Search Results (13703 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2016-20080 2 Brandfolder, Wordpress 2 Brandfolder, Wordpress 2026-06-23 6.2 Medium
WordPress Brandfolder plugin version 3.0 and earlier contains a local file inclusion vulnerability in callback.php that allows unauthenticated attackers to include arbitrary files by manipulating the wp_abspath parameter. Attackers can supply path traversal sequences or remote URLs through the wp_abspath parameter to read sensitive files like wp-config.php or execute remote code.
CVE-2016-20081 2 Husain, Wordpress 2 Hb Audio Gallery Lite, Wordpress 2026-06-23 7.5 High
WordPress Plugin HB Audio Gallery Lite 1.0.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files by manipulating the file_path parameter. Attackers can send requests to the audio-download.php endpoint with directory traversal sequences to access sensitive files like wp-config.php outside the intended gallery directory.
CVE-2016-20082 2 Abtest, Wordpress 2 Abtest, Wordpress 2026-06-23 6.2 Medium
WordPress Plugin Abtest contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the action parameter. Attackers can send GET requests to abtest_admin.php with malicious action values to include files from the admin directory and execute arbitrary code.
CVE-2016-20083 2 Henrikmelin, Wordpress 2 More Fields, Wordpress 2026-06-23 5.3 Medium
WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by disabling CSRF token validation. Attackers can craft malicious web pages that trick logged-in administrators into adding or deleting custom fields and boxes on the Write/Edit page via POST and GET requests to the options-general.php endpoint.
CVE-2016-20084 2 Dwbooster, Wordpress 2 Booking Calendar Contact, Wordpress 2026-06-23 7.2 High
WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and inject persistent cross-site scripting payloads through the admin.php page parameters. Attackers can inject malicious JavaScript into the 'ict' and 'ics' options or the calendar 'name' parameter via GET requests to execute arbitrary scripts when the calendar is displayed or accessed in the administration interface.
CVE-2018-25436 2 Shipster, Wordpress 2 Baggage Freight Shipping Australia, Wordpress 2026-06-23 9.8 Critical
WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file extensions to the upload handler, which moves files without validation to the plugin upload directory, enabling remote code execution.
CVE-2018-25437 2 Cherryframework, Wordpress 2 Cherry Framework Themes, Wordpress 2026-06-23 7.5 High
WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the download_backup.php endpoint. Attackers can directly access the download_backup.php script in the admin/data_management directory to obtain ZIP archives containing the entire wp-content/themes directory contents.
CVE-2026-49062 2 Wordpress, Wp Engine 2 Wordpress, Faust.js 2026-06-23 8.8 High
Authentication Bypass Using an Alternate Path or Channel vulnerability in WP Engine Faust.Js allows Password Recovery Exploitation. This issue affects Faust.Js: from n/a through 1.8.7.
CVE-2026-49064 2 Stiofan, Wordpress 2 Getpaid, Wordpress 2026-06-23 7.5 High
Insertion of Sensitive Information Into Sent Data vulnerability in Stiofan GetPaid allows Retrieve Embedded Sensitive Data. This issue affects GetPaid: from n/a through 2.8.49.
CVE-2025-15658 2 Rewish, Wordpress 2 Wp Emmet, Wordpress 2026-06-23 5.9 Medium
Administrator Cross Site Scripting (XSS) in WP Emmet <= 0.3.4 versions.
CVE-2025-15659 2 Liseperu, Wordpress 2 Elizaibots, Wordpress 2026-06-23 6.5 Medium
Contributor Cross Site Scripting (XSS) in Elizaibots <= 1.0.2 versions.
CVE-2025-60175 2 Vynnus, Wordpress 2 Popad, Wordpress 2026-06-23 4.4 Medium
Administrator Server Side Request Forgery (SSRF) in PopAd <= 1.0.4 versions.
CVE-2025-68049 2 Bunny.net, Wordpress 2 Bunny.net, Wordpress 2026-06-23 6.3 Medium
Subscriber Broken Access Control in bunny.net <= 2.3.6 versions.
CVE-2025-68840 2 Markbeljaars, Wordpress 2 Irobots.txt Seo, Wordpress 2026-06-23 7.1 High
Unauthenticated Cross Site Scripting (XSS) in iRobots.txt SEO <= 1.1.2 versions.
CVE-2025-68851 2 Arrayhq, Wordpress 2 Okay Toolkit, Wordpress 2026-06-23 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Okay Toolkit <= 2.3 versions.
CVE-2025-68872 2 Eli, Wordpress 2 Eli's Wordcents Adsense Widget With Analytics, Wordpress 2026-06-23 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Eli&#039;s WordCents adSense Widget with Analytics <= 1.3.03.27 versions.
CVE-2025-69332 2 Mycred, Wordpress 2 Bookify, Wordpress 2026-06-23 6.5 Medium
Subscriber Broken Access Control in Bookify <= 1.1.1 versions.
CVE-2026-25425 2 Themegrill, Wordpress 2 User Registration, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in User Registration <= 5.1.2 versions.
CVE-2026-34898 2 Wordpress, Wp Swings 2 Wordpress, Event Tickets Manager For Woocommerce 2026-06-23 7.5 High
Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce <= 1.5.3 versions.
CVE-2026-34901 2 Paul, Wordpress 2 Icontrolwp, Wordpress 2026-06-23 9.8 Critical
Unauthenticated Privilege Escalation in iControlWP <= 5.5.3 versions.