ReportizFlow
Filtered by vendor Wordpress
Subscriptions
Filtered by product Wordpress
Subscriptions
Total
9090 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-13592 | 2 Monetizemore, Wordpress | 2 Advanced Ads, Wordpress | 2026-01-05 | 7.2 High |
| The Advanced Ads plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.0.14 via the 'change-ad__content' shortcode parameter. This allows authenticated attackers with editor-level permissions or above, to execute code on the server. | ||||
| CVE-2025-14312 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 6.1 Medium |
| The Advance WP Query Search Filter WordPress plugin through 1.0.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2025-14313 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 6.1 Medium |
| The Advance WP Query Search Filter WordPress plugin through 1.0.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2025-14426 | 2 Wordpress, Wpchill | 2 Wordpress, Strong Testimonials | 2026-01-05 | 4.3 Medium |
| The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'edit_rating' function in all versions up to, and including, 3.2.18. This makes it possible for authenticated attackers with Contributor-level access and above to modify or delete the rating meta on any testimonial post, including those created by other users, by reusing a valid nonce obtained from their own testimonial edit screen. | ||||
| CVE-2025-13029 | 2 Knowband, Wordpress | 2 Mobile App Builder, Wordpress | 2026-01-05 | 7.5 High |
| The Knowband Mobile App Builder WordPress plugin before 3.0.0 does not have authorisation when deleting users via its REST API, allowing unauthenticated attackers to delete arbitrary users. | ||||
| CVE-2025-14434 | 1 Wordpress | 1 Wordpress | 2026-01-05 | 5.3 Medium |
| The Ultimate Post Kit Addons for Elementor WordPress plugin before 4.0.16 exposes multiple AJAX “load more” endpoints such as upk_alex_grid_loadmore_posts without ensuring that posts to be displayed are published authentication. This allows an unauthenticated attacker to query arbitrary posts and retrieve rendered HTML content of private and unpublished ones. | ||||
| CVE-2025-14783 | 2 Smub, Wordpress | 2 Easy Digital Downloads, Wordpress | 2026-01-05 | 4.3 Medium |
| The Easy Digital Downloads plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.6.2. This is due to insufficient validation on the redirect url supplied via the 'edd_redirect' parameter. This makes it possible for unauthenticated attackers to redirect users with the password reset email to potentially malicious sites if they can successfully trick them into performing an action. | ||||
| CVE-2025-12685 | 3 Iqonic, Iqonicdesign, Wordpress | 3 Wpbookit, Wpbookit, Wordpress | 2026-01-05 | 6.5 Medium |
| The WPBookit WordPress plugin through 1.0.7 lacks a CSRF check when deleting customers. This could allow an unauthenticated attacker to delete any customer through a CSRF attack. | ||||
| CVE-2025-13456 | 2 Shopbuilder, Wordpress | 2 Shopbuilder, Wordpress | 2026-01-05 | 6.1 Medium |
| The ShopBuilder WordPress plugin before 3.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | ||||
| CVE-2025-13153 | 2 Logo Slider Wordpress, Wordpress | 2 Logo Slider Wordpress, Wordpress | 2026-01-05 | 6.1 Medium |
| The Logo Slider WordPress plugin before 4.9.0 does not validate and escape some of its slider options before outputting them back in the dashboard, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2024-6797 | 2 Dyadyalesha, Wordpress | 2 Dl Robots.txt, Wordpress | 2026-01-03 | 4.8 Medium |
| The DL Robots.txt WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2024-6230 | 2 Wordpress, Wp-master | 2 Wordpress, Pardakht-delkhah | 2026-01-02 | 6.5 Medium |
| The پلاگین پرداخت دلخواه WordPress plugin through 2.9.8 does not have CSRF check in place when resetting its form fields, which could allow attackers to make a logged in admin perform such action via a CSRF attack | ||||
| CVE-2024-31211 | 1 Wordpress | 1 Wordpress | 2026-01-02 | 5.5 Medium |
| WordPress is an open publishing platform for the Web. Unserialization of instances of the `WP_HTML_Token` class allows for code execution via its `__destruct()` magic method. This issue was fixed in WordPress 6.4.2 on December 6th, 2023. Versions prior to 6.4.0 are not affected. | ||||
| CVE-2023-23985 | 2 Ays-pro, Wordpress | 2 Quiz Maker, Wordpress | 2026-01-01 | 3.7 Low |
| Missing Authorization vulnerability in Quiz Maker team Quiz Maker.This issue affects Quiz Maker: from n/a through 6.3.9.4. | ||||
| CVE-2024-8914 | 1 Wordpress | 2 Thanh Toan Quet Ma Qr Code Tu Dong, Wordpress | 2025-12-31 | 7.2 High |
| The Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.1 due to incorrect use of the wp_kses_allowed_html function, which allows the 'onclick' attribute for certain HTML elements without sufficient restriction or context validation. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-9582 | 2 Bqworks, Wordpress | 2 Accordion Slider, Wordpress | 2025-12-31 | 6.4 Medium |
| The Accordion Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘html’ attribute of an accordion slider in all versions up to, and including, 1.9.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: Successful exploitation by Contributor-level users requires an Administrator-level user to provide access to the plugin's admin area via the `Access` plugin setting, which is restricted to administrators by default. | ||||
| CVE-2024-56055 | 2 Vibethemes, Wordpress | 2 Wordpress Learning Management System, Wordpress | 2025-12-31 | 8.5 High |
| Path Traversal: '.../...//' vulnerability in VibeThemes WPLMS allows Path Traversal.This issue affects WPLMS: from n/a before 1.9.9.5.2. | ||||
| CVE-2025-14913 | 2 Wordpress, Wpshuffle | 2 Wordpress, Frontend Post Submission Manager | 2025-12-30 | 5.3 Medium |
| The Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to an incorrect authorization check on the 'media_delete_action' function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to delete arbitrary attachments. | ||||
| CVE-2025-13958 | 1 Wordpress | 1 Wordpress | 2025-12-30 | 5.9 Medium |
| The YaMaps for WordPress Plugin WordPress plugin before 0.6.40 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | ||||
| CVE-2025-13407 | 2 Gravityforms, Wordpress | 2 Gravity Forms, Wordpress | 2025-12-30 | 6.8 Medium |
| The Gravity Forms WordPress plugin before 2.9.23.1 does not properly prevent users from uploading dangerous files through its chunked upload functionality, allowing attackers to upload PHP files to affected sites and achieve Remote Code Execution, granted they can discover or enumerate the upload path. | ||||