Export limit exceeded: 359373 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (13019 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-24385 | 2 Gerritvanaaken, Wordpress | 2 Podlove Web Player, Wordpress | 2026-04-22 | 7.5 High |
| Deserialization of Untrusted Data vulnerability in gerritvanaaken Podlove Web Player podlove-web-player allows Object Injection.This issue affects Podlove Web Player: from n/a through <= 5.9.1. | ||||
| CVE-2026-27383 | 2 Radiustheme, Wordpress | 2 Metro, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Metro metro allows PHP Local File Inclusion.This issue affects Metro: from n/a through <= 2.13. | ||||
| CVE-2026-27385 | 2 Designthemes, Wordpress | 2 Designthemes Portfolio, Wordpress | 2026-04-22 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes DesignThemes Portfolio designthemes-portfolio allows Reflected XSS.This issue affects DesignThemes Portfolio: from n/a through <= 1.3. | ||||
| CVE-2026-3132 | 2 Jeweltheme, Wordpress | 2 Master Addons For Elementor, Wordpress | 2026-04-22 | 8.8 High |
| The Master Addons for Elementor Premium plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.3 via the 'JLTMA_Widget_Admin::render_preview'. This is due to missing capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute code on the server. | ||||
| CVE-2026-27438 | 2 Themerex, Wordpress | 2 Kingler, Wordpress | 2026-04-22 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in ThemeREX Kingler kingler allows Object Injection.This issue affects Kingler: from n/a through <= 1.7. | ||||
| CVE-2026-27986 | 2 Themerex, Wordpress | 2 Ostende, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX OsTende ostende allows PHP Local File Inclusion.This issue affects OsTende: from n/a through <= 1.4.3. | ||||
| CVE-2026-27998 | 2 Themerex, Wordpress | 2 Vixus, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Vixus vixus allows PHP Local File Inclusion.This issue affects Vixus: from n/a through <= 1.0.16. | ||||
| CVE-2026-28020 | 2 Themerex, Wordpress | 2 Chroma, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Chroma chroma allows PHP Local File Inclusion.This issue affects Chroma: from n/a through <= 1.11. | ||||
| CVE-2025-54001 | 2 Thermerex, Wordpress | 2 Classter, Wordpress | 2026-04-22 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in ThemeREX Classter classter allows Object Injection.This issue affects Classter: from n/a through <= 2.5. | ||||
| CVE-2026-28021 | 2 Themerex, Wordpress | 2 Craftis, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Craftis craftis allows PHP Local File Inclusion.This issue affects Craftis: from n/a through <= 1.2.8. | ||||
| CVE-2026-28022 | 2 Themerex, Wordpress | 2 Foodie, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Foodie foodie allows PHP Local File Inclusion.This issue affects Foodie: from n/a through <= 1.14. | ||||
| CVE-2026-22414 | 2 Mikado-themes, Wordpress | 2 Marra, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Marra marra allows PHP Local File Inclusion.This issue affects Marra: from n/a through <= 1.2. | ||||
| CVE-2025-11891 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 5.3 Medium |
| The Shelf Planner plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.1 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files. | ||||
| CVE-2025-12087 | 2 Acowebs, Wordpress | 2 Wishlist And Save For Later For Woocommerce, Wordpress | 2026-04-22 | 4.3 Medium |
| The Wishlist and Save for later for Woocommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.22 via the 'awwlm_remove_added_wishlist_page' AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete wishlist items from other user's wishlists. | ||||
| CVE-2025-12366 | 2 Softaculous, Wordpress | 2 Page Builder Pagelayer, Wordpress | 2026-04-22 | 4.3 Medium |
| The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.5 via the pagelayer_replace_page function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to replace media files belonging to other users, including administrators. | ||||
| CVE-2025-12015 | 2 Sanderkah, Wordpress | 2 Convert Webp & Avif, Wordpress | 2026-04-22 | 4.3 Medium |
| The Convert WebP & AVIF | Quicq | Best image optimizer and compression plugin | Improve your Google Pagespeed plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_wpqai_disconnect_quicq_afosto' AJAX endpoint in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect Afosto | ||||
| CVE-2025-11981 | 2 Jdsofttech, Wordpress | 2 School Management System, Wordpress | 2026-04-22 | 4.9 Medium |
| The School Management System – WPSchoolPress plugin for WordPress is vulnerable to SQL Injection via the 'SCodes' parameter in all versions up to, and including, 2.2.23 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2025-11620 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 7.2 High |
| The Multiple Roles per User plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mrpu_add_multiple_roles_ui' and 'mrpu_save_multiple_user_roles' functions in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, granted the 'edit_users' capability, to edit any user's role, including promoting users to Administrator and demoting Administrators to lower-privileged roles. | ||||
| CVE-2025-11734 | 2 Aioseo, Wordpress | 2 Broken Link Checker, Wordpress | 2026-04-22 | 5.4 Medium |
| The Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization in all versions up to, and including, 1.2.5. This is due to the plugin registering a REST API endpoint that only checks for a broad capability (aioseo_blc_broken_links_page) that is granted to contributor level users, without verifying the user's permission to perform actions on the specific post being targeted. This makes it possible for authenticated attackers, with contributor level access and above, to trash arbitrary posts via the DELETE /wp-json/aioseoBrokenLinkChecker/v1/post endpoint. | ||||
| CVE-2025-12955 | 3 Rajeshsingh520, Woocommerce, Wordpress | 3 Live Sales Notification For Woocommerce, Woocommerce, Wordpress | 2026-04-22 | 7.5 High |
| The Live sales notification for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.39. This is due to the "getOrders" function lacking proper authorization and capability checks when the plugin is configured to display recent order information. This makes it possible for unauthenticated attackers to extract sensitive customer information including buyer first names, city, state, country, purchase time and date, and product details. | ||||