Export limit exceeded: 12196 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (12196 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-0872 | 2 Kibokolabs, Wordpress | 2 Watu Quiz, Wordpress | 2026-04-08 | 4.3 Medium |
| The Watu Quiz plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.4.1 via the watu-userinfo shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive user meta data which can include session tokens and user emails. | ||||
| CVE-2024-0590 | 2 Microsoft, Wordpress | 2 Clarity, Wordpress | 2026-04-08 | 6.1 Medium |
| The Microsoft Clarity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the edit_clarity_project_id() function. This makes it possible for unauthenticated attackers to change the project id and add malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-5663 | 2 Storeapps, Wordpress | 2 News Announcement Scroll, Wordpress | 2026-04-08 | 8.8 High |
| The News Announcement Scroll plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 9.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2023-2745 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 5.4 Medium |
| WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack. | ||||
| CVE-2024-8914 | 1 Wordpress | 2 Thanh Toan Quet Ma Qr Code Tu Dong, Wordpress | 2026-04-08 | 7.2 High |
| The Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.1 due to incorrect use of the wp_kses_allowed_html function, which allows the 'onclick' attribute for certain HTML elements without sufficient restriction or context validation. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-3991 | 2 Hasthemes, Wordpress | 3 Shoplentor, Shoplentor, Wordpress | 2026-04-08 | 6.4 Medium |
| The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _id attribute in the Horizontal Product Filter in all versions up to, and including, 2.8.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-3063 | 2 Wordpress, Wpbean | 2 Wordpress, Wpb Elementor Addons | 2026-04-08 | 6.4 Medium |
| The WPB Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the output of 'tags' added to widgets in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping on user supplied tag attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-2964 | 2 Logicore, Wordpress | 2 Pocket News Generator, Wordpress | 2026-04-08 | 5.4 Medium |
| The Pocket News Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2.0. This is due to missing or incorrect nonce validation on the option_page() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-2513 | 2 Ninjateam, Wordpress | 2 Wp Chat App, Wordpress | 2026-04-08 | 6.4 Medium |
| The WP Chat App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'imageAlt' block attribute in all versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-2308 | 2 Elementinvader, Wordpress | 2 Elementinvader Addons For Elementor, Wordpress | 2026-04-08 | 6.4 Medium |
| The ElementInvader Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button link in the EliSlider in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-1566 | 3 Declaire, Mattdeclaire, Wordpress | 3 Redirects, Redirects, Wordpress | 2026-04-08 | 6.5 Medium |
| The Redirects plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save function in all versions up to, and including, 1.2.1. This makes it possible for unauthenticated attackers to change redirects created with this plugin. This could lead to undesired redirection to phishing sites or malicious web pages. | ||||
| CVE-2024-1472 | 2 Restezconnectes, Wordpress | 2 Wp Maintenance, Wordpress | 2026-04-08 | 5.3 Medium |
| The WP Maintenance plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.1.6 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's maintenance mode obtain post and page content via REST API. | ||||
| CVE-2024-1341 | 2 Tinywebgallery, Wordpress | 2 Advanced Iframe, Wordpress | 2026-04-08 | 4.9 Medium |
| The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's advanced_iframe shortcode in all versions up to, and including, 2024.1 due to the plugin allowing users to include JS files from external sources through the additional_js attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-1340 | 2 Webfactoryltd, Wordpress | 2 Wp Login Lockdown, Wordpress | 2026-04-08 | 5.4 Medium |
| The Login Lockdown – Protect Login Form plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the generate_export_file function in all versions up to, and including, 2.08. This makes it possible for authenticated attackers, with subscriber access and higher, to export this plugin's settings that include whitelisted IP addresses as well as a global unlock key. With the global unlock key an attacker can add their IP address to the whitelist. | ||||
| CVE-2024-13719 | 2 Pepro, Wordpress | 2 Peprodev Ultimate Invoice, Wordpress | 2026-04-08 | 5.3 Medium |
| The PeproDev Ultimate Invoice plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.9 via the invoicing viewer due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view invoices for completed orders which can contain PII of users. | ||||
| CVE-2024-13716 | 2 Tarbor, Wordpress | 2 Forex Calculators, Wordpress | 2026-04-08 | 4.3 Medium |
| The Forex Calculators plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_settings_callback() function in all versions up to, and including, 1.3.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings. | ||||
| CVE-2024-12410 | 2 Etoilewebdesign, Wordpress | 2 Front End Users, Wordpress | 2026-04-08 | 4.9 Medium |
| The Front End Users plugin for WordPress is vulnerable to SQL Injection via the 'UserSearchField' parameter in all versions up to, and including, 3.2.32 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2024-12262 | 2 Shopfiles, Wordpress | 2 Ebook Store, Wordpress | 2026-04-08 | 6.1 Medium |
| The Ebook Store plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'step' parameter in all versions up to, and including, 5.8001 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-0978 | 2 Wordpress, Zatzlabs | 2 Wordpress, My Private Site | 2026-04-08 | 5.3 Medium |
| The My Private Site plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.14 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's site privacy feature and view restricted page and post content. | ||||
| CVE-2024-13679 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 6.4 Medium |
| The Widget BUY.BOX plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'buybox-widget' shortcode in all versions up to, and including, 3.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||