CVE Daily
← All tags

Tag: WordPress

All CVEs associated with "WordPress". Page 4/4 • 445 CVEs.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2025-05-14
Critical

CVE-2025-3623

The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_messa…

CVSS: 9.1 CWE: CWE-502
Read more
2025-04-24
Critical

CVE-2025-3604

The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user…

CVSS: 9.8 CWE: CWE-862
Read more
Critical

CVE-2025-3603

The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user…

CVSS: 9.8 CWE: CWE-620
Read more
2025-04-22
Medium

CVE-2025-2839

The WP Import Export Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpiePreviewData’ function in all versions up to, and including, 3.9.27 due to insufficient input s…

CVSS: 6.4 CWE: CWE-79
Read more
2025-04-15
Medium

CVE-2025-2225

The Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘rael_title_tag' parameter in all…

CVSS: 6.4 CWE: CWE-79
Read more
2025-04-09
Medium

CVE-2025-3100

The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in al…

CVSS: 6.4 CWE: CWE-79
Read more
2025-04-08
Medium

CVE-2025-2876

The MelaPress Login Security and MelaPress Login Security Premium plugins for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'monitor_admin_actions' fun…

CVSS: 5.3 CWE: CWE-862
Read more
Medium

CVE-2025-3437

The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in the ajax_act…

CVSS: 4.3 CWE: CWE-862
Read more
Medium

CVE-2025-2808

The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Phone Number parameter in all versions up to, and including, 1.4.63…

CVSS: 5.4 CWE: CWE-79
Read more
High

CVE-2025-2807

The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary plugin installations due to a missing capability check in the mvl_setup_wizard_install_plugin(…

CVSS: 8.8 CWE: CWE-862
Read more
2025-04-04
Critical

CVE-2025-2798

The Woffice CRM theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.4.21. This is due to a misconfiguration of excluded roles during registration. This…

CVSS: 9.8 CWE: CWE-269
Read more
Medium

CVE-2025-2797

The Woffice Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.4.21. This is due to missing or incorrect nonce validation on the 'woffice_ha…

CVSS: 5.4 CWE: CWE-352
Read more
High

CVE-2025-2780

The Woffice Core plugin for WordPress, used by the Woffice Theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'saveFeaturedImage' function in all versions up to…

CVSS: 8.8 CWE: CWE-434
Read more
High

CVE-2025-2075

The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.3.0.2. This is due…

CVSS: 8.8 CWE: CWE-862
Read more
2025-04-02
Critical

CVE-2025-2005

The Front End Users plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the file uploads field of the registration form in all versions up to, and incl…

CVSS: 9.8 CWE: CWE-434
Read more
Medium

CVE-2024-12410

The Front End Users plugin for WordPress is vulnerable to SQL Injection via the 'UserSearchField' parameter in all versions up to, and including, 3.2.32 due to insufficient escaping on the user suppl…

CVSS: 4.9 CWE: CWE-89
Read more
2025-03-29
Medium

CVE-2024-11180

The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown Timer Widget ekit_countdown_timer_title parameter in all versions up to, and inclu…

CVSS: 6.4 CWE: CWE-79
Read more
2025-03-28
High

CVE-2025-2485

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8.7 via deserialization of untrusted inp…

CVSS: 7.5 CWE: CWE-502
Read more
High

CVE-2025-2328

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'dnd_remove_uploaded_files' fun…

CVSS: 8.8 CWE: CWE-22
Read more
2025-03-27
Medium

CVE-2025-2685

The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘table-name’ parameter in all versions up to, and including, 3.0.4 due to insu…

CVSS: 6.4 CWE: CWE-79
Read more
2025-03-26
Medium

CVE-2025-2228

The Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1…

CVSS: 5.7 CWE: CWE-200
Read more
High

CVE-2025-2110

The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on its on its AJA…

CVSS: 8.8 CWE: CWE-862
Read more
Medium

CVE-2025-1440

The Advanced iFrame plugin for WordPress is vulnerable to unauthorized excessive creation of options on the aip_map_url_callback() function in all versions up to, and including, 2024.5 due to insuffi…

CVSS: 5.3 CWE: CWE-20
Read more
Medium

CVE-2025-1439

The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2024.5 due to insufficient inp…

CVSS: 6.4 CWE: CWE-79
Read more
Medium

CVE-2025-1437

The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2024.5 due to insufficient inp…

CVSS: 6.4 CWE: CWE-79
Read more
2025-03-25
Medium

CVE-2025-2109

The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.30.15 via the init() function. Thi…

CVSS: 5.8 CWE: CWE-918
Read more
Medium

CVE-2025-2252

The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.6.1 via the…

CVSS: 5.3 CWE: CWE-200
Read more
Medium

CVE-2025-1320

The teachPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.0.9. This is due to missing or incorrect nonce validation on the import.php pag…

CVSS: 4.3 CWE: CWE-352
Read more
2025-03-22
Medium

CVE-2025-2331

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.22.1 via a misconfigured capability…

CVSS: 5.3 CWE: CWE-200
Read more
2025-03-20
High

CVE-2025-2539

The File Away plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 3.9.9.0.1. This makes it…

CVSS: 7.5 CWE: CWE-327
Read more
Medium

CVE-2025-1766

The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'payment_complete…

CVSS: 5.3 CWE: CWE-862
Read more
2025-03-19
Critical

CVE-2025-2512

The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and inclu…

CVSS: 9.8 CWE: CWE-434
Read more
2025-03-07
Medium

CVE-2024-13526

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability checks on the export_submittion_attendees function…

CVSS: 4.3 CWE: CWE-862
Read more
2025-03-01
Medium

CVE-2025-1459

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Embedded Video(PB) widget in all versions up to, and including, 2.31.4 due to insufficient inp…

CVSS: 6.4 CWE: CWE-79
Read more
Medium

CVE-2024-13518

The Simple:Press Forum plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.10.11. This is due to missing or incorrect nonce validation on the 'sp_…

CVSS: 4.3 CWE: CWE-352
Read more
2025-02-28
Medium

CVE-2025-1506

The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.0. This is due to missing or incorrect nonce…

CVSS: 4.3 CWE: CWE-352
Read more
2025-02-20
Medium

CVE-2024-13802

The Bandsintown Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bandsintown_events' shortcode in all versions up to, and including, 1.3.1 due to insufficien…

CVSS: 6.4 CWE: CWE-79
Read more
2025-02-18
Medium

CVE-2024-13316

The Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more plugin for WordPress is vulnerable to unauthorized access due to a missing capability…

CVSS: 5.3 CWE: CWE-862
Read more
2025-02-04
Medium

CVE-2024-13403

The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘fieldHTML’ parameter in all ve…

CVSS: 6.4 CWE: CWE-79
Read more
Medium

CVE-2024-13325

The Glossy WordPress plugin through 2.3.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high…

CVSS: 6.1 CWE: CWE-79
Read more
2025-01-31
Medium

CVE-2024-12267

The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited arbitrary file deletion due to insufficient file path validation in the dnd_codedropz_upload_dele…

CVSS: 5.3 CWE: CWE-73
Read more
2025-01-30
Medium

CVE-2024-12409

The Simple:Press Forum plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 6.10.11 due to insufficient input sanitization…

CVSS: 6.1 CWE: CWE-79
Read more
2025-01-25
High

CVE-2025-0682

The ThemeREX Addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.0 via the 'trx_sc_reviews' shortcode 'type' attribute. This makes it possible…

CVSS: 8.8 CWE: CWE-98
Read more
2025-01-23
Medium

CVE-2024-12504

The Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_hls' shortcode in all versi…

CVSS: 6.4 CWE: CWE-79
Read more
2025-01-16
Medium

CVE-2024-10970

The The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.43. This is due to the software allowi…

CVSS: 5.4 CWE: CWE-94
Read more
2025-01-14
Medium

CVE-2024-12240

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the row label parameter in all versions up to, and including, 2.31.0 due to insufficient input san…

CVSS: 6.4 CWE: CWE-79
Read more
Medium

CVE-2024-13323

The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'booking' shortcode in all versions up to, and including, 10.9.2 due to insufficient input s…

CVSS: 6.4 CWE: CWE-79
Read more
2025-01-08
Medium

CVE-2024-12855

The AdForest theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX actions like 'sb_remove_ad' in all versions up to, and including,…

CVSS: 4.3 CWE: CWE-862
Read more
Critical

CVE-2024-11350

The AdForest theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.1.6. This is due to the plugin not properly validating a user's ide…

CVSS: 9.8 CWE: CWE-640
Read more
2025-01-07
Medium

CVE-2024-12332

The School Management System – WPSchoolPress plugin for WordPress is vulnerable to SQL Injection via the 'cid' parameter in all versions up to, and including, 2.2.14 due to insufficient escaping on t…

CVSS: 6.5 CWE: CWE-89
Read more
2025-01-04
Medium

CVE-2024-12279

The WP Social AutoConnect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.2. This is due to missing or incorrect nonce validation on a funct…

CVSS: 6.1 CWE: CWE-352
Read more
Medium

CVE-2024-12047

The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘custom_server’ parameter in all versions up to, and including,…

CVSS: 6.1 CWE: CWE-79
Read more
2024-12-21
Critical

CVE-2024-11349

The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.6. This is due to the plugin not properly verifying a user's identity prior to authen…

CVSS: 9.8 CWE: CWE-288
Read more
2024-12-12
Medium

CVE-2024-11724

The Cookie Consent for WP – Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) plugin for WordPress is vulnerable to unauthorized modification of data due to a mi…

CVSS: 4.3 CWE: CWE-862
Read more
2024-12-10
High

CVE-2024-11205

The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpforms_is_admin_page' function in versions starting from 1.8.4 up to, an…

CVSS: 8.5 CWE: CWE-862
Read more
2024-12-07
Medium

CVE-2024-12167

The Shortcodes Blocks Creator Ultimate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the '_wpnonce' parameter in all versions up to, and including, 2.2.0 due to insufficien…

CVSS: 6.1 CWE: CWE-79
Read more
Medium

CVE-2024-12166

The Shortcodes Blocks Creator Ultimate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 2.2.0 due to insufficient in…

CVSS: 6.1 CWE: CWE-79
Read more
2024-11-28
Medium

CVE-2024-7747

The Wallet for WooCommerce plugin for WordPress is vulnerable to incorrect conversion between numeric types in all versions up to, and including, 1.5.6. This is due to a numerical logic flaw when tra…

CVSS: 6.5 CWE: CWE-681
Read more
Medium

CVE-2024-10780

The Restaurant & Cafe Addon for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.5.9 via the 'narestaurant_elementor_template' shortcode du…

CVSS: 4.3 CWE: CWE-639
Read more
Medium

CVE-2024-11685

The `Kudos Donations – Easy donations and payments with Mollie` plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of `add_query_arg` without appropriate escaping on…

CVSS: 6.1 CWE: CWE-79
Read more
Medium

CVE-2024-11684

The Kudos Donations – Easy donations and payments with Mollie plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 3.2.9 du…

CVSS: 6.1 CWE: CWE-79
Read more
2024-11-27
Medium

CVE-2024-11219

The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 3.0.6 via the get_image functio…

CVSS: 5.3 CWE: CWE-22
Read more
2024-11-23
Medium

CVE-2024-10116

The Twitter Follow Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'username' parameter in all versions up to, and including, 0.2 due to insufficient input sanitizati…

CVSS: 6.4 CWE: CWE-79
Read more
2024-11-05
High

CVE-2024-10114

The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.7.7. This is due to insufficient verification on the user being retu…

CVSS: 8.1 CWE: CWE-287
Read more
2024-10-12
Medium

CVE-2024-9595

The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the table cell content in all versions up to, and including, 2.4.2 due to insuffic…

CVSS: 6.4 CWE: CWE-79
Read more
2024-08-01
Medium

CVE-2024-2872

The socialdriver-framework WordPress plugin before 2024.04.30 does not sanitise and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Sit…

CVSS: 4.8 CWE: CWE-79
Read more
2024-07-27
Medium

CVE-2024-5969

The AIomatic - Automatic AI Content Writer for WordPress is vulnerable to arbitrary email sending vulnerability in versions up to, and including, 2.0.5. This is due to insufficient limitations on the…

CVSS: 5.8 CWE: CWE-20
Read more
2024-05-25
Medium

CVE-2024-4045

The Popup Builder by OptinMonster – WordPress Popups for Optins, Email Newsletters and Lead Generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘campaign_id’ paramete…

CVSS: 6.4 CWE: CWE-79
Read more
2024-05-23
Medium

CVE-2024-3648

The ShareThis Share Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sharethis-inline-button' shortcode in all versions up to, and including, 2.3.0 due to i…

CVSS: 6.4 CWE: CWE-79
Read more
2024-05-21
Medium

CVE-2024-4361

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siteorigin_widget' shortcode in all versions up to, and including, 2.29.15 due to in…

CVSS: 6.4 CWE: CWE-79
Read more
2024-05-14
Medium

CVE-2024-4445

The WP Compress – Image Optimizer [All-In-One] plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the several functions in versions up to, an…

CVSS: 6.5 CWE: CWE-601
Read more
Medium

CVE-2023-6812

The WP Compress – Image Optimizer [All-In-One plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 6.20.01. This is due to insufficient validation on the redirect…

CVSS: 4.3 CWE: CWE-601
Read more
2024-05-02
Medium

CVE-2024-3717

The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.7.7 via the '/wp-content/uploads…

CVSS: 5.3 CWE: N/A
Read more
2024-04-09
High

CVE-2024-1934

The WP Compress – Image Optimizer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wps_local_compress::__construct' function in all ve…

CVSS: 7.5 CWE: CWE-862
Read more
Medium

CVE-2024-0873

The Watu Quiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'watu-basic-chart' shortcode in all versions up to, and including, 3.4.1 due to insufficient input san…

CVSS: 6.4 CWE: CWE-79
Read more
2024-04-02
Medium

CVE-2024-1504

The SecuPress Free — WordPress Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.5.1. This is due to missing or incorrect nonce valid…

CVSS: 4.3 CWE: CWE-352
Read more
2024-03-13
High

CVE-2024-1935

The Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘parent_url’ pa…

CVSS: 7.2 CWE: CWE-79
Read more
2024-03-02
Medium

CVE-2024-1592

The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5.6. This is due to missing or incorrect nonce valida…

CVSS: 4.3 CWE: CWE-352
Read more
2024-02-29
Medium

CVE-2024-1978

The Friends plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.5 via the discover_available_feeds function. This makes it possible for authent…

CVSS: 5.5 CWE: CWE-918
Read more
Medium

CVE-2024-1242

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button onclick attribute in all versions up to, and including, 4.10.18 due to insufficient i…

CVSS: 6.4 CWE: CWE-79
Read more
2024-02-03
Medium

CVE-2024-0909

The Anonymous Restricted Content plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 1.6.2. This is due to insufficient restrictions through the REST AP…

CVSS: 5.3 CWE: N/A
Read more
2024-02-02
Medium

CVE-2024-0844

The Popup More Popups, Lightboxes, and more popup modules plugin for WordPress is vulnerable to Local File Inclusion in version 2.1.6 via the ycfChangeElementData() function. This makes it possible f…

CVSS: 4.7 CWE: CWE-22
Read more
2021-04-05
Medium

CVE-2021-24211

The WordPress Related Posts plugin through 3.6.4 contains an authenticated (admin+) stored XSS vulnerability in the title field on the settings page. By exploiting that an attacker will be able to ex…

CVSS: 5.4 CWE: CWE-79
Read more
2020-04-13
High

CVE-2020-11738

The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init.

CVSS: 7.5 CWE: CWE-22
Read more
2019-08-20
Medium

CVE-2017-18524

The football-pool plugin before 2.6.5 for WordPress has multiple XSS issues.

CVSS: 6.1 CWE: CWE-79
Read more