Filtered by vendor Wordpress
Subscriptions
Filtered by product Wordpress
Subscriptions
Total
9600 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-0725 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 4.4 Medium |
| The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-8615 | 2 Cubewp, Wordpress | 2 Cubewp, Wordpress | 2026-01-26 | 6.4 Medium |
| The CubeWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cubewp_shortcode_taxonomy shortcode in all versions up to, and including, 1.1.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-12984 | 2 Monetizemore, Wordpress | 2 Advanced Ads, Wordpress | 2026-01-26 | 4.9 Medium |
| The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 2.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-12129 | 2 Cubewp, Wordpress | 2 Cubewp, Wordpress | 2026-01-26 | 5.3 Medium |
| The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to. | ||||
| CVE-2025-12002 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 5.9 Medium |
| The Feeds for YouTube Pro plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.6.0 via the 'sby_check_wp_submit' AJAX action. This is due to insufficient sanitization of user-supplied data and the use of that data in a file operation. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information, granted the 'Save Featured Images' setting is enabled and 'Disable WP Posts' is disabled. Note: This vulnerability only affects the Pro version of Feeds for YouTube. | ||||
| CVE-2025-12718 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 5.8 Medium |
| The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcf_validate_form' AJAX endpoint allowing a user controlled parameter to set the 'from' email address. This makes it possible for unauthenticated attackers to send emails to arbitrary recipients utilizing the server. The information is limited to the contact form submission details. | ||||
| CVE-2025-13725 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 6.5 Medium |
| The Gutenberg Thim Blocks – Page Builder, Gutenberg Blocks for the Block Editor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 1.0.1. This is due to insufficient path validation in the server-side rendering of the thim-blocks/icon block. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server via the 'iconSVG' parameter, which can contain sensitive information such as wp-config.php. | ||||
| CVE-2026-0682 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 2.2 Low |
| The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio_url' parameter. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | ||||
| CVE-2019-25297 | 2 Opinionstage, Wordpress | 2 Poll, Survey & Quiz Maker, Wordpress | 2026-01-26 | N/A |
| Poll, Survey & Quiz Maker Plugin by Opinion Stage Wordpress plugin versions prior to 19.6.25 contain a stored cross-site scripting (XSS) vulnerability via multiple parameters due to insufficient input validation and output escaping. An unauthenticated attacker can inject arbitrary script into content that executes when a victim views an affected page. | ||||
| CVE-2026-23800 | 2 Modular, Wordpress | 2 Modular, Wordpress | 2026-01-26 | 10 Critical |
| Incorrect Privilege Assignment vulnerability in Modular DS modular-connector allows Privilege Escalation.This issue affects Modular DS: from 2.5.2 before 2.6.0. | ||||
| CVE-2025-10484 | 3 Fmeaddons, Woocommerce, Wordpress | 3 Registration And Login With Mobile Phone Number For Woocommerce, Woocommerce, Wordpress | 2026-01-26 | 9.8 Critical |
| The Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.1. This is due to the plugin not properly verifying a users identity prior to authenticating them via the fma_lwp_set_session_php_fun() function. This makes it possible for unauthenticated attackers to authenticate as any user on the site, including administrators, without a valid password. | ||||
| CVE-2025-14450 | 2 Wordpress, Wpswings | 2 Wordpress, Wallet System For Woocommerce | 2026-01-26 | 6.5 Medium |
| The Wallet System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'change_wallet_fund_request_status_callback' function in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to manipulate wallet withdrawal requests and arbitrarily increase their wallet balance or decrease other users' balances. | ||||
| CVE-2025-14478 | 2 Kraftplugins, Wordpress | 2 Demo Importer Plus, Wordpress | 2026-01-26 | 7.5 High |
| The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection (XXE) in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-level access and above, to achieve code execution in vulnerable configurations. This only impacts sites on versions of PHP older than 8.0. | ||||
| CVE-2026-0808 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 5.3 Medium |
| The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated attackers to manipulate which prize they win by modifying the 'prize_index' parameter sent to the server, allowing them to always select the most valuable prizes. | ||||
| CVE-2026-22850 | 2 Ibericode, Wordpress | 2 Koko Analytics, Wordpress | 2026-01-26 | 8.4 High |
| Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbitrary path (`pa`) and referrer (`r`) values to the public tracking endpoint in src/Resources/functions/collect.php, which stores those strings verbatim in the analytics tables. The admin export logic in src/Admin/Data_Export.php writes these stored values directly into SQL INSERT statements without escaping. A crafted path such as "),('999','x');DROP TABLE wp_users;-- breaks out of the value list. When an administrator later imports that export file, the import handler in src/Admin/Data_Import.php reads the uploaded SQL with file_get_contents, performs only a superficial header check, splits on semicolons, and executes each statement via $wpdb->query with no validation of table names or statement types. Additionally, any authenticated user with manage_koko_analytics can upload an arbitrary .sql file and have it executed in the same permissive way. Combined, attacker-controlled input flows from the tracking endpoint into exported SQL and through the import execution sink, or directly via malicious uploads, enabling arbitrary SQL execution. In a worst-case scenario, attackers can achieve arbitrary SQL execution on the WordPress database, allowing deletion of core tables (e.g., wp_users), insertion of backdoor administrator accounts, or other destructive/privilege-escalating actions. Version 2.1.3 patches the issue. | ||||
| CVE-2025-14075 | 2 Thimpress, Wordpress | 2 Wp Hotel Booking, Wordpress | 2026-01-26 | 5.3 Medium |
| The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel_booking_fetch_customer_info' AJAX action to unauthenticated users without proper capability checks, relying only on a nonce for protection. This makes it possible for unauthenticated attackers to retrieve sensitive customer information including full names, addresses, phone numbers, and email addresses by providing a valid email address and a publicly accessible nonce. | ||||
| CVE-2026-0833 | 1 Wordpress | 1 Wordpress | 2026-01-26 | 6.4 Medium |
| The Team Section Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user-supplied social network link URLs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-14078 | 2 Shoheitanaka, Wordpress | 2 Japanized For Woocommerce, Wordpress | 2026-01-26 | 5.3 Medium |
| The PAYGENT for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.4.6. This is due to missing authorization checks on the paygent_check_webhook function combined with the paygent_permission_callback function unconditionally returning true on line 199. This makes it possible for unauthenticated attackers to manipulate payment callbacks and modify order statuses by sending forged payment notifications via the `/wp-json/paygent/v1/check/` endpoint. | ||||
| CVE-2025-12168 | 2 Memsource, Wordpress | 2 Phrase Tms Integration For Wordpress, Wordpress | 2026-01-26 | 4.3 Medium |
| The Phrase TMS Integration for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_delete_log' AJAX endpoint in all versions up to, and including, 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete log files. | ||||
| CVE-2025-14029 | 2 Jackdewey, Wordpress | 2 Community Events, Wordpress | 2026-01-26 | 5.3 Medium |
| The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_admin_event_approval() function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to approve arbitrary events via the 'eventlist' parameter. | ||||