Export limit exceeded: 11973 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11973 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-10406 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.5 Medium |
| The BlindMatrix e-Commerce WordPress plugin before 3.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users, such as contributors, to perform LFI attacks. | ||||
| CVE-2025-64245 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| Missing Authorization vulnerability in ryanpcmcquen Import external attachments import-external-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Import external attachments: from n/a through <= 1.5.12. | ||||
| CVE-2025-10567 | 2 Funnelkit, Wordpress | 2 Funnel Builder, Wordpress | 2026-04-15 | 6.3 Medium |
| The FunnelKit WordPress plugin before 3.12.0.1 does not sanitize user input before echoing it back in some of its checkout-related AJAX actions, allowing attackers to conduct reflected XSS attacks against logged-in users. | ||||
| CVE-2025-10648 | 2 Cyberlord92, Wordpress | 2 Yourmembership Single Sign On, Wordpress | 2026-04-15 | 5.3 Medium |
| The YourMembership Single Sign On – YM SSO Login plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'moym_display_test_attributes' function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to read the profile data of the latest SSO login. | ||||
| CVE-2025-10660 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| The WP Dashboard Chat plugin for WordPress is vulnerable to SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-64633 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in colabrio Norebro Extra norebro-extra allows Code Injection.This issue affects Norebro Extra: from n/a through <= 1.6.8. | ||||
| CVE-2025-11620 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.2 High |
| The Multiple Roles per User plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mrpu_add_multiple_roles_ui' and 'mrpu_save_multiple_user_roles' functions in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, granted the 'edit_users' capability, to edit any user's role, including promoting users to Administrator and demoting Administrators to lower-privileged roles. | ||||
| CVE-2025-12411 | 2 Premmerce, Wordpress | 2 Wholesale Pricing For Woocommerce, Wordpress | 2026-04-15 | 7.1 High |
| The Premmerce Wholesale Pricing for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'ID' parameter in versions up to, and including, 1.1.10. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber level access and above, to manipulate SQL queries that can be used to extract sensitive information from the database and modify price type display names in the database via the admin-post.php "premmerce_update_price_type" action, causing cosmetic corruption of the admin interface. The 'price_type' parameter of the "premmerce_delete_price_type" is also vulnerable. | ||||
| CVE-2025-10916 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 9.1 Critical |
| The FormGent WordPress plugin before 1.0.4 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. | ||||
| CVE-2025-11174 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| The Document Library Lite plugin for WordPress is vulnerable to Improper Authorization in all versions up to, and including, 1.1.6. This is due to the plugin exposing an unauthenticated AJAX action dll_load_posts which returns a JSON table of document data without performing nonce or capability checks. The handler accepts an attacker-controlled args array where the status option explicitly allows draft, pending, future, and any. This makes it possible for unauthenticated attackers to retrieve unpublished document titles and content via the AJAX endpoint. | ||||
| CVE-2025-66120 | 2 Catfolders, Wordpress | 2 Catfolders, Wordpress | 2026-04-15 | 5.3 Medium |
| Missing Authorization vulnerability in CatFolders CatFolders catfolders allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CatFolders: from n/a through <= 2.5.3. | ||||
| CVE-2025-66126 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| Insertion of Sensitive Information Into Sent Data vulnerability in wowpress.host Fix Media Library wow-media-library-fix allows Retrieve Embedded Sensitive Data.This issue affects Fix Media Library: from n/a through <= 2.0. | ||||
| CVE-2025-11741 | 2 Wordpress, Wpclever | 2 Wordpress, Wpc Smart Quick View For Woocommerce | 2026-04-15 | 5.3 Medium |
| The WPC Smart Quick View for WooCommerce plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.2.5 via the 'woosq_quickview' AJAX endpoint due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft products that they should not have access to. | ||||
| CVE-2025-11760 | 2 Wordpress, Wpcenter | 2 Wordpress, Eroom | 2026-04-15 | 5.3 Medium |
| The eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams plugin for WordPress is vulnerable to exposure of sensitive information in all versions up to, and including, 1.5.6. This is due to the plugin exposing Zoom SDK secret keys in client-side JavaScript within the meeting view template. This makes it possible for unauthenticated attackers to extract the sdk_secret value, which should remain server-side, compromising the security of the Zoom integration and allowing attackers to generate valid JWT signatures for unauthorized meeting access. | ||||
| CVE-2025-48293 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Dylan Kuhn Geo Mashup geo-mashup allows PHP Local File Inclusion.This issue affects Geo Mashup: from n/a through <= 1.13.16. | ||||
| CVE-2025-11814 | 2 Brainstormforce, Wordpress | 2 Ultimate Addons For Wpbakery Page Builder, Wordpress | 2026-04-15 | 6.4 Medium |
| The Ultimate Addons for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to 3.21.1 (exclusive) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-48297 | 2 Quantumcloud, Wordpress | 2 Simple Link Directory, Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in quantumcloud Simple Link Directory qc-simple-link-directory allows Reflected XSS.This issue affects Simple Link Directory: from n/a through < 14.8.1. | ||||
| CVE-2025-11829 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Five9 Live Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'toolbar' attribute of the [five9-chat] shortcode in all versions up to, and including, 1.1.2. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-48300 | 2 Groundhogg, Wordpress | 2 Groundhogg, Wordpress | 2026-04-15 | N/A |
| Unrestricted Upload of File with Dangerous Type vulnerability in Adrian Tobey Groundhogg groundhogg allows Upload a Web Shell to a Web Server.This issue affects Groundhogg: from n/a through <= 4.2.1. | ||||
| CVE-2025-48302 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Roxnor FundEngine wp-fundraising-donation allows PHP Local File Inclusion.This issue affects FundEngine: from n/a through <= 1.7.4. | ||||