High
CVE-2025-12879
The User Generator and Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.2.2. This is due to missing nonce validation in the "Import Using CS…
Tag: WordPress
All CVEs associated with "WordPress". Page 20/152 • 18152 CVEs.
Subscribe CVEs: RSS for “WordPress” · RSS (High+Critical only)
About “WordPress”
A curated feed of “WordPress”-related CVEs appears below. We currently track 18152 CVEs for this tag (all time). In the last 365 days, 4094 were published. Average CVSS is 6.3 (all time; 6.3 over 365d), and 27% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-862 - Missing Authorization, CWE-352 - Cross-Site Request Forgery (CSRF).
In our taxonomy this topic maps to a MODERATE impact class. CMS and plugins expand attack surface. Patch core, themes, and plugins, remove abandoned extensions, restrict admin access, enable WAF, and keep backups. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.
CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).
CVSS ≥ 0.0
2025-12-05
Medium
CVE-2025-12876
The Projectopia – WordPress Project Management plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pto_delete_file AJAX action in all vers…
High
CVE-2025-12851
The My auctions allegro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.32 via the 'controller' parameter. This makes it possible for unauthentica…
Medium
CVE-2025-13684
The ARK Related Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 2.19. This is due to missing or incorrect nonce validation on the ark_rp_options_page function. This…
Medium
CVE-2025-12130
The WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.4. This i…
Medium
CVE-2025-13515
The Nouri.sh Newsletter plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.0.1.3 due to insufficient…
High
CVE-2025-12850
The My auctions allegro plugin for WordPress is vulnerable to SQL Injection via the ‘auction_id’ parameter in all versions up to, and including, 3.6.32 due to insufficient escaping on the user suppli…
Critical
CVE-2025-12374
The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to,…
Medium
CVE-2025-12373
The Torod – The smart shipping and delivery portal for e-shops and retailers plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9. This is due to…
Medium
CVE-2025-12355
The Payaza plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_nopriv_update_order_status' AJAX endpoint in all versions up to, a…
Medium
CVE-2025-12354
The Live CSS Preview plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_frontend_save' AJAX endpoint in all versions up to, and…
Medium
CVE-2025-12186
The Weekly Planner plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output esc…
Medium
CVE-2025-12093
The Voidek Employee Portal plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX actions in all versions up to, and including, 1.0.7. This makes…
Medium
CVE-2025-13860
The Easy Jump Links Menus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `h_tags` parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitizati…
Medium
CVE-2025-13625
The WP-SOS-Donate Donation Sidebar Plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.9.2 due to ins…
Medium
CVE-2025-13623
The Twitscription plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the admin.php PATH_INFO in all versions up to, and including, 0.1.1 due to insufficient input sanitization a…
Medium
CVE-2025-13622
The Jabbernotification plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the admin.php PATH_INFO in all versions up to, and including, 0.99-RC2 due to insufficient input saniti…
Medium
CVE-2025-13621
The dream gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'dreamplugins…
Medium
CVE-2025-13528
The Feedback Modal for Website plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'handle_export' function in all versions up to, and including…
Medium
CVE-2025-13512
The CoSign Single Signon plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.3.1 due to insufficient…
Medium
CVE-2025-13360
The Quantic Social Image Hover plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing nonce validation on the settings up…
Medium
CVE-2025-13144
The ContentStudio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.7. This is due to missing or insufficient nonce validation on the add_cstu…
Medium
CVE-2025-12370
The Takeads plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.13. This is due to the plugin not properly verifying that a user is authorized to perf…
Medium
CVE-2025-12368
The Sermon Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `sermon-views` shortcode in all versions up to, and including, 2.30.0. This is due to insufficient input s…
Medium
CVE-2025-12191
The PDF Catalog for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pdfcatalog' AJAX action in all versions up to, and including, 1.1.18 due to insufficient inp…
Medium
CVE-2025-12190
The Image Optimizer by wps.sk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the…
Medium
CVE-2025-12189
The Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and includ…
High
CVE-2025-12181
The ContentStudio plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the cstu_update_post() function in all versions up to, and including, 1.3.7. This…
Medium
CVE-2025-12165
The Webcake – Landing Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webcake_save_config' AJAX endpoint in all versions…
Medium
CVE-2025-12163
The Omnipress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.5 due to insufficient input sanitization and output esca…
High
CVE-2025-12154
The Auto Thumbnailer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadThumb() function in all versions up to, and including, 1.0. This mak…
High
CVE-2025-12153
The Featured Image via URL plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation function in all versions up to, and including, 0.1. This makes it possible…
Medium
CVE-2025-12133
The EPROLO Dropshipping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_trackin…
Medium
CVE-2025-12128
The Hide Categories Or Products On Shop Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7. This is due to missing or incorrect nonce va…
Medium
CVE-2025-12124
The FitVids for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.0.1 due to insufficient input sanitization and o…
Medium
CVE-2025-10055
The Time Sheets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.3. This is due to missing or incorrect nonce validation on several endpoints…
Medium
CVE-2025-13494
The SSP Debug plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0. This is due to the plugin storing PHP error logs in a predictable, web-…
Medium
CVE-2025-13362
The Norby AI plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing nonce validation on the settings update functionality…
Critical
CVE-2025-13313
The CRM Memberships plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 2.6. This is due to missing authorization and authentication ch…
Medium
CVE-2025-13312
The CRM Memberships plugin for WordPress is vulnerable to unauthorized membership tag creation due to a missing capability check on the 'ntzcrm_add_new_tag' function in all versions up to, and includ…
Medium
CVE-2025-13006
The SurveyFunnel – Survey Plugin for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via several unprotected /wp-json/survey…
Medium
CVE-2025-12417
The SurveyFunnel – Survey Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'surveyfunnel_lite_survey' shortcode in all versions up to, and including, 1.1…
High
CVE-2025-13066
The Demo Importer Plus plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.0.6. This is due to insufficient file type validation detecting WXR files, a…
Medium
CVE-2025-12804
The Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bookingcalendar' shortcode in all versions up to, and including, 10.14.6 due to insufficient inp…
Medium
CVE-2025-11759
The Backup, Restore and Migrate your sites with XCloner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.2. This is due to missing or incorre…
2025-12-04
High
CVE-2025-13543
The PostGallery plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'PostGalleryUploader' class functions in all versions up to, and including, 1…
Medium
CVE-2025-12826
The Custom Post Type UI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.18.0. This is due to the plugin not verifying that a user has the required c…
Medium
CVE-2025-12782
The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.9.4. This is due to the plugin not properly verifying a…
Medium
CVE-2025-13513
The Clik stats plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.8 due to insufficient input saniti…
High
CVE-2025-11727
The Omnichannel for WooCommerce: Google, Amazon, eBay & Walmart Integration – Powered by Codisto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sync() function in all versi…
Medium
CVE-2025-11379
The WebP Express plugin for WordPress is vulnerable to information exposure via config files in all versions up to, and including, 0.25.9. This is due to the plugin not properly randomizing the name…
2025-12-03
Medium
CVE-2025-13756
The Fluent Booking plugin for WordPress is vulnerable to unauthorized calendar import and management due to a missing capability check on the "importCalendar" function in all versions up to, and incl…
Medium
CVE-2025-13401
The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the LCP Image to preload metabox in all versions up to, and including, 3.1.13 due to insufficient input sanitizat…
Critical
CVE-2025-13390
The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wd…
Medium
CVE-2025-13359
The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based SQL Injection via the "getTermsForAjax" function in all versions up to, and inclu…
Medium
CVE-2025-13354
The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.40.1. This is due to the plugin…
Critical
CVE-2025-13342
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of arbitrary WordPress options in all versions up to, and including, 3.28.20. This is due to insuffici…
Medium
CVE-2025-13109
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.2 via the "woof_add_query"…
Medium
CVE-2025-12887
The Post SMTP plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.1. This is due to the plugin not properly verifying that a user is authorized to upd…
Medium
CVE-2025-12358
The ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.5. This is due to missing nonce validatio…
Critical
CVE-2025-13486
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accep…
Low
CVE-2025-12954
The Timetable and Event Schedule by MotoPress WordPress plugin before 2.4.16 does not verify a user has access to a specific event when duplicating, leading to arbitrary event disclosure when to user…
Medium
CVE-2025-13495
The FluentCart plugin for WordPress is vulnerable to SQL Injection via the 'groupKey' parameter in all versions up to, and including, 1.3.1. This is due to insufficient escaping on the user supplied…
Medium
CVE-2025-12585
The MxChat – AI Chatbot for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.5 via upload filenames. This makes it possible for…
Medium
CVE-2025-10304
The Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the process_status_unli…
High
CVE-2025-13646
The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_unzip_file' function in versions 2.13.1 to 2.13.2. This makes it…
High
CVE-2025-13645
The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_unzip_file' function in versions 2.13.1 to 2.13.2. This ma…
Medium
CVE-2025-13448
The CSSIgniter Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'element' shortcode attribute in all versions up to, and including, 2.4.1 due to insufficient input…
2025-12-02
Critical
CVE-2025-13542
The DesignThemes LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.4. This is due to the 'dtlms_register_user_front_end' function not restrictin…
Medium
CVE-2025-12630
The Upload.am WordPress plugin before 1.0.1 is vulnerable to arbitrary option disclosure due to a missing capability check on its AJAX request handler, allowing users such as contributor to view sit…
Medium
CVE-2025-13731
The Nexter Extension – Site Enhancements Toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'nxt-year' shortcode in all versions up to, and including, 4.4.1 du…
Medium
CVE-2025-13090
The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'search' parameter in all versions up to, and including, 1.4.6 due to insufficient escaping on the user supplied param…
High
CVE-2025-13724
The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'month' parameter in all versions up to, and including, 1.4.4 due to insuffici…
Medium
CVE-2025-13534
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.3.2. This is due to missing authorization ch…
High
CVE-2025-13516
The SureMail – SMTP and Email Logs Plugin for WordPress is vulnerable to Unrestricted Upload of File with Dangerous Type in versions up to and including 1.9.0. This is due to the plugin's save_file()…
Medium
CVE-2025-13696
The Zigaform plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.6.5. This is due to the plugin exposing a public AJAX endpoint that retrieves for…
Medium
CVE-2025-11726
The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.9.4. This is due to insufficient capability checks in t…
Medium
CVE-2025-13685
The Photo Gallery by Ays plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.4.8. This is due to missing nonce verification on the bulk action fun…
Medium
CVE-2025-13140
The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validatio…
Medium
CVE-2025-13007
The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.20.3 due to insuffic…
Medium
CVE-2025-12483
The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'query' parameter in all versions up to, and including, 3.11.12 due to insufficient…
Medium
CVE-2025-13001
The donation WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing high privilege users, such as admin to perform SQL injection attacks
High
CVE-2025-13000
The db-access WordPress plugin through 0.8.7 does not have authorization in an AJAX action, allowing any authenticated users, such as subscriber to perform SQLI attacks
Medium
CVE-2025-13606
The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.19. This is due to missing or incorrec…
High
CVE-2025-13387
The Kadence WooCommerce Email Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer name in all versions up to, and including, 1.5.17 due to insufficient input s…
Medium
CVE-2025-13697
The BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘timestamp’…
High
CVE-2025-12529
The Cost Calculator Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteOrdersFiles() function in all versions up to, and inclu…
2025-11-30
Critical
CVE-2025-13615
The StreamTube Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 4.78. This is due to the plugin providing user-controlled access to objects,…
2025-11-28
Medium
CVE-2025-13737
The Nextend Social Login and Register plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.21. This is due to missing or incorrect nonce validati…
2025-11-27
High
CVE-2025-13692
The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.0 due to insufficient input sanitiz…
Medium
CVE-2025-12971
The Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability…
Medium
CVE-2025-10476
The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpfc_db_fix_callback() function in all versions up to, and includ…
Medium
CVE-2025-13381
The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'ays_chatgpt_save_wp_media' function in all…
Medium
CVE-2025-13378
The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.0 via the ays_chatgpt_pinecone_ups…
Medium
CVE-2025-12584
The Quick View for WooCommerce plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.17 via the 'wqv_popup_content' AJAX endpoint due to insufficient re…
High
CVE-2025-13536
The Blubrry PowerPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 11.15.2. This is due to the plugin v…
Medium
CVE-2025-13441
The Hide Category by User Role for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.1. This is due to a missing capability check on th…
Medium
CVE-2025-13157
The QODE Wishlist for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.7 via the 'qode_wishlist_for_woocommerce_wishlist_ta…
Medium
CVE-2025-13525
The WP Directory Kit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'order_by' parameter in all versions up to, and including, 1.4.5 due to insufficient input sanitizati…
Medium
CVE-2025-13143
The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 19.12.0. This is due to missing or insuffi…
Medium
CVE-2025-12185
The StaffList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escapi…
Medium
CVE-2025-12123
The Customer Reviews Collector for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email-text' parameter in all versions up to, and including, 4.6.1 due to i…
High
CVE-2025-7820
The SKT PayPal for WooCommerce plugin for WordPress is vulnerable to Payment Bypass in all versions up to, and including, 1.4. This is due to the plugin only enforcing client side controls instead of…
High
CVE-2025-13680
The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the plugin allowing a user to update the user role through the $user-…
Critical
CVE-2025-13675
The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the 'paypal-submit.php' file not restricting what user roles a user c…
Critical
CVE-2025-13540
The Tiare Membership plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2. This is due to the 'tiare_membership_init_rest_api_register' function not re…
Critical
CVE-2025-13539
The FindAll Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.4. This is due to the plugin not properly logging in a user with the data…
Critical
CVE-2025-13538
The FindAll Listing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.5. This is due to the 'findall_listing_user_registration_additional_params' fu…
Medium
CVE-2025-12151
The Simple Folio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'portfolio_name' parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitizatio…
Medium
CVE-2025-12713
The Soundslides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the soundslides shortcode in all versions up to, and including, 1.4.2 due to insufficient input sanitization and…
Medium
CVE-2025-12712
The Shouty plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the shouty shortcode in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output esc…
Medium
CVE-2025-12670
The wp-twitpic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the 'twitpic' shortcode in all versions up to, and including, 1.0 due to insufficient input…
Medium
CVE-2025-12666
The Google Drive upload and download link plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter of the 'atachfilegoogle' shortcode in all versions up to, and incl…
Medium
CVE-2025-12649
The SortTable Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in the sorttablepost shortcode in all versions up to, and including, 4.2. This is due to in…
Medium
CVE-2025-12579
The Reuters Direct plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'logoff' action in all versions up to, and including, 3.0.0. This m…
Medium
CVE-2025-12578
The Reuters Direct plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the the 'class…
2025-11-26
Medium
CVE-2025-9191
The Houzez theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.6 via deserialization of untrusted input in saved-search-item.php. This makes it possibl…
Medium
CVE-2025-9163
The Houzez theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping…
High
CVE-2025-12061
The TAX SERVICE Electronic HDM WordPress plugin before 1.2.1 does not authorization and CSRF checks in an AJAX action, allowing unauthenticated users to import and execute arbitrary SQL statements
2025-11-25
Critical
CVE-2025-13597
The AI Feeds plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check in the 'actualizador_git.php' file in all versions up to, and including, 1.0.11. This makes i…