Filtered by vendor Wordpress
Subscriptions
Filtered by product Wordpress
Subscriptions
Total
9381 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-25444 | 2 Joomsky, Wordpress | 2 Js Help Desk, Wordpress | 2026-01-23 | 9.1 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin allows Using Malicious Files.This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.7.7. | ||||
| CVE-2023-47788 | 2 Automattic, Wordpress | 2 Jetpack, Wordpress | 2026-01-23 | 4.3 Medium |
| Missing Authorization vulnerability in Automattic Jetpack.This issue affects Jetpack: from n/a before 12.7. | ||||
| CVE-2024-43161 | 2 Averta, Wordpress | 2 Depicter Slider, Wordpress | 2026-01-23 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Averta Depicter Slider allows Stored XSS.This issue affects Depicter Slider: from n/a through 3.1.2. | ||||
| CVE-2024-47381 | 2 Averta, Wordpress | 2 Depicter Slider, Wordpress | 2026-01-23 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Averta Depicter Slider allows Stored XSS.This issue affects Depicter Slider: from n/a through 3.2.2. | ||||
| CVE-2025-15522 | 2 Uncannyowl, Wordpress | 2 Uncanny Automator, Wordpress | 2026-01-23 | 6.4 Medium |
| The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and output escaping on the verified_message parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user with a verified Discord account accesses the injected page. | ||||
| CVE-2025-14757 | 2 Stylemixthemes, Wordpress | 2 Cost Calculator Builder, Wordpress | 2026-01-23 | 5.3 Medium |
| The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the complete() function only verifying a nonce without checking user capabilities or order ownership. Since nonces are exposed to all visitors via window.ccb_nonces in the page source, any unauthenticated attacker can mark any order's payment status as "completed" without actual payment. | ||||
| CVE-2025-14844 | 3 Liquidweb, Stellarwp, Wordpress | 3 Restrict Content, Membership Plugin - Restrict Content, Wordpress | 2026-01-23 | 8.2 High |
| The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 3.2.16 via the 'rcp_stripe_create_setup_intent_for_saved_card' function due to missing capability check. Additionally, the plugin does not check a user-controlled key, which makes it possible for unauthenticated attackers to leak Stripe SetupIntent client_secret values for any membership. | ||||
| CVE-2026-0920 | 2 Choijun, Wordpress | 2 La-studio-element-kit-for-elementor, Wordpress | 2026-01-23 | 9.8 Critical |
| The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajax_register_handle' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'lakit_bkrole' parameter during registration and gain administrator access to the site. | ||||
| CVE-2025-47474 | 1 Wordpress | 1 Wordpress | 2026-01-23 | N/A |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ninetheme Anarkali anarkali allows PHP Local File Inclusion.This issue affects Anarkali: from n/a through <= 1.0.9. | ||||
| CVE-2025-27005 | 1 Wordpress | 1 Wordpress | 2026-01-23 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup HTML5 Video Player lbg-vp2-html5-bottom allows Reflected XSS.This issue affects HTML5 Video Player: from n/a through <= 5.3.5. | ||||
| CVE-2025-47666 | 1 Wordpress | 1 Wordpress | 2026-01-23 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Image&Video FullScreen Background lbg_fullscreen_fullwidth_slider allows Reflected XSS.This issue affects Image&Video FullScreen Background: from n/a through <= 1.6.7. | ||||
| CVE-2025-49045 | 1 Wordpress | 1 Wordpress | 2026-01-23 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in highwarden Super Interactive Maps super-interactive-maps allows Reflected XSS.This issue affects Super Interactive Maps: from n/a through <= 2.3. | ||||
| CVE-2025-32123 | 1 Wordpress | 1 Wordpress | 2026-01-23 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup HTML5 Video Player with Playlist & Multiple Skins lbg-vp2-html5-rightside allows Reflected XSS.This issue affects HTML5 Video Player with Playlist & Multiple Skins: from n/a through <= 5.3.5. | ||||
| CVE-2025-49043 | 2 Lambertgroup, Wordpress | 2 Magic Responsive Slider And Carousel Wordpress, Wordpress | 2026-01-23 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Magic Responsive Slider and Carousel WordPress magic_carousel allows Reflected XSS.This issue affects Magic Responsive Slider and Carousel WordPress: from n/a through <= 1.6. | ||||
| CVE-2025-47600 | 2 Wordpress, Xtemos | 2 Wordpress, Woodmart | 2026-01-23 | N/A |
| Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in xtemos WoodMart woodmart allows Code Injection.This issue affects WoodMart: from n/a through <= 8.3.7. | ||||
| CVE-2025-48094 | 2 Lambertgroup, Wordpress | 2 Magic Slider, Wordpress | 2026-01-23 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Magic Slider magic_slider allows Reflected XSS.This issue affects Magic Slider: from n/a through <= 2.2. | ||||
| CVE-2025-47500 | 1 Wordpress | 1 Wordpress | 2026-01-23 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Benjamin Intal Stackable stackable-ultimate-gutenberg-blocks allows Stored XSS.This issue affects Stackable: from n/a through <= 3.19.5. | ||||
| CVE-2025-31413 | 2 Bdthemes, Wordpress | 2 Element Pack Elementor Addons, Wordpress | 2026-01-23 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite allows Cross Site Request Forgery.This issue affects Element Pack Elementor Addons: from n/a through <= 8.3.13. | ||||
| CVE-2025-47555 | 2 Themeum, Wordpress | 2 Tutor Lms, Wordpress | 2026-01-23 | N/A |
| Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.4. | ||||
| CVE-2025-66135 | 2 Merkulove, Wordpress | 2 Imager For Elementor, Wordpress | 2026-01-23 | N/A |
| Missing Authorization vulnerability in merkulove Imager for Elementor imager-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Imager for Elementor: from n/a through <= 2.0.4. | ||||