Medium
CVE-2025-0353
The Divi Torque Lite – Best Divi Addon, Extensions, Modules & Social Modules plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including…
Tag: WordPress
All CVEs associated with "WordPress". Page 49/152 • 18158 CVEs.
Subscribe CVEs: RSS for “WordPress” · RSS (High+Critical only)
About “WordPress”
A curated feed of “WordPress”-related CVEs appears below. We currently track 18158 CVEs for this tag (all time). In the last 365 days, 4096 were published. Average CVSS is 6.3 (all time; 6.3 over 365d), and 27% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-862 - Missing Authorization, CWE-352 - Cross-Site Request Forgery (CSRF).
In our taxonomy this topic maps to a MODERATE impact class. CMS and plugins expand attack surface. Patch core, themes, and plugins, remove abandoned extensions, restrict admin access, enable WAF, and keep backups. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.
CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).
CVSS ≥ 0.0
2025-01-29
Medium
CVE-2024-13561
The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's brid_override_yt shortcode in all versions up to, and including, 3.8.3 due to insuffic…
High
CVE-2024-13696
The Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wishlist_name’ parameter in all versions up to,…
High
CVE-2024-12749
The Competition Form WordPress plugin through 2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used again…
Medium
CVE-2025-0804
The ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via link titles in all versions up t…
2025-01-28
Medium
CVE-2024-13527
The Philantro – Donations and Donor Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes like 'donate' in all versions up to, and including, 5.3 du…
Medium
CVE-2025-0321
The ElementsKit Pro plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 3.7.8 due to insufficient input sanitizat…
Medium
CVE-2024-13521
The MailUp Auto Subscription plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the…
High
CVE-2024-13509
The WS Form LITE and PRO plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the url parameter in all versions up to, and including, 1.10.13 due to insufficient input sanitization…
Critical
CVE-2024-13448
The ThemeREX Addons plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'trx_addons_uploads_save_data' function in all versions up to, and includin…
Medium
CVE-2024-12807
The Social Share Buttons for WordPress plugin through 2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scriptin…
Medium
CVE-2024-12723
The Infility Global WordPress plugin through 2.9.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used agai…
High
CVE-2024-11135
The Eventer plugin for WordPress is vulnerable to SQL Injection via the 'event' parameter in the 'eventer_get_attendees' function in all versions up to, and including, 3.9.8 due to insufficient escap…
2025-01-27
Medium
CVE-2024-13117
The Social Share Buttons for WordPress plugin through 2.7 allows an unauthenticated user to upload arbitrary images and change the path where they are uploaded
Low
CVE-2024-13116
The Crelly Slider WordPress plugin before 1.4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks…
Medium
CVE-2024-13095
The WP Triggers Lite WordPress plugin through 2.5.3 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
High
CVE-2024-13094
The WP Triggers Lite WordPress plugin through 2.5.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used aga…
High
CVE-2024-13057
The Dyn Business Panel WordPress plugin through 1.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add…
High
CVE-2024-13056
The Dyn Business Panel WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used a…
High
CVE-2024-13055
The Dyn Business Panel WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used a…
High
CVE-2024-13052
The Dental Optimizer Patient Generator App WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting whi…
Medium
CVE-2024-12774
The Altra Side Menu WordPress plugin through 2.0 does not have CSRF checks in some places, which could allow attackers to make logged in admins delete arbitrary menu via a CSRF attack
High
CVE-2024-12773
The Altra Side Menu WordPress plugin through 2.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks
Medium
CVE-2024-12436
The WP Customer Area WordPress plugin through 8.2.4 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
High
CVE-2024-12321
The WC Affiliate WordPress plugin through 2.3.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used agains…
Medium
CVE-2024-12280
The WP Customer Area WordPress plugin through 8.2.4 does not have CSRF check in place when deleting its logs, which could allow attackers to make a logged in to delete them via a CSRF attack
2025-01-26
Medium
CVE-2024-13505
The Survey Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ays_sections[5][questions][8][title]’ parameter in all versions up to, and including, 5.1.3.3 due to insuff…
Medium
CVE-2024-12334
The WC Affiliate – A Complete WooCommerce Affiliate Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via any parameter in all versions up to, and including, 2.4 due to insu…
High
CVE-2024-11936
The Zox News theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'backup_options' and 'restore_option…
High
CVE-2024-11641
The VikBooking Hotel Booking Engine & PMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.2. This is due to missing or incorrect nonce valid…
Medium
CVE-2024-11090
The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.13 via the WordPress core search feature. This…
Medium
CVE-2024-10705
The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.5 via the 'mpg_download_file_by_link' function. Th…
Medium
CVE-2024-10636
The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 8.8.0 (Business)…
High
CVE-2024-10633
The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.…
High
CVE-2024-10628
The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to SQL Injection via the ‘id’ parameter in all versions up to, and including, 8.8.0 (Business), up to, and including…
High
CVE-2024-10574
The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ays_save_google_credentials' function…
2025-01-25
High
CVE-2024-13562
The Import WP – Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.14.5 via the uploads dire…
Medium
CVE-2025-0350
The Divi Carousel Maker – Image, Logo, Testimonial, Post Carousel & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Carousel and Logo Carousel in all ver…
Low
CVE-2024-13450
The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to Server-Side Request Forgery in all ve…
Medium
CVE-2024-13449
The Boom Fest plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'bf_admin_action' function in all versions up to, and including, 2.2.1.…
Medium
CVE-2024-13599
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.7.5 due to insufficient input sanitization and output…
Medium
CVE-2024-13586
The Masy Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'justified-gallery' shortcode in all versions up to, and including, 1.7 due to insufficient input s…
Medium
CVE-2024-13551
The ABC Notation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'abcjs' shortcode in all versions up to, and including, 6.1.3 due to insufficient input sanitizatio…
Medium
CVE-2024-13550
The ABC Notation plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.1.3 via the 'file' attribute of the 'abcjs' shortcode. This makes it possible for authent…
Medium
CVE-2024-13548
The Power Ups for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'magic-button' shortcode in all versions up to, and including, 1.2.2 due to insufficient…
Medium
CVE-2024-13467
The WP Contact Form7 Email Spam Blocker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post' parameter in all versions up to, and including, 1.0.0 due to insufficient i…
Medium
CVE-2024-13458
The WordPress SEO Friendly Accordion FAQ with AI assisted content generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'noticefaq' shortcode in all versions u…
Medium
CVE-2024-13441
The Bilingual Linker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the bl_otherlang_link_1 parameter in all versions up to, and including, 2.4 due to insufficient input saniti…
Medium
CVE-2024-13370
The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the s…
Medium
CVE-2024-13368
The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the y…
Medium
CVE-2024-12885
The Connections Business Directory plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation when deleting a connections image directory in all versi…
Medium
CVE-2024-12826
The GoHero Store Customizer for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wooh_action_settings_save_frontend() funct…
Medium
CVE-2024-12817
The Etsy Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'product_link' shortcode in all versions up to, and including, 1.4.2 due to insufficient input san…
Medium
CVE-2024-12816
The NOTICE BOARD BY TOWKIR plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'notice-board' shortcode in all versions up to, and including, 3.1 due to insufficient in…
Medium
CVE-2024-12529
The brodos.net Onlineshop Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'BrodosCategory' shortcode in all versions up to, and including, 2.0.2 due to insuf…
Medium
CVE-2024-12512
The Ask Me Anything (Anonymously) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'askmeanythingpeople' shortcode in all versions up to, and including, 1.6 due to i…
Medium
CVE-2024-12113
The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on…
Medium
CVE-2024-12076
The Target Video Easy Publish plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.3. This is due to missing or incorrect nonce validation on the…
Medium
CVE-2024-11825
The Broadstreet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘zone’ parameter in all versions up to, and including, 1.51.0 due to insufficient input sanitization and outp…
High
CVE-2024-12600
The Custom Product Tabs Lite for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.0 via deserialization of untrusted input from the 'fr…
Medium
CVE-2024-10552
The Flexmls® IDX Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘api_key’ and 'api_secret' parameters in all versions up to, and including, 3.14.26 due to insufficie…
High
CVE-2025-0682
The ThemeREX Addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.0 via the 'trx_sc_reviews' shortcode 'type' attribute. This makes it possible…
Medium
CVE-2024-13721
The Plethora Plugins Tabs + Accordions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the anchor parameter in all versions up to, and including, 1.1.8 due to insufficient input…
Medium
CVE-2024-13709
The Linear plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.1. This is due to missing or incorrect nonce validation on the 'linear-debug'. Th…
Critical
CVE-2025-0357
The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'WPB_Profile_controller::handle_image_upload' function in versions up to, and…
2025-01-24
Medium
CVE-2025-24666
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle AI Chatbot for WordPress – Hyve Lite hyve-lite allows Stored XSS.This issue affects AI…
Medium
CVE-2025-24588
Missing Authorization vulnerability in patreon Patreon WordPress patreon-connect allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Patreon WordPress: from n/a…
Medium
CVE-2024-13698
The Jobify - Job Board WordPress Theme for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'download_image_via_ai' and 'generate_image…
Medium
CVE-2024-11913
The Activity Plus Reloaded for BuddyPress plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 1.1.1 via the 'ajax_preview_link' function. Thi…
Medium
CVE-2024-10324
The RomethemeKit For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.5.2 via the register_controls function in widgets/offcanvas…
Medium
CVE-2024-13594
The Simple Downloads List plugin for WordPress is vulnerable to SQL Injection via the 'category' attribute of the 'neofix_sdl' shortcode in all versions up to, and including, 1.4.2 due to insufficien…
Medium
CVE-2024-13572
The Precious Metals Charts and Widgets for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'nfusion-widget' shortcode in all versions up to, and including…
Medium
CVE-2024-13542
The WP Google Street View (with 360° virtual tour) & Google maps + Local SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpgsv' shortcode in all versions up to…
High
CVE-2024-13409
The Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.10…
High
CVE-2024-13408
The Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.10…
Medium
CVE-2024-13354
The Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via HTML tags in several widgets in all ve…
Medium
CVE-2024-13335
The Spexo Addons for Elementor – Free Elementor Addons, Widgets and Templates plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the tmpcoder_theme_install…
Medium
CVE-2024-13583
The Simple Gallery with Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'c2tw_sgwf' shortcode in all versions up to, and including, 2.0 due to insufficient i…
Medium
CVE-2024-12494
The BMLT Meeting Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bmlt_meeting_map' shortcode in all versions up to, and including, 2.6.1 due to insufficient in…
Critical
CVE-2024-13545
The Bootstrap Ultimate theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.9 via the path parameter. This makes it possible for unauthenticated attacke…
Medium
CVE-2024-13683
The Automate Hub Free by Sperse.IO plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.0. This is due to missing or incorrect nonce validation o…
Medium
CVE-2024-13680
The Form Builder CP plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'CP_EASY_FORM_WILL_APPEAR_HERE' shortcode in all versions up to, and including, 1.2.41 due to ins…
Medium
CVE-2024-13659
The Listamester plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'listamester' shortcode in all versions up to, and including, 2.3.4 due to insufficient input saniti…
2025-01-23
Medium
CVE-2024-13422
The SEO Blogger to WordPress Migration using 301 Redirection plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' parameter in all versions up to, and including, 0.4.8 d…
Medium
CVE-2024-13389
The Cliptakes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cliptakes_input_email' shortcode in all versions up to, and including, 1.3.4 due to insufficient inpu…
Medium
CVE-2024-13340
The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mdf_results_by_ajax' shortcode in all versions up to, and including, 1.3…
Medium
CVE-2024-13236
The Tainacan plugin for WordPress is vulnerable to SQL Injection via the 'collection_id' parameter in all versions up to, and including, 0.21.12 due to insufficient escaping on the user supplied para…
Medium
CVE-2024-12504
The Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_hls' shortcode in all versi…
Medium
CVE-2024-12118
The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Event Calendar Link Widget through the html_tag attribute in all versions up to, and including, 6.9.0…
High
CVE-2024-13234
The Product Table by WBW plugin for WordPress is vulnerable to SQL Injection via the 'additionalCondition' parameter in all versions up to, and including, 2.1.2 due to insufficient escaping on the us…
Medium
CVE-2024-12043
The Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Post Slider and Ecommerce Slider) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'social_link_…
High
CVE-2024-13593
The BMLT Meeting Map plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.6.0 via the 'bmlt_meeting_map' shortcode. This makes it possible for authentica…
2025-01-22
Medium
CVE-2024-12477
The Avada Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.11.11 due to insufficient input sanitization an…
Critical
CVE-2025-23931
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Oliver Fuhrmann WordPress Local SEO dh-local-seo allows Blind SQL Injection.This issue affects Wo…
High
CVE-2025-23867
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in markcoker WordPress File Search wpfilesearch allows Reflected XSS.This issue affects WordPress Fi…
High
CVE-2025-23535
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in martin_ziegert REAL WordPress Sidebar drag-and-drop-custom-sidebar allows Stored XSS.This issue a…
High
CVE-2024-13499
The The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via gamipress_do_shortcode() fu…
High
CVE-2024-13496
The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versi…
High
CVE-2024-13495
The The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via the gamipress_ajax_get_logs…
Medium
CVE-2024-13447
The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the hotel_booking_load_order_user AJAX action in all versions up to, and in…
High
CVE-2025-0429
The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the $form['post_conten…
High
CVE-2025-0428
The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the $form['post_conten…
Medium
CVE-2024-13361
The AI Power: Complete AI Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpaicg_save_image_media function in all versions up to, and including…
Medium
CVE-2024-13360
The AI Power: Complete AI Pack plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.8.96 via the wpaicg_troubleshoot_add_vector(). This makes it p…
Medium
CVE-2024-13319
The Themify Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including,…
Medium
CVE-2024-13406
The XML for Google Merchant Center plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'feed_id' parameter in all versions up to, and including, 3.0.11 due to insufficient in…
Critical
CVE-2024-12857
The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.8. This is due to the plugin not properly verifying a user's identity prior to loggin…
Medium
CVE-2024-12117
The Stackable – Page Builder Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter of the Button block in all versions up to, and including, 3.1…
Medium
CVE-2024-12879
The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'qc_wp_latest_update_check_pro' function in all versio…
Medium
CVE-2024-13590
The Ketchup Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spacer' shortcode in all versions up to, and including, 0.1.2 due to insufficient input sani…
Medium
CVE-2024-13584
The Picture Gallery – Frontend Image Uploads, AJAX Photo List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_pictures' shortcode in all versions up t…
Medium
CVE-2024-13426
The WP-Polls plugin for WordPress is vulnerable to SQL Injection via COOKIE in all versions up to, and including, 2.77.2 due to insufficient escaping on the user supplied parameter and lack of suffic…
Critical
CVE-2024-13091
The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'qcld_wpcfb_file_upload' function in all versions up to, and in…
2025-01-21
High
CVE-2025-22735
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Steve Burge WordPress Tag Cloud Plugin – Tag Groups tag-groups allows Reflected XSS.This issue af…
High
CVE-2024-49333
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Hero Mega Menu - Responsive WordPress Menu Plugin allows SQL Injection. This issue affec…
High
CVE-2024-49303
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Hero Mega Menu - Responsive WordPress Menu Plugin allows SQL Injection. This issue affec…
High
CVE-2024-49300
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Hero Mega Menu - Responsive WordPress Menu Plugin allows Reflected XSS. This issue affec…
Medium
CVE-2025-0450
The Betheme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom JS functionality in all versions up to, and including, 27.6.1 due to insufficient input sanitizat…
Medium
CVE-2024-13444
The wp-greet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2. This is due to missing or incorrect nonce validation on a function. This makes…
Medium
CVE-2024-13230
The Social Share, Social Login and Social Comments Plugin – Super Socializer plugin for WordPress is vulnerable to Limited SQL Injection via the ‘SuperSocializerKey’ parameter in all versions up to,…