Wordpress CVEs and Security Vulnerabilities

Export limit exceeded: 360230 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Use the Query Builder to create your own search query, or check out the documentation to learn the search syntax.

Search Examples

CVEs in KEV CVEs with EPSS >= 80% Crit. Microsoft High Apache SQL Injection (CWE-89) Linux Kernel High (CVSS 3.1) Apache Struts RCE (Remote Code Execution) XSS (CWE-79) Critical (CVSS 4.0) CVEs to check

Search Results (13197 CVEs found)

Export CSV

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2026-32376	2 Raratheme, Wordpress	2 Kalon, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in raratheme Kalon kalon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Kalon: from n/a through <= 1.2.9.
CVE-2026-32377	2 Raratheme, Wordpress	2 Pranayama Yoga, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in raratheme Pranayama Yoga pranayama-yoga allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Pranayama Yoga: from n/a through <= 1.2.2.
CVE-2026-32378	2 Rarathemes, Wordpress	2 Book Landing Page, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in raratheme Book Landing Page book-landing-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Book Landing Page: from n/a through <= 1.2.7.
CVE-2026-32379	2 Raratheme, Wordpress	2 Rara Academic, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in raratheme Rara Academic rara-academic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Rara Academic: from n/a through <= 1.2.2.
CVE-2026-31922	2 Ays-pro, Wordpress	2 Fox Lms, Wordpress	2026-04-22	8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ays Pro Fox LMS fox-lms allows Blind SQL Injection.This issue affects Fox LMS: from n/a through <= 1.0.6.3.
CVE-2026-32381	2 Raratheme, Wordpress	2 App Landing Page, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in raratheme App Landing Page app-landing-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects App Landing Page: from n/a through <= 1.2.2.
CVE-2026-32382	2 Raratheme, Wordpress	2 Digital Download, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in raratheme Digital Download digital-download allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Digital Download: from n/a through <= 1.1.4.
CVE-2026-32384	2 Magepeopleteam, Wordpress	2 Wpbookingly, Wordpress	2026-04-22	7.5 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magepeopleteam WpBookingly service-booking-manager allows PHP Local File Inclusion.This issue affects WpBookingly: from n/a through <= 1.2.9.
CVE-2026-32385	2 Metagauss, Wordpress	2 Registrationmagic, Wordpress	2026-04-22	5.4 Medium
Missing Authorization vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RegistrationMagic: from n/a through <= 6.0.7.6.
CVE-2026-3045	2 Croixhaug, Wordpress	2 Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin, Wordpress	2026-04-22	7.5 High
The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to and including 1.6.9.29. This is due to two compounding weaknesses: (1) a non-user-bound `public_nonce` is exposed to unauthenticated users through the public `/wp-json/ssa/v1/embed-inner` REST endpoint, and (2) the `get_item()` method in `SSA_Settings_Api` relies on `nonce_permissions_check()` for authorization (which accepts the public nonce) but does not call `remove_unauthorized_settings_for_current_user()` to filter restricted fields. This makes it possible for unauthenticated attackers to access admin-only plugin settings including the administrator email, phone number, internal access tokens, notification configurations, and developer settings via the `/wp-json/ssa/v1/settings/{section}` endpoint. The exposure of appointment tokens also allows an attacker to modify or cancel appointments.
CVE-2026-32380	2 Raratheme, Wordpress	2 Numinous, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in raratheme Numinous numinous allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Numinous: from n/a through <= 1.3.0.
CVE-2026-32424	2 Boldgrid, Wordpress	2 Sprout Clients, Wordpress	2026-04-22	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BoldGrid Sprout Clients sprout-clients allows Stored XSS.This issue affects Sprout Clients: from n/a through <= 3.2.2.
CVE-2026-32425	2 Linknacional, Wordpress	2 Payment Gateway Pix For Givewp, Wordpress	2026-04-22	5.3 Medium
Missing Authorization vulnerability in linknacional Payment Gateway Pix For GiveWP payment-gateway-pix-for-givewp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Payment Gateway Pix For GiveWP: from n/a through <= 2.2.3.
CVE-2026-32423	2 Bowo, Wordpress	2 Admin And Site Enhancements Ase, Wordpress	2026-04-22	5.4 Medium
Missing Authorization vulnerability in Bowo Admin and Site Enhancements (ASE) admin-site-enhancements allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Admin and Site Enhancements (ASE): from n/a through <= 8.4.0.
CVE-2026-32422	2 Levelfourdevelopment, Wordpress	2 Wp-easycart, Wordpress	2026-04-22	8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in levelfourdevelopment WP EasyCart wp-easycart allows Blind SQL Injection.This issue affects WP EasyCart: from n/a through <= 5.8.13.
CVE-2026-32426	2 Themelexus, Wordpress	2 Medilazar Core, Wordpress	2026-04-22	7.5 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themelexus Medilazar Core medilazar-core allows PHP Local File Inclusion.This issue affects Medilazar Core: from n/a through < 1.4.7.
CVE-2026-31918	2 Immonex, Wordpress	2 Immonex Kickstart, Wordpress	2026-04-22	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in immonex immonex Kickstart immonex-kickstart allows Stored XSS.This issue affects immonex Kickstart: from n/a through <= 1.13.0.
CVE-2026-3226	2 Thimpress, Wordpress	2 Learnpress – Wordpress Lms Plugin For Create And Sell Online Courses, Wordpress	2026-04-22	4.3 Medium
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized email notification triggering due to missing capability checks on all 10 functions in the SendEmailAjax class in all versions up to, and including, 4.3.2.8. The AbstractAjax::catch_lp_ajax() dispatcher verifies a wp_rest nonce but performs no current_user_can() check before dispatching to handler functions. The wp_rest nonce is embedded in the frontend JavaScript for all authenticated users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger arbitrary email notifications to admins, instructors, and users, enabling email flooding, social engineering, and impersonation of admin decisions regarding instructor requests.
CVE-2026-32420	2 Ruben Garcia, Wordpress	2 Gamipress, Wordpress	2026-04-22	5.4 Medium
Cross-Site Request Forgery (CSRF) vulnerability in Ruben Garcia GamiPress gamipress allows Cross Site Request Forgery.This issue affects GamiPress: from n/a through <= 7.6.6.
CVE-2026-32419	2 Fernandobriano, Wordpress	2 List Category Posts, Wordpress	2026-04-22	5.9 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fernando Briano List category posts list-category-posts allows DOM-Based XSS.This issue affects List category posts: from n/a through <= 0.93.1.

« first previous Page 382 of 660. next last »