Medium
CVE-2025-9198
The Wp cycle text announcement plugin for WordPress is vulnerable to SQL Injection via the 'cycle-text' shortcode in all versions up to, and including, 8.1 due to insufficient escaping on the user su…
Tag: WordPress
All CVEs associated with "WordPress". Page 27/152 • 18152 CVEs.
Subscribe CVEs: RSS for “WordPress” · RSS (High+Critical only)
About “WordPress”
A curated feed of “WordPress”-related CVEs appears below. We currently track 18152 CVEs for this tag (all time). In the last 365 days, 4090 were published. Average CVSS is 6.3 (all time; 6.3 over 365d), and 27% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-862 - Missing Authorization, CWE-352 - Cross-Site Request Forgery (CSRF).
In our taxonomy this topic maps to a MODERATE impact class. CMS and plugins expand attack surface. Patch core, themes, and plugins, remove abandoned extensions, restrict admin access, enable WAF, and keep backups. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.
CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).
CVSS ≥ 0.0
2025-10-03
Medium
CVE-2025-9194
The Constructor theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clean() function in all versions up to, and including, 1.6.5. This make…
Medium
CVE-2025-9130
The Unify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin for WordPress's unify_checkout shortcode in all versions up to, and including, 3.4.7 due to insufficient inp…
Medium
CVE-2025-9129
The Flexi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin for WordPress's flexi-form-tag shortcode in all versions up to, and including, 4.28 due to insufficient inpu…
Medium
CVE-2025-9080
The Generic Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widget fields in version 1.2.8 and earlier. This is due to insufficient input sanitization and outp…
Medium
CVE-2025-9077
The Ultra Addons Lite for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Animated Text' field of the Typeout Widget in version 1.1.9 and below due to insufficien…
Medium
CVE-2025-9045
The Easy Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widget parameters in versions less than, or equal to, 2.2.9 due to insufficient input sanitizat…
Medium
CVE-2025-8776
The Epic Bootstrap Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘icol’ parameter in all versions up to, and including, 1.0 due to insufficient input sanitization…
Medium
CVE-2025-8669
The Customify theme for WordPress is vulnerable to Cross-Site Request Forgery in version 0.4.11. This is due to missing or incorrect nonce validation on the reset_customize_section function. This mak…
Medium
CVE-2025-7825
The Schema Plugin For Divi, Gutenberg & Shortcodes plugin for WordPress is vulnerable to Object Instantiation in all versions up to, and including, 4.3.2 via deserialization of untrusted input via th…
Critical
CVE-2025-7721
The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.7.3 via the task parameter. This…
Critical
CVE-2025-10726
The WPRecovery plugin for WordPress is vulnerable to SQL Injection via the 'data[id]' parameter in all versions up to, and including, 2.0. This is due to insufficient escaping on the user supplied pa…
High
CVE-2025-10582
The WP Dispatcher plugin for WordPress is vulnerable to SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter an…
Medium
CVE-2025-10311
The Comment Info Detector plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.5. This is due to missing nonce validation on the options.php file…
Medium
CVE-2025-10309
The PayPal Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing nonce validation on the form creation and managem…
Low
CVE-2025-10306
The Backup Bolt plugin for WordPress is vulnerable to arbitrary file downloads and backup location writes in all versions up to, and including, 1.4.1 via the process_backup_batch() function. This mak…
Medium
CVE-2025-10302
The Ultimate Viral Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on thesave_opt…
Medium
CVE-2025-10212
The SiteAlert (Formerly WP Health) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.9.…
Medium
CVE-2025-10192
The WP Photo Effects plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wppe_effect' shortcode in all versions up to, and including, 1.2.4 due to insufficient input s…
Medium
CVE-2025-10165
The AP Background plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'adv_parallax_back' shortcode in all versions up to, and including, 3.8.2 due to insufficient inpu…
Medium
CVE-2025-10053
The TableGen – Data Table Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.1 due to insufficient input sanitiza…
Critical
CVE-2025-6388
The Spirit Framework plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.2.14. This is due to the custom_actions() function not properly validating a u…
Medium
CVE-2025-11241
The Yoast SEO Premium plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions 25.7 to 25.9 due to a flawed regex used to remove an attribute in post content, which can be abused…
2025-10-02
Critical
CVE-2025-9697
The Ajax WooSearch WordPress plugin through 1.0.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading t…
High
CVE-2025-9587
The CTL Behance Importer Lite WordPress plugin through 1.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users,…
2025-10-01
Low
CVE-2025-58769
auth0-PHP is an SDK for Auth0 Authentication and Management APIs. In versions 3.3.0 through 8.16.0, the Bulk User Import endpoint in applications built with the SDK does not validate the file-path wr…
Critical
CVE-2020-36852
The Custom Searchable Data Entry System plugin for WordPress is vulnerable to unauthenticated database wiping in versions up to, and including 1.7.1, due to a missing capability check and lack of suf…
Medium
CVE-2025-9512
The Schema & Structured Data for WP & AMP WordPress plugin before 1.50 does not properly handles HTML tag attribute modifications, making it possible for unauthenticated attackers to conduct Stored X…
Medium
CVE-2025-9075
The ZoloBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple Gutenberg blocks in versions up to, and including, 2.3.10. This is due to insufficient input sanitization…
Medium
CVE-2025-10744
The File Manager, Code Editor, and Backup by Managefy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.1 through publicly exposed log fil…
Medium
CVE-2025-10735
The Block For Mailchimp – Easy Mailchimp Form Integration plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 1.1.12 via the mcbSubmit_Form_D…
2025-09-30
High
CVE-2025-9993
The Bei Fen – WordPress Backup Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.2 via the 'task'. This makes it possible for authenticated a…
High
CVE-2025-9991
The Tiny Bootstrap Elements Light plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.3.34 via the 'language' parameter. This makes it possible for unau…
Medium
CVE-2025-9948
The Chat by Chatwee plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.3. This is due to missing or incorrect nonce validation on the admin set…
Medium
CVE-2025-9946
The LockerPress – WordPress Security Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce valid…
Medium
CVE-2025-9852
The Yoga Schedule Momoyoga plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'momoyoga-schedule' shortcode in all versions up to, and including, 2.9.0 due to insuffic…
Critical
CVE-2025-9762
The Post By Email plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the save_attachments function in all versions up to, and including, 1.0.4b. This…
High
CVE-2025-8877
The AffiliateWP plugin for WordPress is vulnerable to SQL Injection via the ajax_get_affiliate_id_from_login function in all versions up to, and including, 2.28.2 due to insufficient escaping on the…
Medium
CVE-2025-8777
The planetcalc plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘language’ parameter in all versions up to, and including, 2.2 due to insufficient input sanitization and outp…
Critical
CVE-2025-8625
The Copypress Rest API plugin for WordPress is vulnerable to Remote Code Execution via copyreap_handle_image() Function in versions 1.1 to 1.2. The plugin falls back to a hard-coded JWT signing key w…
Medium
CVE-2025-8624
The Nexa Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Google Maps widget in all versions up to, and including, 1.1.0 due to insufficient input sanitizatio…
Medium
CVE-2025-8623
The WeedMaps Menu for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's weedmaps_menu shortcode in all versions up to, and including, 1.2.0 due to insuffici…
Medium
CVE-2025-8608
The Mihdan: Elementor Yandex Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block attributes in all versions up to, and including, 1.6.11 due to insufficient…
Medium
CVE-2025-8566
The GutenBee – Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via parameters in the CountUp and Google Maps Blocks in all versions up to, and including, 2.18.0 due…
Medium
CVE-2025-8560
The FancyTabs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output…
Medium
CVE-2025-8559
The All in One Music Player plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.1 via the 'theme' parameter. This makes it possible for authenticated attack…
Medium
CVE-2025-8214
The The Pack Elementor addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Typing Letter widget in all versions up to, and including, 2.1.5 due to insufficient in…
High
CVE-2025-7052
The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.1.94. This is due to missing nonce validation on the change_password() function…
High
CVE-2025-7038
The LatePoint plugin for WordPress is vulnerable to Authentication Bypass due to insufficient identity verification within the steps__load_step route of the latepoint_route_call AJAX endpoint in all…
Medium
CVE-2025-6941
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'latepoint_resources' shortcode in…
Medium
CVE-2025-6815
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘service[name]’ parameter in all versions up to, and incl…
Medium
CVE-2025-11163
The SmartCrawl SEO checker, analyzer & optimizer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_submodule() function in all ve…
Medium
CVE-2025-10196
The Survey Anyplace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'surveyanyplace_embed' shortcode in all versions up to, and including, 1.0.0 due to insufficient…
Medium
CVE-2025-10191
The Big Post Shipping for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wooboigpost_shipping_status' shortcode in all versions up to, and including,…
Medium
CVE-2025-10189
The BP Direct Menus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bpdm_login' shortcode in all versions up to, and including, 1.0.0 due to insufficient input san…
Medium
CVE-2025-10182
The dbview plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dbview' shortcode in all versions up to, and including, 0.5.5 due to insufficient input sanitization and…
Medium
CVE-2025-10179
The My AskAI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'myaskai' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization…
Medium
CVE-2025-10168
The Any News Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'any-ticker' shortcode in all versions up to, and including, 3.1.1 due to insufficient input san…
Medium
CVE-2025-10131
The All Social Share Options plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sc' shortcode in all versions up to, and including, 1.0 due to insufficient input sani…
Medium
CVE-2025-10130
The Layers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'webcam' shortcode in all versions up to, and including, 0.5 due to insufficient input sanitization and o…
Medium
CVE-2025-10128
The Eulerpool Research Systems plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'aaq' shortcode in all versions up to, and including, 4.0.1 due to insufficient input…
Medium
CVE-2025-10000
The Qyrr – simply and modern QR-Code creation plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the blob_to_file() function in all versions up to, an…
2025-09-29
Medium
CVE-2024-5200
The Postie WordPress plugin before 1.9.71 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even w…
2025-09-27
Medium
CVE-2025-9944
The Professional Contact Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the…
Medium
CVE-2025-9899
The Trust Reviews plugin for Google, Tripadvisor, Yelp, Airbnb and other platforms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is…
Medium
CVE-2025-9898
The cForms – Light speed fast Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce vali…
Medium
CVE-2025-9896
The HidePost plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.8. This is due to missing or incorrect nonce validation on the options.php sett…
Medium
CVE-2025-9894
The Sync Feedly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the crsf_cron_job…
Medium
CVE-2025-9893
The VM Menu Reorder plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the vm…
High
CVE-2025-9816
The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent Header in all versions up to, and including…
Medium
CVE-2025-10499
The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.12.0. This is due to missing or…
Medium
CVE-2025-10498
The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.12.0. This is due to missing or inc…
Medium
CVE-2025-8440
The Team Members plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the first and last name fields in all versions up to, and including, 5.3.5 due to insufficient input sanitizatio…
2025-09-26
Critical
CVE-2025-60156
Cross-Site Request Forgery (CSRF) vulnerability in webandprint AR For WordPress ar-for-wordpress allows Upload a Web Shell to a Web Server.This issue affects AR For WordPress: from n/a through <= 8.3…
Medium
CVE-2025-10490
The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.3.202 due to insufficient input sanitization an…
Medium
CVE-2025-10307
The Backuply – Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete backup functionality in all vers…
Medium
CVE-2025-10180
The Markdown Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'markdown' shortcode in all versions up to, and including, 0.2.1 due to insufficient input sa…
Medium
CVE-2025-10137
The Snow Monkey theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 29.1.5 via the request() function. This makes it possible for unauthenticated at…
Medium
CVE-2025-10136
The TweetThis Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tweetthis' shortcode in all versions up to, and including, 1.8.0 due to insufficient input…
Medium
CVE-2025-9490
The Popup Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 1.20.6 due to insufficient input sanitization and out…
High
CVE-2025-10747
The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download-add.php file in all versions up to, and including, 1.68.11. Thi…
Medium
CVE-2025-9985
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.2.7 through publicly exposed log files. This makes it p…
Medium
CVE-2025-9984
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the fifu_api_debug_posts() function in all versions up to, an…
Medium
CVE-2025-10037
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to SQL Injection via the get_posts_with_internal_featured_image() function in all versions up to, and including, 5.2.7 due to ins…
Medium
CVE-2025-10036
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to SQL Injection via the get_all_urls() function in all versions up to, and including, 5.2.7 due to insufficient escaping on the…
Medium
CVE-2025-9044
The Mapster WP Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple fields in versions up to, and including, 1.20.0 due to insufficient input sanitization and output es…
Medium
CVE-2025-10745
The Banhammer – Monitor Site Traffic, Block Bad Users and Bots plugin for WordPress is vulnerable to Blocking Bypass in all versions up to, and including, 3.4.8. This is due to a site-wide “secret ke…
Medium
CVE-2025-10377
The System Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.20. This is due to missing nonce validation on the sd_toggle_logs() fun…
Low
CVE-2025-10173
The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized access due to an incorrect capability check on the post_save()…
Medium
CVE-2025-8906
The Widgets for Tiktok Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trustindex-feed' shortcode in all versions up to, and including, 1.7.3 due to insuffici…
Medium
CVE-2025-8200
The Mega Elements – Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown Timer widget in all versions up to, and including, 1.3.2 due to i…
Medium
CVE-2025-10752
The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.26.12. This is due to using a predictable state…
Medium
CVE-2025-10178
The CM Business Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cmbd_featured_image' shortcode in all versions up to, and including, 1.5.2 due to insuffi…
2025-09-24
Medium
CVE-2025-9353
The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 7.6.9 due to insufficient input sanitization and out…
Critical
CVE-2025-9054
The MultiLoca - WooCommerce Multi Locations Inventory Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capabil…
2025-09-23
Medium
CVE-2025-58674
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a…
Medium
CVE-2025-58246
Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on…
Critical
CVE-2025-10412
The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'u…
Critical
CVE-2025-10147
The Podlove Podcast Publisher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'move_as_original_file' function in all versions up to, and inclu…
Low
CVE-2025-8282
The SureForms WordPress plugin before 1.9.1 does not sanitise and escape some parameters when outputing them in the page, which could allow admin and above users to perform Cross-Site Scripting atta…
Critical
CVE-2025-9321
The WPCasa plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.4.1. This is due to insufficient input validation and restriction on the 'api_requests' functio…
Medium
CVE-2025-8902
The Widget Options - Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'do_sidebar' shortcode in all versions up to, and including, 5.2.1 due to insufficient…
High
CVE-2025-10380
The Advanced Views – Display Posts, Custom Fields, and More plugin for WordPress is vulnerable to Server-Side Template Injection in all versions up to, and including, 3.7.19. This is due to insuffici…
2025-09-22
Medium
CVE-2025-58669
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Modern Minds Magento 2 WordPress Integration m2wp allows Stored XSS.This issue affects Magento 2…
Medium
CVE-2025-58665
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tmontg1 Form Generator for WordPress form-generator-powered-by-jotform allows Stored XSS.This iss…
Medium
CVE-2025-58020
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeroen Schmit Theater for WordPress theatre allows Stored XSS.This issue affects Theater for Word…
Medium
CVE-2025-57989
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brajesh Singh WordPress Widgets Shortcode wp-widgets-shortcode allows Stored XSS.This issue affec…
High
CVE-2025-57977
Cross-Site Request Forgery (CSRF) vulnerability in wpdesk Flexible PDF Invoices for WooCommerce & WordPress flexible-invoices allows Cross Site Request Forgery.This issue affects Flexible PDF Invoice…
Medium
CVE-2025-57928
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Strategy11 Team AWP Classifieds another-wordpress-classifieds-plugin allows Code Injection.This issue af…
Medium
CVE-2025-57903
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPSuperiors Developer WooCommerce Additional Fees On Checkout (Free) woo-additional-fees-on-check…
Medium
CVE-2025-9541
The Markup Markdown WordPress plugin before 3.20.10 allows links to contain JavaScript which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Medium
CVE-2025-9540
The Markup Markdown WordPress plugin before 3.20.10 allows links to contain JavaScript which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Medium
CVE-2025-9487
The Admin and Site Enhancements (ASE) WordPress plugin before 7.9.8 does not sanitise SVG files when uploaded via xmlrpc.php when such uploads are enabled, which could allow users to upload a malicio…
Medium
CVE-2025-9115
The Etsy Shop WordPress plugin before 3.0.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old…
2025-09-20
Medium
CVE-2025-9887
The Custom Login And Signup Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation in…
Medium
CVE-2025-9883
The Browser Sniff plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on a function. This…
Medium
CVE-2025-9882
The osTicket WP Bridge plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.2. This is due to missing or incorrect nonce validation on a function…
Medium
CVE-2025-10658
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.3.7. This is due to missing rate limit…
Medium
CVE-2025-9949
The Internal Links Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on the li…
Medium
CVE-2025-10489
The SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more plugin for WordPress is vulnerable to unauthorized creation of forms due to a missing capability c…