Export limit exceeded: 12287 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (12287 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-5970 | 2 Maxfoundry, Wordpress | 2 Maxgalleria, Wordpress | 2026-04-15 | 6.4 Medium |
| The MaxGalleria plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's maxgallery_thumb shortcode in all versions up to, and including, 6.4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2023-37866 | 2 Crocoblock, Wordpress | 2 Jetformbuilder, Wordpress | 2026-04-15 | 7.2 High |
| Improper Privilege Management vulnerability in Crocoblock JetFormBuilder allows Privilege Escalation.This issue affects JetFormBuilder: from n/a through 3.0.8. | ||||
| CVE-2024-5892 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Divi Torque Lite – Divi Theme and Extra Theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘support_unfiltered_files_upload’ function in all versions up to, and including, 3.6.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-5878 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled SimpleLightbox JavaScript library (version 2.1.5) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-14616 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The Recooty – Job Widget (Old Dashboard) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recooty_save_maybe() function. This makes it possible for unauthenticated attackers to update the recooty_key option and inject malicious content into iframe src attributes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-69387 | 2 Whatwouldjessedo, Wordpress | 2 Simple Retail Menus, Wordpress | 2026-04-15 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in whatwouldjessedo Simple Retail Menus simple-retail-menus allows PHP Local File Inclusion.This issue affects Simple Retail Menus: from n/a through <= 4.2.1. | ||||
| CVE-2025-69384 | 2 Wordpress, Wpdiscover | 2 Wordpress, Timeline Event History | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdiscover Timeline Event History timeline-event-history allows Reflected XSS.This issue affects Timeline Event History: from n/a through <= 3.2. | ||||
| CVE-2025-69374 | 2 Solverwp, Wordpress | 2 Eleblog – Elementor Blog And Magazine Addons, Wordpress | 2026-04-15 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Eleblog – Elementor Blog And Magazine Addons ele-blog allows PHP Local File Inclusion.This issue affects Eleblog – Elementor Blog And Magazine Addons: from n/a through <= 2.0.3. | ||||
| CVE-2024-6321 | 2 Dwieeb, Wordpress | 2 Scroll To Bottom, Wordpress | 2026-04-15 | 8.8 High |
| The ScrollTo Bottom plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 1.1.1. This is due to missing nonce validation and missing file type validation in the 'options_page' function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2022-4974 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.3 Medium |
| The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable. | ||||
| CVE-2025-58999 | 2 Loopus, Wordpress | 2 Wp Attractive Donations System, Wordpress | 2026-04-15 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in loopus WP Attractive Donations System - Easy Stripe & Paypal donations WP_AttractiveDonationsSystem allows Cross Site Request Forgery.This issue affects WP Attractive Donations System - Easy Stripe & Paypal donations: from n/a through <= 1.25. | ||||
| CVE-2025-11363 | 3 Elementor, Royal-elementor-addons, Wordpress | 3 Elementor, Royal Elementor Addons, Wordpress | 2026-04-15 | 5.3 Medium |
| The Royal Addons for Elementor WordPress plugin before 1.7.1037 does not have proper authorisation, allowing unauthenticated users to upload media files via the wpr_addons_upload_file action. | ||||
| CVE-2024-5596 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.3 Medium |
| The ARMember Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.7. This is due to incorrectly implemented nonce validation function on multiple functions. This makes it possible for unauthenticated attackers to modify, or delete user meta and plugin options which can lead to limited privilege escalation. | ||||
| CVE-2024-55864 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Cross-site scripting vulnerability exists in My WP Customize Admin/Frontend versions prior to ver 1.24.1. If a malicious administrative user customizes the administrative page with some malicious contents, an arbitrary script may be executed on the web browser of the other users who are accessing the page. | ||||
| CVE-2025-0820 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Clicface Trombi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘nom’ parameter in all versions up to, and including, 2.08 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-5577 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 9.8 Critical |
| The Where I Was, Where I Will Be plugin for WordPress is vulnerable to Remote File Inclusion in version <= 1.1.1 via the WIW_HEADER parameter of the /system/include/include_user.php file. This makes it possible for unauthenticated attackers to include and execute arbitrary files hosted on external servers, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. This requires allow_url_include to be set to true in order to exploit, which is not commonly enabled. | ||||
| CVE-2023-23988 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.5 High |
| Missing Authorization vulnerability in Joseph C Dolson My Tickets.This issue affects My Tickets: from n/a through 1.9.11. | ||||
| CVE-2024-6210 | 2 Snapcreek, Wordpress | 2 Duplicator, Wordpress | 2026-04-15 | 5.3 Medium |
| The Duplicator plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 1.5.9. This makes it possible for unauthenticated attackers to obtain the full path to instances, which they may be able to use in combination with other vulnerabilities or to simplify reconnaissance work. On its own, this information is of very limited use. | ||||
| CVE-2025-67550 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rhewlif Donation Thermometer donation-thermometer allows Stored XSS.This issue affects Donation Thermometer: from n/a through <= 2.2.6. | ||||
| CVE-2025-66143 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.4 Medium |
| Missing Authorization vulnerability in merkulove Crumber crumber-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Crumber: from n/a through <= 1.0.10. | ||||