Export limit exceeded: 343363 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (343363 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-11733 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 7.2 High |
| The Footnotes Made Easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 3.0.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-11705 | 2 Anti-malware Security And Brute-force Firewall Project, Wordpress | 2 Anti-malware Security And Brute-force Firewall, Wordpress | 2026-04-08 | 6.5 Medium |
| The Anti-Malware Security and Brute-Force Firewall plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 4.23.81 due to a missing capability check combined with an information exposure in several GOTMLS_* AJAX actions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | ||||
| CVE-2025-11522 | 2 Elated-themes, Wordpress | 2 Search And Go Directory, Wordpress | 2026-04-08 | 9.8 Critical |
| The Search & Go - Directory WordPress Theme theme for WordPress is vulnerable to Authentication Bypass via account takeover in all versions up to, and including, 2.7. This is due to insufficient user validation in the search_and_go_elated_check_facebook_user() function This makes it possible for unauthenticated attackers to gain access to other user's accounts, including administrators, when Facebook login is enabled. CVE-2025-62064 is likely a duplicate of this CVE. | ||||
| CVE-2025-11453 | 2 Anand Kumar, Wordpress | 2 Header And Footer Scripts, Wordpress | 2026-04-08 | 6.4 Medium |
| The Header and Footer Scripts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _inpost_head_script parameter in all versions up to, and including, 2.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-11379 | 2 Roselldk, Wordpress | 2 Webp Express, Wordpress | 2026-04-08 | 5.3 Medium |
| The WebP Express plugin for WordPress is vulnerable to information exposure via config files in all versions up to, and including, 0.25.9. This is due to the plugin not properly randomizing the name of the config file to prevent direct access on NGINX. This makes it possible for unauthenticated attackers to extract configuration data. | ||||
| CVE-2025-11361 | 2 Wordpress, Wpdevteam | 2 Wordpress, Gutenberg Essential Blocks | 2026-04-08 | 6.4 Medium |
| The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.7.1 via the eb_save_ai_generated_image function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | ||||
| CVE-2025-10850 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 9.8 Critical |
| The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. This is due to the hardcoded password in the 'fb_ajax_login_or_register' function and in the 'google_ajax_login_or_register' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, if they registered with facebook or google social login and did not change their password. CVE-2025-23504 is likely a duplicate of this issue. | ||||
| CVE-2025-10749 | 2 10up, Wordpress | 2 Microsoft Azure Storage For Wordpress, Wordpress | 2026-04-08 | 5.4 Medium |
| The Microsoft Azure Storage for WordPress plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Deletion in all versions up to, and including, 4.5.1. This is due to missing capability checks on the 'azure-storage-media-replace' AJAX action. This makes it possible for authenticated attackers with subscriber-level access and above to delete arbitrary media files from the WordPress Media Library via the replace_attachment parameter granted they can access the nonce which is exposed to all authenticated users. | ||||
| CVE-2025-10682 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 6.5 Medium |
| The TARIFFUXX plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4. This is due to insufficient neutralization of user-supplied input used directly in SQL queries. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject additional SQL into queries and extract sensitive information from the database via a crafted id attribute in the 'tariffuxx_configurator' shortcode. | ||||
| CVE-2025-10583 | 2 Emrevona, Wordpress | 2 Wp Fastest Cache, Wordpress | 2026-04-08 | 3.5 Low |
| The WP Fastest Cache Premium plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.7.4 via the 'get_server_time_ajax_request' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The free version is not affected. | ||||
| CVE-2025-10486 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 5.3 Medium |
| The Content Writer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.8 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files. | ||||
| CVE-2025-10175 | 2 Rico Macchi, Wordpress | 2 Wp Links Page, Wordpress | 2026-04-08 | 6.5 Medium |
| The WP Links Page plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 4.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-10141 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 6.4 Medium |
| The Digiseller plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ds' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-10047 | 2 Pmbaldha, Wordpress | 2 Email Tracker, Wordpress | 2026-04-08 | 4.9 Medium |
| The Email Tracker – Email Log, Email Open Tracking, Email Analytics & Email Management for WordPress Emails plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 5.3.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-0957 | 2026-04-08 | 7.2 High | ||
| The SMTP for Amazon SES – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-0953 | 1 Yaycommerce | 1 Yaysmtp | 2026-04-08 | 7.2 High |
| The SMTP for Sendinblue – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-0918 | 1 Yaycommerce | 1 Yaysmtp | 2026-04-08 | 7.2 High |
| The SMTP for SendGrid – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-0860 | 1 Vruiz | 1 Vr-frases | 2026-04-08 | 6.1 Medium |
| The VR-Frases (collect & share quotes) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via several parameters in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. CVE-2025-22636 appears to be a duplicate of this issue. | ||||
| CVE-2025-0810 | 2026-04-08 | 7.5 High | ||
| The Read More & Accordion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.7. This is due to missing or incorrect nonce validation on the addNewButtons() function. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-0181 | 1 Wordpress | 1 Wordpress | 2026-04-08 | 9.8 Critical |
| The WP Foodbakery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.8. This is due to the plugin not properly validating a user's identity prior to setting the current user and their authentication cookie. This makes it possible for unauthenticated attackers to gain access to a target user's (e.g. administrators) account. | ||||