Search Results (12306 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-62039 | 2 Ays-pro, Wordpress | 2 Ai Chatbot With Chatgpt, Wordpress | 2026-04-15 | 7.5 High |
| Insertion of Sensitive Information Into Sent Data vulnerability in Ays Pro AI ChatBot with ChatGPT and Content Generator by AYS ays-chatgpt-assistant allows Retrieve Embedded Sensitive Data. This issue affects AI ChatBot with ChatGPT and Content Generator by AYS: from n/a through <= 2.6.6. | ||||
| CVE-2025-66116 | 2 Userelements, Wordpress | 2 Ultimate Member Widgets For Elementor, Wordpress | 2026-04-15 | 7.5 High |
| Insertion of Sensitive Information Into Sent Data vulnerability in UserElements Ultimate Member Widgets for Elementor ultimate-member-widgets-for-elementor allows Retrieve Embedded Sensitive Data. This issue affects Ultimate Member Widgets for Elementor: from n/a through <= 2.3. | ||||
| CVE-2025-66118 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BoldGrid Sprout Clients sprout-clients allows Reflected XSS. This issue affects Sprout Clients: from n/a through <= 3.2.1. | ||||
| CVE-2025-69374 | 2 Solverwp, Wordpress | 2 Eleblog – Elementor Blog And Magazine Addons, Wordpress | 2026-04-15 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Eleblog – Elementor Blog And Magazine Addons ele-blog allows PHP Local File Inclusion. This issue affects Eleblog – Elementor Blog And Magazine Addons: from n/a through <= 2.0.3. | ||||
| CVE-2025-64295 | 2 Syed Balkhi, Wordpress | 2 All In One Seo Pack, Wordpress | 2026-04-15 | 6.5 Medium |
| Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi All In One SEO Pack all-in-one-seo-pack allows Retrieve Embedded Sensitive Data. This issue affects All In One SEO Pack: from n/a through <= 4.8.6.1. | ||||
| CVE-2025-3063 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.8 High |
| The Shopper Approved Reviews plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajax_callback_update_sa_option() function in versions 2.0 to 2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | ||||
| CVE-2025-4956 | 2 Aa-team, Wordpress | 2 Pro Bulk Watermark Plugin, Wordpress | 2026-04-15 | 4.3 Medium |
| Path Traversal: '.../...//' vulnerability in AA-Team Pro Bulk Watermark Plugin for WordPress allows Path Traversal. This issue affects Pro Bulk Watermark Plugin for WordPress: from n/a through 2.0. | ||||
| CVE-2025-12966 | 2 Plugins360, Wordpress | 2 All-in-one Video Gallery, Wordpress | 2026-04-15 | 8.8 High |
| The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolve_import_directory() function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2019-25314 | 3 Copy-delete-posts, Duplicate-post, Wordpress | 3 Duplicate Post, Post, Wordpress | 2026-04-15 | 5.5 Medium |
| Yoast Duplicate-Post WordPress Plugin 3.2.3 contains a persistent cross-site scripting vulnerability in plugin settings parameters. Attackers can inject malicious scripts into title prefix, suffix, menu order, and blacklist fields to execute arbitrary JavaScript in admin interfaces. | ||||
| CVE-2025-64253 | 1 Wordpress | 2 Health Check & Troubleshooting, Wordpress | 2026-04-15 | 4.9 Medium |
| Path Traversal: '.../...//' vulnerability in WordPress.org Health Check & Troubleshooting health-check allows Path Traversal. This issue affects Health Check & Troubleshooting: from n/a through <= 1.7.1. | ||||
| CVE-2025-9034 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 6.1 Medium |
| The Wp Edit Password Protected WordPress plugin before 1.3.5 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue. | ||||
| CVE-2025-9427 | 2 Lemonsoft, Wordpress | 2 Wordpress Add-on, Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Lemonsoft WordPress add on allows Cross-Site Scripting (XSS). This issue affects WordPress add on: 2025.7.1. | ||||
| CVE-2025-52736 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Daman Jeet Finale Lite finale-woocommerce-sales-countdown-timer-discount allows Reflected XSS. This issue affects Finale Lite: from n/a through <= 2.20.0. | ||||
| CVE-2025-23504 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 9.8 Critical |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in RiceTheme Felan Framework felan-framework allows Authentication Abuse. This issue affects Felan Framework: from n/a through <= 1.1.3. | ||||
| CVE-2025-15520 | 2 Metagauss, Wordpress | 2 Registrationmagic, Wordpress | 2026-04-15 | 4.3 Medium |
| The RegistrationMagic WordPress plugin before 6.0.7.2 checks nonces but not capabilities, allowing for the disclosure of some sensitive data to subscribers and above. | ||||
| CVE-2025-15041 | 2 Wordpress, Wp Media | 2 Wordpress, Backwpup – Wordpress Backup & Restore Plugin | 2026-04-15 | 7.2 High |
| The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option() function in all versions up to, and including, 5.6.2. This makes it possible for authenticated attackers, with level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | ||||
| CVE-2025-14742 | 2 Brechtvds, Wordpress | 2 Wp Recipe Maker, Wordpress | 2026-04-15 | 4.3 Medium |
| The WP Recipe Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajax_search_recipes' and 'ajax_get_recipe' functions in all versions up to, and including, 10.2.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive recipe information including draft, pending, and private recipes that they shouldn't be able to access. | ||||
| CVE-2025-14616 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| The Recooty – Job Widget (Old Dashboard) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recooty_save_maybe() function. This makes it possible for unauthenticated attackers to update the recooty_key option and inject malicious content into iframe src attributes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-14548 | 2 Kieranoshea, Wordpress | 2 Calendar, Wordpress | 2026-04-15 | 6.4 Medium |
| The Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'event_desc' parameter in all versions up to, and including, 1.3.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, granted they can convince an administrator to enable lower privilege users to manage calendar events via the plugin settings. | ||||
| CVE-2025-14379 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.4 Medium |
| The Testimonials Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in version 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||