Export limit exceeded: 342110 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (342110 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-0829 | 2 Frontend File Manager Plugin, Wordpress | 2 Frontend File Manager Plugin, Wordpress | 2026-04-02 | 5.8 Medium |
| The Frontend File Manager Plugin WordPress plugin through 23.5 allows unauthenticated users to send emails through the site without any security checks. This lets attackers use the WordPress site as an open relay for spam or phishing emails to anyone. Attackers can also guess file IDs to access and share uploaded files without permission, exposing sensitive information. | ||||
| CVE-2025-9544 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 6.5 Medium |
| The Doppler Forms WordPress plugin through 2.5.1 registers an AJAX action install_extension without verifying user capabilities or using a nonce. As a result, any authenticated user — including those with the Subscriber role — can install and activate additional Doppler Forms WordPress plugin through 2.5.1 (limited to those whitelisted by the main Doppler Forms WordPress plugin through 2.5.1). | ||||
| CVE-2025-6027 | 2 Acewebx, Wordpress | 2 Ace User Management, Wordpress | 2026-04-02 | 6.3 Medium |
| The Ace User Management WordPress plugin through 2.0.3 does not properly validate that a password reset token is associated with the user who requested it, allowing any authenticated users, such as subscriber to reset the password of arbitrary accounts, including administrators. | ||||
| CVE-2025-15491 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 5.5 Medium |
| The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks | ||||
| CVE-2025-15445 | 2 Restaurant Cafeteria, Wordpress | 2 Restaurant Cafeteria, Wordpress | 2026-04-02 | 5.4 Medium |
| The Restaurant Cafeteria WordPress theme through 0.4.6 exposes insecure admin-ajax actions without nonce or capability checks, allowing any logged-in user, like subscriber, to perform privileged operations. An attacker can install and activate a from a user-supplied URL, leading to arbitrary PHP code execution, and also import demo content that rewrites site configuration, including Restaurant Cafeteria WordPress theme through 0.4.6_mods, pages, menus, and front page settings. | ||||
| CVE-2025-14892 | 2 Prime Listing Manager, Wordpress | 2 Prime Listing Manager, Wordpress | 2026-04-02 | 9.8 Critical |
| The Prime Listing Manager WordPress plugin through 1.1 allows an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions due to a hardcoded secret. | ||||
| CVE-2025-14829 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 9.1 Critical |
| The E-xact | Hosted Payment | WordPress plugin through 2.0 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. | ||||
| CVE-2025-14316 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 7.1 High |
| The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2025-14313 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 6.1 Medium |
| The Advance WP Query Search Filter WordPress plugin through 1.0.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2025-14312 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 6.1 Medium |
| The Advance WP Query Search Filter WordPress plugin through 1.0.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2025-13471 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 5.3 Medium |
| The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example to enable User Registration when it has been turned off) | ||||
| CVE-2025-13071 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 7.1 High |
| The Custom Admin Menu WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | ||||
| CVE-2025-13070 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 6.6 Medium |
| The CSV to SortTable WordPress plugin through 4.2 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as contributor to perform LFI attacks. | ||||
| CVE-2025-13001 | 2 Kieranoshea, Wordpress | 2 Donations, Wordpress | 2026-04-02 | 4.1 Medium |
| The donation WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing high privilege users, such as admin to perform SQL injection attacks | ||||
| CVE-2025-13000 | 2 Jimbob1953, Wordpress | 2 Db-access, Wordpress | 2026-04-02 | 7.7 High |
| The db-access WordPress plugin through 0.8.7 does not have authorization in an AJAX action, allowing any authenticated users, such as subscriber to perform SQLI attacks | ||||
| CVE-2025-12820 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 5.3 Medium |
| The Pure WC Variation Swatches WordPress plugin through 1.1.7 does not have an authorization check when updating its settings, which could allow any authenticated users to update them. | ||||
| CVE-2025-12696 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 5.3 Medium |
| The HelloLeads CRM Form Shortcode WordPress plugin through 1.0 does not have authorisation and CSRF check when resetting its settings, allowing unauthenticated users to reset them | ||||
| CVE-2025-12685 | 3 Iqonic, Iqonicdesign, Wordpress | 3 Wpbookit, Wpbookit, Wordpress | 2026-04-02 | 6.5 Medium |
| The WPBookit WordPress plugin through 1.0.7 lacks a CSRF check when deleting customers. This could allow an unauthenticated attacker to delete any customer through a CSRF attack. | ||||
| CVE-2025-12629 | 2 K-78, Wordpress | 2 Broken Link Manager, Wordpress | 2026-04-02 | 7.1 High |
| The Broken Link Manager WordPress plugin through 0.6.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2025-12573 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 6.5 Medium |
| The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor WordPress plugin through 1.0.12 data. | ||||