ReportizFlow
Filtered by vendor Wordpress
Subscriptions
Total
11479 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-28688 | 2 Themehunk, Wordpress | 2 Variation Swatches, Wordpress | 2026-01-09 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in ThemeHunk TH Variation Swatches allows Cross Site Request Forgery.This issue affects TH Variation Swatches: from n/a through 1.2.7. | ||||
| CVE-2024-31428 | 2 Rarathemes, Wordpress | 2 The Conference, Wordpress | 2026-01-09 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme The Conference.This issue affects The Conference: from n/a through 1.2.0. | ||||
| CVE-2024-31384 | 2 Rarathemes, Wordpress | 2 Spa And Salon, Wordpress | 2026-01-09 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Spa and Salon.This issue affects Spa and Salon: from n/a through 1.2.7. | ||||
| CVE-2024-33537 | 2 Themehorse, Wordpress | 2 Wp Portfolio, Wordpress | 2026-01-09 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Theme Horse WP Portfolio allows Stored XSS.This issue affects WP Portfolio: from n/a through 2.4. | ||||
| CVE-2025-14072 | 3 Ninjaforma, Ninjaforms, Wordpress | 3 Ninja Forms, Ninja Forms, Wordpress | 2026-01-09 | 5.3 Medium |
| The Ninja Forms WordPress plugin before 3.13.3 allows unauthenticated attackers to generate valid access tokens via the REST API which can then be used to read form submissions. | ||||
| CVE-2025-9637 | 2 Expresstech, Wordpress | 2 Quiz And Survey Master, Wordpress | 2026-01-09 | 6.5 Medium |
| The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability and status checks on multiple functions in all versions up to, and including, 10.3.1. This makes it possible for unauthenticated attackers to view the details of unpublished, private, or password-protected quizzes, as well as submit file responses to questions from those quizzes, which allow file upload. | ||||
| CVE-2025-13679 | 2 Themeum, Wordpress | 2 Tutor Lms, Wordpress | 2026-01-09 | 6.5 Medium |
| The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate order IDs and exfiltrate sensitive data (PII), such as student name, email address, phone number, and billing address. | ||||
| CVE-2025-9318 | 2 Expresstech, Wordpress | 2 Quiz And Survey Master, Wordpress | 2026-01-09 | 6.5 Medium |
| The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to time-based SQL Injection via the ‘is_linking’ parameter in all versions up to, and including, 10.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-9294 | 2 Expresstech, Wordpress | 2 Quiz And Survey Master, Wordpress | 2026-01-09 | 4.3 Medium |
| The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the qsm_dashboard_delete_result function in all versions up to, and including, 10.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete quiz results. | ||||
| CVE-2024-2904 | 2 Extendthemes, Wordpress | 2 Calliope, Wordpress | 2026-01-08 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Extend Themes Calliope.This issue affects Calliope: from n/a through 1.0.33. | ||||
| CVE-2024-29796 | 2 Hot-themes, Wordpress | 2 Hot Random Image, Wordpress | 2026-01-08 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hot Themes Hot Random Image allows Stored XSS.This issue affects Hot Random Image: from n/a through 1.8.1. | ||||
| CVE-2023-50897 | 2 Meow Apps, Wordpress | 2 Media File Renamer, Wordpress | 2026-01-08 | 9.1 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Meow Apps Media File Renamer allows Using Malicious Files.This issue affects Media File Renamer: from n/a through 5.7.7. | ||||
| CVE-2025-9543 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 3.5 Low |
| The FlexTable WordPress plugin before 3.19.2 does not sanitise and escape the imported links from Google Sheet cells, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2023-49186 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in KlbTheme Machic Core allows DOM-Based XSS.This issue affects Machic Core: from n/a through 1.2.6. | ||||
| CVE-2023-51513 | 2 Infinitumform, Wordpress | 2 Geo Controller, Wordpress | 2026-01-08 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in INTINITUM FORM Geo Controller allows DOM-Based XSS.This issue affects Geo Controller: from n/a through 8.5.2. | ||||
| CVE-2025-14124 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 8.6 High |
| The Team WordPress plugin before 5.0.11 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. | ||||
| CVE-2023-52212 | 2 Automattic, Wordpress | 2 Wp Job Manager, Wordpress | 2026-01-08 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Automattic WP Job Manager allows Cross Site Request Forgery.This issue affects WP Job Manager: from n/a through 2.0.0. | ||||
| CVE-2025-13812 | 2 Gamipress, Wordpress | 2 Gamipress, Wordpress | 2026-01-08 | 4.3 Medium |
| The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the gamipress_ajax_get_posts and gamipress_ajax_get_users functions in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate users, including their email addresses and to retrieve titles of private posts. | ||||
| CVE-2025-12648 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 5.3 Medium |
| The WP-Members Membership Plugin for WordPress is vulnerable to unauthorized file access in versions up to, and including, 3.5.4.4. This is due to storing user-uploaded files in predictable directories (wp-content/uploads/wpmembers/user_files/<user_id>/) without implementing proper access controls beyond basic directory listing protection (.htaccess with Options -Indexes). This makes it possible for unauthenticated attackers to directly access and download sensitive documents uploaded by site users via direct URL access, granted they can guess or enumerate user IDs and filenames. | ||||
| CVE-2025-14120 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 6.4 Medium |
| The URL Image Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.7 due to insufficient sanitization of SVG files. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||