Filtered by vendor Wordpress
Filtered by product Wordpress
Total: 7115 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-8145 | 2 Querysol, Wordpress | 2 Redirection For Contact Form 7, Wordpress | 2025-08-24 | 8.8 High |
| The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the get_lead_fields function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in a Contact Form 7 plugin allows attackers to delete arbitrary files. Additionally, in certain server configurations, Remote Code Execution is possible. | ||||
| CVE-2025-48158 | 2 Buddypress, Wordpress | 2 Buddypress, Wordpress | 2025-08-24 | 8.6 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Alex Githatu BuddyPress XProfile Custom Image Field allows Path Traversal. This issue affects BuddyPress XProfile Custom Image Field: from n/a through 3.0.1. | ||||
| CVE-2025-53987 | 2 Crocoblock, Wordpress | 2 Jetelements, Wordpress | 2025-08-24 | 6.5 Medium |
| Insertion of Sensitive Information Into Sent Data vulnerability in Crocoblock JetMenu allows Retrieve Embedded Sensitive Data. This issue affects JetMenu: from n/a through 2.4.11.1. | ||||
| CVE-2025-54053 | 2 Groundhogg, Wordpress | 2 Groundhogg, Wordpress | 2025-08-24 | 6.6 Medium |
| Deserialization of Untrusted Data vulnerability in Adrian Tobey Groundhogg allows Object Injection. This issue affects Groundhogg: from n/a through 4.2.2. | ||||
| CVE-2025-48165 | 2 Delucks, Wordpress | 2 Delucks Seo, Wordpress | 2025-08-24 | 8.8 High |
| Incorrect Privilege Assignment vulnerability in DELUCKS DELUCKS SEO allows Privilege Escalation. This issue affects DELUCKS SEO: from n/a through 2.6.0. | ||||
| CVE-2025-48157 | 2 Giorgi, Wordpress | 2 Formality, Wordpress | 2025-08-24 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Michele Giorgi Formality allows PHP Local File Inclusion. This issue affects Formality: from n/a through 1.5.9. | ||||
| CVE-2025-54040 | 2 Webba-booking, Wordpress | 2 Webba Booking, Wordpress | 2025-08-24 | 6.5 Medium |
| Missing Authorization vulnerability in Webba Appointment Booking Webba Booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Webba Booking: from n/a through 5.1.20. | ||||
| CVE-2025-54034 | 2 Tribulant, Wordpress | 2 Newsletters, Wordpress | 2025-08-24 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Tribulant Software Newsletters allows PHP Local File Inclusion. This issue affects Newsletters: from n/a through 4.10. | ||||
| CVE-2025-54012 | 2 Welcart, Wordpress | 2 E-commerce, Wordpress | 2025-08-24 | 7.2 High |
| Deserialization of Untrusted Data vulnerability in nanbu Welcart e-Commerce allows Object Injection. This issue affects Welcart e-Commerce: from n/a through 2.11.16. | ||||
| CVE-2025-54025 | 2 Relywp, Wordpress | 2 Coupon Affiliates, Wordpress | 2025-08-24 | 6.5 Medium |
| Missing Authorization vulnerability in Elliot Sowersby / RelyWP Coupon Affiliates allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Coupon Affiliates: from n/a through 6.4.0. | ||||
| CVE-2025-54032 | 2 Webcodingplace, Wordpress | 2 Real Estate Manager, Wordpress | 2025-08-24 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebCodingPlace Real Estate Manager Pro allows Reflected XSS. This issue affects Real Estate Manager Pro: from n/a through 12.7.3. | ||||
| CVE-2025-53988 | 2 Crocoblock, Wordpress | 2 Jettabs For Elementor, Wordpress | 2025-08-24 | 6.5 Medium |
| Insertion of Sensitive Information Into Sent Data vulnerability in Crocoblock JetBlocks For Elementor allows Retrieve Embedded Sensitive Data. This issue affects JetBlocks For Elementor: from n/a through 1.3.18. | ||||
| CVE-2025-57892 | 2 Jeff Starr, Wordpress | 2 Simple Statistics For Feeds, Wordpress | 2025-08-23 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Jeff Starr Simple Statistics for Feeds allows Cross Site Request Forgery. This issue affects Simple Statistics for Feeds: from n/a through 20250322. | ||||
| CVE-2025-53251 | 1 Wordpress | 1 Wordpress | 2025-08-23 | 9.9 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in An-Themes Pin WP allows Upload a Web Shell to a Web Server. This issue affects Pin WP: from n/a before 7.2. | ||||
| CVE-2025-8281 | 1 Wordpress | 1 Wordpress | 2025-08-23 | 7.1 High |
| The WP Talroo WordPress plugin through 2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin and unauthenticated users. | ||||
| CVE-2025-57896 | 1 Wordpress | 1 Wordpress | 2025-08-23 | 5.3 Medium |
| Missing Authorization vulnerability in andy_moyle Church Admin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Church Admin: from n/a through 5.0.26. | ||||
| CVE-2025-57885 | 1 Wordpress | 1 Wordpress | 2025-08-23 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Shahjahan Jewel Fluent Support allows Cross Site Request Forgery. This issue affects Fluent Support: from n/a through 1.9.1. | ||||
| CVE-2025-57884 | 2 Wordpress, Wpsoul | 2 Wordpress, Greenshift | 2025-08-23 | 4.3 Medium |
| Missing Authorization vulnerability in wpsoul Greenshift allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Greenshift: from n/a through 12.1.1. | ||||
| CVE-2025-9331 | 1 Wordpress | 1 Wordpress | 2025-08-23 | 4.3 Medium |
| The Spacious theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'welcome_notice_import_handler' function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo data into the site. | ||||
| CVE-2025-57890 | 1 Wordpress | 1 Wordpress | 2025-08-23 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pierre Lannoy Sessions allows Stored XSS. This issue affects Sessions: from n/a through 3.2.0. | ||||