Filtered by vendor Wordpress
Subscriptions
Total
10374 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-22381 | 2 Mikado-themes, Wordpress | 2 Pawfriends - Pet Shop And Veterinary Wordpress Theme, Wordpress | 2026-02-23 | N/A |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows PHP Local File Inclusion.This issue affects PawFriends - Pet Shop and Veterinary WordPress Theme: from n/a through <= 1.3. | ||||
| CVE-2026-22383 | 2 Mikado-themes, Wordpress | 2 Pawfriends - Pet Shop And Veterinary Wordpress Theme, Wordpress | 2026-02-23 | 7.5 High |
| Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PawFriends - Pet Shop and Veterinary WordPress Theme: from n/a through <= 1.3. | ||||
| CVE-2026-22384 | 2 Leafcolor, Wordpress | 2 Applay - Shortcodes, Wordpress | 2026-02-23 | N/A |
| Deserialization of Untrusted Data vulnerability in leafcolor Applay - Shortcodes applay-shortcodes allows Object Injection.This issue affects Applay - Shortcodes: from n/a through <= 3.7. | ||||
| CVE-2026-24941 | 2 Wordpress, Wpjobportal | 2 Wordpress, Wp Job Portal | 2026-02-23 | 7.5 High |
| Missing Authorization vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Portal: from n/a through <= 2.4.4. | ||||
| CVE-2026-24944 | 2 Wedevs, Wordpress | 2 Subscribe2, Wordpress | 2026-02-23 | 6.5 Medium |
| Missing Authorization vulnerability in weDevs Subscribe2 subscribe2 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Subscribe2: from n/a through <= 10.44. | ||||
| CVE-2026-24948 | 2 Fox-themes, Wordpress | 2 Reflector, Wordpress | 2026-02-23 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Reflector reflector-plugins allows Reflected XSS.This issue affects Reflector: from n/a through <= 1.2.2. | ||||
| CVE-2026-24950 | 2 Themeplugs, Wordpress | 2 Authorsy, Wordpress | 2026-02-23 | 7.5 High |
| Authorization Bypass Through User-Controlled Key vulnerability in themeplugs Authorsy authorsy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Authorsy: from n/a through <= 1.0.6. | ||||
| CVE-2026-24955 | 2 Fox-themes, Wordpress | 2 Whizz Plugins, Wordpress | 2026-02-23 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Whizz Plugins whizz-plugins allows Reflected XSS.This issue affects Whizz Plugins: from n/a through <= 1.9. | ||||
| CVE-2026-24959 | 2 Joomsky, Wordpress | 2 Js Help Desk, Wordpress | 2026-02-23 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Help Desk js-support-ticket allows Blind SQL Injection.This issue affects JS Help Desk: from n/a through <= 3.0.1. | ||||
| CVE-2026-1461 | 2 Wordpress, Wpinsider-1 | 2 Wordpress, Simple Membership | 2026-02-20 | 6.5 Medium |
| The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting is configured, which is empty by default. This makes it possible for unauthenticated attackers to forge Stripe webhook events to manipulate membership subscriptions, including reactivating expired memberships without payment or canceling legitimate subscriptions, potentially leading to unauthorized access and service disruption. | ||||
| CVE-2026-2716 | 2 Amu02aftab, Wordpress | 2 Client Testimonial Slider, Wordpress | 2026-02-20 | 4.4 Medium |
| The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Testimonial Heading' setting in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-2718 | 2 Dealia, Wordpress | 2 Dealia – Request A Quote, Wordpress | 2026-02-20 | 6.4 Medium |
| The Dealia – Request a Quote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Gutenberg block attributes in all versions up to, and including, 1.0.6. This is due to the use of `wp_kses()` for output escaping within HTML attribute contexts where `esc_attr()` is required. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-1219 | 2 Sonaar, Wordpress | 2 Mp3 Audio Player – Music Player, Podcast Player & Radio By Sonaar, Wordpress | 2026-02-20 | 5.3 Medium |
| The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load_track_note_ajax' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the contents of private posts. | ||||
| CVE-2026-27387 | 2 Designinvento, Wordpress | 2 Directorypress, Wordpress | 2026-02-20 | 5.4 Medium |
| Missing Authorization vulnerability in designinvento DirectoryPress directorypress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DirectoryPress: from n/a through <= 3.6.26. | ||||
| CVE-2026-27360 | 2 10web, Wordpress | 2 Photo Gallery, Wordpress | 2026-02-20 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Photo Gallery by 10Web photo-gallery allows Stored XSS.This issue affects Photo Gallery by 10Web: from n/a through <= 1.8.37. | ||||
| CVE-2026-27058 | 2 Pencidesign, Wordpress | 2 Penci Podcast, Wordpress | 2026-02-20 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Podcast penci-podcast allows DOM-Based XSS.This issue affects Penci Podcast: from n/a through <= 1.7. | ||||
| CVE-2026-27055 | 2 Pencidesign, Wordpress | 2 Penci Ai Smartcontent Creator, Wordpress | 2026-02-20 | 4.3 Medium |
| Missing Authorization vulnerability in PenciDesign Penci AI SmartContent Creator penci-ai allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Penci AI SmartContent Creator: from n/a through <= 2.0. | ||||
| CVE-2026-25453 | 2 Mdempfle, Wordpress | 2 Advanced Iframe, Wordpress | 2026-02-20 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mdempfle Advanced iFrame advanced-iframe allows DOM-Based XSS.This issue affects Advanced iFrame: from n/a through <= 2025.10. | ||||
| CVE-2026-25412 | 2 Mdempfle, Wordpress | 2 Advanced Iframe, Wordpress | 2026-02-20 | 5.3 Medium |
| Missing Authorization vulnerability in mdempfle Advanced iFrame advanced-iframe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced iFrame: from n/a through <= 2025.10. | ||||
| CVE-2026-25005 | 2 N-media, Wordpress | 2 Frontend File Manager, Wordpress | 2026-02-20 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in N-Media Frontend File Manager nmedia-user-file-uploader allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Frontend File Manager: from n/a through <= 23.5. | ||||