Export limit exceeded: 346336 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 25149 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (25149 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-2931 | 1 Wpfront | 1 Wpfront User Role Editor | 2026-04-08 | 4.3 Medium |
| The WPFront User Role Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.1.11184 via the wpfront_user_role_editor_assign_roles_user_autocomplete AJAX action. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract retrieve a list of all user email addresses who are registered on the site. | ||||
| CVE-2024-2541 | 2 Popup Builder, Sygnoos | 2 Popup Builder, Popup Builder | 2026-04-08 | 5.3 Medium |
| The Popup Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.6 via the Subscribers Import feature. This makes it possible for unauthenticated attackers to extract sensitive data after an administrator has imported subscribers via a CSV file. This data may include the first name, last name, e-mail address, and potentially other personally identifiable information of subscribers. | ||||
| CVE-2024-2226 | 1 Themeisle | 1 Otter Blocks | 2026-04-08 | 6.4 Medium |
| The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the id parameter in the google-map block in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor access and higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-2106 | 1 Stylemixthemes | 1 Masterstudy Lms | 2026-04-08 | 5.3 Medium |
| The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 3.2.10. This can allow unauthenticated attackers to extract sensitive data including all registered user's username and email addresses which can be used to help perform future attacks. | ||||
| CVE-2024-8978 | 1 Wpdeveloper | 1 Essential Addons For Elementor | 2026-04-08 | 5.7 Medium |
| The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.9 via the 'init_content_register_user_email_controls' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including usernames and passwords of any users who register via the Login | Register Form widget, as long as that user opens the email notification for successful registration. | ||||
| CVE-2024-13568 | 1 Wpmanageninja | 1 Fluent Support | 2026-04-08 | 7.5 High |
| The Fluent Support – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the 'fluent-support' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/fluent-support directory which can contain file attachments included in support tickets. | ||||
| CVE-2024-13538 | 1 Bigbuy | 1 Dropshipping Connector For Woocommerce | 2026-04-08 | 5.3 Medium |
| The BigBuy Dropshipping Connector for WooCommerce plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.0.0. This is due the /vendor/cocur/slugify/bin/generate-default.php file being directly accessible and triggering an error. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. | ||||
| CVE-2024-10321 | 1 Themesgrove | 1 All-in-one Addons For Elementor | 2026-04-08 | 4.3 Medium |
| The All-in-One Addons for Elementor – WidgetKit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.5 in elements/advanced-tab/template/view.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data. | ||||
| CVE-2024-0910 | 2 Restrict, Tickera | 2 Restrict For Elementor, Restrict For Elementor | 2026-04-08 | 5.3 Medium |
| The Restrict for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.7 due to improper restrictions on hidden data that make it accessible through the REST API. This makes it possible for unauthenticated attackers to extract potentially sensitive data from post content. | ||||
| CVE-2024-0616 | 1 Wpchill | 1 Passster | 2026-04-08 | 5.3 Medium |
| The Passster – Password Protect Pages and Content plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.6.2 via API. This makes it possible for unauthenticated attackers to obtain post titles, slugs, IDs, content and other metadata including passwords of password-protected posts and pages. | ||||
| CVE-2023-6922 | 1 Acurax | 1 Under Construction \/ Maintenance Mode | 2026-04-08 | 4.3 Medium |
| The Under Construction / Maintenance Mode from Acurax plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.6 via the 'acx_csma_subscribe_ajax' function. This can allow authenticated attackers to extract sensitive data such as names and email addresses of subscribed visitors. | ||||
| CVE-2023-6781 | 1 Themeisle | 1 Orbit Fox | 2026-04-08 | 6.4 Medium |
| The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom fields in all versions up to, and including, 2.10.26 due to insufficient input sanitization and output escaping on user supplied values. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2023-6266 | 1 Backupbliss | 1 Backup Migration | 2026-04-08 | 7.5 High |
| The Backup Migration plugin for WordPress is vulnerable to unauthorized access of data due to insufficient path and file validation on the BMI_BACKUP case of the handle_downloading function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to download back-up files which can contain sensitive information such as user passwords, PII, database credentials, and much more. | ||||
| CVE-2023-1888 | 1 Wpwax | 1 Directorist | 2026-04-08 | 8.8 High |
| The Directorist plugin for WordPress is vulnerable to an arbitrary user password reset in versions up to, and including, 7.5.4. This is due to a lack of validation checks within login.php. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to reset the password of an arbitrary user and gain elevated (e.g., administrator) privileges. | ||||
| CVE-2022-1186 | 1 Web-x | 1 Be Popia Compliant | 2026-04-08 | 5.3 Medium |
| The WordPress plugin Be POPIA Compliant exposed sensitive information to unauthenticated users consisting of site visitors emails and usernames via an API route, in versions up to an including 1.1.5. | ||||
| CVE-2024-13451 | 1 Bitapps | 1 Bit Form | 2026-04-08 | 5.3 Medium |
| The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.17.4 via file uploads due to insufficient directory listing prevention and lack of randomization of file names. This makes it possible for unauthenticated attackers to extract sensitive data including files uploaded via a form. The vulnerability was partially patched in version 2.17.5. | ||||
| CVE-2024-10356 | 2026-04-08 | 4.3 Medium | ||
| The ElementsReady Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.4.8 in inc/Widgets/accordion/output/content.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data. | ||||
| CVE-2024-12560 | 2026-04-08 | 4.3 Medium | ||
| The Button Block – Get fully customizable & multi-functional buttons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via the 'btn_block_duplicate_post' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract potentially sensitive data from draft, scheduled (future), private, and password protected posts. | ||||
| CVE-2024-9540 | 1 Sinaextra | 1 Sina Extension For Elementor | 2026-04-08 | 4.3 Medium |
| The Sina Extension for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.7 via the render function in widgets/advanced/sina-modal-box.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft Elementor template data. | ||||
| CVE-2024-13525 | 1 Wpfactory | 1 Customer Email Verification For Woocommerce | 2026-04-08 | 6.5 Medium |
| The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4 via Shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including emails as well as hashed passwords of any user. | ||||