Filtered by vendor Wordpress
Subscriptions
Total
4967 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-8685 | 2 Emilien, Wordpress | 2 Wp Chart Generator, Wordpress | 2025-08-13 | 6.4 Medium |
| The Wp chart generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpchart shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-4390 | 2 Nimeshrmr, Wordpress | 2 Wp Private Content Plus, Wordpress | 2025-08-13 | 5.3 Medium |
| The WP Private Content Plus plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.2 via the 'validate_restrictions' function. This makes it possible for unauthenticated attackers to extract sensitive data including the content of resticted posts on archive and feed pages. | ||||
| CVE-2025-8690 | 2 Addix, Wordpress | 2 Simple Responsive Slider Plugin, Wordpress | 2025-08-13 | 6.4 Medium |
| The Simple Responsive Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-3075 | 2 Elementor, Wordpress | 6 Elementor, Elementor Page Builder, Elementor Website Builder and 3 more | 2025-08-13 | 6.4 Medium |
| The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'elementor-element' shortcode in all versions up to, and including, 3.29.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts sites with 'Element Caching' enabled. | ||||
| CVE-2025-6238 | 2 Meowapps, Wordpress | 2 Ai Engine, Wordpress | 2025-08-13 | 8 High |
| The AI Engine plugin for WordPress is vulnerable to open redirect in version 2.8.4. This is due to an insecure OAuth implementation, as the 'redirect_uri' parameter is missing validation during the authorization flow. This makes it possible for unauthenticated attackers to intercept the authorization code and obtain an access token by redirecting the user to an attacker-controlled URI. Note: OAuth is disabled, the 'Meow_MWAI_Labs_OAuth' class is not loaded in the plugin in the patched version 2.8.5. | ||||
| CVE-2025-8068 | 3 Elementor, Hasthemes, Wordpress | 3 Elementor, Ht Mega, Wordpress | 2025-08-13 | 4.3 Medium |
| The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to an improper capability check on the 'ajax_trash_templates' function in all versions up to, and including, 2.9.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary attachment files, and move arbitrary posts, pages, and templates to the Trash. | ||||
| CVE-2025-8151 | 3 Elementor, Hasthemes, Wordpress | 3 Elementor, Ht Mega, Wordpress | 2025-08-13 | 4.3 Medium |
| The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.9.1 via the 'save_block_css' function. This makes it possible for authenticated attackers, with Author-level access and above, to create CSS files in any directory, and delete CSS files in any directory in a Windows environment. | ||||
| CVE-2025-8401 | 3 Elementor, Hasthemes, Wordpress | 3 Elementor, Ht Mega, Wordpress | 2025-08-13 | 4.3 Medium |
| The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.1 via the 'get_post_data' function. This makes it possible for authenticated attackers, with Author-level access and above, to extract sensitive data including the content of private, password-protected, and draft posts and pages. | ||||
| CVE-2025-5570 | 2 Meowapps, Wordpress | 2 Ai Engine, Wordpress | 2025-08-13 | 5.4 Medium |
| The AI Engine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the mwai_chatbot shortcode 'id' parameter in all versions up to, and including, 2.8.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-4796 | 2 Themewinter, Wordpress | 2 Eventin, Wordpress | 2025-08-13 | 8.8 High |
| The Eventin plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.34. This is due to the plugin not properly validating a user's identity or capability prior to updating their details like email in the 'Eventin\Speaker\Api\SpeakerController::update_item' function. This makes it possible for unauthenticated attackers with contributor-level and above permissions to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | ||||
| CVE-2025-7205 | 3 Givew, Givewp, Wordpress | 3 Donation Plugin And Fundraising Platform, Givewp, Wordpress | 2025-08-13 | 5.4 Medium |
| The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the donor notes parameter in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with GiveWP worker-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Additionally, they need to trick an administrator into visiting the legacy version of the site. | ||||
| CVE-2025-5061 | 2 Vjinfotech, Wordpress | 2 Wp Import Export Lite, Wordpress | 2025-08-13 | 7.5 High |
| The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_parse_upload_data' function in all versions up to, and including, 3.9.29. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an Administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability was partially patched in version 3.9.29. | ||||
| CVE-2025-8100 | 3 Bdthemes, Element Pack Elementor Addons Wordpress, Wordpress | 3 Element Pack, Element Pack Elementor Addons Wordpress, Wordpress | 2025-08-13 | 5.4 Medium |
| The Element Pack Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_content' parameter in versions up to, and including, 8.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-30974 | 2 Addonmaster, Wordpress | 2 Post Grid Master, Wordpress | 2025-08-13 | 4.3 Medium |
| Missing Authorization vulnerability in Akhtarujjaman Shuvo Post Grid Master allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Grid Master: from n/a through 3.4.13. | ||||
| CVE-2025-8767 | 2 Anwp, Wordpress | 2 Football Leagues, Wordpress | 2025-08-12 | 4.8 Medium |
| The AnWP Football Leagues plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 0.16.17 via the 'download_csv_players' and 'download_csv_games' functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. | ||||
| CVE-2025-8418 | 1 Wordpress | 1 Wordpress | 2025-08-12 | 8.8 High |
| The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Arbitrary Plugin Installation in all versions up to, and including, 1.1.30. This is due to missing capability checks on the activated_plugin function. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the server which can make remote code execution possible. | ||||
| CVE-2025-47444 | 2 Liquidweb, Wordpress | 2 Givewp, Wordpress | 2025-08-12 | 7.5 High |
| Insertion of Sensitive Information Into Sent Data vulnerability in Liquid Web GiveWP allows Retrieve Embedded Sensitive Data.This issue affects GiveWP: from n/a before 4.6.1. | ||||
| CVE-2025-8482 | 2 10up, Wordpress | 2 Simple Local Avatars, Wordpress | 2025-08-12 | 4.3 Medium |
| The Simple Local Avatars plugin for WordPress is vulnerable to unauthorized modification of data in version 2.8.4. This is due to a missing capability check on the migrate_from_wp_user_avatar() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to migrate avatar metadata for all users. | ||||
| CVE-2024-11205 | 2 Wordpress, Wpforms | 2 Wordpress, Wpforms | 2025-08-12 | 8.5 High |
| The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpforms_is_admin_page' function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions. | ||||
| CVE-2024-11349 | 2 Scriptsbundle, Wordpress | 2 Adforest, Wordpress | 2025-08-12 | 9.8 Critical |
| The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.6. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the sb_login_user_with_otp_fun() function. This makes it possible for unauthenticated attackers to log in as arbitrary users, including administrators. | ||||