Searching CVE for "wordpress"
The WP Frontend Profile WordPress plugin has a CSRF vulnerability that allows unauthenticated attackers to trick administrators into approving or rejecting user registrations. This affects all version...
This vulnerability allows unauthenticated attackers to retrieve the HTML content of private, draft, or password-protected reusable blocks in WordPress. It affects all WordPress sites using the Greensh...
This CVE describes an open redirect vulnerability in the B2BKing Premium WordPress plugin that allows attackers to redirect users to malicious websites. Attackers can craft URLs that appear legitimate...
This DOM-based XSS vulnerability in the WordPress Preferred Languages plugin allows attackers to inject malicious scripts that execute in users' browsers when they visit compromised pages. It affects ...
The Greenshift WordPress plugin has a stored XSS vulnerability that allows authenticated attackers with Contributor access or higher to inject malicious scripts into pages. These scripts execute when ...
The WowOptin WordPress plugin allows authenticated attackers with Subscriber-level access or higher to install and activate arbitrary plugins without proper authorization. This vulnerability affects a...
The Database for Contact Form 7, WPforms, Elementor forms WordPress plugin is vulnerable to PHP Object Injection via deserialization of untrusted input in the 'download_csv' function. This allows unau...
The Page and Post Clone WordPress plugin contains a second-order SQL injection vulnerability in the content_clone() function. Authenticated attackers with Contributor-level access or higher can inject...
This vulnerability in the WordPress Restrict Content plugin allows unauthenticated attackers to register with any membership level, including inactive or paid levels that grant privileged WordPress ro...
This SQL injection vulnerability in the Apocalypse Meow WordPress plugin allows authenticated attackers with Administrator privileges to inject malicious SQL queries through the 'type' parameter. Atta...
The OoohBoi Steroids for Elementor WordPress plugin has a stored cross-site scripting (XSS) vulnerability that allows authenticated attackers with Contributor-level access or higher to inject maliciou...
The Fluent Forms Pro WordPress plugin has a stored XSS vulnerability that allows unauthenticated attackers to inject malicious scripts into draft form submissions. These scripts execute when WordPress...
The Seraphinite Accelerator WordPress plugin has an authorization vulnerability that allows authenticated users with Subscriber-level access or higher to clear the plugin's debug/operational logs. Thi...
The Gutena Forms WordPress plugin has an authorization vulnerability that allows authenticated users with Contributor-level access or higher to modify WordPress option values. This could enable attack...
This SQL injection vulnerability in the JS Help Desk WordPress plugin allows unauthenticated attackers to inject malicious SQL queries via a cookie parameter. Attackers can extract sensitive informati...
This SQL injection vulnerability in the WP-Members Membership Plugin for WordPress allows authenticated attackers with Contributor-level access or higher to inject malicious SQL queries via the 'order...
The Taskbuilder WordPress plugin is vulnerable to stored cross-site scripting (XSS) in admin settings. Authenticated attackers with administrator privileges can inject malicious scripts that execute w...
This Server-Side Request Forgery (SSRF) vulnerability in the PostX WordPress plugin allows authenticated attackers with Administrator privileges to make arbitrary web requests from the vulnerable serv...
The WPBookit WordPress plugin has a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts into web pages. When users visit compromised pages, the ...
This vulnerability allows unauthenticated attackers to create administrator accounts on WordPress sites using the User Registration & Membership plugin. Attackers can supply any role value during regi...
This vulnerability allows authenticated WordPress administrators to perform server-side request forgery (SSRF) attacks via the Uncanny Automator plugin's download_url() function. Attackers can make ar...
The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress has an authentication bypass vulnerability that allows unauthenticated attackers to log in as any user, including admi...
This SQL injection vulnerability in the LatePoint WordPress plugin allows authenticated administrators to execute arbitrary SQL queries through JSON import functionality. Attackers can extract, modify...
This vulnerability allows authenticated attackers with Agent-level access in the LatePoint WordPress plugin to escalate privileges by linking customer accounts to arbitrary WordPress user IDs, includi...
This vulnerability allows unauthenticated attackers to view, modify, or delete the ChatGPT API key stored by the WordPress plugin. It affects all WordPress sites using the AI ChatBot with ChatGPT and ...
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to execute arbitrary code on servers running the Master Addons for Elementor Premium plugin. Attackers ca...
wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability where administrators can inject persistent JavaScript via forum description fields. The malicious code executes when any user v...
CVE-2026-28562 is an unauthenticated SQL injection vulnerability in the wpForo WordPress plugin, versions 2.4.14 and earlier. Attackers can exploit the wpfob parameter to extract sensitive data like WordPr...
wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to close or reopen any forum topic via the wpforo_close_ajax handler. Attackers can submit a va...
This vulnerability in wpForo Forum allows authenticated users to reassign all forum user groups to arbitrary WordPress roles, enabling privilege escalation. Any WordPress site running the vulnerable w...
wpForo Forum 2.4.14 contains an information disclosure vulnerability where unauthenticated attackers can access private and unapproved forum topics through the global RSS feed endpoint. This affects a...
The Worry Proof Backup WordPress plugin contains a path traversal vulnerability that allows authenticated attackers with Subscriber-level access or higher to upload malicious ZIP archives containing p...
This vulnerability allows unauthenticated attackers to delete arbitrary user accounts that were recently created on WordPress sites using the affected plugin. Attackers exploit missing validation on t...
This vulnerability allows unauthenticated attackers to bypass authentication in WordPress sites using the User Registration & Membership plugin. Attackers can log in as newly registered users who have...
The Custom Logo WordPress plugin has a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts into admin settings. These scripts execute when us...
The TP2WP Importer WordPress plugin has a stored XSS vulnerability in all versions up to 1.1. Authenticated attackers with Administrator access can inject malicious scripts that execute when users vis...
This CVE describes a command injection vulnerability in WPGraphQL's GitHub Actions workflow that allows arbitrary command execution when merging pull requests from develop to master. Attackers can inj...
The WP Responsive Images WordPress plugin contains a path traversal vulnerability in the 'src' parameter that allows unauthenticated attackers to read arbitrary files on the server. This affects all v...
The Post Duplicator WordPress plugin allows authenticated attackers with Contributor-level access or higher to inject arbitrary protected post meta keys (starting with '_') when duplicating posts. Thi...
This CSRF vulnerability in the Disable Admin Notices WordPress plugin allows attackers to add arbitrary URLs to the blocked redirects list by tricking administrators into clicking malicious links. All...
The Geo Mashup WordPress plugin contains an SQL injection vulnerability in the 'sort' parameter that allows unauthenticated attackers to execute arbitrary SQL queries. This can lead to extraction of s...
The WPGSI: Spreadsheet Integration plugin for WordPress has critical REST API endpoints that lack proper authentication and authorization checks. Unauthenticated attackers can forge tokens using publi...
This stored XSS vulnerability in the Rise Blocks WordPress plugin allows authenticated attackers with Contributor access or higher to inject malicious scripts into website pages. When users visit comp...
This vulnerability in the Simple Ajax Chat WordPress plugin exposes sensitive system information to unauthorized users. Attackers can retrieve embedded sensitive data from affected installations. All ...
The ElementsKit Lite WordPress plugin versions before 3.7.9 expose an unauthenticated REST endpoint that accepts Mailchimp API credentials. Unauthenticated attackers can abuse this endpoint as an open...
This vulnerability allows unauthenticated attackers to manipulate email routing and redirection in The Plus Addons for Elementor WordPress plugin. Attackers can trigger unauthorized email relay an...
The Conditional CAPTCHA WordPress plugin through version 4.0.0 contains an open redirect vulnerability that allows attackers to redirect users to malicious websites. This affects WordPress sites using...
The LearnPress Export Import WordPress plugin has an authorization bypass vulnerability that allows unauthenticated attackers to delete migrated course data. This affects all WordPress sites using the...
The weMail WordPress plugin up to version 2.0.7 allows unauthenticated attackers to permanently delete all email marketing forms. This occurs because the plugin validates only the REST API nonce witho...
This stored cross-site scripting (XSS) vulnerability in the PixelYourSite WordPress plugin allows attackers to inject malicious scripts that execute when other users view affected pages. It affects al...
This CVE describes a missing authorization vulnerability in the Print Invoice & Delivery Notes for WooCommerce plugin that allows attackers to bypass access controls. It affects WordPress sites using ...
This DOM-based cross-site scripting (XSS) vulnerability in the PhotoMe WordPress theme allows attackers to inject malicious scripts into web pages viewed by other users. It affects all PhotoMe theme i...
This path traversal vulnerability in the Simple File List WordPress plugin allows attackers to download arbitrary files from the server by manipulating file paths. It affects all WordPress sites running S...
This SQL injection vulnerability in Download Manager Addons for Elementor allows attackers to execute arbitrary SQL commands against the WordPress database. It affects all WordPress sites using this p...
This vulnerability allows attackers to inject malicious scripts into web pages generated by the Grand Conference WordPress theme. When users visit a specially crafted URL, the script executes in their...
This vulnerability allows attackers to include local files on the server through PHP's include/require statements in the Parkivia WordPress theme. Attackers can potentially read sensitive files or exe...
This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress sites using the Blabber theme version...
This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress sites using the UnlimHost theme from ...
This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in the PawFriends WordPress theme that allows attackers to bypass authorization by manipulating user-controlled keys. Attack...
This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress Marveland theme installations, potent...
This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress sites using the Isida theme from Anco...
This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress sites using the Zio Alberto theme fro...
This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects Photolia WordPress theme users running version ...
This vulnerability allows attackers to include local files on the server through improper filename control in PHP's include/require statements. It affects WordPress sites using the SevenTrees theme ve...
This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress sites using the Jude theme from versi...
This CVE describes a PHP Local File Inclusion vulnerability in the Redy WordPress theme by axiomthemes, allowing attackers to include arbitrary local files via improper filename control in include/req...
This CVE describes a Missing Authorization vulnerability in the WP FullCalendar WordPress plugin that allows attackers to exploit incorrectly configured access control security levels. It affects Word...
This vulnerability allows attackers to inject malicious objects through deserialization of untrusted data in the Dotstore Woocommerce Category Banner Management plugin. Attackers could execute arbitra...
This is a reflected cross-site scripting (XSS) vulnerability in the Link Whisper Free WordPress plugin. Attackers can inject malicious scripts via crafted URLs that execute when victims visit those li...
This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress sites using the FiveStar theme from M...
This CVE describes a PHP object injection vulnerability in the WordPress Slider Responsive Slideshow plugin, allowing attackers to execute arbitrary code through deserialization of untrusted data. It ...
This CVE describes a PHP Local File Inclusion vulnerability in the PJ | Life & Business Coaching WordPress theme. Attackers can include arbitrary local files through improper filename control in PHP i...
This CVE describes a PHP Local File Inclusion vulnerability in the Struktur WordPress theme. Attackers can include arbitrary local files through improper filename control in PHP include/require statem...
This vulnerability allows attackers to upload malicious files to WordPress sites using the Bravis Addons plugin. It affects all WordPress installations running Bravis Addons version 1.1.9 or earlier. ...
This vulnerability allows attackers to inject malicious objects through deserialization of untrusted data in the ThemeREX Lorem Ipsum | Books & Media Store WordPress theme. Attackers could potentially...
This vulnerability allows attackers to include local PHP files through improper filename control in the ThemeREX Gable WordPress theme. Attackers can potentially read sensitive files or execute arbitr...
This CVE describes a PHP Local File Inclusion vulnerability in the ThemeREX Tint WordPress theme. Attackers can exploit improper filename control in include/require statements to read sensitive files ...
This CVE describes a PHP Local File Inclusion vulnerability in the ThemeREX Cobble WordPress theme. Attackers can include arbitrary local files through improper filename control in PHP include/require...
This vulnerability allows attackers to bypass authentication and spoof identities in the WooODT Lite WordPress plugin. It affects all WooCommerce sites using WooODT Lite version 2.5.2 or earlier, pote...
This CVE describes a PHP Local File Inclusion vulnerability in the Simple Retail Menus WordPress plugin. Attackers can include arbitrary local files from the server, potentially leading to sensitive i...
This vulnerability allows attackers to inject malicious scripts into web pages through the Visitor Maps Extended Referer Field WordPress plugin. When exploited, it enables reflected cross-site scripti...
This vulnerability allows attackers to inject malicious scripts into web pages generated by the Diamond WordPress theme, which are then executed in victims' browsers. It affects all WordPress sites us...
This CVE describes a missing authorization vulnerability in the Jthemes Exzo WordPress theme that allows attackers to bypass access controls. It affects all Exzo theme installations running version 1....
This CVE describes a PHP Local File Inclusion vulnerability in the WP Shop WordPress plugin. Attackers can include arbitrary local files through improper filename control in include/require statements...
This CVE describes a Missing Authorization vulnerability in the Cartify WordPress theme that allows unauthorized users to delete arbitrary content. The vulnerability affects WordPress sites using the ...
This path traversal vulnerability in the WordPress User Extra Fields plugin allows attackers to delete arbitrary files on the server. It affects all WordPress sites running User Extra Fields plugin ve...
This path traversal vulnerability in the WordPress 'Upload Files Anywhere' plugin allows attackers to delete arbitrary files on the server. It affects all WordPress sites using this plugin version 2.8...
This CVE describes a missing authorization vulnerability in the WooCommerce Bulk Product Editor plugin that allows attackers to exploit incorrectly configured access controls. Attackers could modify p...
This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users through DOM-based cross-site scripting (XSS) in the SOHO Photography WordPress theme. Attackers can...
This CVE describes a PHP object injection vulnerability in the KindlyCare WordPress theme where untrusted data can be deserialized, potentially allowing attackers to execute arbitrary code. The vulner...
This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects WordPress sites using the VidoRev theme from un...
This CVE describes a PHP Local File Inclusion vulnerability in the SolverWp Portfolio Builder WordPress plugin. Attackers can exploit improper filename control in include/require statements to read se...
This CVE describes a PHP object injection vulnerability in the Jthemes Prestige WordPress theme, caused by insecure deserialization of untrusted data. Attackers can exploit this to execute arbitrary c...
This SQL injection vulnerability in the Wolmart Core WordPress plugin allows attackers to execute arbitrary SQL commands on affected databases. It affects all WordPress sites running Wolmart Core vers...
This SQL injection vulnerability in the TeconceTheme Emerce Core WordPress plugin allows attackers to execute arbitrary SQL commands on the database. It affects all WordPress sites running Emerce Core...
This SQL injection vulnerability in the Saasplate Core WordPress plugin allows attackers to execute arbitrary SQL commands against the database. It affects all WordPress sites using Saasplate Core ver...
This vulnerability allows attackers to include local PHP files through improper filename control in the PeakShops WordPress theme. Attackers can potentially read sensitive files or execute arbitrary c...
This stored cross-site scripting (XSS) vulnerability in the NEX-Forms WordPress plugin allows attackers to inject malicious scripts into web pages that are then executed when other users view those pa...
This vulnerability allows attackers to inject malicious scripts into web pages generated by the NEX-Forms WordPress plugin. When users visit a specially crafted URL containing the malicious script, th...
This CVE describes a missing authorization vulnerability in the ModelTheme Framework WordPress plugin that allows attackers to bypass access controls. It affects all WordPress sites using ModelTheme F...