Export limit exceeded: 11399 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11399 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-9116 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 5.8 Medium |
| The WPS Visitor Counter WordPress plugin through 1.4.8 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers. | ||||
| CVE-2025-15400 | 2 Openpix, Wordpress | 2 Pix Para Woocommerce, Wordpress | 2026-04-02 | 6.5 Medium |
| The OpenPix for WooCommerce WordPress plugin through 2.13.3 allows any authenticated user to trigger AJAX actions that reset payment gateway configuration options without capability or nonce checks. This permits any authenticated users, such as subscribers to clear API credentials and webhook status, causing persistent disruption of OpenPix payment functionality. | ||||
| CVE-2026-2466 | 2 Dukapress, Wordpress | 2 Dukapress, Wordpress | 2026-04-02 | 7.1 High |
| The DukaPress WordPress plugin through 3.2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | ||||
| CVE-2026-2418 | 2 Login With Salesforce, Wordpress | 2 Login With Salesforce, Wordpress | 2026-04-02 | 9.1 Critical |
| The Login with Salesforce WordPress plugin through 1.0.2 does not validate that users are allowed to login through Salesforce, allowing unauthenticated users to be authenticated as any user (such as admin) by simply knowing the email | ||||
| CVE-2026-2343 | 2 Peprodev Ultimate Invoice, Wordpress | 2 Peprodev Ultimate Invoice, Wordpress | 2026-04-02 | 5.3 Medium |
| The PeproDev Ultimate Invoice WordPress plugin through 2.2.5 has a bulk download invoices action that generates ZIP archives containing exported invoice PDFs. The ZIP files are named predictably making it possible to brute force and retreive PII. | ||||
| CVE-2026-1542 | 2 Super Stage Wp, Wordpress | 2 Super Stage Wp, Wordpress | 2026-04-02 | 6.5 Medium |
| The Super Stage WP WordPress plugin through 1.0.1 unserializes user input via REQUEST, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog. | ||||
| CVE-2026-1369 | 2 Conditional Captcha, Wordpress | 2 Conditional Captcha, Wordpress | 2026-04-02 | 4.3 Medium |
| The Conditional CAPTCHA WordPress plugin through 4.0.0 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue | ||||
| CVE-2026-1235 | 2 Wordpress, Wp Ecommerce | 2 Wordpress, Wp Ecommerce | 2026-04-02 | 6.5 Medium |
| The WP eCommerce WordPress plugin through 3.15.1 unserializes user input via ajax actions, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog. | ||||
| CVE-2026-1128 | 2 Wordpress, Wp-ecommerce | 2 Wordpress, Wp Ecommerce | 2026-04-02 | 4.3 Medium |
| The WP eCommerce WordPress plugin through 3.15.1 does not have CSRF check in place when deleting coupons, which could allow attackers to make a logged in admin remove them via a CSRF attack | ||||
| CVE-2026-0829 | 2 Frontend File Manager Plugin, Wordpress | 2 Frontend File Manager Plugin, Wordpress | 2026-04-02 | 5.8 Medium |
| The Frontend File Manager Plugin WordPress plugin through 23.5 allows unauthenticated users to send emails through the site without any security checks. This lets attackers use the WordPress site as an open relay for spam or phishing emails to anyone. Attackers can also guess file IDs to access and share uploaded files without permission, exposing sensitive information. | ||||
| CVE-2025-9544 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 6.5 Medium |
| The Doppler Forms WordPress plugin through 2.5.1 registers an AJAX action install_extension without verifying user capabilities or using a nonce. As a result, any authenticated user — including those with the Subscriber role — can install and activate additional Doppler Forms WordPress plugin through 2.5.1 (limited to those whitelisted by the main Doppler Forms WordPress plugin through 2.5.1). | ||||
| CVE-2025-6027 | 2 Acewebx, Wordpress | 2 Ace User Management, Wordpress | 2026-04-02 | 6.3 Medium |
| The Ace User Management WordPress plugin through 2.0.3 does not properly validate that a password reset token is associated with the user who requested it, allowing any authenticated users, such as subscriber to reset the password of arbitrary accounts, including administrators. | ||||
| CVE-2025-15491 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 5.5 Medium |
| The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks | ||||
| CVE-2025-15445 | 2 Restaurant Cafeteria, Wordpress | 2 Restaurant Cafeteria, Wordpress | 2026-04-02 | 5.4 Medium |
| The Restaurant Cafeteria WordPress theme through 0.4.6 exposes insecure admin-ajax actions without nonce or capability checks, allowing any logged-in user, like subscriber, to perform privileged operations. An attacker can install and activate a from a user-supplied URL, leading to arbitrary PHP code execution, and also import demo content that rewrites site configuration, including Restaurant Cafeteria WordPress theme through 0.4.6_mods, pages, menus, and front page settings. | ||||
| CVE-2025-14892 | 2 Prime Listing Manager, Wordpress | 2 Prime Listing Manager, Wordpress | 2026-04-02 | 9.8 Critical |
| The Prime Listing Manager WordPress plugin through 1.1 allows an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions due to a hardcoded secret. | ||||
| CVE-2025-14829 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 9.1 Critical |
| The E-xact | Hosted Payment | WordPress plugin through 2.0 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. | ||||
| CVE-2025-14316 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 7.1 High |
| The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2025-14313 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 6.1 Medium |
| The Advance WP Query Search Filter WordPress plugin through 1.0.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2025-14312 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 6.1 Medium |
| The Advance WP Query Search Filter WordPress plugin through 1.0.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2025-13471 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 5.3 Medium |
| The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example to enable User Registration when it has been turned off) | ||||