Export limit exceeded: 343523 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 10396 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10396 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-13717 | 2 Ashishajani, Wordpress | 2 Contact Form Vcard Generator, Wordpress | 2026-04-08 | 5.3 Medium |
| The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wp_gvccf_check_download_request' function in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to export sensitive Contact Form 7 submission data via the 'wp-gvc-cf-download-id' parameter, including names, phone numbers, email addresses, and messages. | ||||
| CVE-2024-5326 | 2026-04-08 | 8.8 High | ||
| The Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'postx_presets_callback' function in all versions up to, and including, 4.1.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator. | ||||
| CVE-2024-5324 | 1 Xootix | 4 Login\/signup Popup, Otp Login Woocommerce \& Gravity Forms, Side Cart Woocommerce and 1 more | 2026-04-08 | 8.8 High |
| Multiple plugins for WordPress utilizing the XootiX Framework are vulnerable to unauthorized modification of data due to a missing capability check on the 'import_settings' function in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator. | ||||
| CVE-2024-4858 | 2 Uapp, Uapp Group | 2 Testimonial Carousel For Elementor, Testimonial Carousel For Elementor | 2026-04-08 | 5.3 Medium |
| The Testimonial Carousel For Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_testimonials_option_callback' function in versions up to, and including, 10.2.0. This makes it possible for unauthenticated attackers to update the OpenAI API key, disabling the feature. | ||||
| CVE-2024-4788 | 1 Woostify | 1 Boostify Header Footer Builder For Elementor | 2026-04-08 | 4.3 Medium |
| The Boostify Header Footer Builder for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_bhf_post function in all versions up to, and including, 1.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to create pages or posts with arbitrary content. | ||||
| CVE-2024-13752 | 1 Wedevs | 1 Wp Project Manager | 2026-04-08 | 6.5 Medium |
| The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check in the '/pm/v2/settings/notice' endpoint all versions up to, and including, 2.6.17. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cause a persistent denial of service condition. | ||||
| CVE-2024-4661 | 1 Webfactoryltd | 1 Wp Reset | 2026-04-08 | 4.3 Medium |
| The WP Reset plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_ajax function in all versions up to, and including, 2.02. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the value fo the 'License Key' field for the 'Activate Pro License' setting. | ||||
| CVE-2024-4450 | 1 Ali2woo | 1 Aliexpress Dropshipping With Alinext | 2026-04-08 | 6.3 Medium |
| The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ImportAjaxController.php file in all versions up to, and including, 3.3.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several actions like importing and modifying products. CVE-2024-37210 is likely a duplicate of this issue. | ||||
| CVE-2024-4422 | 1 Comparisonslider | 1 Comparison Slider | 2026-04-08 | 6.4 Medium |
| The Comparison Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the slider title parameter in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-4410 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 5.4 Medium |
| The IgnitionDeck Crowdfunding Platform plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.9.8. This is due to missing capability checks on various functions called via AJAX actions in the ~/classes/class-idf-wizard.php file. This makes it possible for authenticated attackers, with subscriber access or higher, to execute various AJAX actions. This includes actions to change the permalink structure, plugin settings and others. | ||||
| CVE-2024-4319 | 2026-04-08 | 5.3 Medium | ||
| The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz_cf7_export_to_excel' function in versions up to, and including, 2.0.2. This makes it possible for unauthenticated attackers to download the entry data for submitted forms. | ||||
| CVE-2024-4280 | 2 Videousermanuals, Wordpress | 2 White-label-cms, Wordpress | 2026-04-08 | 5.3 Medium |
| The White Label CMS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_plugin function in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to reset plugin settings. | ||||
| CVE-2024-4205 | 1 Leap13 | 1 Premium Addons For Elementor | 2026-04-08 | 4.3 Medium |
| The Premium Addons for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_template_content() function in all versions up to, and including, 4.10.31. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve Elementor template data. | ||||
| CVE-2024-4010 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2026-04-08 | 8.8 High |
| The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on the handle_ajax_request function in all versions up to, and including, 5.7.19. This makes it possible for authenticated attackers, with subscriber-level access and above, to cause a loss of confidentiality, integrity, and availability, by performing multiple unauthorized actions. Some of these actions could also be leveraged to conduct PHP Object Injection and SQL Injection attacks. | ||||
| CVE-2024-3957 | 1 Booster | 1 Booster For Woocommerce | 2026-04-08 | 6.5 Medium |
| The Booster for WooCommerce plugin is vulnerable to Unauthenticated Arbitrary Shortcode Execution in versions up to, and including, 7.1.8. This allows unauthenticated attackers to execute arbitrary shortcodes. The severity and exploitability depends on what other plugins are installed and what shortcode functionality they provide. | ||||
| CVE-2024-3678 | 1 Adenion | 1 Blog2social | 2026-04-08 | 5.3 Medium |
| The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.4.2. This makes it possible for unauthenticated attackers to view limited information from password protected posts. | ||||
| CVE-2024-3663 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 4.3 Medium |
| The WP Scraper plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wp_scraper_multi_scrape_action() function in all versions up to, and including, 5.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary pages and posts. | ||||
| CVE-2024-3627 | 1 Kraftplugins | 1 Wheel Of Life | 2026-04-08 | 5.4 Medium |
| The Wheel of Life: Coaching and Assessment Tool for Life Coach plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on several functions in the AjaxFunctions.php file in all versions up to, and including, 1.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts and modify settings. | ||||
| CVE-2025-1502 | 2026-04-08 | 5.3 Medium | ||
| The IP2Location Redirection plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'download_ip2location_redirection_backup' AJAX action in all versions up to, and including, 1.33.3. This makes it possible for unauthenticated attackers to download the plugin's settings. | ||||
| CVE-2024-3608 | 1 Pickplugins | 1 Product Designer | 2026-04-08 | 5.3 Medium |
| The Product Designer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the product_designer_ajax_delete_attach_id() function in all versions up to, and including, 1.0.33. This makes it possible for unauthenticated attackers to delete arbitrary attachments. CVE-2024-38726 appears to be a duplicate of this issue. | ||||