Export limit exceeded: 366043 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (12796 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-1088 | 2 Geek Code Lab, Rajkakadiya | 2 Password Protected Store, Password Protected Store For Woocommerce | 2026-04-08 | 5.3 Medium |
| The Password Protected Store for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive data including post titles and content. | ||||
| CVE-2024-1044 | 1 Cusrev | 1 Customer Reviews For Woocommerce | 2026-04-08 | 5.3 Medium |
| The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'submit_review' function in all versions up to, and including, 5.38.12. This makes it possible for unauthenticated attackers to submit reviews with arbitrary email addresses regardless of whether reviews are globally enabled. | ||||
| CVE-2024-13771 | 1 Uxper | 1 Civi | 2026-04-08 | 9.8 Critical |
| The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of user validation before changing a password. This makes it possible for unauthenticated attackers to change the password of arbitrary users, including administrators, if the attacker knows the username of the victim. | ||||
| CVE-2024-11868 | 1 Thimpress | 1 Learnpress | 2026-04-08 | 5.3 Medium |
| The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.3 via class-lp-rest-material-controller.php. This makes it possible for unauthenticated attackers to extract potentially sensitive paid course material. | ||||
| CVE-2024-10284 | 1 Ce21 | 2 Ce21-suite, Ce21 Suite | 2026-04-08 | 9.8 Critical |
| The CE21 Suite plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.2.0. This is due to hardcoded encryption key in the 'ce21_authentication_phrase' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. | ||||
| CVE-2024-0978 | 2 Wordpress, Zatzlabs | 2 Wordpress, My Private Site | 2026-04-08 | 5.3 Medium |
| The My Private Site plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.14 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's site privacy feature and view restricted page and post content. | ||||
| CVE-2024-0975 | 1 Brandonwamboldt | 1 Wordpress Access Control | 2026-04-08 | 5.3 Medium |
| The WordPress Access Control plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.13 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's "Make Website Members Only" feature (when unset) and view restricted page and post content. | ||||
| CVE-2024-0766 | 1 Envothemes | 1 Envo\'s Elementor Templates \& Widgets For Woocommerce | 2026-04-08 | 4.3 Medium |
| The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the templates_ajax_request function in all versions up to, and including, 1.4.4. This makes it possible for subscribers and higher to create templates. | ||||
| CVE-2024-0453 | 1 Quantumcloud | 1 Wpbot | 2026-04-08 | 5 Medium |
| The AI ChatBot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the openai_file_delete_callback function in all versions up to, and including, 5.3.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete files from a linked OpenAI account. | ||||
| CVE-2024-0452 | 1 Quantumcloud | 1 Wpbot | 2026-04-08 | 5 Medium |
| The AI ChatBot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the openai_file_upload_callback function in all versions up to, and including, 5.3.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload files to a linked OpenAI account. | ||||
| CVE-2024-0374 | 1 Formviewswp | 1 Views For Wpforms | 2026-04-08 | 4.3 Medium |
| The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.2. This is due to missing or incorrect nonce validation on the 'create_view' function. This makes it possible for unauthenticated attackers to create views via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-0370 | 1 Formviewswp | 1 Views For Wpforms | 2026-04-08 | 4.3 Medium |
| The Views for WPForms – Display & Edit WPForms Entries on your site frontend plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_view' function in all versions up to, and including, 3.2.2. This makes it possible for authenticated attackers, with subscriber access and above, to modify the titles of arbitrary posts. | ||||
| CVE-2023-6966 | 1 Themoneytizer | 1 The Moneytizer | 2026-04-08 | 8.1 High |
| The The Moneytizer plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on multiple AJAX functions in the /core/core_ajax.php file in all versions up to, and including, 9.6.3. This makes it possible for authenticated attackers, with subscriber access and above, to update and retrieve billing and bank details, update and reset the plugin's settings, and update languages as well as other lower-severity actions. | ||||
| CVE-2023-6878 | 1 Leechesnutt | 1 Slick Social Share Buttons | 2026-04-08 | 8.8 High |
| The Slick Social Share Buttons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'dcssb_ajax_update' function in versions up to, and including, 2.4.11. This makes it possible for authenticated attackers, with subscriber-level permissions or above to update the site options arbitrarily. | ||||
| CVE-2023-6785 | 1 W3eden | 1 Download Manager | 2026-04-08 | 5.3 Medium |
| The Download Manager plugin for WordPress is vulnerable to unauthorized file download of files added via the plugin in all versions up to, and including, 3.2.84. This makes it possible for unauthenticated attackers to download files added with the plugin (even when privately published). | ||||
| CVE-2023-6733 | 1 Butlerblog | 1 Wp-members | 2026-04-08 | 6.5 Medium |
| The WP-Members Membership Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.4.8 via the wpmem_field shortcode. This makes it possible for authenticated attackers, with contributor access and above, to extract sensitive data including user emails, password hashes, usernames, and more. | ||||
| CVE-2023-4243 | 1 Full | 1 Full - Customer | 2026-04-08 | 8.8 High |
| The FULL - Customer plugin for WordPress is vulnerable to Arbitrary File Upload via the /install-plugin REST route in versions up to, and including, 2.2.3 due to improper authorization. This allows authenticated attackers with subscriber-level permissions and above to execute code by installing plugins from arbitrary remote locations including non-repository sources onto the site, granted they are packaged as a valid WordPress plugin. | ||||
| CVE-2023-3957 | 1 Navz | 1 Acf Photo Gallery Field | 2026-04-08 | 4.3 Medium |
| The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient restriction on the 'apg_profile_update' function in versions up to, and including, 1.9. This makes it possible for authenticated attackers, with subscriber-level permissions or above, to update the user metas arbitrarily. The meta value can only be a string. | ||||
| CVE-2023-3162 | 1 Webtoffee | 1 Stripe Payment Plugin For Woocommerce | 2026-04-08 | 9.8 Critical |
| The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.7.7. This is due to insufficient verification on the user being supplied during a Stripe checkout through the plugin. This allows unauthenticated attackers to log in as users who have orders, who are typically customers. | ||||
| CVE-2023-2986 | 1 Tychesoftwares | 1 Abandoned Cart Lite For Woocommerce | 2026-04-08 | 9.8 Critical |
| The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.14.2. This is due to insufficient encryption on the user being supplied during the abandoned cart link decode through the plugin. This allows unauthenticated attackers to log in as users who have abandoned the cart, who are typically customers. Further security hardening was introduced in version 5.15.1 that ensures sites are no longer vulnerable through historical check-out links, and additional hardening was introduced in version 5.15.2 that ensured null key values wouldn't permit the authentication bypass. | ||||