Medium
CVE-2025-6257
The Euro FxRef Currency Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's currency shortcode in all versions up to, and including, 2.0.2 due to insufficient…
Tag: WordPress
All CVEs associated with "WordPress". Page 34/152 • 18152 CVEs.
Subscribe CVEs: RSS for “WordPress” · RSS (High+Critical only)
About “WordPress”
A curated feed of “WordPress”-related CVEs appears below. We currently track 18152 CVEs for this tag (all time). In the last 365 days, 4090 were published. Average CVSS is 6.3 (all time; 6.3 over 365d), and 27% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-862 - Missing Authorization, CWE-352 - Cross-Site Request Forgery (CSRF).
In our taxonomy this topic maps to a MODERATE impact class. CMS and plugins expand attack surface. Patch core, themes, and plugins, remove abandoned extensions, restrict admin access, enable WAF, and keep backups. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.
CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).
CVSS ≥ 0.0
2025-06-20
Medium
CVE-2025-5125
The Custom Post Carousels with Owl WordPress plugin before 1.4.12 uses the featherlight library and makes use of the data-featherlight attribute without sanitizing before using it.
2025-06-19
Medium
CVE-2025-5234
The Gutenverse News plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘elementId’ parameter in all versions up to, and including, 1.0.4 due to insufficient input sanitization…
High
CVE-2025-5071
The AI Engine plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Meow_MWAI_Labs_MCP::can_access_mcp' function in versio…
Medium
CVE-2025-4965
The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Grid Builder feature in all versions up to, and including, 8.4.1 due to insu…
Medium
CVE-2025-4571
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized view and modification of data due to an insufficient capability check on the permissionsCheck…
Medium
CVE-2025-5490
The Football Pool plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.12.4 due to insufficient input sanitization and output e…
Medium
CVE-2025-5524
The OceanWP theme for WordPress is vulnerable to Stored Cross-Site Scripting via the Select HTML tag in all versions up to, and including, 4.0.9 due to insufficient input sanitization and output esca…
Medium
CVE-2025-4479
The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin image comparison widget's before/after labels in all versions up to, an…
Medium
CVE-2025-4367
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpdm_user_dashboard shortcode in all versions up to, and including, 3.3.18 due to insufficient…
Medium
CVE-2025-6201
The Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's conversion-pixel in…
2025-06-18
High
CVE-2025-6220
The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_options' function in all versions up to, and includin…
High
CVE-2025-6086
The CSV Me plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'csv_me_options_page' function in all versions up to, and including, 2.0. This…
Medium
CVE-2025-5237
The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘width’ parameter in all versions up to, and including, 3.8.5 due to insufficient input sanitiz…
Critical
CVE-2025-1562
The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a miss…
Medium
CVE-2025-4955
The tarteaucitron.io WordPress plugin before 1.9.5 uses query parameters from YouTube oEmbed URLs without sanitizing these parameters correctly, which could allow users with the contributor role and…
High
CVE-2025-4413
The Pixabay Images plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the pixabay_upload function in all versions up to, and including, 3.4. This make…
2025-06-17
High
CVE-2025-49312
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeRevolution Echo RSS Feed Post Generator Plugin for WordPress rss-feed-post-generator-echo all…
High
CVE-2025-48333
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPQuark eForm - WordPress Form Builder wp-fsqm-pro allows Reflected XSS.This issue affects eForm…
Medium
CVE-2025-5700
The Simple Logo Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.9.3 due to insufficient input sanitization an…
Medium
CVE-2025-5291
The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's masterslider_pb and ms_slide shortcodes in all versions up to, and inclu…
Medium
CVE-2025-3880
The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on several functions in all versi…
High
CVE-2025-3515
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1…
Medium
CVE-2025-5209
The Ivory Search WordPress plugin before 5.5.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even w…
Medium
CVE-2025-5673
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to SQL Injection via the ‘prgSortPostType’ parameter in all versions up to, and including, 8.4.4 due to insuffic…
Medium
CVE-2025-4775
The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-button-label HTML attribute in all versions up to, and including, 7.4.0.1…
High
CVE-2025-3774
The Wise Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the X-Forwarded-For header in all versions up to, and including, 3.3.4 due to insufficient input sanitization and o…
2025-06-14
Medium
CVE-2025-5337
The Slider, Gallery, and Carousel by MetaSlider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘aria-label’ parameter in all versions up to, and including, 3.98.0 due to in…
Medium
CVE-2025-5238
The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.5.0 due to insufficient input sanitizati…
Medium
CVE-2025-4667
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ssa_admin_upcoming_appointments, ssa_…
Medium
CVE-2025-6070
The Restrict File Access plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.2 via the output() function. This makes it possible for authenticated atta…
Critical
CVE-2025-6065
The Image Resizer On The Fly plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete' task in all versions up to, and including, 1.1. Thi…
Medium
CVE-2025-6064
The WP URL Shortener plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the 'url_short…
Medium
CVE-2025-6063
The XiSearch bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6. This is due to missing or incorrect nonce validation on the 'xisearch-key-…
Medium
CVE-2025-6062
The Yougler Blogger Profile Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, v1.01. This is due to missing or incorrect nonce validation on…
Medium
CVE-2025-6061
The kk Youtube Video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'kkytv' shortcode in all versions up to, and including, 0.2 due to insufficient input sanitizat…
Medium
CVE-2025-6055
The Zen Sticky Social plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3. This is due to missing or incorrect nonce validation on the 'zen-soci…
Medium
CVE-2025-6040
The Easy Flashcards plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1. This is due to missing or incorrect nonce validation on the 'ef_setting…
Medium
CVE-2025-5589
The StreamWeasels Kick Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘status-classic-offline-text’ parameter in all versions up to, and including, 1.1.3 due to…
Medium
CVE-2025-5336
The Click to Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-no_number’ parameter in all versions up to, and including, 4.22 to insufficient input sanitization an…
Medium
CVE-2025-4592
The AI Image Lab – Free AI Image Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing or incorrect nonce vali…
Medium
CVE-2025-4216
The DIOT SCADA with MQTT plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'diot' shortcode in all versions up to, and including, 1.0.5.1 due to insufficient input sa…
High
CVE-2025-4200
The Zagg - Electronics & Accessories WooCommerce WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.1 via the load_view() function tha…
Medium
CVE-2025-4187
The UserPro - Community and User Profile WordPress Plugin plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 5.1.10 via the userpro_fbconnect() function.…
High
CVE-2025-5487
The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the field_conditions paramet…
High
CVE-2025-3234
The File Manager Pro – Filester plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.8.8. This makes it possible fo…
Medium
CVE-2025-6059
The Seraphinite Accelerator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.27.21. This is due to missing or incorrect nonce validation on the…
2025-06-13
Medium
CVE-2025-6012
The Auto Attachments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.5 due to insufficient input sanitization and output…
Medium
CVE-2025-5923
The Game Review Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 4.8.1 due to insufficient input sanitizatio…
Medium
CVE-2025-5815
The Traffic Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tfcm_maybe_set_bot_flags() function in all versions up to, and inc…
High
CVE-2025-5282
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_package() function…
Medium
CVE-2025-5950
The IndieBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘kind’ parameter in all versions up to, and including, 0.13.2 due to insufficient input sanitization and outp…
Medium
CVE-2025-5939
The Telegram for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output…
Medium
CVE-2025-5938
The Digital Marketing and Agency Templates Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or…
Medium
CVE-2025-5930
The WP2HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the save() function.…
Medium
CVE-2025-5928
The WP Sliding Login/Dashboard Panel plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation…
Medium
CVE-2025-5926
The Link Shield plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5.4. This is due to missing or incorrect nonce validation on the link_shield_m…
Medium
CVE-2025-5841
The ACF Onyx Poll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class’ parameter in all versions up to, and including, 1.1.9 due to insufficient input sanitization and ou…
Critical
CVE-2025-5288
The REST API | Custom API Generator For Cross Platform And Import Export In WP plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the process_handler() fu…
Medium
CVE-2025-5233
The Color Palette plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hex’ parameter in all versions up to, and including, 4.3.2 due to insufficient input sanitization and outp…
Medium
CVE-2025-5123
The Contact Us Page – Contact People plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style’ parameter in all versions up to, and including, 3.7.4 due to insufficient input…
Medium
CVE-2025-4586
The IRM Newsroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irmcalendarview' shortcode in all versions up to, and including, 1.2.19 due to insufficient input…
Medium
CVE-2025-4585
The IRM Newsroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irmflat' shortcode in all versions up to, and including, 1.2.19 due to insufficient input sanitiza…
Medium
CVE-2025-4584
The IRM Newsroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irmeventlist' shortcode in all versions up to, and including, 1.2.19 due to insufficient input san…
2025-06-12
Medium
CVE-2025-6003
The WordPress Single Sign-On (SSO) plugin for WordPress is vulnerable to unauthorized access due to a misconfigured capability check on a function in all versions up to, and including, the *.5.3 vers…
High
CVE-2025-5012
The Workreap plugin for WordPress, used by the Workreap - Freelance Marketplace WordPress Theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'workreap_temp_uplo…
Critical
CVE-2025-4973
The Workreap plugin for WordPress, used by the Workreap - Freelance Marketplace WordPress Theme, is vulnerable to authentication bypass in all versions up to, and including, 3.3.1. This is due to the…
2025-06-11
Medium
CVE-2025-5144
The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-date-*’ parameters in all versions up to, and including, 6.13.2 due to insufficient input sanit…
High
CVE-2025-3302
The Xagio SEO – AI Powered SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘HTTP_REFERER’ parameter in all versions up to, and including, 7.1.0.16 due to insufficient in…
High
CVE-2025-4315
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.23. This is due to the plugin allowing a user to…
High
CVE-2025-5395
The WordPress Automatic Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'core.php' file in all versions up to, and including, 3.115…
High
CVE-2025-4799
The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file deletion due to lack of restriction on the directory a file can be deleted from in all versions up to, and including, 1.68.…
Medium
CVE-2025-4798
The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.68.10. This is due to a lack of restriction on the directory an administrator…
Medium
CVE-2025-4666
The Zotpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘nickname’ parameter in all versions up to, and including, 7.3.15 due to insufficient input sanitization and out…
2025-06-10
Critical
CVE-2025-49455
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge WordPress-WPJobBoard click-pledge-wpjobboard allows Blind SQL Injection.This issue…
Medium
CVE-2025-4774
The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-countdown attribute of Countdown widget in all versions up to, and including, 4.11.8 du…
Medium
CVE-2025-4577
The Smash Balloon Social Post Feed – Simple Social Feeds for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-color attribute in all versions up to, and includ…
Medium
CVE-2025-2918
The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 3.3.3 due to insufficient in…
High
CVE-2025-4954
The Axle Demo Importer WordPress plugin through 1.0.3 does not validate files to be uploaded, which could allow authenticated users (author and above) to upload arbitrary files such as PHP on the ser…
High
CVE-2025-4840
The inprosysmedia-likes-dislikes-post WordPress plugin through 1.0.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticat…
Medium
CVE-2025-3076
The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_text’ parameter in all versions up to, and including, 3.29.0 due to insufficient in…
Medium
CVE-2025-5925
The Bunny’s Print CSS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.95. This is due to missing or incorrect nonce validation on the pcss_opt…
High
CVE-2025-4601
The "RH - Real Estate WordPress Theme" theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 4.4.0. This is due to the theme not properly restricting user ro…
2025-06-09
High
CVE-2025-32305
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sneeit WordPress FlatNews Theme flatnews allows Reflected XSS.This issue affects WordPress FlatNe…
Critical
CVE-2025-31396
Deserialization of Untrusted Data vulnerability in themeton FLAP - Business WordPress Theme allows Object Injection. This issue affects FLAP - Business WordPress Theme: from n/a through 1.5.
High
CVE-2025-28945
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Valen - Sport, Fashion WooCommerce WordPress Theme valen allows PHP L…
High
CVE-2023-25999
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme BodyCenter - Gym, Fitness WooCommerce WordPress Theme allows PHP Loca…
Medium
CVE-2025-4652
The Broadstreet WordPress plugin before 1.51.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against…
Medium
CVE-2025-3582
The Newsletter WordPress plugin before 8.85 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attack…
Medium
CVE-2025-3581
The Newsletter WordPress plugin before 8.8.5 does not validate and escape some of its Widget options before outputting them back in a page/post where the block is embed, which could allow high privi…
2025-06-07
Medium
CVE-2025-5568
The WpEvently plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output e…
Medium
CVE-2025-5528
The Social Sharing Plugin – Sassy Social Share plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the heateor_mastodon_share parameter in all versions up to, and including, 3.3.…
Medium
CVE-2024-9994
The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the eael_pricing_item_…
Medium
CVE-2024-9993
The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the eael_event_details…
High
CVE-2025-5303
The LTL Freight Quotes – Freightview Edition, LTL Freight Quotes – Daylight Edition and LTL Freight Quotes – Day & Ross Edition plugins for WordPress are vulnerable to Stored Cross-Site Scripting via…
Medium
CVE-2025-5814
The Profiler – What Slowing Down Your WP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpsd_plugin_control() function in all version…
2025-06-06
Medium
CVE-2025-49435
Cross-Site Request Forgery (CSRF) vulnerability in Hasina77 Wp Easy Allopass wordpress-easy-allopass allows Cross Site Request Forgery.This issue affects Wp Easy Allopass: from n/a through <= 4.1.1.
Medium
CVE-2025-49419
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in esigngenie Foxit eSign for WordPress esign-genie-for-wp allows Retrieve Embedded Sensitive Data.This issue…
Medium
CVE-2025-49329
Unrestricted Upload of File with Dangerous Type vulnerability in Agile Logix Store Locator WordPress agile-store-locator allows Upload a Web Shell to a Web Server.This issue affects Store Locator Wor…
High
CVE-2025-49328
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agile Logix Store Locator WordPress agile-store-locator allows SQL Injection.This issue affects S…
Medium
CVE-2025-30938
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in broadly Broadly for WordPress broadly allows Stored XSS.This issue affects Broadly for WordPress:…
Medium
CVE-2025-29005
Cross-Site Request Forgery (CSRF) vulnerability in Weblizar - WordPress Themes & Plugin HR Management Lite hr-management-lite allows Cross Site Request Forgery.This issue affects HR Management Lite:…
High
CVE-2025-28948
Cross-Site Request Forgery (CSRF) vulnerability in codedraft Mediabay - WordPress Media Library Folders allows Reflected XSS. This issue affects Mediabay - WordPress Media Library Folders: from n/a t…
Medium
CVE-2025-5760
The Simple History plugin for WordPress is vulnerable to sensitive data exposure via Detective Mode due to improper sanitization within the append_debug_info_to_context() function in versions prior t…
Medium
CVE-2025-5239
The Domain For Sale plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class_name’ parameter in all versions up to, and including, 3.0.10 due to insufficient input sanitizatio…
Medium
CVE-2025-5703
The StageShow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘anchor’ parameter in all versions up to, and including, 10.0.3 due to insufficient input sanitization and outp…
Medium
CVE-2025-5699
The Developer Formatter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom CSS in all versions up to, and including, 2015.0.2.1 due to insufficient input sanitization an…
Medium
CVE-2025-5686
The Paged Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gallery' shortcode in all versions up to, and including, 0.7 due to insufficient input sanitizati…
Medium
CVE-2025-5586
The WordPress Ajax Load More and Infinite Scroll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.6.0 due to insufficie…
Medium
CVE-2025-5565
The Hide It plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'hideit' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization an…
Medium
CVE-2025-5563
The WP-Addpub plugin for WordPress is vulnerable to SQL Injection via the 'wp-addpub' shortcode in all versions up to, and including, 1.2.8 due to insufficient escaping on the user supplied parameter…
Medium
CVE-2025-5541
The Runners Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'runnerslog' shortcode in all versions up to, and including, 3.9.2 due to insufficient input sanitiz…
Medium
CVE-2025-5538
The BNS Featured Category plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bnsfc' shortcode in all versions up to, and including, 2.8.2 due to insufficient input sa…
Medium
CVE-2025-5536
The Freemind Viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'freemind' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitiz…
Medium
CVE-2025-5534
The ESV Bible Shortcode for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'esv' shortcode in all versions up to, and including, 1.0.2 due to insufficien…
Medium
CVE-2025-5533
The Knowledge Base plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'kbalert' shortcode in all versions up to, and including, 2.3.0 due to insufficient input sanitiz…
Critical
CVE-2025-5486
The WP Email Debug plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the WPMDBUG_handle_settings() function in versions 1.0 to 1.1.0. This makes it possi…
Medium
CVE-2025-5019
The Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. Thi…
High
CVE-2025-5018
The Hive Support plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the hs_update_ai_chat_settings() and hive_lite_support_get_all…
Medium
CVE-2025-4966
The WP Online Users Stats plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation within the hk_dataset_r…