Export limit exceeded: 343506 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (343506 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-0926 | 2 Prodigycommerce, Wordpress | 2 Prodigy Commerce, Wordpress | 2026-04-08 | 9.8 Critical |
| The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'parameters[template_name]' parameter. This makes it possible for unauthenticated attackers to include and read arbitrary files or execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | ||||
| CVE-2026-0844 | 2 N-media, Wordpress | 2 Simple User Registration, Wordpress | 2026-04-08 | 8.8 High |
| The Simple User Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 6.7 due to insufficient restriction on the 'profile_save_field' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update. | ||||
| CVE-2026-0736 | 2 Collectchat, Wordpress | 2 Chatbot For Wordpress By Collect.chat ⚡️, Wordpress | 2026-04-08 | 6.4 Medium |
| The Chatbot for WordPress by Collect.chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_inpost_head_script[synth_header_script]' post meta field in all versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-0692 | 2 Hblpay, Wordpress | 2 Payment Gateway For Woocommerce, Wordpress | 2026-04-08 | 7.5 High |
| The BlueSnap Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.4.0. This is due to the plugin relying on WooCommerce's `WC_Geolocation::get_ip_address()` function to validate IPN requests, which trusts user-controllable headers like X-Real-IP and X-Forwarded-For to determine the client IP address. This makes it possible for unauthenticated attackers to bypass IP allowlist restrictions by spoofing a whitelisted BlueSnap IP address and send forged IPN (Instant Payment Notification) data to manipulate order statuses (mark orders as paid, failed, refunded, or on-hold) without proper authorization. | ||||
| CVE-2025-9967 | 2 Gsayed786, Wordpress | 2 Orion Sms Otp Verification, Wordpress | 2026-04-08 | 9.8 Critical |
| The Orion SMS OTP Verification plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.7. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's password to a one-time password if the attacker knows the user's phone number | ||||
| CVE-2025-9889 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 4.3 Medium |
| The ContentMX Content Publisher plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing or incorrect nonce validation on the cmx_activate_connection function. This makes it possible for unauthenticated attackers to bind their own ContentMX connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-9858 | 2 Mtoolstec, Wordpress | 2 Auto Bulb Finder, Wordpress | 2026-04-08 | 6.4 Medium |
| The Auto Bulb Finder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'abf_vehicle' shortcode in all versions up to, and including, 2.8.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-9849 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 6.4 Medium |
| The Html Social share buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'zm_sh_btn' shortcode in all versions up to, and including, 2.1.16 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-9451 | 2 Smartcatai, Wordpress | 2 Smartcat Translator For Wpml Plugin, Wordpress | 2026-04-08 | 6.5 Medium |
| The Smartcat Translator for WPML plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 3.1.72 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-9243 | 2 Stylemixthemes, Wordpress | 2 Cost Calculator Builder, Wordpress | 2026-04-08 | 8.1 High |
| The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorizedmodification of data due to a missing capability check on the get_cc_orders and update_order_status functions in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access order management functions and modify order status. | ||||
| CVE-2025-9204 | 2 Pencilwp, Wordpress | 2 X Addons For Elementor, Wordpress | 2026-04-08 | 6.4 Medium |
| The X Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Youtube Video ID field in all versions up to, and including, 1.0.16. This is due to insufficient input sanitization and output escaping on the Youtube Video ID parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an affected page. | ||||
| CVE-2025-9128 | 2 Eideasy, Wordpress | 2 Eid Easy, Wordpress | 2026-04-08 | 6.4 Medium |
| The eID Easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.9.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-9123 | 2 Codebxr, Wordpress | 2 Cbx Map For Google Map \& Openstreetmap, Wordpress | 2026-04-08 | 6.4 Medium |
| The CBX Map for Google Map & OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the popup heading and location address parameters in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-8898 | 2026-04-08 | 9.8 Critical | ||
| The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.0. This is due to the plugin not properly validating a user's capabilities prior to updating a plugin setting or their identity prior to updating their details like email address. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. CVE-2025-54713 is likely a duplicate of this issue. | ||||
| CVE-2025-8689 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 6.4 Medium |
| The Elements Plus! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Comparison, HotSpot Plus, and Google Maps widgets in all versions up to, and including, 2.16.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-8669 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 4.3 Medium |
| The Customify theme for WordPress is vulnerable to Cross-Site Request Forgery in version 0.4.11. This is due to missing or incorrect nonce validation on the reset_customize_section function. This makes it possible for unauthenticated attackers to reset theme customization settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-8608 | 3 Elementor, Mihdan, Wordpress | 3 Elementor, Elementor Yandex Maps, Wordpress | 2026-04-08 | 6.4 Medium |
| The Mihdan: Elementor Yandex Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block attributes in all versions up to, and including, 1.6.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-8570 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 9.8 Critical |
| The BeyondCart Connector plugin for WordPress is vulnerable to Privilege Escalation due to improper JWT secret management and authorization within the determine_current_user filter in versions 1.4.2 through 3.0.1. This makes it possible for unauthenticated attackers to craft valid tokens and assume any user’s identity. | ||||
| CVE-2025-8484 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 5.3 Medium |
| The Code Quality Control Tool plugin for WordPress is vulnerable to Sensitive Information Exposure in version 2.1 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files. | ||||
| CVE-2025-8290 | 2 Weblineindia, Wordpress | 2 List Subpages, Wordpress | 2026-04-08 | 6.4 Medium |
| The List Subpages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||