Search Results (13898 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-62870 3 Eupago, Woocommerce, Wordpress 3 Eupago Gateway Woocommerce, Woocommerce, Wordpress 2026-04-15 5.3 Medium
Missing Authorization vulnerability in Eupago Eupago Gateway For Woocommerce eupago-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Eupago Gateway For Woocommerce: from n/a through <= 4.7.1.
CVE-2025-68076 2 Select-themes, Wordpress 2 Stockholm Core, Wordpress 2026-04-15 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Select-Themes Stockholm Core stockholm-core allows Stored XSS.This issue affects Stockholm Core: from n/a through <= 2.4.6.
CVE-2025-62995 2 Multiparcels, Wordpress 2 Multiparcels Shipping For Woocommerce, Wordpress 2026-04-15 4.3 Medium
Missing Authorization vulnerability in multiparcels MultiParcels Shipping For WooCommerce multiparcels-shipping-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MultiParcels Shipping For WooCommerce: from n/a through <= 1.30.12.
CVE-2025-62997 2 Levelfourdevelopment, Wordpress 2 Wp-easycart, Wordpress 2026-04-15 5.3 Medium
Insertion of Sensitive Information Into Sent Data vulnerability in levelfourdevelopment WP EasyCart wp-easycart allows Retrieve Embedded Sensitive Data.This issue affects WP EasyCart: from n/a through <= 5.8.11.
CVE-2022-46845 1 Wordpress 1 Wordpress 2026-04-15 5.3 Medium
Missing Authorization vulnerability in Essential Plugin Slider a SlidersPack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Slider a SlidersPack: from n/a before 2.3.
CVE-2025-68018 3 Ilmosys, Woocommerce, Wordpress 3 Order Listener For Woocommerce, Woocommerce, Wordpress 2026-04-15 9.4 Critical
Missing Authorization vulnerability in StackWC Order Listener for WooCommerce woc-order-alert allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Listener for WooCommerce: from n/a through <= 3.6.1.
CVE-2025-63037 1 Wordpress 1 Wordpress 2026-04-15 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DFDevelopment Ronneby Theme Core ronneby-core allows DOM-Based XSS.This issue affects Ronneby Theme Core: from n/a through <= 1.5.68.
CVE-2025-63044 3 Elementor, Wordpress, Xpro 3 Elementor, Wordpress, Xpro Elementor Addons 2026-04-15 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows DOM-Based XSS.This issue affects Xpro Elementor Addons: from n/a through <= 1.4.19.1.
CVE-2025-63046 2 Cridio, Wordpress 2 Listingpro, Wordpress 2026-04-15 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro listingpro-plugin allows DOM-Based XSS.This issue affects ListingPro: from n/a through <= 2.9.9.
CVE-2025-63047 2 Cridio, Wordpress 2 Listingpro, Wordpress 2026-04-15 5.3 Medium
Missing Authorization vulnerability in CridioStudio ListingPro listingpro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ListingPro: from n/a through <= 2.9.9.
CVE-2025-12630 1 Wordpress 1 Wordpress 2026-04-15 4.9 Medium
The Upload.am WordPress plugin before 1.0.1 is vulnerable to arbitrary option disclosure due to a missing capability check on its AJAX request handler, allowing users such as contributor to view site options.
CVE-2025-11533 1 Wordpress 1 Wordpress 2026-04-15 9.8 Critical
The WP Freeio plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.21. This is due to the process_register() function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.
CVE-2025-63070 2 Shahjada, Wordpress 2 Download Manager, Wordpress 2026-04-15 4.3 Medium
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Shahjada Download Manager download-manager allows Retrieve Embedded Sensitive Data.This issue affects Download Manager: from n/a through <= 3.3.32.
CVE-2025-63076 2 Dream-theme, Wordpress 2 The7, Wordpress 2026-04-15 7.5 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Dream-Theme The7 Elements dt-the7-core allows PHP Local File Inclusion.This issue affects The7 Elements: from n/a through <= 2.7.11.
CVE-2025-68012 1 Wordpress 1 Wordpress 2026-04-15 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dmytro Shteflyuk CodeColorer codecolorer allows Stored XSS.This issue affects CodeColorer: from n/a through <= 0.10.1.
CVE-2025-68004 1 Wordpress 1 Wordpress 2026-04-15 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kapil Chugh My Post Order my-posts-order allows Reflected XSS.This issue affects My Post Order: from n/a through <= 1.2.1.1.
CVE-2025-12394 2 Inisev, Wordpress 2 Backup Migration, Wordpress 2026-04-15 5.9 Medium
The Backup Migration WordPress plugin before 2.0.0 does not properly generate its backup path in certain server configurations, allowing unauthenticated users to fetch a log that discloses the backup filename. The backup archive is then downloadable without authentication.
CVE-2025-67981 2 Thembay, Wordpress 2 Besa, Wordpress 2026-04-15 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa besa allows PHP Local File Inclusion.This issue affects Besa: from n/a through <= 2.3.15.
CVE-2025-12074 2 Postmagthemes, Wordpress 2 Context Blog, Wordpress 2026-04-15 5.3 Medium
The Context Blog theme for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.5 via the 'context_blog_modal_popup' due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
CVE-2025-11504 1 Wordpress 1 Wordpress 2026-04-15 7.5 High
The Quickcreator – AI Blog Writer plugin for WordPress is vulnerable to Sensitive Information Exposure in versions 0.0.9 to 0.1.17 through the /wp-content/plugins/quickcreator/dupasrala.txt file. This makes it possible for unauthenticated attackers to view the plugin's API key and subsequently use that to perform actions on the site like creating new posts and injecting XSS payloads.