Export limit exceeded: 343344 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 343344 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (343344 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-0766 | 1 Envothemes | 1 Envo\'s Elementor Templates \& Widgets For Woocommerce | 2026-04-08 | 4.3 Medium |
| The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the templates_ajax_request function in all versions up to, and including, 1.4.4. This makes it possible for subscribers and higher to create templates. | ||||
| CVE-2024-0708 | 1 Fatcatapps | 1 Landing Page Cat | 2026-04-08 | 5.3 Medium |
| The Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.2. This makes it possible for unauthenticated attackers to access landing pages that may not be public. | ||||
| CVE-2024-0698 | 1 Easyappointments | 1 Easy\!appointments | 2026-04-08 | 6.4 Medium |
| The Easy!Appointments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'easyappointments' shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-0697 | 1 Softaculous | 1 Backuply | 2026-04-08 | 6.5 Medium |
| The Backuply – Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.2.3 via the node_id parameter in the backuply_get_jstree function. This makes it possible for attackers with administrator privileges or higher to read the contents of arbitrary files on the server, which can contain sensitive information. | ||||
| CVE-2024-0691 | 1 Ninjateam | 1 Filebird | 2026-04-08 | 5.5 Medium |
| The FileBird plugin for WordPress is vulnerable to Stored Cross-Site Scripting via imported folder titles in all versions up to, and including, 5.5.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. It may also be possible to socially engineer an administrator into uploading a malicious folder import. | ||||
| CVE-2024-0685 | 1 Ninjaforms | 1 Ninja Forms | 2026-04-08 | 5.9 Medium |
| The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Second Order SQL Injection via the email address value submitted through forms in all versions up to, and including, 3.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to inject SQL in their email address that will append additional into the already existing query when an administrator triggers a personal data export. | ||||
| CVE-2024-0682 | 1 Theandystratton | 2 Page Restrict, Pagerestrict | 2026-04-08 | 5.3 Medium |
| The Page Restrict plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 2.5.5. This is due to the plugin not properly restricting access to posts via the REST API when a page has been made private. This makes it possible for unauthenticated attackers to view protected posts. | ||||
| CVE-2024-0680 | 1 Wpexpertdeveloper | 1 Wp Private Content Plus | 2026-04-08 | 5.3 Medium |
| The WP Private Content Plus plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 3.6. This is due to the plugin not properly restricting access to posts via the REST API when a page has been made private. This makes it possible for unauthenticated attackers to view protected posts. | ||||
| CVE-2024-0678 | 1 Tychesoftwares | 2 Order Delivery Date For Woocommerce, Order Delivery Date For Wp E-commerce | 2026-04-08 | 6.5 Medium |
| The Order Delivery Date for WP e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'available-days-tf' parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Please note this only affects the version of the "order-delivery-date" plugin for WP Ecommerce which was hosted in the WordPress repository and is discontinued now. The version of the plugin hosted off of the repository titled 'Order Delivery Date' for WooCommerce is not affected. | ||||
| CVE-2024-0665 | 1 Marvinlabs | 1 Wp Customer Area | 2026-04-08 | 6.1 Medium |
| The WP Customer Area plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 8.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-0664 | 1 Mekshq | 1 Meks Smart Social Widget | 2026-04-08 | 4.4 Medium |
| The Meks Smart Social Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Meks Smart Social Widget in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2024-0657 | 1 Internallinkjuicer | 1 Internal Link Juicer | 2026-04-08 | 4.4 Medium |
| The Internal Link Juicer: SEO Auto Linker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings such as 'ilj_settings_field_links_per_page' in all versions up to, and including, 2.23.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2024-0653 | 1 Wpgogo | 1 Custom Field Template | 2026-04-08 | 4.4 Medium |
| The Custom Field Template plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2024-0632 | 2026-04-08 | 4.4 Medium | ||
| The Automatic Translator with Google Translate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom font setting in all versions up to, and including, 1.5.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2024-0630 | 1 Wprssaggregator | 1 Wp Rss Aggregator | 2026-04-08 | 4.4 Medium |
| The WP RSS Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the RSS feed source in all versions up to, and including, 4.23.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2024-0627 | 1 Wpgogo | 1 Custom Field Template | 2026-04-08 | 6.4 Medium |
| The Custom Field Template plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom field name column in all versions up to, and including, 2.6.1 due to insufficient input sanitization and output escaping on user supplied custom fields. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-0626 | 2 Woocommerce, Zaytech | 2 Woocommerce, Woocommerce Clover Payment Gateway | 2026-04-08 | 5.3 Medium |
| The WooCommerce Clover Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the callback_handler function in all versions up to, and including, 1.3.1. This makes it possible for unauthenticated attackers to mark orders as paid. | ||||
| CVE-2024-0623 | 1 Vektor-inc | 1 Vk Block Patterns | 2026-04-08 | 4.3 Medium |
| The VK Block Patterns plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.31.1.1. This is due to missing or incorrect nonce validation on the vbp_clear_patterns_cache() function. This makes it possible for unauthenticated attackers to clear the patterns cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2024-0621 | 1 Simplesharebuttons | 1 Simple Share Buttons Adder | 2026-04-08 | 4.4 Medium |
| The Simple Share Buttons Adder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.4.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2024-0620 | 2 Bwps, Passwordprotectwp | 2 Ppwp, Password Protect Wordpress | 2026-04-08 | 5.3 Medium |
| The PPWP – Password Protect Pages plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.9 via API. This makes it possible for unauthenticated attackers to obtain post titles, IDs, slugs as well as other information including for password-protected posts. | ||||