Export limit exceeded: 12184 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (12184 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-22183 | 2 Gvectors, Wordpress | 2 Wpdiscuz, Wordpress | 2026-03-23 | 6.1 Medium |
| wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability in the inline comment preview functionality that allows authenticated users to inject malicious scripts by submitting comments with unescaped content. Attackers with unfiltered_html capabilities can inject JavaScript directly through comment content rendered in the AJAX response from the getLastInlineComments() function in class.WpdiscuzHelperAjax.php without proper HTML escaping. | ||||
| CVE-2026-22193 | 2 Gvectors, Wordpress | 2 Wpdiscuz, Wordpress | 2026-03-23 | 8.1 High |
| wpDiscuz before 7.6.47 contains an SQL injection vulnerability in the getAllSubscriptions() function where string parameters lack proper quote escaping in SQL queries. Attackers can inject malicious SQL code through email, activation_key, subscription_date, and imported_from parameters to manipulate database queries and extract sensitive information. | ||||
| CVE-2026-22201 | 2 Gvectors, Wordpress | 2 Wpdiscuz, Wordpress | 2026-03-23 | 5.3 Medium |
| wpDiscuz before 7.6.47 contains an IP spoofing vulnerability in the getIP() function that allows attackers to bypass IP-based rate limiting and ban enforcement by trusting untrusted HTTP headers. Attackers can set HTTP_CLIENT_IP or HTTP_X_FORWARDED_FOR headers to spoof their IP address and circumvent security controls. | ||||
| CVE-2026-22202 | 2 Gvectors, Wordpress | 2 Wpdiscuz, Wordpress | 2026-03-23 | 8.1 High |
| wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability that allows attackers to delete all comments associated with an email address by crafting a malicious GET request with a valid HMAC key. Attackers can embed the deletecomments action URL in image tags or other resources to trigger permanent deletion of comments without user confirmation or POST-based CSRF protection. | ||||
| CVE-2026-22203 | 2 Gvectors, Wordpress | 2 Wpdiscuz, Wordpress | 2026-03-23 | 4.9 Medium |
| wpDiscuz before 7.6.47 contains an information disclosure vulnerability that allows administrators to inadvertently expose OAuth secrets by exporting plugin options as JSON. Attackers can obtain exported files containing plaintext API secrets like fbAppSecret, googleClientSecret, twitterAppSecret, and other social login credentials from support tickets, backups, or version control repositories. | ||||
| CVE-2026-22204 | 2 Gvectors, Wordpress | 2 Wpdiscuz, Wordpress | 2026-03-23 | 3.7 Low |
| wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the comment_author_email cookie. Attackers can craft a malicious cookie value that, when processed through urldecode() and passed to wp_mail() functions, enables header injection to alter email recipients or inject additional headers. | ||||
| CVE-2026-22210 | 2 Gvectors, Wordpress | 2 Wpdiscuz, Wordpress | 2026-03-23 | 4.4 Medium |
| wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through unescaped attachment URLs in HTML output by exploiting the WpdiscuzHelperUpload class. Attackers can craft malicious attachment records or filter hooks to inject arbitrary JavaScript into img and anchor tag attributes, executing code in the context of WordPress users viewing comments. | ||||
| CVE-2026-22215 | 2 Gvectors, Wordpress | 2 Wpdiscuz, Wordpress | 2026-03-23 | 4.3 Medium |
| wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability in the getFollowsPage() function that allows attackers to trigger unauthorized actions without nonce validation. Attackers can craft malicious requests to enumerate follow relationships and manipulate user follow data by exploiting the missing CSRF protection in the follows page handler. | ||||
| CVE-2026-22216 | 2 Gvectors, Wordpress | 2 Wpdiscuz, Wordpress | 2026-03-23 | 6.5 Medium |
| wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard characters in the subscription query to match multiple email addresses and generate unwanted notification emails to victim accounts. | ||||
| CVE-2023-47663 | 1 Wordpress | 1 Wordpress | 2026-03-18 | N/A |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||||
| CVE-2025-8280 | 2 Iambriansreed, Wordpress | 2 Contact Form 7 Recaptcha, Wordpress | 2026-03-16 | 5.8 Medium |
| The Contact Form 7 reCAPTCHA WordPress plugin through 1.2.0 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers. | ||||
| CVE-2026-25412 | 2 Mdempfle, Wordpress | 2 Advanced Iframe, Wordpress | 2026-02-24 | N/A |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | ||||
| CVE-2025-7808 | 2 Fahadmahmood, Wordpress | 2 External Store For Shopify, Wordpress | 2026-02-20 | 6.1 Medium |
| The WP Shopify WordPress plugin before 1.5.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2025-8085 | 2 Metaphorcreations, Wordpress | 2 Ditty, Wordpress | 2026-02-09 | 8.6 High |
| The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs. | ||||
| CVE-2026-24602 | 2 Raptive, Wordpress | 2 Raptive Ads, Wordpress | 2026-02-04 | N/A |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. This is a false positive. According to the vendor, the function identified as a vulnerability is intentional and part of the expected design. | ||||
| CVE-2025-8889 | 2 Eliehanna, Wordpress | 3 Compress And Upload Plugin, Compress And Upload Plugin, Wordpress | 2026-01-30 | 3.8 Low |
| The Compress & Upload WordPress plugin before 1.0.5 does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup) | ||||
| CVE-2022-47425 | 2 Reputeinfosystems, Wordpress | 2 Armember, Wordpress | 2026-01-30 | 4.3 Medium |
| Missing Authorization vulnerability in Repute Infosystems ARMember allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ARMember: from n/a through 3.4.10. | ||||
| CVE-2025-8113 | 2 Shopfiles, Wordpress | 2 Ebook Store, Wordpress | 2026-01-27 | 6.1 Medium |
| The Ebook Store WordPress plugin before 5.8015 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers. | ||||
| CVE-2024-43227 | 2 Wordpress, Wpdeveloper | 2 Wordpress, Betterdocs | 2026-01-23 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPDeveloper BetterDocs allows Stored XSS.This issue affects BetterDocs: from n/a through 3.5.8. | ||||
| CVE-2023-47788 | 2 Automattic, Wordpress | 2 Jetpack, Wordpress | 2026-01-23 | 4.3 Medium |
| Missing Authorization vulnerability in Automattic Jetpack.This issue affects Jetpack: from n/a before 12.7. | ||||