Search Results (13790 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-69104 2 Jkdevstudio, Wordpress 2 Qreatix, Wordpress 2026-06-23 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Qreatix <= 1.9.4 versions.
CVE-2025-69107 2 Themerex, Wordpress 2 Rosaleen, Wordpress 2026-06-23 8.1 High
Unauthenticated Local File Inclusion in Rosaleen <= 2.8 versions.
CVE-2025-69108 2 Themerex, Wordpress 2 Hot Coffee, Wordpress 2026-06-23 9.8 Critical
Unauthenticated PHP Object Injection in Hot Coffee <= 1.7 versions.
CVE-2025-69109 2 Themerex, Wordpress 2 Raider Spirit, Wordpress 2026-06-23 8.1 High
Unauthenticated Local File Inclusion in Raider Spirit <= 1.1.2 versions.
CVE-2025-69119 2 Themerex, Wordpress 2 Corbesier, Wordpress 2026-06-23 8.1 High
Unauthenticated Local File Inclusion in Corbesier <= 1.15.0 versions.
CVE-2025-69121 2 Themerex, Wordpress 2 Deliciosa, Wordpress 2026-06-23 8.1 High
Unauthenticated Local File Inclusion in Deliciosa <= 1.10.0 versions.
CVE-2025-69122 2 Themerex, Wordpress 2 Seafood Company, Wordpress 2026-06-23 9.8 Critical
Unauthenticated PHP Object Injection in SeaFood Company <= 1.4 versions.
CVE-2025-69125 2 Themerex, Wordpress 2 Food Drop, Wordpress 2026-06-23 8.1 High
Unauthenticated Local File Inclusion in Food Drop <= 1.3 versions.
CVE-2025-69131 2 Extendons, Wordpress 2 Wordpress & Woocommerce Scraper Plugin, Import Data From Any Site, Wordpress 2026-06-23 7.5 High
Unauthenticated Arbitrary File Download in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site <= 1.0.7 versions.
CVE-2025-69136 2 Themelogi, Wordpress 2 Wanium, Wordpress 2026-06-23 8.1 High
Unauthenticated Local File Inclusion in Wanium <= 1.9.8 versions.
CVE-2025-69137 2 Jthemes, Wordpress 2 Genemy, Wordpress 2026-06-23 6.5 Medium
Subscriber Broken Access Control in Genemy <= 1.6.6 versions.
CVE-2025-69141 2 Themerex, Wordpress 2 Kelly Young, Wordpress 2026-06-23 8.1 High
Unauthenticated Local File Inclusion in Kelly Young <= 1.1.0 versions.
CVE-2025-69149 2 Themerex, Wordpress 2 Top Dog, Wordpress 2026-06-23 8.1 High
Unauthenticated Local File Inclusion in Top Dog <= 1.0.5 versions.
CVE-2025-69177 2 Themelogi, Wordpress 2 Roneous, Wordpress 2026-06-23 8.1 High
Unauthenticated Local File Inclusion in Roneous <= 2.1.5 versions.
CVE-2025-69178 2 Cactusthemes, Wordpress 2 Truemag, Wordpress 2026-06-23 8.1 High
Unauthenticated Local File Inclusion in Truemag <= 4.3.14.2 versions.
CVE-2026-27429 2 Boldthemes, Wordpress 2 Nifty, Wordpress 2026-06-23 9.8 Critical
Unauthenticated PHP Object Injection in Nifty <= 1.4.1 versions.
CVE-2026-34893 2 Webgeniuslab, Wordpress 2 Thegov Core, Wordpress 2026-06-23 8.1 High
Unauthenticated Local File Inclusion in Thegov Core < 2.0.23 versions.
CVE-2026-34894 2 Webgeniuslab, Wordpress 2 Integrio Core, Wordpress 2026-06-23 8.1 High
Unauthenticated Local File Inclusion in Integrio Core < 1.2.8 versions.
CVE-2026-11989 2 Bitpressadmin, Wordpress 2 Bit Integrations – Form Integration, Webhook, Spreadsheets, Crm, Lms & Email Automation, Wordpress 2026-06-23 6.5 Medium
The Bit integrations – Form Integration, Webhook, Spreadsheets, CRM, LMS & Email Automation plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.7 via the upload_attachment. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Exploitation requires a form integration to be configured with a field mapped to a WooCommerce product image, product gallery, downloadable files, or Google Contacts attachment field, which is a default use case for these integrations.
CVE-2026-7547 2 Teamwsa, Wordpress 2 Woosa – Marktplaats For Woocommerce, Wordpress 2026-06-23 4.9 Medium
The Woosa – Marktplaats for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Read via Path Traversal in versions up to and including 2.0.4. This is due to insufficient path sanitization in the render_logs_ui() function, which accepts a base64-encoded file name from the 'log_file' GET parameter and concatenates it directly with the plugin's log directory path without validating that the resolved path remains within the intended directory. This makes it possible for authenticated attackers, with Administrator-level access, to read the contents of arbitrary files on the server, including wp-config.