Export limit exceeded: 13964 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (13964 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-69408 2 Mikado-themes, Wordpress 2 Healthfirst, Wordpress 2026-04-15 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes HealthFirst healthfirst allows PHP Local File Inclusion.This issue affects HealthFirst: from n/a through <= 1.0.1.
CVE-2025-69409 2 Axiomthemes, Wordpress 2 Pj | Life & Business Coaching, Wordpress 2026-04-15 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes PJ | Life & Business Coaching pj allows PHP Local File Inclusion.This issue affects PJ | Life & Business Coaching: from n/a through <= 3.0.0.
CVE-2025-7642 1 Wordpress 1 Wordpress 2026-04-15 9.8 Critical
The Simpler Checkout plugin for WordPress is vulnerable to Authentication Bypass in versions 0.7.0 to 1.1.9. This is due to the plugin not properly verifying a user's identity prior to logging them in as an admin through the simplerwc_woocommerce_order_created() function. This makes it possible for unauthenticated attackers to log in as other users based on their order ID, which can be an administrator if a site admin has placed a test order.
CVE-2025-7695 1 Wordpress 1 Wordpress 2026-04-15 8.8 High
The Dataverse Integration plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks within its reset_password_link REST endpoint in versions 2.77 through 2.81. The endpoint’s handler accepts a client-supplied id, email, or login, looks up that user, and calls get_password_reset_key() unconditionally. Because it only checks that the caller is authenticated, and not that they own or may edit the target account, any authenticated attacker, with Subscriber-level access and above, can obtain a password reset link for an administrator and hijack that account.
CVE-2025-7847 1 Wordpress 1 Wordpress 2026-04-15 8.8 High
The AI Engine plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the rest_simpleFileUpload() function in versions 2.9.3 and 2.9.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server when the REST API is enabled, which may make remote code execution possible.
CVE-2025-8282 2 Sureforms, Wordpress 2 Sureforms, Wordpress 2026-04-15 3.5 Low
The SureForms WordPress plugin before 1.9.1 does not sanitise and escape some parameters when outputing them in the page, which could allow admin and above users to perform Cross-Site Scripting attacks.
CVE-2025-8489 2 Kingaddons, Wordpress 2 King Addons For Elementor, Wordpress 2026-04-15 9.8 Critical
The King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor plugin for WordPress is vulnerable to privilege escalation in versions 24.12.92 to 51.1.14 . This is due to the plugin not properly restricting the roles that users can register with. This makes it possible for unauthenticated attackers to register with administrator-level user accounts.
CVE-2025-9034 1 Wordpress 1 Wordpress 2026-04-15 6.1 Medium
The Wp Edit Password Protected WordPress plugin before 1.3.5 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue
CVE-2025-9115 2 Etsy Shop Project, Wordpress 2 Etsy Shop, Wordpress 2026-04-15 5.6 Medium
The Etsy Shop WordPress plugin before 3.0.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.
CVE-2025-9541 1 Wordpress 1 Wordpress 2026-04-15 4.7 Medium
The Markup Markdown WordPress plugin before 3.20.10 allows links to contain JavaScript which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2025-9218 4 Bbpress, Buddypress, Rtcamp and 1 more 4 Bbpress, Buddypress, Rtmedia and 1 more 2026-04-15 3.7 Low
The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to to Information Disclosure due to missing authorization in the handle_rest_pre_dispatch() function when the Godam plugin is active, in versions 4.7.0 to 4.7.3. This makes it possible for unauthenticated attackers to retrieve media items associated with draft or private posts.
CVE-2025-9487 2 Wordpress, Wpase 2 Wordpress, Admin And Site Enhancements 2026-04-15 4.7 Medium
The Admin and Site Enhancements (ASE) WordPress plugin before 7.9.8 does not sanitise SVG files when uploaded via xmlrpc.php when such uploads are enabled, which could allow users to upload a malicious SVG containing XSS payloads
CVE-2025-9561 1 Wordpress 1 Wordpress 2026-04-15 8.8 High
The AP Background plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization and insufficient file validation within the advParallaxBackAdminSaveSlider() handler in versions 3.8.1 to 3.8.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2025-9587 1 Wordpress 1 Wordpress 2026-04-15 8.6 High
The CTL Behance Importer Lite WordPress plugin through 1.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
CVE-2025-9710 2 Dfactory, Wordpress 2 Responsive Lightbox & Gallery, Wordpress 2026-04-15 6.3 Medium
The Responsive Lightbox & Gallery WordPress plugin before 2.5.3 does not properly handle HTML tag attributes modifications, potentially allowing unauthenticated attackers to abuse the functionality to include event handlers and conduct Stored XSS attacks.
CVE-2025-53297 3 Aa-team, Woocommerce, Wordpress 3 Woocommerce Envato Affiliates, Woocommerce, Wordpress 2026-04-15 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Woocommerce Envato Affiliates wooenvato allows Reflected XSS.This issue affects Woocommerce Envato Affiliates: from n/a through <= 1.2.1.
CVE-2025-53283 2 Borisolhor, Wordpress 2 Drop Uploader For Cf7, Wordpress 2026-04-15 10 Critical
Unrestricted Upload of File with Dangerous Type vulnerability in borisolhor Drop Uploader for CF7 - Drag&Drop File Uploader Addon drop-uploader-for-contact-form-7-dragdrop-file-uploader-addon allows Upload a Web Shell to a Web Server.This issue affects Drop Uploader for CF7 - Drag&Drop File Uploader Addon: from n/a through <= 2.4.1.
CVE-2025-53237 2 Soflyy, Wordpress 2 Wp Wizard Cloak, Wordpress 2026-04-15 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soflyy WP Wizard Cloak wp-wizard-cloak allows Reflected XSS.This issue affects WP Wizard Cloak: from n/a through <= 1.0.1.
CVE-2025-53236 1 Wordpress 1 Wordpress 2026-04-15 6.3 Medium
Missing Authorization vulnerability in AndonDesign UDesign Core u-design-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UDesign Core: from n/a through <= 4.14.0.
CVE-2025-53234 1 Wordpress 1 Wordpress 2026-04-15 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AndonDesign UDesign Core u-design-core allows Reflected XSS.This issue affects UDesign Core: from n/a through <= 4.14.0.