Export limit exceeded: 15475 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (13795 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-12697 1 Wordpress 1 Wordpress 2026-04-15 6.4 Medium
The real.Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-12628 1 Wordpress 1 Wordpress 2026-04-15 4.4 Medium
The bodi0`s Easy cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cache-folder' parameter in all versions up to, and including, 0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2024-12592 1 Wordpress 1 Wordpress 2026-04-15 6.4 Medium
The Sellsy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'testSellsy' shortcode in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-60212 1 Wordpress 1 Wordpress 2026-04-15 8.8 High
Deserialization of Untrusted Data vulnerability in designthemes VEDA veda allows Object Injection.This issue affects VEDA: from n/a through <= 4.2.
CVE-2025-60214 1 Wordpress 1 Wordpress 2026-04-15 9.8 Critical
Deserialization of Untrusted Data vulnerability in BoldThemes Goldenblatt goldenblatt allows Object Injection.This issue affects Goldenblatt: from n/a through < 1.3.0.
CVE-2025-60215 1 Wordpress 1 Wordpress 2026-04-15 8.8 High
Deserialization of Untrusted Data vulnerability in designthemes Kriya kriya allows Object Injection.This issue affects Kriya: from n/a through <= 3.4.
CVE-2025-60216 1 Wordpress 1 Wordpress 2026-04-15 9.8 Critical
Deserialization of Untrusted Data vulnerability in BoldThemes Addison addison allows Object Injection.This issue affects Addison: from n/a through < 1.4.8.
CVE-2024-12591 1 Wordpress 1 Wordpress 2026-04-15 6.4 Medium
The MagicPost plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wb_share_social shortcode in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-12579 1 Wordpress 1 Wordpress 2026-04-15 5.3 Medium
The Minify HTML plugin for WordPress is vulnerable to Regular Expression Denial of Service (ReDoS) in all versions up to, and including, 2.1.10. This is due to processing user-supplied input as a regular expression. This makes it possible for unauthenticated attackers to create comments that can cause catastrophic backtracking and break pages.
CVE-2024-12516 1 Wordpress 1 Wordpress 2026-04-15 6.4 Medium
The Coupon Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Coupon Code' parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-60220 1 Wordpress 1 Wordpress 2026-04-15 9.8 Critical
Incorrect Privilege Assignment vulnerability in pebas CouponXxL couponxxl allows Privilege Escalation.This issue affects CouponXxL: from n/a through <= 3.0.0.
CVE-2025-60240 1 Wordpress 1 Wordpress 2026-04-15 7.5 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Alexander AnyComment anycomment allows PHP Local File Inclusion.This issue affects AnyComment: from n/a through <= 0.3.6.
CVE-2025-60241 2 Premmerce, Wordpress 2 Premmerce, Wordpress 2026-04-15 7.5 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Premmerce Premmerce premmerce allows PHP Local File Inclusion.This issue affects Premmerce: from n/a through <= 1.3.19.
CVE-2024-12515 1 Wordpress 1 Wordpress 2026-04-15 6.4 Medium
The Muslim Prayer Time-Salah/Iqamah plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Masjid ID parameter in all versions up to, and including, 1.8.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-60243 3 Holest Engineering, Woocommerce, Wordpress 3 Selling Commander For Woocommerce, Woocommerce, Wordpress 2026-04-15 9.8 Critical
Incorrect Privilege Assignment vulnerability in Holest Engineering Selling Commander for WooCommerce selling-commander-connector allows Privilege Escalation.This issue affects Selling Commander for WooCommerce: from n/a through <= 1.2.46.
CVE-2025-60244 1 Wordpress 1 Wordpress 2026-04-15 7.1 High
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in RealMag777 TableOn posts-table-filterable allows Code Injection.This issue affects TableOn: from n/a through <= 1.0.5.1.
CVE-2025-62035 1 Wordpress 1 Wordpress 2026-04-15 8.8 High
Deserialization of Untrusted Data vulnerability in uxper Togo togo.This issue affects Togo: from n/a through < 1.0.4.
CVE-2025-6187 1 Wordpress 1 Wordpress 2026-04-15 9.8 Critical
The bSecure plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its order_info REST endpoint in versions 1.3.7 through 1.7.9. The plugin registers the /webhook/v2/order_info/ route with a permission_callback that always returns true, effectively bypassing all authentication. This makes it possible for unauthenticated attackers who know any user’s email to obtain a valid login cookie and fully impersonate that account.
CVE-2025-62008 3 Acowebs, Woocommerce, Wordpress 3 Product Labels For Woocommerce, Woocommerce, Wordpress 2026-04-15 8.8 High
Deserialization of Untrusted Data vulnerability in acowebs Product Table For WooCommerce product-table-for-woocommerce.This issue affects Product Table For WooCommerce: from n/a through <= 1.2.4.
CVE-2024-12514 1 Wordpress 1 Wordpress 2026-04-15 6.4 Medium
The 3DVieweronline plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's '3Dvo-model' shortcode in all versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.