Filtered by vendor Wordpress
Subscriptions
Filtered by product Wordpress
Subscriptions
Total
10374 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-1779 | 2 Wordpress, Wpeverest | 2 Wordpress, User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | 2026-02-27 | 8.1 High |
| The User Registration & Membership plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.2. This is due to incorrect authentication in the 'register_member' function. This makes it possible for unauthenticated attackers to log in a newly registered user on the site who has the 'urm_user_just_created' user meta set. | ||||
| CVE-2026-2489 | 2 Readymadeweb, Wordpress | 2 Tp2wp Importer, Wordpress | 2026-02-27 | 4.4 Medium |
| The TP2WP Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Watched domains' textarea on the attachment importer settings page in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping when domains are saved via AJAX and rendered with echo implode() without esc_textarea(). This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the attachment importer settings page. | ||||
| CVE-2026-28136 | 2 Veronalabs, Wordpress | 2 Wp Sms, Wordpress | 2026-02-27 | 7.6 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VeronaLabs WP SMS wp-sms allows SQL Injection.This issue affects WP SMS: from n/a through <= 6.9.12. | ||||
| CVE-2026-1565 | 2 Wedevs, Wordpress | 2 User Frontend: Ai Powered Frontend Posting, User Directory, Profile, Membership & User Registration, Wordpress | 2026-02-27 | 8.8 High |
| The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WPUF_Admin_Settings::check_filetype_and_ext' function and in the 'Admin_Tools::check_filetype_and_ext' function in all versions up to, and including, 4.2.8. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2026-24953 | 2 Mitchell Bennis, Wordpress | 2 Simple File List, Wordpress | 2026-02-26 | 6.5 Medium |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mitchell Bennis Simple File List simple-file-list allows Path Traversal.This issue affects Simple File List: from n/a through <= 6.1.15. | ||||
| CVE-2026-24946 | 2 Tychesoftwares, Wordpress | 2 Print Invoice & Delivery Notes For Woocommerce, Wordpress | 2026-02-26 | 6.5 Medium |
| Missing Authorization vulnerability in tychesoftwares Print Invoice & Delivery Notes for WooCommerce woocommerce-delivery-notes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Print Invoice & Delivery Notes for WooCommerce: from n/a through <= 5.8.0. | ||||
| CVE-2026-23541 | 2 Getwpfunnels, Wordpress | 2 Mail Mint, Wordpress | 2026-02-26 | N/A |
| Missing Authorization vulnerability in WPFunnels Mail Mint mail-mint allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Mail Mint: from n/a through <= 1.19.4. | ||||
| CVE-2025-68834 | 2 Saiful Islam, Wordpress | 2 Sync Master Sheet – Product Sync With Google Sheet For Woocommerce, Wordpress | 2026-02-26 | N/A |
| Missing Authorization vulnerability in Saiful Islam Sync Master Sheet – Product Sync with Google Sheet for WooCommerce product-sync-master-sheet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sync Master Sheet – Product Sync with Google Sheet for WooCommerce: from n/a through <= 1.1.3. | ||||
| CVE-2026-25387 | 2 Elementor, Wordpress | 2 Image Optimizer By Elementor, Wordpress | 2026-02-26 | 4.3 Medium |
| Missing Authorization vulnerability in Elementor Image Optimizer by Elementor image-optimization allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Optimizer by Elementor: from n/a through <= 1.7.1. | ||||
| CVE-2026-25363 | 2 Fooplugins, Wordpress | 2 Foogallery, Wordpress | 2026-02-26 | 4.3 Medium |
| Missing Authorization vulnerability in FooPlugins FooGallery foogallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FooGallery: from n/a through <= 3.1.11. | ||||
| CVE-2026-25329 | 2 Expresstech, Wordpress | 2 Quiz And Survey Master, Wordpress | 2026-02-26 | 4.3 Medium |
| Missing Authorization vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quiz And Survey Master: from n/a through <= 10.3.4. | ||||
| CVE-2026-23548 | 2 Designinvento, Wordpress | 2 Directorypress, Wordpress | 2026-02-26 | 5.3 Medium |
| Missing Authorization vulnerability in designinvento DirectoryPress directorypress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DirectoryPress: from n/a through <= 3.6.25. | ||||
| CVE-2026-23545 | 2 Arubadev, Wordpress | 2 Aruba Hispeed Cache, Wordpress | 2026-02-26 | 6.5 Medium |
| Missing Authorization vulnerability in Aruba.it Dev Aruba HiSpeed Cache aruba-hispeed-cache allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Aruba HiSpeed Cache: from n/a through <= 3.0.4. | ||||
| CVE-2025-69376 | 2 Vanquish, Wordpress | 2 User Extra Fields, Wordpress | 2026-02-26 | 8.6 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal.This issue affects User Extra Fields: from n/a through <= 17.0. | ||||
| CVE-2025-53217 | 2 Staviravn, Wordpress | 2 Aio Wp Builder, Wordpress | 2026-02-26 | 7.6 High |
| Missing Authorization vulnerability in staviravn AIO WP Builder all-in-one-wp-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AIO WP Builder: from n/a through <= 2.0.2. | ||||
| CVE-2026-25370 | 2 Aresit, Wordpress | 2 Wp Compress, Wordpress | 2026-02-26 | 5.3 Medium |
| Missing Authorization vulnerability in AresIT WP Compress wp-compress-image-optimizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Compress: from n/a through <= 6.60.28. | ||||
| CVE-2026-23543 | 2 Wordpress, Wpdeveloper | 2 Wordpress, Essential Addons For Elementor | 2026-02-26 | 5.3 Medium |
| Missing Authorization vulnerability in WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Addons for Elementor: from n/a through <= 6.5.5. | ||||
| CVE-2024-43228 | 2 Secupress, Wordpress | 2 Secupress, Wordpress | 2026-02-26 | 5.3 Medium |
| Missing Authorization vulnerability in SecuPress SecuPress Free secupress.This issue affects SecuPress Free: from n/a through <= 2.2.5.3. | ||||
| CVE-2025-27349 | 1 Wordpress | 1 Wordpress | 2026-02-26 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nurelm Get Posts allows Stored XSS. This issue affects Get Posts: from n/a through 0.6. | ||||
| CVE-2026-1614 | 2 Eaglethemes, Wordpress | 2 Rise Blocks – A Complete Gutenberg Page Builder, Wordpress | 2026-02-26 | 6.4 Medium |
| The Rise Blocks – A Complete Gutenberg Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘logoTag’ Site Identity block attribute in all versions up to, and including, 3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||