Export limit exceeded: 14142 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (14142 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-5428 | 2 Wordpress, Wproyal | 2 Wordpress, Royal Addons For Elementor – Addons And Templates Kit For Elementor | 2026-04-27 | 6.4 Medium |
| The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image captions in the Image Grid/Slider/Carousel widget in versions up to and including 1.7.1056. This is due to insufficient output escaping in the render_post_thumbnail() function, where wp_kses_post() is used instead of esc_attr() for the alt attribute context. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page with the malicious image displayed in the media grid widget. | ||||
| CVE-2025-10915 | 1 Wordpress | 1 Wordpress | 2026-04-27 | 9.8 Critical |
| The Dreamer Blog WordPress theme through 1.2 is vulnerable to arbitrary installations due to a missing capability check. | ||||
| CVE-2025-14829 | 1 Wordpress | 1 Wordpress | 2026-04-27 | 9.1 Critical |
| The E-xact | Hosted Payment | WordPress plugin through 2.0 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. | ||||
| CVE-2025-12573 | 1 Wordpress | 1 Wordpress | 2026-04-27 | 6.5 Medium |
| The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor WordPress plugin through 1.0.12 data. | ||||
| CVE-2025-13471 | 1 Wordpress | 1 Wordpress | 2026-04-27 | 5.3 Medium |
| The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example to enable User Registration when it has been turned off) | ||||
| CVE-2025-14892 | 2 Prime Listing Manager, Wordpress | 2 Prime Listing Manager, Wordpress | 2026-04-27 | 9.8 Critical |
| The Prime Listing Manager WordPress plugin through 1.1 allows an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions due to a hardcoded secret. | ||||
| CVE-2025-58922 | 2 Theme-fusion, Wordpress | 2 Avada, Wordpress | 2026-04-27 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada allows Cross Site Request Forgery.This issue affects Avada: from n/a before 7.13.2. | ||||
| CVE-2025-69347 | 2 Convers Lab, Wordpress | 2 Wpsubscription, Wordpress | 2026-04-27 | 8.6 High |
| Authorization Bypass Through User-Controlled Key vulnerability in Convers Lab WPSubscription subscription allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPSubscription: from n/a through <= 1.8.10. | ||||
| CVE-2025-69097 | 1 Wordpress | 1 Wordpress | 2026-04-27 | 8.6 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in VibeThemes WPLMS wplms_plugin allows Path Traversal.This issue affects WPLMS: from n/a through <= 1.9.9.5.4. | ||||
| CVE-2025-69039 | 1 Wordpress | 1 Wordpress | 2026-04-27 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Bailly bailly allows PHP Local File Inclusion.This issue affects Bailly: from n/a through <= 1.3.4. | ||||
| CVE-2025-69043 | 1 Wordpress | 1 Wordpress | 2026-04-27 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Rashy rashy allows PHP Local File Inclusion.This issue affects Rashy: from n/a through <= 1.1.3. | ||||
| CVE-2025-69042 | 1 Wordpress | 1 Wordpress | 2026-04-27 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Lindo lindo allows PHP Local File Inclusion.This issue affects Lindo: from n/a through <= 1.2.5. | ||||
| CVE-2025-69027 | 2 Tychesoftwares, Wordpress | 2 Product Delivery Date For Woocommerce Lite, Wordpress | 2026-04-27 | 5.3 Medium |
| Missing Authorization vulnerability in tychesoftwares Product Delivery Date for WooCommerce – Lite product-delivery-date-for-woocommerce-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Delivery Date for WooCommerce – Lite: from n/a through <= 3.2.0. | ||||
| CVE-2025-69040 | 1 Wordpress | 1 Wordpress | 2026-04-27 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Bfres bfres allows PHP Local File Inclusion.This issue affects Bfres: from n/a through <= 1.2.1. | ||||
| CVE-2025-49994 | 1 Wordpress | 1 Wordpress | 2026-04-27 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Athens athens allows PHP Local File Inclusion.This issue affects Athens: from n/a through <= 1.1.6. | ||||
| CVE-2025-49949 | 1 Wordpress | 1 Wordpress | 2026-04-27 | 5.4 Medium |
| Missing Authorization vulnerability in templazee Templazee templazee allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Templazee: from n/a through <= 1.0.2. | ||||
| CVE-2025-49952 | 2 Favethemes, Wordpress | 2 Houzez, Wordpress | 2026-04-27 | 6.5 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in favethemes Houzez houzez allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Houzez: from n/a through <= 4.2.5. | ||||
| CVE-2025-49935 | 2 Wordpress, Xtemos | 2 Wordpress, Woodmart | 2026-04-27 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in xtemos WoodMart woodmart allows PHP Local File Inclusion.This issue affects WoodMart: from n/a through < 8.3.2. | ||||
| CVE-2025-49931 | 1 Wordpress | 1 Wordpress | 2026-04-27 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crocoblock JetSearch jet-search allows Blind SQL Injection.This issue affects JetSearch: from n/a through <= 3.5.10. | ||||
| CVE-2025-49926 | 2 Laborator, Wordpress | 2 Kalium, Wordpress | 2026-04-27 | 7.2 High |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Laborator Kalium kalium allows Code Injection.This issue affects Kalium: from n/a through <= 3.25. | ||||