CVE Daily
← All tags

Tag: WordPress

All CVEs associated with "WordPress". Page 67/152 • 18159 CVEs.

Subscribe CVEs: RSS for “WordPress”  ·  RSS (High+Critical only)

About “WordPress”

A curated feed of “WordPress”-related CVEs appears below. We currently track 18159 CVEs for this tag (all time). In the last 365 days, 4097 were published. Average CVSS is 6.3 (all time; 6.3 over 365d), and 27% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-862 - Missing Authorization, CWE-352 - Cross-Site Request Forgery (CSRF).

In our taxonomy this topic maps to a MODERATE impact class. CMS and plugins expand attack surface. Patch core, themes, and plugins, remove abandoned extensions, restrict admin access, enable WAF, and keep backups. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2024-08-17
High

CVE-2023-0714

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Arbitrary File Upload due to insufficient file type validation in versions up to, and including, 3.2.4. This allows unauthent…

CVSS: 8.1 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Medium

CVE-2023-5505

The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the job-specific backup folder. This allows authenticated attackers to store backups…

CVSS: 6.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2023-3409

The Bricks theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.1. This is due to missing or incorrect nonce validation on the 'reset_settings' functi…

CVSS: 5.4 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Medium

CVE-2023-3408

The Bricks theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.1. This is due to missing or incorrect nonce validation on the 'save_settings' functio…

CVSS: 4.3 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Medium

CVE-2023-4730

The LadiApp plugn for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the init_endpoint() function hooked via 'init' in versions up to, and including…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2023-4604

The Slideshow, Image Slider by 2J plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘post’ parameter in versions up to, and including, 1.3.54 due to insufficient input sani…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2023-4507

The Admission AppManager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'q' parameter in versions up to, and including, 1.0.0 due to insufficient input sanitization and…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2023-4027

The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_settings function in versions up to, and including, 2.0.73. Th…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2023-4025

The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_player function in versions up to, and including, 2.0.73. This…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2023-4024

The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_player function in versions up to, and including, 2.0.73. This…

CVSS: 5.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2023-1604

The Short URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.8. This is due to missing or incorrect nonce validation on the configuration_page…

CVSS: 4.7 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Medium

CVE-2022-4532

The LOGIN AND REGISTRATION ATTEMPTS LIMIT plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 2.1. This is due to insufficient restrictions on where the IP Add…

CVSS: 6.5 CWE: CWE-348 - Use of Less Trusted Source View on NVD
High

CVE-2022-1751

The Skitter Slideshow plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5.2 via the /image.php file. This makes it possible for unauthenticated…

CVSS: 7.2 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
Critical

CVE-2024-6459

The News Element Elementor Blog Magazine WordPress plugin before 1.0.6 is vulnerable to Local File Inclusion via the template parameter. This makes it possible for unauthenticated attacker to include…

CVSS: 9.8 CWE: N/A View on NVD
Critical

CVE-2024-6500

The InPost for WooCommerce plugin and InPost PL plugin for WordPress are vulnerable to unauthorized access and deletion of data due to a missing capability check on the 'parse_request' function in al…

CVSS: 10.0 CWE: CWE-862 - Missing Authorization View on NVD
2024-08-16
High

CVE-2024-7145

The JetElements plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.6.20 via the 'progress_type' parameter. This makes it possible for authenticated att…

CVSS: 8.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2024-7144

The JetElements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' and 'slide_id' parameters in all versions up to, and including, 2.6.20 due to insufficient input sanitiz…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-7147

The JetBlocks for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple placeholder parameters in all versions up to, and including, 1.3.12 due to insufficient inpu…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2024-7146

The JetTabs for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.3 via the 'switcher_preset' parameter. This makes it possible for authen…

CVSS: 8.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2024-7136

The JetSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output es…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-7501

The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.7. This is due to missing or incorrect…

CVSS: 4.2 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Critical

CVE-2024-6460

The Grow by Tradedoubler WordPress plugin through 2.0.21 is vulnerable to Local File Inclusion via the component parameter. This makes it possible for attackers to include and execute PHP files on t…

CVSS: 9.8 CWE: N/A View on NVD
High

CVE-2024-7301

The WordPress File Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.24.8 due to insufficient input sanitization an…

CVSS: 7.2 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-7422

The Theme My Login plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.1.7. This is due to missing or incorrect nonce validation on the tml_admin_…

CVSS: 4.3 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Medium

CVE-2024-7630

The Relevanssi – A Better Search plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.22.2 (Free) and 2.25.1 (Premium) via the relevanssi_do_query() due…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2023-7049

The Custom Field For WP Job Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2 via the the 'cm_fieldshow' shortcode due to missin…

CVSS: 4.3 CWE: CWE-639 - Authorization Bypass Through User-Controlled Key View on NVD
Medium

CVE-2022-3399

The Cookie Notice & Compliance for GDPR / CCPA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cookie_notice_options[refuse_code_head]' parameter in versions up to, and inc…

CVSS: 4.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2024-08-15
Medium

CVE-2024-7411

The Newsletters plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 4.9.9. This is due the plugin not preventing direct access to the /vendor/mobiledetect…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2024-7064

The ElementsKit Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 3.6.5 due to insufficient input sanitization and out…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-7063

The ElementsKit Pro plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.6 via the 'render_raw' function. This can allow authenticated attack…

CVSS: 4.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
High

CVE-2024-7628

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 4.15.2. This is due to the use of loose co…

CVSS: 8.1 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
High

CVE-2024-7624

The Zephyr Project Manager plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 3.3.101. This is due to the plugin not properly checking a users ca…

CVSS: 8.1 CWE: CWE-285 - Improper Authorization View on NVD
Medium

CVE-2024-7420

The Insert PHP Code Snippet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.6. This is due to missing or incorrect nonce validation in the /…

CVSS: 5.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2024-08-14
Medium

CVE-2024-6532

The Sheet to Table Live Sync for Google Sheet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's STWT_Sheet_Table shortcode in all versions up to, and including, 1.0.1…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2024-4389

The Slider and Carousel slider by Depicter plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadFile function in all versions up to, and inclu…

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Medium

CVE-2024-7588

The Gutenberg Blocks, Page Builder – ComboBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Accordion block in all versions up to, and including, 2.2.87 due to…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2024-08-13
Medium

CVE-2024-7247

The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Custom G…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2024-6823

The Media Library Assistant plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation involving the mla-inline-edit-upload-scripts AJAX action in all versions u…

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
Medium

CVE-2024-6724

The Generate Images WordPress plugin before 5.2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attac…

CVSS: 4.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-7092

The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘no_more_items_text’ para…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-7388

The WP Bannerize Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via banner alt data in all versions up to, and including, 1.9.0 due to insufficient input sanitization and outpu…

CVSS: 4.0 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Critical

CVE-2024-7094

The JS Help Desk – The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.8.6 via th…

CVSS: 9.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2024-08-12
Medium

CVE-2024-43125

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Table Builder WP Table Builder – WordPress Table Plugin allows Stored XSS.This issue af…

CVSS: 6.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-37930

Insertion of Sensitive Information into Log File vulnerability in ThemeSphere SmartMag smartmag-responsive-retina-wordpress-magazine.This issue affects SmartMag: from n/a through < 10.1.0.

CVSS: 5.3 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
Medium

CVE-2024-43224

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Yuri Baranov YaMaps for WordPress allows Stored XSS.This issue affects YaMaps for WordPres…

CVSS: 6.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-6639

The MDx theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mdx_list_item' shortcode in all versions up to, and including, 2.0.3 due to insufficient input sanitization…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-7649

The Opal Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via checkout form fields in all versions up to, and including, 1.2.4 due to insufficient input sanitization and o…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-7648

The Opal Membership plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.4 via the private notes functionality on payments which utilizes Wor…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-7621

The Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the process_wpfee…

CVSS: 5.4 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-7574

The Christmasify! plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.5. This is due to missing nonce validation on the 'options' function. This mak…

CVSS: 6.1 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Critical

CVE-2024-7503

The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.7.5. This is due to the use of loose comparison of the activation code i…

CVSS: 9.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
Medium

CVE-2024-7416

The Reveal Template plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.7. This is due to the plugin allowing direct access to the bootstrap.php file wh…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2024-7414

The PDF Builder for WPForms plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.2.116. This is due to the plugin allowing direct access to the composer-…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2024-7413

The Obfuscate Email plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.8.1. This is due to the plugin allowing direct access to the bootstrap.php file…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2024-7412

The No Update Nag plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.4.12. This is due to the plugin allowing direct access to the bootstrap.php file w…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2024-7410

The My Custom CSS PHP & ADS plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.3. This is due the plugin not preventing direct access to the /my-custom…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2024-7382

The Linkify Text plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.9.1. This is due to the plugin utilizing bootstrap and leaving test files with disp…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Low

CVE-2024-6692

The Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Agreement Text value i…

CVSS: 3.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-6691

The Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the currency value in all…

CVSS: 4.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-6562

The affiliate-toolkit – WordPress Affiliate Plugin plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.5.5. This is due display_errors being set to true…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2024-6158

The Category Posts Widget WordPress plugin before 4.9.17, term-and-category-based-posts-widget WordPress plugin before 4.9.13 does not validate and escape some of its "Category Posts" widget settings…

CVSS: 4.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-6136

The wp-cart-for-digital-products WordPress plugin before 8.5.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks

CVSS: 5.4 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Medium

CVE-2024-6134

The wp-cart-for-digital-products WordPress plugin before 8.5.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-6133

The wp-cart-for-digital-products WordPress plugin before 8.5.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could…

CVSS: 6.5 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-4360

The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-4359

The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and inclu…

CVSS: 6.5 CWE: CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') View on NVD
2024-08-08
High

CVE-2024-7548

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the 'order' parameter in all versions up to, and including, 4.2.6.9.3 due to insufficient esca…

CVSS: 8.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
High

CVE-2024-7150

The Slider by 10Web – Responsive Image Slider plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' parameter in all versions up to, and including, 1.2.57 due to insufficient es…

CVSS: 8.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
Medium

CVE-2024-6884

The Gutenberg Blocks with AI by Kadence WP WordPress plugin before 3.2.39 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed,…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-6824

The Premium Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'check_temp_validity' and 'update_template_t…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-6481

The Search & Filter Pro WordPress plugin before 2.5.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting a…

CVSS: 4.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-5226

The Fuse Social Floating Sidebar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the file upload functionality in all versions up to, and including, 5.4.10 due to insufficient v…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-6987

The Orchid Store theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'orchid_store_activate_plugin' function in all versions up to, and inc…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-6869

The Falang multilanguage for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and includ…

CVSS: 5.4 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-5668

The Lightbox & Modal Popup WordPress Plugin – FooBox plugin for WordPress is vulnerable to DOM-based Stored Cross-Site Scripting via HTML data attributes in all versions up to, and including, 2.7.28…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-6552

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.2. This is due to the plugin utilizing Sym…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2024-6254

The Brizy – Page Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.1. This is due to missing or incorrect nonce validation on form sub…

CVSS: 4.3 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2024-7492

The MainWP Child Reports plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the networ…

CVSS: 8.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Critical

CVE-2024-7350

The Appointment Booking Calendar Plugin and Online Scheduling Plugin – BookingPress plugin for WordPress is vulnerable to authentication bypass in versions 1.1.6 to 1.1.7. This is due to the plugin n…

CVSS: 9.8 CWE: CWE-288 - Authentication Bypass Using an Alternate Path or Channel View on NVD
High

CVE-2024-7561

The The Next theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.0 via deserialization of untrusted input from the wpeden_post_meta post meta value. Th…

CVSS: 8.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
High

CVE-2024-7560

The News Flash theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.0 via deserialization of untrusted input from the newsflash_post_meta meta value. Th…

CVSS: 7.2 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
High

CVE-2024-7486

The MultiPurpose theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.0 via deserialization of untrusted input through the 'wpeden_post_meta' post meta.…

CVSS: 8.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2024-08-07
Medium

CVE-2024-7355

The Organization chart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title_input’ and 'node_description' parameter in all versions up to, and including, 1.5.0 due to insu…

CVSS: 4.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-7353

The Accept Stripe Payments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's accept_stripe_payment_ng shortcode in all versions up to, and including, 2.0.86 due to in…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2024-6522

The Modern Events Calendar plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.12.1 via the 'mec_fes_form' AJAX function. This makes it possible…

CVSS: 8.5 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
Medium

CVE-2024-6494

The WordPress File Upload WordPress plugin before 4.24.8 does not properly sanitize and escape certain parameters, which could allow unauthenticated users to execute stored cross-site scripting (XSS)…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-3973

The House Manager WordPress plugin through 1.0.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used aga…

CVSS: 4.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2024-08-06
High

CVE-2024-6720

The Light Poll WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks

CVSS: 8.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Medium

CVE-2024-7317

The Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-7084

The Ajax Search Lite WordPress plugin before 4.12.1 does not sanitise and escape some parameters, which could allow users with a role as low as Admin+ to perform Cross-Site Scripting attacks.

CVSS: 4.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-7082

The Easy Table of Contents WordPress plugin before 2.0.68 does not sanitise and escape some parameters, which could allow users with a role as low as Editor to perform Cross-Site Scripting attacks.

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-6766

The shortcodes-ultimate-pro WordPress plugin before 7.2.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-6651

The WordPress File Upload WordPress plugin before 4.24.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be use…

CVSS: 6.1 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2024-5709

The WPBakery Visual Composer plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.7 via the 'layout_name' parameter. This makes it possible for authentic…

CVSS: 8.8 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2024-5708

The WPBakery Visual Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter in all versions up to, and including, 7.7 due to insufficient input sanitizatio…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2024-7485

The Traffic Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page' parameter in the 'UserWebStat' AJAX function in all versions up to, and including, 1.4.5 due to in…

CVSS: 7.2 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2024-7484

The CRM Perks Forms plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation on the 'handle_uploaded_files' function in versions up to, and including, 1.1.3. T…

CVSS: 7.2 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2024-6315

The Blox Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'handleUploadFile' function in all versions up to, and including, 1.0.65.…

CVSS: 8.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2023-5000

The Horizontal scrolling announcements plugin for WordPress is vulnerable to SQL Injection via the plugin's 'hsas-shortcode' shortcode in versions up to, and including, 2.4 due to insufficient escapi…

CVSS: 8.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2024-08-05
Medium

CVE-2024-41816

Cooked is a recipe plugin for WordPress. The Cooked plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the ‘[cooked-timer]’ shortcode in versions up to, and including, 1.…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-6710

The Ditty WordPress plugin before 3.1.45 does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-6498

The Chatbot for WordPress by Collect.chat ⚡️ WordPress plugin before 2.4.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Sit…

CVSS: 4.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-6270

The Community Events WordPress plugin before 1.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attac…

CVSS: 4.8 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-5081

The wp-eMember WordPress plugin before v10.7.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored…

CVSS: 6.1 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Medium

CVE-2024-3636

The Pinpoint Booking System WordPress plugin before 2.9.9.4.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scr…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2024-08-03
Medium

CVE-2024-6872

The Build Your Dream Website Fast with 400+ Starter Templates and Landing Pages, No Coding Needed, One-Click Import for Elementor & Gutenberg Blocks! – TemplateSpare plugin for WordPress is vulnerabl…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-6709

The Sync Post With Other Site plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'sps_add_update_post' function in all versions up to, an…

CVSS: 4.3 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2024-7356

The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘filename’ parameter in all versions up to, and including, 3.3.100 due to insufficient input sanit…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Critical

CVE-2024-7257

The YayExtra – WooCommerce Extra Product Options plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_upload_file function in all versions up…

CVSS: 9.8 CWE: CWE-434 - Unrestricted Upload of File with Dangerous Type View on NVD
High

CVE-2024-7031

The File Manager Pro – Filester plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'njt_fs_saveSettingRestrictions' function in all versi…

CVSS: 7.5 CWE: CWE-862 - Missing Authorization View on NVD
High

CVE-2024-7291

The JetFormBuilder plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3.4.1. This is due to improper restriction on user meta fields. This makes it pos…

CVSS: 7.2 CWE: CWE-269 - Improper Privilege Management View on NVD
High

CVE-2024-6477

The UsersWP WordPress plugin before 1.2.12 uses predictable filenames when an admin generates an export, which could allow unauthenticated attackers to download them and retrieve sensitive informatio…

CVSS: 7.5 CWE: N/A View on NVD
Medium

CVE-2024-6390

The Quiz and Survey Master (QSM) WordPress plugin before 9.1.0 does not properly sanitise and escape some of its Quizz settings, which could allow high privilege users such as contributor to perform…

CVSS: 5.9 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2024-08-02
Medium

CVE-2024-6704

The Comments – wpDiscuz plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 7.6.21. This is due to a lack of filtering of HTML tags in comments. This makes it p…

CVSS: 5.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-4643

The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘end_redirect_lin…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2024-3238

The WordPress Menu Plugin — Superfly Responsive Menu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0.29. This is due to missing or incorrect…

CVSS: 8.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
Medium

CVE-2024-5595

The Essential Blocks WordPress plugin before 4.7.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users…

CVSS: 5.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Medium

CVE-2024-3827

The Spectra Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via block ids in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping…

CVSS: 6.4 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
High

CVE-2024-7389

The Forminator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.29.1 via class-forminator-addon-hubspot-wp-api.php. This makes it possible…

CVSS: 7.5 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
Medium

CVE-2024-6567

The Ebook Store plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 5.8001. This is due to the plugin utilizing fpdi-protection and not preventing direct…

CVSS: 5.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD