wordpress, Wpdirectorykit | 2 Wordpress, Wp Directory Kit | 2025-07-13 | 2.7 Low |
| Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in WpDirectoryKit WP Directory Kit allows Code Injection.This issue affects WP Directory Kit: from n/a through 1.3.6. | ||||
| CVE-2023-41955 | 2 Wordpress, Wpdeveloper | 2 Wordpress, Essential Addons For Elementor | 2025-07-12 | 8.8 High |
| Improper Privilege Management vulnerability in WPDeveloper Essential Addons for Elementor allows Privilege Escalation.This issue affects Essential Addons for Elementor: from n/a through 5.8.8. | ||||
| CVE-2023-48318 | 2 Codepeople, Wordpress | 2 Contact Form Email, Wordpress | 2025-07-12 | 5.3 Medium |
| Improper Restriction of Excessive Authentication Attempts vulnerability in CodePeople Contact Form Email allows Functionality Bypass.This issue affects Contact Form Email: from n/a through 1.3.41. | ||||
| CVE-2022-45374 | 2 Wordpress, Yarpp | 2 Wordpress, Yarpp | 2025-07-12 | 7.7 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in YARPP allows PHP Local File Inclusion.This issue affects YARPP: from n/a through 5.30.4. | ||||
| CVE-2024-38705 | 2 Elementinvader, Wordpress | 2 Elementinvader Addons For Elementor, Wordpress | 2025-07-12 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ElementInvader ElementInvader Addons for Elementor allows Stored XSS.This issue affects ElementInvader Addons for Elementor: from n/a through 1.2.4. | ||||
| CVE-2024-43133 | 2 Themify, Wordpress | 2 Themify Shortcodes, Wordpress | 2025-07-12 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themify Themify Shortcodes allows Stored XSS.This issue affects Themify Shortcodes: from n/a through 2.1.1. | ||||
| CVE-2023-28494 | 2 Codepeople, Wordpress | 2 Contact Form Email, Wordpress | 2025-07-12 | 4.3 Medium |
| Missing Authorization vulnerability in CodePeople Contact Form Email allows Functionality Misuse.This issue affects Contact Form Email: from n/a through 1.3.31. | ||||
| CVE-2022-43504 | 1 Wordpress | 1 Wordpress | 2025-04-24 | 5.3 Medium |
| Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post by Email Feature. The developer also provides new patched releases for all versions since 3.7. | ||||
| CVE-2022-43500 | 1 Wordpress | 1 Wordpress | 2025-04-24 | 6.1 Medium |
| Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7. | ||||
| CVE-2022-43497 | 1 Wordpress | 1 Wordpress | 2025-04-24 | 6.1 Medium |
| Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. The developer also provides new patched releases for all versions since 3.7. | ||||
| CVE-2022-21664 | 3 Debian, Fedoraproject, Wordpress | 3 Debian Linux, Fedora, Wordpress | 2025-04-23 | 7.4 High |
| WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 4.1.34. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue. | ||||