Filtered by vendor Wordpress
Subscriptions
Total
10379 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-25024 | 1 Wordpress | 1 Wordpress | 2026-02-04 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Blair Williams ThirstyAffiliates thirstyaffiliates allows Cross Site Request Forgery.This issue affects ThirstyAffiliates: from n/a through <= 3.11.9. | ||||
| CVE-2026-24994 | 2 Sunshinephotocart, Wordpress | 2 Sunshine Photo Cart, Wordpress | 2026-02-04 | 5.3 Medium |
| Missing Authorization vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sunshine Photo Cart: from n/a through <= 3.5.7.2. | ||||
| CVE-2026-25020 | 2 Wordpress, Wp Connect | 2 Wordpress, Wp Sync For Notion | 2026-02-04 | 4.3 Medium |
| Missing Authorization vulnerability in WP connect WP Sync for Notion wp-sync-for-notion allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Sync for Notion: from n/a through <= 1.7.0. | ||||
| CVE-2026-25016 | 1 Wordpress | 1 Wordpress | 2026-02-04 | 4.3 Medium |
| Missing Authorization vulnerability in Nelio Software Nelio Popups nelio-popups allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Nelio Popups: from n/a through <= 1.3.5. | ||||
| CVE-2026-24966 | 1 Wordpress | 1 Wordpress | 2026-02-04 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Copyscape Copyscape Premium copyscape-premium allows Cross Site Request Forgery.This issue affects Copyscape Premium: from n/a through <= 1.4.1. | ||||
| CVE-2026-24991 | 1 Wordpress | 1 Wordpress | 2026-02-04 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in HT Plugins Extensions For CF7 extensions-for-cf7 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Extensions For CF7: from n/a through <= 3.4.0. | ||||
| CVE-2026-25019 | 2 Vito Peleg, Wordpress | 2 Atarim, Wordpress | 2026-02-04 | 5.3 Medium |
| Missing Authorization vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Atarim: from n/a through <= 4.3.1. | ||||
| CVE-2026-24982 | 2 Brainstormforce, Wordpress | 2 Spectra, Wordpress | 2026-02-04 | 5.3 Medium |
| Missing Authorization vulnerability in Brainstorm Force Spectra ultimate-addons-for-gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spectra: from n/a through <= 2.19.17. | ||||
| CVE-2026-24990 | 2 Fahad Mahmood, Wordpress | 2 Wp Docs, Wordpress | 2026-02-04 | 5.4 Medium |
| Missing Authorization vulnerability in Fahad Mahmood WP Docs wp-docs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Docs: from n/a through <= 2.2.8. | ||||
| CVE-2026-25010 | 2 Illid, Wordpress | 2 Share This Image, Wordpress | 2026-02-04 | 5.3 Medium |
| Missing Authorization vulnerability in ILLID Share This Image share-this-image allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Share This Image: from n/a through <= 2.09. | ||||
| CVE-2026-24602 | 2 Raptive, Wordpress | 2 Raptive Ads, Wordpress | 2026-02-04 | N/A |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. This is a false positive. According to the vendor, the function identified as a vulnerability is intentional and part of the expected design. | ||||
| CVE-2025-68891 | 2 Ryan Sutana, Wordpress | 2 Wp App Bar, Wordpress | 2026-02-03 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Sutana WP App Bar wp-app-bar allows Reflected XSS.This issue affects WP App Bar: from n/a through <= 1.5. | ||||
| CVE-2025-67937 | 3 Mikado-themes, Qodeinteractive, Wordpress | 3 Hendon, Hendon, Wordpress | 2026-02-03 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Hendon hendon allows PHP Local File Inclusion.This issue affects Hendon: from n/a through < 1.7. | ||||
| CVE-2025-67936 | 3 Mikado-themes, Qodeinteractive, Wordpress | 3 Curly, Curly, Wordpress | 2026-02-03 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly curly allows PHP Local File Inclusion.This issue affects Curly: from n/a through < 3.3. | ||||
| CVE-2025-67935 | 3 Mikado-themes, Qodeinteractive, Wordpress | 3 Optimize, Optimize, Wordpress | 2026-02-03 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Optimize optimizewp allows PHP Local File Inclusion.This issue affects Optimize: from n/a through < 2.4. | ||||
| CVE-2025-67925 | 1 Wordpress | 1 Wordpress | 2026-02-03 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zozothemes Corpkit corpkit allows PHP Local File Inclusion.This issue affects Corpkit: from n/a through <= 2.0. | ||||
| CVE-2025-15525 | 2 Dcooney, Wordpress | 2 Ajax Load More - Infinite Scroll, Load More, & Lazy Load, Wordpress | 2026-02-03 | 5.3 Medium |
| The Ajax Load More – Infinite Scroll, Load More, & Lazy Load plugin for WordPress is vulnerable to unauthorized access of data due to incorrect authorization on the parse_custom_args() function in all versions up to, and including, 7.8.1. This makes it possible for unauthenticated attackers to expose the titles and excerpts of private, draft, pending, scheduled, and trashed posts. | ||||
| CVE-2025-15510 | 2 Webaways, Wordpress | 2 Nex-forms-ultimate-forms-plugin, Wordpress | 2026-02-03 | 5.3 Medium |
| The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5_Export_Forms class constructor in all versions up to, and including, 9.1.8. This makes it possible for unauthenticated attackers to export form configurations, that may include sensitive data, such as email addresses, PayPal API credentials, and third-party integration keys by enumerating the nex_forms_Id parameter. | ||||
| CVE-2025-14554 | 1 Wordpress | 1 Wordpress | 2026-02-03 | 7.2 High |
| The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'orderform_data' AJAX action in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in order records that will execute whenever an administrator accesses the Orders page in the admin dashboard. The vulnerability was partially patched in version 1.5. | ||||
| CVE-2022-50797 | 2 Halfdata, Wordpress | 2 Stripe Green Downloads, Wordpress | 2026-02-03 | 6.4 Medium |
| Stripe Green Downloads Wordpress Plugin 2.03 contains a persistent cross-site scripting vulnerability allowing remote attackers to inject malicious scripts in button label fields. Attackers can exploit input parameters to execute arbitrary scripts, potentially leading to session hijacking and application module manipulation. | ||||