Export limit exceeded: 359632 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 13067 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (13067 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-54721 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress Resca resca allows Reflected XSS.This issue affects Resca: from n/a through <= 3.0.2. | ||||
| CVE-2025-15516 | 2 Plugins360, Wordpress | 2 All-in-one Video Gallery, Wordpress | 2026-04-15 | 4.3 Medium |
| The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary string-based user meta keys for their own account. | ||||
| CVE-2025-14904 | 2 Anilankola, Wordpress | 2 Newsletter Email Subscribe, Wordpress | 2026-04-15 | 4.3 Medium |
| The Newsletter Email Subscribe plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4. This is due to incorrect nonce validation on the nels_settings_page function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-67576 | 2 Quantumcloud, Wordpress | 2 Simple Link Directory, Wordpress | 2026-04-15 | 5.3 Medium |
| Missing Authorization vulnerability in QuantumCloud Simple Link Directory simple-link-directory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple Link Directory: from n/a through <= 8.8.3. | ||||
| CVE-2025-10307 | 2 Softaculous, Wordpress | 2 Backuply, Wordpress | 2026-04-15 | 6.5 Medium |
| The Backuply – Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete backup functionality in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | ||||
| CVE-2024-9211 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The FULL – Cliente plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.1.22. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2023-49748 | 2 Wordpress, Wpserveur | 2 Wordpress, Wps Hide Login | 2026-04-15 | 3.7 Low |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in WPServeur, NicolasKulka, wpformation WPS Hide Login allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WPS Hide Login: from n/a through 1.9.11. | ||||
| CVE-2025-14434 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| The Ultimate Post Kit Addons for Elementor WordPress plugin before 4.0.16 exposes multiple AJAX “load more” endpoints such as upk_alex_grid_loadmore_posts without ensuring that posts to be displayed are published authentication. This allows an unauthenticated attacker to query arbitrary posts and retrieve rendered HTML content of private and unpublished ones. | ||||
| CVE-2025-48111 | 2 Wordpress, Yithemes | 2 Wordpress, Yith Paypal Express Checkout For Woocommerce | 2026-04-15 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in YITHEMES YITH PayPal Express Checkout for WooCommerce allows Cross Site Request Forgery. This issue affects YITH PayPal Express Checkout for WooCommerce: from n/a through 1.49.0. | ||||
| CVE-2023-49741 | 2 Wordpress, Wpdevart | 2 Wordpress, Coming Soon And Maintenance Mode | 2026-04-15 | 3.7 Low |
| Authentication Bypass by Spoofing vulnerability in wpdevart Coming soon and Maintenance mode allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Coming soon and Maintenance mode: from n/a through 3.7.3. | ||||
| CVE-2025-15520 | 2 Metagauss, Wordpress | 2 Registrationmagic, Wordpress | 2026-04-15 | 4.3 Medium |
| The RegistrationMagic WordPress plugin before 6.0.7.2 checks nonces but not capabilities, allowing for the disclosure of some sensitive data to subscribers and above. | ||||
| CVE-2024-4984 | 2 Wordpress, Yoast | 2 Wordpress, Yoast Seo | 2026-04-15 | 6.4 Medium |
| The Yoast SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘display_name’ author meta in all versions up to, and including, 22.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-10567 | 2 Funnelkit, Wordpress | 2 Funnel Builder, Wordpress | 2026-04-15 | 6.3 Medium |
| The FunnelKit WordPress plugin before 3.12.0.1 does not sanitize user input before echoing it back in some of its checkout-related AJAX actions, allowing attackers to conduct reflected XSS attacks against logged-in users. | ||||
| CVE-2025-10658 | 2 Supportcandy, Wordpress | 2 Supportcandy, Wordpress | 2026-04-15 | 6.5 Medium |
| The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.3.7. This is due to missing rate limiting on the OTP verification for guest login. This makes it possible for unauthenticated attackers to bypass authentication and gain unauthorized access to customer support tickets by brute forcing the 6-digit OTP code. | ||||
| CVE-2020-36854 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Async JavaScript plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.19.07.14. This is due to missing authorization checks on the aj_steps AJAX aciton along with a lack on sanitization on the settings saved via the function. This makes it possible for authenticated attackers with subscriber level permissions and above to inject malicious web scripts into a page that execute whenever a user accesses that page. | ||||
| CVE-2025-31634 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| Deserialization of Untrusted Data vulnerability in designthemes Insurance insurance allows Object Injection.This issue affects Insurance: from n/a through <= 3.5. | ||||
| CVE-2025-10684 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The Construction Light WordPress theme before 1.6.8 does not have authorisation and CSRF when activating via an AJAX action, allowing any authenticated users, such as subscriber to activate arbitrary . | ||||
| CVE-2024-30509 | 2 Artbees, Wordpress | 2 Sellkit, Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Artbees SellKit allows Relative Path Traversal.This issue affects SellKit: from n/a through 1.8.1. | ||||
| CVE-2025-14973 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.8 Medium |
| The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform SQL injection attacks. | ||||
| CVE-2025-14975 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.1 High |
| The Custom Login Page Customizer WordPress plugin before 2.5.4 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account | ||||