Export limit exceeded: 341868 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 341868 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (341868 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-14892 | 2 Prime Listing Manager, Wordpress | 2 Prime Listing Manager, Wordpress | 2026-04-02 | 9.8 Critical |
| The Prime Listing Manager WordPress plugin through 1.1 allows an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions due to a hardcoded secret. | ||||
| CVE-2025-14829 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 9.1 Critical |
| The E-xact | Hosted Payment | WordPress plugin through 2.0 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. | ||||
| CVE-2025-14316 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 7.1 High |
| The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2025-14313 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 6.1 Medium |
| The Advance WP Query Search Filter WordPress plugin through 1.0.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2025-14312 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 6.1 Medium |
| The Advance WP Query Search Filter WordPress plugin through 1.0.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2025-13471 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 5.3 Medium |
| The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example to enable User Registration when it has been turned off) | ||||
| CVE-2025-13071 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 7.1 High |
| The Custom Admin Menu WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | ||||
| CVE-2025-13070 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 6.6 Medium |
| The CSV to SortTable WordPress plugin through 4.2 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as contributor to perform LFI attacks. | ||||
| CVE-2025-13001 | 2 Kieranoshea, Wordpress | 2 Donations, Wordpress | 2026-04-02 | 4.1 Medium |
| The donation WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing high privilege users, such as admin to perform SQL injection attacks | ||||
| CVE-2025-13000 | 2 Jimbob1953, Wordpress | 2 Db-access, Wordpress | 2026-04-02 | 7.7 High |
| The db-access WordPress plugin through 0.8.7 does not have authorization in an AJAX action, allowing any authenticated users, such as subscriber to perform SQLI attacks | ||||
| CVE-2025-12820 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 5.3 Medium |
| The Pure WC Variation Swatches WordPress plugin through 1.1.7 does not have an authorization check when updating its settings, which could allow any authenticated users to update them. | ||||
| CVE-2025-12696 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 5.3 Medium |
| The HelloLeads CRM Form Shortcode WordPress plugin through 1.0 does not have authorisation and CSRF check when resetting its settings, allowing unauthenticated users to reset them | ||||
| CVE-2025-12685 | 3 Iqonic, Iqonicdesign, Wordpress | 3 Wpbookit, Wpbookit, Wordpress | 2026-04-02 | 6.5 Medium |
| The WPBookit WordPress plugin through 1.0.7 lacks a CSRF check when deleting customers. This could allow an unauthenticated attacker to delete any customer through a CSRF attack. | ||||
| CVE-2025-12629 | 2 K-78, Wordpress | 2 Broken Link Manager, Wordpress | 2026-04-02 | 7.1 High |
| The Broken Link Manager WordPress plugin through 0.6.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2025-12573 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 6.5 Medium |
| The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor WordPress plugin through 1.0.12 data. | ||||
| CVE-2025-12502 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 6.8 Medium |
| The attention-bar WordPress plugin through 0.7.2.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing high privilege users such as administrator to perform SQL injection attacks | ||||
| CVE-2025-11855 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 7.5 High |
| The age-restriction WordPress plugin through 3.0.2 does not have authorisation in the age_restrictionRemoteSupportRequest function, allowing any authenticated users, such as subscriber to create an admin user with a hardcoded username and arbitrary password. | ||||
| CVE-2025-11237 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 5.3 Medium |
| The Make Email Customizer for WooCommerce WordPress plugin through 1.0.6 lacks proper authorization checks and option validation in its AJAX actions, allowing any authenticated user, such as a Subscriber, to update arbitrary WordPress options. | ||||
| CVE-2025-11072 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 5.3 Medium |
| The MelAbu WP Download Counter Button WordPress plugin through 1.8.6.7 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/download arbitrary files. | ||||
| CVE-2025-10915 | 1 Wordpress | 1 Wordpress | 2026-04-02 | 9.8 Critical |
| The Dreamer Blog WordPress theme through 1.2 is vulnerable to arbitrary installations due to a missing capability check. | ||||