Export limit exceeded: 344777 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 344777 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (344777 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-8561 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Ova Advent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-8575 | 2 Lws, Wordpress | 2 Lws Cleaner, Wordpress | 2026-04-15 | 7.2 High |
| The LWS Cleaner plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'lws_cl_delete_file' function in all versions up to, and including, 2.4.1.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | ||||
| CVE-2025-8607 | 2 Funnelkit, Wordpress | 2 Slingblocks, Wordpress | 2026-04-15 | 6.4 Medium |
| The SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown block's attributes in all versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-23237 | 2026-04-15 | N/A | ||
| Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If a user logs in to CLI of the affected product, an arbitrary OS command may be executed. | ||||
| CVE-2025-32631 | 2026-04-15 | N/A | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in oxygensuite Oxygen MyData for WooCommerce oxygen-mydata allows Path Traversal.This issue affects Oxygen MyData for WooCommerce: from n/a through <= 1.0.64. | ||||
| CVE-2025-8676 | 2 Bplugins, Wordpress | 2 B Slider, Wordpress | 2026-04-15 | 4.3 Medium |
| The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Sensitive Information Exposure in versions less than, or equal to, 2.0.0 via the get_active_plugins function. This makes it possible for authenticated attackers, with subscriber-level access and above to extract sensitive data including installed plugin information. | ||||
| CVE-2025-8687 | 3 Elementor, Themelooks, Wordpress | 3 Elementor, Enter Addons, Wordpress | 2026-04-15 | 6.4 Medium |
| The Enter Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown and Image Comparison widgets in all versions up to, and including, 2.2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-8719 | 2026-04-15 | 6.4 Medium | ||
| The Translate This gTranslate Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘base_lang’ parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-23244 | 1 Nvidia | 1 Gpu Display Driver | 2026-04-15 | 7.8 High |
| NVIDIA GPU Display Driver for Linux contains a vulnerability which could allow an unprivileged attacker to escalate permissions. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. | ||||
| CVE-2025-32633 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in neoslab Database Toolset database-toolset allows Path Traversal.This issue affects Database Toolset: from n/a through <= 1.8.4. | ||||
| CVE-2025-8867 | 2 Elementor, Wordpress | 2 Elementor, Wordpress | 2026-04-15 | 6.4 Medium |
| The Graphina - Elementor Charts and Graphs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple chart widget parameters in version 3.1.3 and below. This is due to insufficient input sanitization and output escaping on user supplied attributes such as chart categories, titles, and tooltip settings. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-8905 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.3 Medium |
| The Inpersttion For Theme plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0 via the theme_section_shortcode() function. This is due to the plugin not restricting what functions can be called. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server which is limited to arbitrary functions without any user supplied parameters. | ||||
| CVE-2025-9030 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.4 Medium |
| The Majestic Before After Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before_label' and 'after_label' parameters in versions less than, or equal to, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-9163 | 2 Favethemes, Wordpress | 2 Houzez, Wordpress | 2026-04-15 | 6.1 Medium |
| The Houzez theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping in the houzez_property_img_upload() and houzez_property_attachment_upload() functions. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||
| CVE-2025-9191 | 2 Favethemes, Wordpress | 2 Houzez, Wordpress | 2026-04-15 | 6.3 Medium |
| The Houzez theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.6 via deserialization of untrusted input in saved-search-item.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | ||||
| CVE-2025-9202 | 2 Themegrill, Wordpress | 2 Colormag, Wordpress | 2026-04-15 | 4.3 Medium |
| The ColorMag theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the welcome_notice_import_handler() function in all versions up to, and including, 4.0.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the ThemeGrill Demo Importer plugin. | ||||
| CVE-2025-9378 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Vayu Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple attributes in the Lottie block in all versions up to, and including, 1.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-9776 | 2 Catfolders, Wordpress | 2 Tame Your Wordpress Media Library Plugin, Wordpress | 2026-04-15 | 6.5 Medium |
| The CatFolders – Tame Your WordPress Media Library by Category plugin for WordPress is vulnerable to time-based SQL Injection via the CSV Import contents in all versions up to, and including, 2.5.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-9857 | 2 Heateor, Wordpress | 2 Social Login, Wordpress | 2026-04-15 | 6.4 Medium |
| The Heateor Login – Social Login Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'Heateor_Facebook_Login' shortcode in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-9886 | 2 Sergiotrinity, Wordpress | 2 Trinity Audio, Wordpress | 2026-04-15 | 4.3 Medium |
| The Trinity Audio – Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.20.2. This is due to missing or incorrect nonce validation in the '/admin/inc/post-management.php' file. This makes it possible for unauthenticated attackers to activate/deactivate posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||