Filtered by vendor Wordpress
Subscriptions
Filtered by product Wordpress
Subscriptions
Total
6956 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-64296 | 3 Facebook, Woocommerce, Wordpress | 3 Facebook For Woocommerce, Woocommerce, Wordpress | 2025-10-30 | 5.3 Medium |
| Missing Authorization vulnerability in Facebook Facebook for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Facebook for WooCommerce: from n/a through 3.5.7. | ||||
| CVE-2025-10145 | 2 Themeisle, Wordpress | 2 Auto Featured Image, Wordpress | 2025-10-30 | 7.7 High |
| The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.1.7 via the upload_to_library function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. On Cloud instances, this issue allows for metadata retrieval. | ||||
| CVE-2025-11705 | 2 Anti-malware Security And Brute-force Firewall Project, Wordpress | 2 Anti-malware Security And Brute-force Firewall, Wordpress | 2025-10-30 | 6.5 Medium |
| The Anti-Malware Security and Brute-Force Firewall plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 4.23.81 due to a missing capability check combined with an information exposure in several GOTMLS_* AJAX actions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | ||||
| CVE-2025-4665 | 2 Arshid, Wordpress | 2 Wordpress Contact Form Cfdb7, Wordpress | 2025-10-30 | 9.6 Critical |
| WordPress plugin Contact Form CFDB7 versions up to and including 1.3.2 are affected by a pre-authentication SQL injection vulnerability that cascades into insecure deserialization (PHP Object Injection). The weakness arises due to insufficient validation of user input in plugin endpoints, allowing crafted input to influence backend queries in unexpected ways. Using specially crafted payloads, this can escalate into unsafe deserialization, enabling arbitrary object injection in PHP. Although the issue is remotely exploitable without authentication, it does require a crafted interaction with the affected endpoint in order to trigger successfully. | ||||
| CVE-2025-49042 | 2 Automattic, Wordpress | 2 Woocommerce, Wordpress | 2025-10-30 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce woocommerce allows Stored XSS.This issue affects WooCommerce: from n/a through 10.0.2. | ||||
| CVE-2025-11735 | 2 Realmag777, Wordpress | 2 Husky, Wordpress | 2025-10-30 | 7.5 High |
| The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to blind SQL Injection via the `phrase` parameter in all versions up to, and including, 1.3.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-57931 | 2 Ays-pro, Wordpress | 2 Popup Box, Wordpress | 2025-10-30 | 5.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Popup box allows Cross Site Request Forgery.This issue affects Popup box: from n/a through 5.5.4. | ||||
| CVE-2023-7320 | 2 Automattic, Wordpress | 2 Woocommerce, Wordpress | 2025-10-30 | 5.3 Medium |
| The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.8.2, due to improper CORS handling on the Store API's REST endpoints allowing direct external access from any origin. This can allow unauthenticated attackers to extract sensitive user information including PII(Personal Identifiable Information). | ||||
| CVE-2025-60075 | 2 Allegro Marketing, Wordpress | 2 Hpb Seo Plugin For Wordpress, Wordpress | 2025-10-30 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Allegro Marketing hpb seo plugin for WordPress hpbseo allows Reflected XSS.This issue affects hpb seo plugin for WordPress: from n/a through <= 3.0.1. | ||||
| CVE-2025-64202 | 1 Wordpress | 1 Wordpress | 2025-10-30 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TieLabs Sahifa sahifa allows DOM-Based XSS.This issue affects Sahifa: from n/a through < 5.8.6. | ||||
| CVE-2025-11632 | 2 Jgrietveld, Wordpress | 2 Call Now Button, Wordpress | 2025-10-30 | 4.3 Medium |
| The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.5.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate links to billing portal, where they can view and modify billing information of the connected, account, generate chat session tokens, view domain status, etc. This vulnerability was partially fixed in version 1.5.4 and fully fixed in version 1.5.5 | ||||
| CVE-2025-11587 | 1 Wordpress | 1 Wordpress | 2025-10-30 | 4.3 Medium |
| The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate function in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to link the plugin to their nowbuttons.com account and add malicious buttons to the site. The vulnerability is only exploitable on fresh installs where the plugin has not been previously configured with an API key. | ||||
| CVE-2025-9544 | 1 Wordpress | 1 Wordpress | 2025-10-30 | 6.5 Medium |
| The Doppler Forms WordPress plugin through 2.5.1 registers an AJAX action install_extension without verifying user capabilities or using a nonce. As a result, any authenticated user — including those with the Subscriber role — can install and activate additional Doppler Forms WordPress plugin through 2.5.1 (limited to those whitelisted by the main Doppler Forms WordPress plugin through 2.5.1). | ||||
| CVE-2025-64288 | 2 Premmerce, Wordpress | 2 Premmerce, Wordpress | 2025-10-30 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Premmerce Premmerce premmerce allows Cross Site Request Forgery.This issue affects Premmerce: from n/a through <= 1.3.19. | ||||
| CVE-2015-10146 | 2 Nik00726, Wordpress | 2 Thumbnail Slider With Lightbox, Wordpress | 2025-10-30 | 4.9 Medium |
| The Thumbnail Slider With Lightbox plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-64211 | 2 Stylemixthemes, Wordpress | 2 Masterstudy Elementor Widgets, Wordpress | 2025-10-30 | 5.3 Medium |
| Missing Authorization vulnerability in StylemixThemes Masterstudy Elementor Widgets masterstudy-elementor-widgets allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Masterstudy Elementor Widgets: from n/a through <= 1.2.4. | ||||
| CVE-2025-58939 | 1 Wordpress | 1 Wordpress | 2025-10-30 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in highwarden Super Store Finder superstorefinder-wp allows Cross Site Request Forgery.This issue affects Super Store Finder: from n/a through <= 7.5. | ||||
| CVE-2025-11881 | 2 Apppresser, Wordpress | 2 Apppresser, Wordpress | 2025-10-30 | 5.3 Medium |
| The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'myappp_verify' function in all versions up to, and including, 4.5.0. This makes it possible for unauthenticated attackers to extract sensitive data including plugin and theme names and version numbers, which can be used to facilitate targeted attacks against outdated or vulnerable components. | ||||
| CVE-2025-64234 | 2 Evergreencontentposter, Wordpress | 2 Evergreen Content Poster, Wordpress | 2025-10-30 | 4.3 Medium |
| Missing Authorization vulnerability in Evergreen Content Poster Evergreen Content Poster evergreen-content-poster allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Evergreen Content Poster: from n/a through <= 1.4.5. | ||||
| CVE-2025-64290 | 3 Premmerce, Woocommerce, Wordpress | 4 Premmerce, Product Search For Woocommerce, Woocommerce and 1 more | 2025-10-30 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Premmerce Premmerce Product Search for WooCommerce premmerce-search allows Cross Site Request Forgery.This issue affects Premmerce Product Search for WooCommerce: from n/a through <= 2.2.4. | ||||