Filtered by vendor Wordpress
Subscriptions
Total
8291 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-66074 | 1 Wordpress | 1 Wordpress | 2025-12-19 | 9 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Path Traversal.This issue affects WP Webhooks: from n/a through <= 3.3.8. | ||||
| CVE-2025-66102 | 1 Wordpress | 1 Wordpress | 2025-12-19 | 7.5 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FolioVision FV Antispam fv-antispam allows Reflected XSS.This issue affects FV Antispam: from n/a through <= 2.7. | ||||
| CVE-2025-14364 | 2 Kraftplugins, Wordpress | 2 Demo Importer Plus, Wordpress | 2025-12-19 | 8.8 High |
| The Demo Importer Plus plugin for WordPress is vulnerable to unauthorized modification of data, loss of data, and privilege escalation due to a missing capability check on the Ajax::handle_request() function in all versions up to, and including, 2.0.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full site reset, dropping all database tables except users/usermeta and re-running wp_install(), which also assigns the Administrator role to the attacking subscriber account. | ||||
| CVE-2025-13730 | 2 Daggerhartlab, Wordpress | 2 Openid Connect Generic Client, Wordpress | 2025-12-19 | 6.4 Medium |
| The OpenID Connect Generic Client plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'openid_connect_generic_auth_url' shortcode in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-66088 | 2 Propertyhive, Wordpress | 2 Propertyhive, Wordpress | 2025-12-19 | 7.5 High |
| Missing Authorization vulnerability in Property Hive PropertyHive propertyhive allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PropertyHive: from n/a through <= 2.1.12. | ||||
| CVE-2025-66117 | 2 Ays-pro, Wordpress | 2 Easy Form, Wordpress | 2025-12-19 | 7.5 High |
| Missing Authorization vulnerability in Ays Pro Easy Form easy-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Form: from n/a through <= 2.7.8. | ||||
| CVE-2025-66119 | 1 Wordpress | 1 Wordpress | 2025-12-19 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Hostel hostel allows Reflected XSS.This issue affects Hostel: from n/a through <= 1.1.5.9. | ||||
| CVE-2025-66054 | 2 Thimpress, Wordpress | 2 Learnpress, Wordpress | 2025-12-19 | 7.5 High |
| Missing Authorization vulnerability in ThimPress LearnPress learnpress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LearnPress: from n/a through <= 4.2.9.4. | ||||
| CVE-2025-66116 | 2 Userelements, Wordpress | 2 Ultimate Member Widgets For Elementor, Wordpress | 2025-12-19 | 7.5 High |
| Insertion of Sensitive Information Into Sent Data vulnerability in UserElements Ultimate Member Widgets for Elementor ultimate-member-widgets-for-elementor allows Retrieve Embedded Sensitive Data.This issue affects Ultimate Member Widgets for Elementor: from n/a through <= 2.3. | ||||
| CVE-2025-64378 | 1 Wordpress | 1 Wordpress | 2025-12-19 | 7.5 High |
| Missing Authorization vulnerability in CridioStudio ListingPro listingpro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ListingPro: from n/a through < 2.9.10. | ||||
| CVE-2025-13641 | 2 Smub, Wordpress | 2 Nextgen Gallery, Wordpress | 2025-12-19 | 8.8 High |
| The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.59.12 via the 'template' shortcode parameter. This is due to insufficient path validation that allows absolute paths to be provided. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, bypassing web server restrictions like .htaccess. Successful exploitation could lead to information disclosure, code execution in the WordPress context, and potential remote code execution if combined with arbitrary file upload capabilities. | ||||
| CVE-2025-66070 | 1 Wordpress | 1 Wordpress | 2025-12-19 | 7.5 High |
| Missing Authorization vulnerability in Tomdever wpForo Forum wpforo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects wpForo Forum: from n/a through <= 2.4.10. | ||||
| CVE-2025-67546 | 2 Wedevs, Wordpress | 2 Wp Erp, Wordpress | 2025-12-19 | 6.5 Medium |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs WP ERP erp allows Retrieve Embedded Sensitive Data.This issue affects WP ERP: from n/a through <= 1.16.6. | ||||
| CVE-2025-66100 | 2 Magnigenie, Wordpress | 2 Restropress, Wordpress | 2025-12-19 | 6.5 Medium |
| Missing Authorization vulnerability in Magnigenie RestroPress restropress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RestroPress: from n/a through <= 3.2.3.5. | ||||
| CVE-2025-66078 | 1 Wordpress | 1 Wordpress | 2025-12-19 | 9.1 Critical |
| Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters Hotel Booking Lite motopress-hotel-booking-lite allows Remote Code Inclusion.This issue affects Hotel Booking Lite: from n/a through <= 5.2.3. | ||||
| CVE-2025-66104 | 1 Wordpress | 1 Wordpress | 2025-12-19 | 6.5 Medium |
| Missing Authorization vulnerability in Anton Vanyukov Offload, AI & Optimize with Cloudflare Images cf-images allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Offload, AI & Optimize with Cloudflare Images: from n/a through <= 1.9.5. | ||||
| CVE-2025-66118 | 1 Wordpress | 1 Wordpress | 2025-12-19 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BoldGrid Sprout Clients sprout-clients allows Reflected XSS.This issue affects Sprout Clients: from n/a through <= 3.2.1. | ||||
| CVE-2025-14277 | 3 Bdthemes, Elementor, Wordpress | 3 Prime Slider, Elementor, Wordpress | 2025-12-19 | 4.3 Medium |
| The Prime Slider – Addons for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.9 via the import_elementor_template AJAX action. This makes it possible for authenticated attackers, with subscriber level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | ||||
| CVE-2025-13110 | 2 Realmag777, Wordpress | 2 Huskys Products Filter Professional For Woocommerce, Wordpress | 2025-12-19 | 4.3 Medium |
| The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.3 via the "woof_add_subscr" function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber level access and above, to create product messenger subscriptions on behalf of arbitrary users, including administrators. | ||||
| CVE-2025-14618 | 1 Wordpress | 1 Wordpress | 2025-12-19 | 4.3 Medium |
| The Sweet Energy Efficiency plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on the 'sweet_energy_efficiency_action' AJAX handler in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with subscriber level access and above, to read, modify, and delete arbitrary graphs. | ||||