Wordpress CVEs and Security Vulnerabilities

Filtered by vendor Wordpress Subscriptions

Filtered by product Wordpress Subscriptions

Search

Switch to Advanced Search (Beta)

Total 7163 CVE

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2025-22267	1 Wordpress	1 Wordpress	2025-07-13	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bruce Wampler Weaver Themes Shortcode Compatibility allows Stored XSS. This issue affects Weaver Themes Shortcode Compatibility: from n/a through 1.0.4.
CVE-2025-26892	1 Wordpress	1 Wordpress	2025-07-13	9.9 Critical
Unrestricted Upload of File with Dangerous Type vulnerability in dkszone Celestial Aura allows Using Malicious Files.This issue affects Celestial Aura: from n/a through 2.2.
CVE-2025-22594	1 Wordpress	1 Wordpress	2025-07-13	7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hccoder – Sándor Fodor Better User Shortcodes allows Reflected XSS.This issue affects Better User Shortcodes: from n/a through 1.0.
CVE-2024-9111	2 Pickplugins, Wordpress	2 Product Designer, Wordpress	2025-07-13	6.4 Medium
The Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.35 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
CVE-2023-37984	2 Expresstech, Wordpress	2 Quiz And Survey Master, Wordpress	2025-07-13	4.3 Medium
Missing Authorization vulnerability in ExpressTech Quiz And Survey Master allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quiz And Survey Master: from n/a through 8.1.10.
CVE-2025-23584	1 Wordpress	1 Wordpress	2025-07-13	7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Pin Locations on Map allows Reflected XSS. This issue affects Pin Locations on Map: from n/a through 1.0.
CVE-2024-35170	1 Wordpress	1 Wordpress	2025-07-13	5.9 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hidden Depth Sticky banner allows Stored XSS.This issue affects Sticky banner: from n/a through 1.2.0.
CVE-2024-31086	1 Wordpress	1 Wordpress	2025-07-13	7.1 High
Cross-Site Request Forgery (CSRF) vulnerability in Venugopal Change default login logo,url and title allows Cross-Site Scripting (XSS).This issue affects Change default login logo,url and title: from n/a through 2.0.
CVE-2023-32798	1 Wordpress	1 Wordpress	2025-07-13	5.3 Medium
Missing Authorization vulnerability in 10up Simple Page Ordering allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple Page Ordering: from n/a through 2.5.0.
CVE-2024-31251	2 Peepso, Wordpress	2 Community By Peepso, Wordpress	2025-07-13	4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in PeepSo Community by PeepSo.This issue affects Community by PeepSo: from n/a through 6.3.1.1.
CVE-2025-23585	1 Wordpress	1 Wordpress	2025-07-13	7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CantonBolo Goo.gl Url Shorter allows Reflected XSS. This issue affects Goo.gl Url Shorter: from n/a through 1.0.1.
CVE-2024-4575	2 Layerslider, Wordpress	2 Layerslider, Wordpress	2025-07-13	6.4 Medium
The LayerSlider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ls_search_form shortcode in version 7.11.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-32090	1 Wordpress	1 Wordpress	2025-07-13	4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in Andy Moyle Church Admin.This issue affects Church Admin: from n/a through 4.0.27.
CVE-2024-30433	2 Multivendorx, Wordpress	2 Wc Marketplace, Wordpress	2025-07-13	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MultiVendorX WC Marketplace allows Stored XSS.This issue affects WC Marketplace: from n/a through 4.1.3.
CVE-2025-32633	1 Wordpress	1 Wordpress	2025-07-13	8.6 High
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in neoslab Database Toolset allows Path Traversal. This issue affects Database Toolset: from n/a through 1.8.4.
CVE-2025-49299	1 Wordpress	1 Wordpress	2025-07-13	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPlugged.com WebHotelier allows Stored XSS. This issue affects WebHotelier: from n/a through 1.9.2.
CVE-2025-31841	1 Wordpress	1 Wordpress	2025-07-13	6.3 Medium
Missing Authorization vulnerability in Frank P. Walentynowicz FPW Category Thumbnails allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FPW Category Thumbnails: from n/a through 1.9.5.
CVE-2025-2577	1 Wordpress	1 Wordpress	2025-07-13	6.4 Medium
The Bitspecter Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
CVE-2024-12523	1 Wordpress	1 Wordpress	2025-07-13	6.4 Medium
The States Map US plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'states_map' shortcode in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2023-46608	2 Wordpress, Wpdo	2 Wordpress, Dologin Security	2025-07-13	5.3 Medium
Missing Authorization vulnerability in WPDO DoLogin Security allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DoLogin Security: from n/a through 3.7.1.

« first previous Page 153 of 359. next last »