Skip to main content

WordPress

17382 CVEs vendor

Monthly

CVE-2025-14457 LOW PATCH Monitor

Drag and Drop Multiple File Upload for Contact Form 7 (WordPress plugin) is affected by missing authorization (CVSS 3.7).

WordPress PHP
NVD
CVSS 3.1
3.7
EPSS
0.1%
CVE-2025-14448 MEDIUM PATCH This Month

WP-Members Membership Plugin (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 5.4).

WordPress XSS Wp Members PHP
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-12166 HIGH This Week

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection via the `order` and `append_where_sql` parameters in all versions up to, and including, 1.6.9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]

WordPress SQLi PHP
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-0813 MEDIUM This Month

Stored XSS in the WordPress Short Link plugin through versions 1.0 allows authenticated administrators to inject malicious scripts via the short_link_post_title and short_link_page_title parameters due to insufficient input sanitization. When users access pages containing the injected payload, the arbitrary JavaScript executes in their browsers, potentially compromising their sessions or data. No patch is currently available; mitigation requires disabling or removing the affected plugin.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0812 MEDIUM This Month

Stored cross-site scripting in the LinkedIn SC WordPress plugin through version 1.1.9 allows authenticated administrators to inject malicious scripts via insufficiently sanitized plugin settings that execute for all users visiting affected pages. The vulnerability requires high privilege administrator access to exploit and currently lacks an available patch. Attack complexity is high and impact is limited to confidentiality and integrity, with no availability impact.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0741 MEDIUM This Month

Electric Studio Download Counter (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0739 MEDIUM This Month

Stored XSS in WMF Mobile Redirector plugin for WordPress up to version 1.2 allows authenticated administrators to inject malicious scripts into plugin settings that execute for all site visitors. The vulnerability stems from inadequate input sanitization and output escaping, enabling privilege abuse by high-level account holders. A patch is not currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0734 MEDIUM This Month

Stored XSS in WP Allowed Hosts plugin through 1.0.8 allows authenticated administrators to inject malicious scripts via the 'allowed-hosts' parameter on multi-site WordPress installations or those with disabled unfiltered_html. Affected administrators can execute arbitrary JavaScript that persists and runs for all users accessing injected pages. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-15513 MEDIUM This Month

The Float Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to improper error handling in the verifyFloatResponse() function in all versions up to, and including, 1.1.9. [CVSS 5.3 MEDIUM]

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-15512 MEDIUM This Month

The Aplazo Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check_success_response() function in all versions up to, and including, 1.4.2. [CVSS 5.3 MEDIUM]

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-15475 MEDIUM This Month

PayHere Payment Gateway Plugin for WooCommerce (WordPress plugin) versions up to 2.3.9. is affected by missing authorization (CVSS 5.3).

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-15376 MEDIUM This Month

Stopwords for comments (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14846 MEDIUM This Month

SocialChamp with WordPress (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14770 HIGH This Week

The Shipping Rate By Cities plugin for WordPress is vulnerable to SQL Injection via the 'city' parameter in all versions up to, and including, 2.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]

WordPress SQLi PHP
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-14173 MEDIUM This Month

Perfit WooCommerce (WordPress plugin) versions up to 1.0.1. is affected by missing authorization (CVSS 5.3).

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-0717 MEDIUM This Month

Unauthenticated attackers can retrieve LottieFiles account credentials including API tokens and email addresses from the LottieFiles - Lottie block for Gutenberg WordPress plugin (versions up to 3.0.0) through an exposed REST API endpoint when account sharing is enabled. This information disclosure vulnerability affects site owners who have configured the plugin to share LottieFiles credentials across WordPress users. No patch is currently available.

WordPress Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-0694 MEDIUM This Month

Stored XSS in the SearchWiz WordPress plugin through version 1.0.0 allows authenticated contributors and above to inject malicious scripts into post titles that execute when other users view search results. The vulnerability stems from improper output escaping using esc_attr() instead of esc_html() when rendering post titles in search functionality. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0680 MEDIUM This Month

Stored XSS in Real Post Slider Lite WordPress plugin through version 2.4 allows authenticated administrators to inject malicious scripts into plugin settings that execute for other users viewing affected pages. The vulnerability requires high privileges and only impacts multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0678 MEDIUM This Month

Flat Shipping Rate by City for WooCommerce (WordPress plugin) is affected by sql injection (CVSS 4.9).

WordPress SQLi
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-0635 MEDIUM This Month

The Responsive Accordion Slider plugin for WordPress up to version 1.2.2 fails to validate user permissions on image metadata modification functions, allowing authenticated contributors and higher-privileged users to alter slider images, titles, descriptions, alt text, and associated links. This capability check bypass affects all installations using the vulnerable plugin versions and requires only valid WordPress login credentials to exploit.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-0594 MEDIUM POC This Month

Reflected XSS in WordPress List Site Contributors plugin up to version 1.1.8 allows unauthenteric attackers to inject malicious scripts through the 'alpha' parameter due to inadequate input sanitization. Successful exploitation requires social engineering to trick users into clicking malicious links, potentially compromising user sessions and site integrity. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
1.3%
CVE-2025-15486 MEDIUM This Month

The Kunze Law plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's shortcode in all versions up to, and including, 2.1 due to the plugin fetching HTML content from a remote server and injecting it into pages without any sanitization or escaping. [CVSS 4.4 MEDIUM]

WordPress XSS Path Traversal PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-15378 HIGH This Week

The AJS Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'note_list_class' and 'popup_display_effect_in' parameters in all versions up to, and including, 1.0 due to missing authorization and nonce verification on settings save, as well as insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-15377 MEDIUM This Month

The Sosh Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'admin_page_content' function. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-15283 HIGH This Week

The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' and 'name_directory_description' parameters in all versions up to, and including, 1.30.3 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-15266 HIGH This Week

The GeekyBot - Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the chat message field in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-15021 MEDIUM This Month

The Gotham Block Extra Light plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-15020 MEDIUM This Month

Gotham Block Extra Light (WordPress plugin) versions up to 1.5.0 is affected by path traversal (CVSS 6.5).

WordPress Path Traversal
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-14880 MEDIUM This Month

Netcash WooCommerce Payment Gateway (WordPress plugin) versions up to 4.1.3. is affected by missing authorization (CVSS 5.3).

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-14854 MEDIUM This Month

WP-CRM System (WordPress plugin) versions up to 3.4.5. is affected by missing authorization (CVSS 5.4).

WordPress Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14725 MEDIUM This Month

The Internal Link Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-14615 HIGH This Week

The DASHBOARD BUILDER - WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. [CVSS 7.1 HIGH]

WordPress PHP SQLi CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-14613 HIGH This Week

The GetContentFromURL plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0. This is due to the plugin using wp_remote_get() instead of wp_safe_remote_get() to fetch content from a user-supplied URL in the 'url' parameter of the [gcfu] shortcode. [CVSS 7.2 HIGH]

WordPress SSRF PHP
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-14502 CRITICAL Act Now

News and Blog Designer Bundle for WordPress (through 1.1) has LFI via the template parameter, enabling unauthenticated arbitrary PHP file inclusion and execution.

WordPress PHP LFI
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2025-14482 MEDIUM This Month

Crush.pics Image Optimizer - Image Compression and Optimization (WordPress plugin) versions up to 1.8.7. is affected by missing authorization (CVSS 4.3).

WordPress Industrial PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14464 MEDIUM This Month

The PDF Resume Parser plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0. This is due to the plugin registering an AJAX action handler that is accessible to unauthenticated users and exposes SMTP configuration data including credentials. This makes it possible for unauthenticated attackers to extract sensitive SMTP credentials (username and password) from the WordPress configuration, which could be leveraged to compromise email accou...

WordPress Information Disclosure PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-14389 MEDIUM This Month

The WPBlogSyn plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14379 MEDIUM This Month

The Testimonials Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in version 1.6 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-14301 CRITICAL Act Now

Integration Opvius AI for WooCommerce (through 1.3.0) has unauthenticated path traversal allowing arbitrary file download and deletion. No authentication, no nonce verification, no path validation.

WordPress PHP Path Traversal
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-13627 MEDIUM This Month

The Makesweat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'makesweat_clubid' setting in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-12178 MEDIUM This Month

The SpiceForms Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spiceforms' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0684 MEDIUM This Month

CP Image Store with Slideshow (WordPress plugin) versions up to 1.1.9 is affected by incorrect authorization (CVSS 4.3).

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-9427 This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Lemonsoft WordPress add on allows Cross-Site Scripting (XSS).This issue affects WordPress add on: 2025.7.1.

WordPress XSS PHP
NVD
EPSS
0.0%
CVE-2025-14507 MEDIUM This Month

The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.0 via the REST API. [CVSS 5.3 MEDIUM]

WordPress Information Disclosure PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14001 MEDIUM This Month

The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. [CVSS 5.4 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14829 CRITICAL Act Now

E-xact Hosted Payment WordPress plugin (through 2.0) allows unauthenticated arbitrary file deletion. Attackers can delete wp-config.php to trigger the WordPress installer and take over the site.

WordPress PHP
NVD WPScan
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-10915 CRITICAL Act Now

Dreamer Blog WordPress theme (through 1.2) allows unauthenticated arbitrary plugin/theme installations due to a missing capability check. Attackers can install malicious plugins to achieve RCE.

WordPress PHP
NVD WPScan
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-14579 MEDIUM This Month

Quiz Maker WordPre versions up to 6.7.0.89 contains a vulnerability that allows attackers to high privilege users such as admin to perform Stored Cross-Site Scripting attack (CVSS 4.8).

WordPress XSS PHP
NVD WPScan
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-13393 MEDIUM This Month

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize() function in the Elementor widget integration. [CVSS 4.3 MEDIUM]

WordPress SSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12379 MEDIUM This Month

Shortcodes and extra features for Phlox theme (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14555 MEDIUM This Month

The Countdown Timer - Widget Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdevart_countdown' shortcode in all versions up to, and including, 2.7.7 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14506 MEDIUM This Month

The ConvertForce Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gutenberg block's `entrance_animation` attribute in all versions up to, and including, 0.0.7. This is due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0831 MEDIUM This Month

Templately (WordPress plugin) versions up to 3.4.8. is affected by incorrect authorization (CVSS 5.3).

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-14976 MEDIUM This Month

The User Registration & Membership - Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.8. [CVSS 5.4 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14948 MEDIUM This Month

miniOrange OTP Verification and SMS Notification for WooCommerce (WordPress plugin) is affected by missing authorization (CVSS 5.3).

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-14943 MEDIUM This Month

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.7.2. [CVSS 4.3 MEDIUM]

WordPress Information Disclosure PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13457 HIGH This Week

WooCommerce Square (WordPress plugin) versions up to 5.1.1 is affected by authorization bypass through user-controlled key (CVSS 7.5).

WordPress PHP
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2020-36875 This Week

AccessAlly WordPress plugin versions prior to 3.3.2 contain an unauthenticated arbitrary PHP code execution vulnerability in the Login Widget.

WordPress PHP RCE
NVD WPScan
EPSS
0.1%
CVE-2025-14172 MEDIUM This Month

WP Page Permalink Extension (WordPress plugin) versions up to 1.5.4. is affected by missing authorization (CVSS 6.5).

WordPress PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-13967 MEDIUM This Month

The Woodpecker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_name' parameter of the [woodpecker-connector] shortcode in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13908 MEDIUM This Month

The The Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'the_tooltip' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13903 MEDIUM This Month

The PullQuote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pullquote' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13897 MEDIUM This Month

The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aft_testimonial_meta_name' custom field in the Client Information metabox in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user-supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13893 MEDIUM This Month

The Lesson Plan Book plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-13892 MEDIUM This Month

The MG AdvancedOptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-13862 MEDIUM This Month

The Menu Card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `category` parameter in all versions up to, and including, 0.8.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13854 MEDIUM This Month

The Curved Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'radius' parameter of the arctext shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13852 MEDIUM This Month

The Debt.com Business in a Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'configuration' parameter of the lead_form shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13717 MEDIUM This Month

The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wp_gvccf_check_download_request' function in all versions up to, and including, 2.4. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-13704 MEDIUM This Month

The Autogen Headers Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head_class' parameter of the 'autogen_menu' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13701 MEDIUM This Month

The Shabat Keeper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] parameter in all versions up to, and including, 0.4.4 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-11453 MEDIUM This Month

The Header and Footer Scripts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _inpost_head_script parameter in all versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13900 MEDIUM This Month

The WP Popup Magic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the [wppum_end] shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13895 MEDIUM This Month

The Top Position Google Finance plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.1.0 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-13853 MEDIUM This Month

The Nearby Now Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data_tech' parameter of the nn-tech shortcode in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13729 MEDIUM This Month

The Entry Views plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'entry-views' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0627 MEDIUM This Month

Stored XSS in the AMP for WP WordPress plugin (versions up to 1.1.10) allows authenticated users with Author privileges or higher to execute arbitrary JavaScript by uploading malicious SVG files with event handlers and animation attributes that bypass incomplete script tag filtering. The injected payload executes in the browsers of any user viewing the uploaded file, enabling session hijacking, credential theft, or malware distribution. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14937 HIGH This Week

Frontend Admin by DynamiApps (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-14741 CRITICAL Act Now

Frontend Admin by DynamiApps (through 3.28.25) also allows unauthenticated deletion of arbitrary posts, pages, products, taxonomy terms, and user accounts due to missing capability checks.

WordPress PHP
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-14657 HIGH This Week

The Eventin - Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. [CVSS 7.2 HIGH]

WordPress PHP
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-14146 MEDIUM This Month

The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the `WPBC_FLEXTIMELINE_NAV` AJAX action. This is due to the nonce verification being conditionally disabled by default (`booking_is_nonce_at_front_end` option is `'Off'` by default). When the `booking_is_show_popover_in_timeline_front_end` option is enabled (which is the default in demo installations and can be enabled by administrators), it is possible ...

WordPress Information Disclosure PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-13935 MEDIUM This Month

eLearning and online course solution versions up to 3.9.2. is affected by missing authorization (CVSS 4.3).

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13934 MEDIUM This Month

eLearning and online course solution versions up to 3.9.3. is affected by missing authorization (CVSS 4.3).

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13753 MEDIUM This Month

The WP Table Builder - Drag & Drop Table Builder plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect authorization check on the save_table() function in all versions up to, and including, 2.0.19. [CVSS 4.3 MEDIUM]

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13628 MEDIUM This Month

The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-0563 MEDIUM This Month

Stored cross-site scripting in the WP Google Street View & Google Maps plugin for WordPress versions up to 1.1.8 allows authenticated contributors and higher-privileged users to inject malicious scripts via the 'wpgsv_map' shortcode due to inadequate input sanitization, enabling arbitrary code execution when visitors access affected pages. The vulnerability requires authenticated access and has no available patch as of this report.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-15057 HIGH This Week

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5.3.3. This is due to insufficient input sanitization and output escaping on the fingerprint value stored in the database. [CVSS 7.2 HIGH]

WordPress Industrial XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-15055 HIGH This Week

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress Industrial XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-15019 MEDIUM This Month

The BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bialty_cs_alt' post meta in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14980 MEDIUM This Month

The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. [CVSS 6.5 MEDIUM]

WordPress Information Disclosure AI / ML PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Drag and Drop Multiple File Upload for Contact Form 7 (WordPress plugin) is affected by missing authorization (CVSS 3.7).

WordPress PHP
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

WP-Members Membership Plugin (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 5.4).

WordPress XSS Wp Members +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection via the `order` and `append_where_sql` parameters in all versions up to, and including, 1.6.9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]

WordPress SQLi PHP
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in the WordPress Short Link plugin through versions 1.0 allows authenticated administrators to inject malicious scripts via the short_link_post_title and short_link_page_title parameters due to insufficient input sanitization. When users access pages containing the injected payload, the arbitrary JavaScript executes in their browsers, potentially compromising their sessions or data. No patch is currently available; mitigation requires disabling or removing the affected plugin.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored cross-site scripting in the LinkedIn SC WordPress plugin through version 1.1.9 allows authenticated administrators to inject malicious scripts via insufficiently sanitized plugin settings that execute for all users visiting affected pages. The vulnerability requires high privilege administrator access to exploit and currently lacks an available patch. Attack complexity is high and impact is limited to confidentiality and integrity, with no availability impact.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Electric Studio Download Counter (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in WMF Mobile Redirector plugin for WordPress up to version 1.2 allows authenticated administrators to inject malicious scripts into plugin settings that execute for all site visitors. The vulnerability stems from inadequate input sanitization and output escaping, enabling privilege abuse by high-level account holders. A patch is not currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in WP Allowed Hosts plugin through 1.0.8 allows authenticated administrators to inject malicious scripts via the 'allowed-hosts' parameter on multi-site WordPress installations or those with disabled unfiltered_html. Affected administrators can execute arbitrary JavaScript that persists and runs for all users accessing injected pages. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Float Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to improper error handling in the verifyFloatResponse() function in all versions up to, and including, 1.1.9. [CVSS 5.3 MEDIUM]

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Aplazo Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check_success_response() function in all versions up to, and including, 1.4.2. [CVSS 5.3 MEDIUM]

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

PayHere Payment Gateway Plugin for WooCommerce (WordPress plugin) versions up to 2.3.9. is affected by missing authorization (CVSS 5.3).

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Stopwords for comments (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

SocialChamp with WordPress (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The Shipping Rate By Cities plugin for WordPress is vulnerable to SQL Injection via the 'city' parameter in all versions up to, and including, 2.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]

WordPress SQLi PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Perfit WooCommerce (WordPress plugin) versions up to 1.0.1. is affected by missing authorization (CVSS 5.3).

WordPress PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can retrieve LottieFiles account credentials including API tokens and email addresses from the LottieFiles - Lottie block for Gutenberg WordPress plugin (versions up to 3.0.0) through an exposed REST API endpoint when account sharing is enabled. This information disclosure vulnerability affects site owners who have configured the plugin to share LottieFiles credentials across WordPress users. No patch is currently available.

WordPress Information Disclosure
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the SearchWiz WordPress plugin through version 1.0.0 allows authenticated contributors and above to inject malicious scripts into post titles that execute when other users view search results. The vulnerability stems from improper output escaping using esc_attr() instead of esc_html() when rendering post titles in search functionality. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored XSS in Real Post Slider Lite WordPress plugin through version 2.4 allows authenticated administrators to inject malicious scripts into plugin settings that execute for other users viewing affected pages. The vulnerability requires high privileges and only impacts multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Flat Shipping Rate by City for WooCommerce (WordPress plugin) is affected by sql injection (CVSS 4.9).

WordPress SQLi
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Responsive Accordion Slider plugin for WordPress up to version 1.2.2 fails to validate user permissions on image metadata modification functions, allowing authenticated contributors and higher-privileged users to alter slider images, titles, descriptions, alt text, and associated links. This capability check bypass affects all installations using the vulnerable plugin versions and requires only valid WordPress login credentials to exploit.

WordPress
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Reflected XSS in WordPress List Site Contributors plugin up to version 1.1.8 allows unauthenteric attackers to inject malicious scripts through the 'alpha' parameter due to inadequate input sanitization. Successful exploitation requires social engineering to trick users into clicking malicious links, potentially compromising user sessions and site integrity. No patch is currently available for this vulnerability.

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

The Kunze Law plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's shortcode in all versions up to, and including, 2.1 due to the plugin fetching HTML content from a remote server and injecting it into pages without any sanitization or escaping. [CVSS 4.4 MEDIUM]

WordPress XSS Path Traversal +1
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The AJS Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'note_list_class' and 'popup_display_effect_in' parameters in all versions up to, and including, 1.0 due to missing authorization and nonce verification on settings save, as well as insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress XSS PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Sosh Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'admin_page_content' function. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' and 'name_directory_description' parameters in all versions up to, and including, 1.30.3 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The GeekyBot - Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the chat message field in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress XSS
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

The Gotham Block Extra Light plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Gotham Block Extra Light (WordPress plugin) versions up to 1.5.0 is affected by path traversal (CVSS 6.5).

WordPress Path Traversal
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Netcash WooCommerce Payment Gateway (WordPress plugin) versions up to 4.1.3. is affected by missing authorization (CVSS 5.3).

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

WP-CRM System (WordPress plugin) versions up to 3.4.5. is affected by missing authorization (CVSS 5.4).

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

The Internal Link Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

The DASHBOARD BUILDER - WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. [CVSS 7.1 HIGH]

WordPress PHP SQLi +1
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The GetContentFromURL plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0. This is due to the plugin using wp_remote_get() instead of wp_safe_remote_get() to fetch content from a user-supplied URL in the 'url' parameter of the [gcfu] shortcode. [CVSS 7.2 HIGH]

WordPress SSRF PHP
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

News and Blog Designer Bundle for WordPress (through 1.1) has LFI via the template parameter, enabling unauthenticated arbitrary PHP file inclusion and execution.

WordPress PHP LFI
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Crush.pics Image Optimizer - Image Compression and Optimization (WordPress plugin) versions up to 1.8.7. is affected by missing authorization (CVSS 4.3).

WordPress Industrial PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The PDF Resume Parser plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0. This is due to the plugin registering an AJAX action handler that is accessible to unauthenticated users and exposes SMTP configuration data including credentials. This makes it possible for unauthenticated attackers to extract sensitive SMTP credentials (username and password) from the WordPress configuration, which could be leveraged to compromise email accou...

WordPress Information Disclosure PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The WPBlogSyn plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

The Testimonials Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in version 1.6 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Integration Opvius AI for WooCommerce (through 1.3.0) has unauthenticated path traversal allowing arbitrary file download and deletion. No authentication, no nonce verification, no path validation.

WordPress PHP Path Traversal
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

The Makesweat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'makesweat_clubid' setting in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The SpiceForms Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spiceforms' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

CP Image Store with Slideshow (WordPress plugin) versions up to 1.1.9 is affected by incorrect authorization (CVSS 4.3).

WordPress
NVD
EPSS 0%
This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Lemonsoft WordPress add on allows Cross-Site Scripting (XSS).This issue affects WordPress add on: 2025.7.1.

WordPress XSS PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.0 via the REST API. [CVSS 5.3 MEDIUM]

WordPress Information Disclosure PHP
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

The WP Duplicate Page plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'duplicateBulkHandle' and 'duplicateBulkHandleHPOS' functions in all versions up to, and including, 1.8. [CVSS 5.4 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

E-xact Hosted Payment WordPress plugin (through 2.0) allows unauthenticated arbitrary file deletion. Attackers can delete wp-config.php to trigger the WordPress installer and take over the site.

WordPress PHP
NVD WPScan
EPSS 0% CVSS 9.8
CRITICAL Act Now

Dreamer Blog WordPress theme (through 1.2) allows unauthenticated arbitrary plugin/theme installations due to a missing capability check. Attackers can install malicious plugins to achieve RCE.

WordPress PHP
NVD WPScan
EPSS 0% CVSS 4.8
MEDIUM This Month

Quiz Maker WordPre versions up to 6.7.0.89 contains a vulnerability that allows attackers to high privilege users such as admin to perform Stored Cross-Site Scripting attack (CVSS 4.8).

WordPress XSS PHP
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM This Month

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize() function in the Elementor widget integration. [CVSS 4.3 MEDIUM]

WordPress SSRF PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Shortcodes and extra features for Phlox theme (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Countdown Timer - Widget Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdevart_countdown' shortcode in all versions up to, and including, 2.7.7 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The ConvertForce Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gutenberg block's `entrance_animation` attribute in all versions up to, and including, 0.0.7. This is due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Templately (WordPress plugin) versions up to 3.4.8. is affected by incorrect authorization (CVSS 5.3).

WordPress
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

The User Registration & Membership - Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.8. [CVSS 5.4 MEDIUM]

WordPress CSRF PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

miniOrange OTP Verification and SMS Notification for WooCommerce (WordPress plugin) is affected by missing authorization (CVSS 5.3).

WordPress PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.7.2. [CVSS 4.3 MEDIUM]

WordPress Information Disclosure PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

WooCommerce Square (WordPress plugin) versions up to 5.1.1 is affected by authorization bypass through user-controlled key (CVSS 7.5).

WordPress PHP
NVD
EPSS 0%
This Week

AccessAlly WordPress plugin versions prior to 3.3.2 contain an unauthenticated arbitrary PHP code execution vulnerability in the Login Widget.

WordPress PHP RCE
NVD WPScan
EPSS 0% CVSS 6.5
MEDIUM This Month

WP Page Permalink Extension (WordPress plugin) versions up to 1.5.4. is affected by missing authorization (CVSS 6.5).

WordPress PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Woodpecker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_name' parameter of the [woodpecker-connector] shortcode in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The The Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'the_tooltip' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The PullQuote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pullquote' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aft_testimonial_meta_name' custom field in the Client Information metabox in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user-supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The Lesson Plan Book plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The MG AdvancedOptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Menu Card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `category` parameter in all versions up to, and including, 0.8.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Curved Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'radius' parameter of the arctext shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Debt.com Business in a Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'configuration' parameter of the lead_form shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wp_gvccf_check_download_request' function in all versions up to, and including, 2.4. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Autogen Headers Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head_class' parameter of the 'autogen_menu' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The Shabat Keeper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] parameter in all versions up to, and including, 0.4.4 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Header and Footer Scripts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _inpost_head_script parameter in all versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The WP Popup Magic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the [wppum_end] shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The Top Position Google Finance plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.1.0 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Nearby Now Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data_tech' parameter of the nn-tech shortcode in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Entry Views plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'entry-views' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in the AMP for WP WordPress plugin (versions up to 1.1.10) allows authenticated users with Author privileges or higher to execute arbitrary JavaScript by uploading malicious SVG files with event handlers and animation attributes that bypass incomplete script tag filtering. The injected payload executes in the browsers of any user viewing the uploaded file, enabling session hijacking, credential theft, or malware distribution. No patch is currently available.

WordPress XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Frontend Admin by DynamiApps (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 7.2).

WordPress XSS PHP
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

Frontend Admin by DynamiApps (through 3.28.25) also allows unauthenticated deletion of arbitrary posts, pages, products, taxonomy terms, and user accounts due to missing capability checks.

WordPress PHP
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The Eventin - Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. [CVSS 7.2 HIGH]

WordPress PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the `WPBC_FLEXTIMELINE_NAV` AJAX action. This is due to the nonce verification being conditionally disabled by default (`booking_is_nonce_at_front_end` option is `'Off'` by default). When the `booking_is_show_popover_in_timeline_front_end` option is enabled (which is the default in demo installations and can be enabled by administrators), it is possible ...

WordPress Information Disclosure PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

eLearning and online course solution versions up to 3.9.2. is affected by missing authorization (CVSS 4.3).

WordPress PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

eLearning and online course solution versions up to 3.9.3. is affected by missing authorization (CVSS 4.3).

WordPress PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The WP Table Builder - Drag & Drop Table Builder plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect authorization check on the save_table() function in all versions up to, and including, 2.0.19. [CVSS 4.3 MEDIUM]

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in the WP Google Street View & Google Maps plugin for WordPress versions up to 1.1.8 allows authenticated contributors and higher-privileged users to inject malicious scripts via the 'wpgsv_map' shortcode due to inadequate input sanitization, enabling arbitrary code execution when visitors access affected pages. The vulnerability requires authenticated access and has no available patch as of this report.

WordPress XSS
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5.3.3. This is due to insufficient input sanitization and output escaping on the fingerprint value stored in the database. [CVSS 7.2 HIGH]

WordPress Industrial XSS +1
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress Industrial XSS +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bialty_cs_alt' post meta in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. [CVSS 6.5 MEDIUM]

WordPress Information Disclosure AI / ML +1
NVD
Prev Page 31 of 194 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy