Export limit exceeded: 10762 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10762 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-14464 | 1 Wordpress | 1 Wordpress | 2026-01-14 | 5.3 Medium |
| The PDF Resume Parser plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0. This is due to the plugin registering an AJAX action handler that is accessible to unauthenticated users and exposes SMTP configuration data including credentials. This makes it possible for unauthenticated attackers to extract sensitive SMTP credentials (username and password) from the WordPress configuration, which could be leveraged to compromise email accounts and potentially gain unauthorized access to other systems using the same credentials. | ||||
| CVE-2025-15020 | 2 Gothamdev, Wordpress | 2 Gotham Block Extra Light, Wordpress | 2026-01-14 | 6.5 Medium |
| The Gotham Block Extra Light plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.5.0 via the 'ghostban' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | ||||
| CVE-2025-15266 | 1 Wordpress | 1 Wordpress | 2026-01-14 | 7.2 High |
| The GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the chat message field in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the Chat History page. | ||||
| CVE-2025-15021 | 2 Gothamdev, Wordpress | 2 Gotham Block Extra Light, Wordpress | 2026-01-14 | 4.4 Medium |
| The Gotham Block Extra Light plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2013-2697 | 2 Lesterchan, Wordpress | 2 Wp-downloadmanager, Wordpress | 2026-01-14 | N/A |
| Cross-site request forgery (CSRF) vulnerability in the WP-DownloadManager plugin before 1.61 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. | ||||
| CVE-2025-49867 | 2 Inspirythemes, Wordpress | 2 Realhomes, Wordpress | 2026-01-14 | 9.8 Critical |
| Incorrect Privilege Assignment vulnerability in InspiryThemes RealHomes allows Privilege Escalation. This issue affects RealHomes: from n/a through 4.4.0. | ||||
| CVE-2023-25039 | 2 Codepeople, Wordpress | 2 Google Maps Cp, Wordpress | 2026-01-14 | 4.3 Medium |
| Missing Authorization vulnerability in CodePeople Google Maps CP.This issue affects Google Maps CP: from n/a through 1.0.43. | ||||
| CVE-2025-14507 | 2 Metagauss, Wordpress | 2 Eventprime, Wordpress | 2026-01-14 | 5.3 Medium |
| The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.0 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive booking data including user names, email addresses, ticket details, payment information, and order keys when the API is enabled by an administrator. The vulnerability was partially patched in version 4.2.7.0. | ||||
| CVE-2026-0684 | 2 Codepeople, Wordpress | 2 Cp Image Store With Slideshow, Wordpress | 2026-01-14 | 4.3 Medium |
| The CP Image Store with Slideshow plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9 due to a logic error in the 'cpis_admin_init' function's permission check. This makes it possible for authenticated attackers, with Contributor-level access and above, to import arbitrary products via XML, if the XML file has already been uploaded to the server. | ||||
| CVE-2025-9427 | 2 Lemonsoft, Wordpress | 2 Wordpress Add-on, Wordpress | 2026-01-14 | N/A |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Lemonsoft WordPress add on allows Cross-Site Scripting (XSS).This issue affects WordPress add on: 2025.7.1. | ||||
| CVE-2025-10915 | 1 Wordpress | 1 Wordpress | 2026-01-14 | 9.8 Critical |
| The Dreamer Blog WordPress theme through 1.2 is vulnerable to arbitrary installations due to a missing capability check. | ||||
| CVE-2025-14001 | 2 Ninjateam, Wordpress | 2 Wp Duplicate Page, Wordpress | 2026-01-14 | 5.4 Medium |
| The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate arbitrary posts, pages, and WooCommerce HPOS orders even when their role is explicitly excluded from the plugin's "Allowed User Roles" setting, potentially exposing sensitive information and allowing duplicate fulfillment of WooCommerce orders. | ||||
| CVE-2025-14829 | 1 Wordpress | 1 Wordpress | 2026-01-14 | 9.1 Critical |
| The E-xact | Hosted Payment | WordPress plugin through 2.0 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. | ||||
| CVE-2025-30610 | 2 Catchsquare, Wordpress | 2 Wp Social Widget, Wordpress | 2026-01-13 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in catchsquare WP Social Widget allows Stored XSS. This issue affects WP Social Widget: from n/a through 2.2.6. | ||||
| CVE-2024-27189 | 2 Catchsquare, Wordpress | 2 Wp Social Widget, Wordpress | 2026-01-13 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in catchsquare WP Social Widget allows Stored XSS.This issue affects WP Social Widget: from n/a through 2.2.5. | ||||
| CVE-2023-37885 | 2 Inspirythemes, Wordpress | 2 Realhomes, Wordpress | 2026-01-13 | 4.3 Medium |
| Missing Authorization vulnerability in InspiryThemes RealHomes.This issue affects RealHomes: from n/a through 4.0.2. | ||||
| CVE-2023-37886 | 2 Inspirythemes, Wordpress | 2 Realhomes, Wordpress | 2026-01-13 | 5.4 Medium |
| Missing Authorization vulnerability in InspiryThemes RealHomes.This issue affects RealHomes: from n/a through 4.0.2. | ||||
| CVE-2025-11453 | 2 Anand Kumar, Wordpress | 2 Header And Footer Scripts, Wordpress | 2026-01-13 | 6.4 Medium |
| The Header and Footer Scripts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _inpost_head_script parameter in all versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-13854 | 2 Soniz, Wordpress | 2 Curved Text, Wordpress | 2026-01-13 | 6.4 Medium |
| The Curved Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'radius' parameter of the arctext shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-13853 | 2 Lnbadmin1, Wordpress | 2 Nearby Now Reviews, Wordpress | 2026-01-13 | 6.4 Medium |
| The Nearby Now Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data_tech' parameter of the nn-tech shortcode in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||