Export limit exceeded: 11824 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11824 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-67977 | 2 Villatheme, Wordpress | 2 Happy, Wordpress | 2026-04-15 | 8.2 High |
| Missing Authorization vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HAPPY: from n/a through <= 1.0.8. | ||||
| CVE-2025-12117 | 2 Thinkupthemes, Wordpress | 2 Renden, Wordpress | 2026-04-15 | 6.4 Medium |
| The Renden theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-12123 | 3 Trustindex, Woocommerce, Wordpress | 3 Customer Reviews Collector For Woocommerce, Woocommerce, Wordpress | 2026-04-15 | 6.1 Medium |
| The Customer Reviews Collector for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email-text' parameter in all versions up to, and including, 4.6.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-12126 | 2 Ryanmoyer, Wordpress | 2 The Total Book Project, Wordpress | 2026-04-15 | 5.4 Medium |
| The The Total Book Project plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0 via several functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform several actions like moving/deleting/creating chapters in books that do not belong to them. | ||||
| CVE-2025-12128 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The Hide Categories Or Products On Shop Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7. This is due to missing or incorrect nonce validation on the save_data_hcps() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-12129 | 2 Cubewp, Wordpress | 2 Cubewp, Wordpress | 2026-04-15 | 5.3 Medium |
| The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to. | ||||
| CVE-2025-12132 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The WP Custom Admin Login Page Logo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.8.4. This is due to missing or incorrect nonce validation on the wpclpl_save functionality. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-12133 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The EPROLO Dropshipping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data AJAX endpoints in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify and delete tracking data. | ||||
| CVE-2025-12137 | 2 Jcollings, Wordpress | 2 Import Wp, Wordpress | 2026-04-15 | 4.9 Medium |
| The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.14.16. This is due to the plugin's REST API endpoint accepting arbitrary absolute file paths without proper validation in the 'attach_file()' function when handling 'file_local' actions. This makes it possible for authenticated attackers, with administrator-level access and above, to read arbitrary files on the server's filesystem, including sensitive configuration files and system files via the 'local_url' parameter. | ||||
| CVE-2025-12139 | 2 Princeahmed, Wordpress | 2 File Manager For Google Drive, Wordpress | 2026-04-15 | 7.5 High |
| The File Manager for Google Drive – Integrate Google Drive with WordPress plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.5.3 via the "get_localize_data" function. This makes it possible for unauthenticated attackers to extract sensitive data including Google OAuth credentials (client_id and client_secret) and Google account email addresses. | ||||
| CVE-2025-67978 | 2 Fixbd, Wordpress | 2 Educare, Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FixBD Educare educare allows Reflected XSS.This issue affects Educare: from n/a through <= 1.6.1. | ||||
| CVE-2025-12158 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 9.8 Critical |
| The Simple User Capabilities plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the suc_submit_capabilities() function in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to elevate the role of any user account to administrator. | ||||
| CVE-2025-67980 | 2 Thembay, Wordpress | 2 Hara, Wordpress | 2026-04-15 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion.This issue affects Hara: from n/a through <= 1.2.17. | ||||
| CVE-2025-12160 | 2 N-media, Wordpress | 2 Simple User Registration, Wordpress | 2026-04-15 | 7.2 High |
| The Simple User Registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpr_admin_msg' parameter in all versions up to, and including, 6.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-12168 | 2 Memsource, Wordpress | 2 Phrase Tms Integration For Wordpress, Wordpress | 2026-04-15 | 4.3 Medium |
| The Phrase TMS Integration for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_delete_log' AJAX endpoint in all versions up to, and including, 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete log files. | ||||
| CVE-2025-12171 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| The RESTful Content Syndication plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ingest_image() function in versions 1.1.0 to 1.5.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. This requires the attacker have access to a defined third-party server as specified in the settings, so it is unlikely that this will be exploitable by contributor-level users, and more likely to be exploited by administrators who also have access to the plugin's settings. | ||||
| CVE-2025-12175 | 2 Stellarwp, Wordpress | 2 The Events Calendar, Wordpress | 2026-04-15 | 4.3 Medium |
| The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'tec_qr_code_modal' AJAX endpoint in all versions up to, and including, 6.15.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view draft event names and generate/view QR codes for them. | ||||
| CVE-2025-67981 | 2 Thembay, Wordpress | 2 Besa, Wordpress | 2026-04-15 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa besa allows PHP Local File Inclusion.This issue affects Besa: from n/a through <= 2.3.15. | ||||
| CVE-2025-12177 | 2 Codename065, Wordpress | 2 Download Manager Plugin, Wordpress | 2026-04-15 | 5.3 Medium |
| The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a hardcoded Cron key used in the deleteExpired() and clearTempDataCPCron() functions in all versions up to, and including, 3.3.30. This makes it possible for unauthenticated attackers to trigger these cron jobs leading to deletion of expired posts and clearing cache. | ||||
| CVE-2025-12178 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The SpiceForms Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spiceforms' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||