Export limit exceeded: 12284 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (12284 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-13094 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| The WP3D Model Import Viewer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_import_file() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-13073 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| The HandL UTM Grabber / Tracker WordPress plugin before 2.8.1 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2025-13072 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| The HandL UTM Grabber / Tracker WordPress plugin before 2.8.1 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | ||||
| CVE-2025-13071 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| The Custom Admin Menu WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | ||||
| CVE-2025-13070 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.6 Medium |
| The CSV to SortTable WordPress plugin through 4.2 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as contributor to perform LFI attacks. | ||||
| CVE-2025-13031 | 2 Etruel, Wordpress | 2 Wpematico Rss Feed Fetcher, Wordpress | 2026-04-15 | 5.9 Medium |
| The WPeMatico RSS Feed Fetcher WordPress plugin before 2.8.13 does not sanitize and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks | ||||
| CVE-2025-13029 | 2 Knowband, Wordpress | 2 Mobile App Builder, Wordpress | 2026-04-15 | 7.5 High |
| The Knowband Mobile App Builder WordPress plugin before 3.0.0 does not have authorisation when deleting users via its REST API, allowing unauthenticated attackers to delete arbitrary users. | ||||
| CVE-2025-12835 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.3 High |
| The WooMulti WordPress plugin through 17 does not validate a file parameter when deleting files, which could allow any authenticated users, such as subscriber to delete arbitrary files on the server. | ||||
| CVE-2025-12751 | 2 Elextensions, Wordpress | 2 Wschat, Wordpress | 2026-04-15 | 4.3 Medium |
| The WSChat – WordPress Live Chat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'reset_settings' AJAX endpoint in all versions up to, and including, 3.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings. | ||||
| CVE-2025-49393 | 2 Fetchdesigns, Wordpress | 2 Sign-up Sheets, Wordpress | 2026-04-15 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in Fetch Designs Sign-up Sheets sign-up-sheets allows Object Injection.This issue affects Sign-up Sheets: from n/a through <= 2.3.2. | ||||
| CVE-2025-12721 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| The g-FFL Cockpit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.1 via the /server_status REST API endpoint due to a lack of capability checks. This makes it possible for unauthenticated attackers to extract information about the server. | ||||
| CVE-2025-12652 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.4 Medium |
| The Ungapped Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prefillvalues' parameter in the ungapped-form shortcode in all versions up to, and including, 1. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute when a user accesses an injected page. | ||||
| CVE-2025-12633 | 2 Stellarwp, Wordpress | 2 Booking Calendar, Wordpress | 2026-04-15 | 7.5 High |
| The Booking Calendar | Appointment Booking | Bookit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bookit/v1/commerce/stripe/return' REST API Endpoint in all versions up to, and including, 2.5.0. This makes it possible for unauthenticated attackers to connect their Stripe account and receive payments. | ||||
| CVE-2025-12677 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.3 Medium |
| The KiotViet Sync plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the register_api_route() function in kiotvietsync/includes/public_actions/WebHookAction.php. This makes it possible for unauthenticated attackers to extract the webhook token value when configured. | ||||
| CVE-2025-49901 | 2 Quantumcloud, Wordpress | 2 Simple Link Directory, Wordpress | 2026-04-15 | 9.8 Critical |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in quantumcloud Simple Link Directory qc-simple-link-directory allows Authentication Abuse.This issue affects Simple Link Directory: from n/a through < 14.8.1. | ||||
| CVE-2025-49927 | 2 Crocoblock, Wordpress | 2 Jetformbuilder, Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetWooBuilder jet-woo-builder allows Stored XSS.This issue affects JetWooBuilder: from n/a through <= 2.1.20.1. | ||||
| CVE-2025-49928 | 2 Crocoblock, Wordpress | 2 Jetformbuilder, Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetWooBuilder jet-woo-builder allows DOM-Based XSS.This issue affects JetWooBuilder: from n/a through <= 2.1.20. | ||||
| CVE-2025-49940 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeFusion Fusion Builder fusion-builder allows DOM-Based XSS.This issue affects Fusion Builder: from n/a through <= 3.13.2. | ||||
| CVE-2025-49948 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ahmad Awais WP Super Edit wp-super-edit allows Reflected XSS.This issue affects WP Super Edit: from n/a through <= 2.5.4. | ||||
| CVE-2025-49951 | 2 Gappointments, Wordpress | 2 Gappointments, Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpcrunch gAppointments gAppointments allows Reflected XSS.This issue affects gAppointments: from n/a through <= 1.14.1. | ||||