Wordpress CVEs and Security Vulnerabilities

Filtered by vendor Wordpress Subscriptions

Search

Switch to Advanced Search (Beta)

Total 9088 CVE

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2026-0831	2 Wordpress, Wpdevteam	2 Wordpress, Templately	2026-01-13	5.3 Medium
The Templately plugin for WordPress is vulnerable to Arbitrary File Write in all versions up to, and including, 3.4.8. This is due to inadequate input validation in the `save_template_to_file()` function where user-controlled parameters like `session_id`, `content_id`, and `ai_page_ids` are used to construct file paths without proper sanitization. This makes it possible for unauthenticated attackers to write arbitrary `.ai.json` files to locations within the uploads directory.
CVE-2025-64634	2 Theme-fusion, Wordpress	2 Avada, Wordpress	2026-01-12	8.8 High
Missing Authorization vulnerability in ThemeFusion Avada avada allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Avada: from n/a through <= 7.13.1.
CVE-2026-0676	1 Wordpress	1 Wordpress	2026-01-12	5.3 Medium
Missing Authorization vulnerability in G5Theme Zorka zorka allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Zorka: from n/a through <= 1.5.7.
CVE-2026-0674	2 Campaign Monitor, Wordpress	2 For Wordpress, Wordpress	2026-01-12	4.3 Medium
Missing Authorization vulnerability in Campaign Monitor Campaign Monitor for WordPress forms-for-campaign-monitor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Campaign Monitor for WordPress: from n/a through <= 2.9.0.
CVE-2025-69169	2 Noor Alam, Wordpress	2 Easy Media Download, Wordpress	2026-01-12	5.4 Medium
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Noor Alam Easy Media Download easy-media-download allows Reflection Injection.This issue affects Easy Media Download: from n/a through <= 1.1.11.
CVE-2025-58192	3 Wordpress, Xylus Themes, Xylusthemes	3 Wordpress, Wp Bulk Delete, Wp Bulk Delete	2026-01-12	4.3 Medium
Missing Authorization vulnerability in Xylus Themes WP Bulk Delete allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Bulk Delete: from n/a through 1.3.6.
CVE-2024-37103	2 Rarathemes, Wordpress	2 Education Zone, Wordpress	2026-01-12	4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Education Zone allows Cross Site Request Forgery.This issue affects Education Zone: from n/a through 1.3.4.
CVE-2024-37104	2 Rarathemes, Wordpress	2 Chic, Wordpress	2026-01-12	4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Chic Lite allows Cross Site Request Forgery.This issue affects Chic Lite: from n/a through 1.1.3.
CVE-2025-31643	2 Dasinfomedia, Wordpress	2 Wpchurch Church Management System, Wordpress	2026-01-12	8.8 High
Incorrect Privilege Assignment vulnerability in Dasinfomedia WPCHURCH allows Privilege Escalation.This issue affects WPCHURCH: from n/a through 2.7.0.
CVE-2026-0675	1 Wordpress	1 Wordpress	2026-01-12	N/A
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE-2025-14984	2 Jegstudio, Wordpress	2 Gutenverse, Wordpress	2026-01-12	6.4 Medium
The Gutenverse Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file upload in all versions up to, and including, 2.3.2. This is due to the plugin's framework component adding SVG to the allowed MIME types via the upload_mimes filter without implementing any sanitization of SVG file contents. This makes it possible for authenticated attackers, with Author-level access and above, to upload SVG files containing malicious JavaScript that executes when the file is viewed, leading to arbitrary JavaScript execution in victims' browsers.
CVE-2024-37102	2 Blossomthemes, Wordpress	2 Vilva, Wordpress	2026-01-12	4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in Blossom Themes Vilva allows Cross Site Request Forgery.This issue affects Vilva: from n/a through 1.2.2.
CVE-2024-38703	2 Wordpress, Xylusthemes	2 Wordpress, Wp Event Aggregator	2026-01-12	6.5 Medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Xylus Themes WP Event Aggregator allows Stored XSS.This issue affects WP Event Aggregator: from n/a through 1.7.9.
CVE-2025-62751	2 Extendthemes, Wordpress	2 Vireo, Wordpress	2026-01-12	4.3 Medium
Missing Authorization vulnerability in Extend Themes Vireo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Vireo: from n/a through 1.0.24.
CVE-2025-62992	2 Everestthemes, Wordpress	2 Everest Backup, Wordpress	2026-01-12	6.5 Medium
Cross-Site Request Forgery (CSRF) vulnerability in Everest themes Everest Backup allows Path Traversal.This issue affects Everest Backup: from n/a through 2.3.9.
CVE-2024-32531	2 Everestthemes, Wordpress	2 Gucherry Blog, Wordpress	2026-01-12	7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Everest themes GuCherry Blog allows Reflected XSS.This issue affects GuCherry Blog: from n/a through 1.1.8.
CVE-2024-44010	2 Catchthemes, Wordpress	2 Full Frame, Wordpress	2026-01-12	5.1 Medium
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Catch Themes Full frame allows Stored XSS.This issue affects Full frame: from n/a through 2.7.2.
CVE-2025-67543	2 Catchthemes, Wordpress	2 Essential Widgets, Wordpress	2026-01-12	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Catch Themes Essential Widgets essential-widgets allows Stored XSS.This issue affects Essential Widgets: from n/a through <= 2.2.2.
CVE-2025-60047	2 Axiomthemes, Wordpress	2 Ipharm, Wordpress	2026-01-09	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes IPharm ipharm allows PHP Local File Inclusion.This issue affects IPharm: from n/a through <= 1.2.3.
CVE-2025-60046	2 Axiomthemes, Wordpress	2 Heartstar, Wordpress	2026-01-09	8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes HeartStar heartstar allows PHP Local File Inclusion.This issue affects HeartStar: from n/a through <= 1.0.14.

« first previous Page 7 of 455. next last »