Export limit exceeded: 344866 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11853 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-13313 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 9.8 Critical |
| The CRM Memberships plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 2.6. This is due to missing authorization and authentication checks on the `ntzcrm_changepassword` AJAX action. This makes it possible for unauthenticated attackers to reset arbitrary user passwords and gain unauthorized access to user accounts via the `ntzcrm_changepassword` endpoint, granted they can obtain or enumerate a target user's email address. The plugin also exposes the `ntzcrm_get_users` endpoint without authentication, allowing attackers to enumerate subscriber email addresses, facilitating the exploitation of the password reset vulnerability. | ||||
| CVE-2025-14742 | 2 Brechtvds, Wordpress | 2 Wp Recipe Maker, Wordpress | 2026-04-15 | 4.3 Medium |
| The WP Recipe Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajax_search_recipes' and 'ajax_get_recipe' functions in all versions up to, and including, 10.2.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive recipe information including draft, pending, and private recipes that they shouldn't be able to access. | ||||
| CVE-2026-24379 | 2 Wordpress, Wpjobportal | 2 Wordpress, Wp Job Portal | 2026-04-15 | 9.1 Critical |
| Authorization Bypass Through User-Controlled Key vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Portal: from n/a through <= 2.4.3. | ||||
| CVE-2025-14846 | 2 Socialchampio, Wordpress | 2 Socialchamp With Wordpress, Wordpress | 2026-04-15 | 4.3 Medium |
| The SocialChamp with WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.5. This is due to missing nonce validation on the wpsc_settings_tab_menu function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-15403 | 2 Metagauss, Wordpress | 2 Registrationmagic, Wordpress | 2026-04-15 | 9.8 Critical |
| The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. This is due to the 'add_menu' function is accessible via the 'rm_user_exists' AJAX action and allows arbitrary updates to the 'admin_order' setting. This makes it possible for unauthenticated attackers to injecting an empty slug into the order parameter, and manipulate the plugin's menu generation logic, and when the admin menu is subsequently built, the plugin adds 'manage_options' capability for the target role. Note: The vulnerability can only be exploited unauthenticated, but further privilege escalation requires at least a subscriber user. | ||||
| CVE-2025-8593 | 2 Westerndeal, Wordpress | 2 Gsheetconnector For Gravity Forms, Wordpress | 2026-04-15 | 8.8 High |
| The GSheetConnector For Gravity Forms plugin for WordPress is vulnerable to authorization bypass in versions less than, or equal to, 1.3.27. This is due to a missing capability check on the 'install_plugin' function. This makes it possible for authenticated attackers, with subscriber-level access and above to install plugins on the target site and potentially achieve arbitrary code execution on the server under certain conditions. | ||||
| CVE-2025-9123 | 2 Codebxr, Wordpress | 2 Cbx Map For Google Map \& Openstreetmap, Wordpress | 2026-04-15 | 6.4 Medium |
| The CBX Map for Google Map & OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the popup heading and location address parameters in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-1841 | 2 Pixelyoursite, Wordpress | 2 Pixelyoursite – Your Smart Pixel (tag) & Api Manager, Wordpress | 2026-04-15 | 7.2 High |
| The PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pysTrafficSource' parameter and the 'pys_landing_page' parameter in all versions up to, and including, 11.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2026-27072 is likely a duplicate of this issue. | ||||
| CVE-2026-24381 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.4 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in ThemeGoods PhotoMe photome allows Server Side Request Forgery.This issue affects PhotoMe: from n/a through < 5.7.2. | ||||
| CVE-2026-24384 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in launchinteractive Merge + Minify + Refresh merge-minify-refresh allows Cross Site Request Forgery.This issue affects Merge + Minify + Refresh: from n/a through <= 2.14. | ||||
| CVE-2026-24386 | 3 Elementinvader, Elementor, Wordpress | 3 Template Kits For Elementor, Elementor, Wordpress | 2026-04-15 | 4.3 Medium |
| Missing Authorization vulnerability in Element Invader Element Invader – Template Kits for Elementor elementinvader allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Element Invader – Template Kits for Elementor: from n/a through <= 1.2.4. | ||||
| CVE-2026-24387 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 4.3 Medium |
| Missing Authorization vulnerability in Arul Prasad J WP Quick Post Duplicator wp-quick-post-duplicator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Quick Post Duplicator: from n/a through <= 2.1. | ||||
| CVE-2026-24390 | 3 Elementor, Qantumthemes, Wordpress | 3 Elementor, Kentha Elementor Widgets, Wordpress | 2026-04-15 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in QantumThemes Kentha Elementor Widgets kentha-elementor allows PHP Local File Inclusion.This issue affects Kentha Elementor Widgets: from n/a through < 3.1. | ||||
| CVE-2026-24392 | 2 Nabil Lemsieh, Wordpress | 2 Hurrytimer, Wordpress | 2026-04-15 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nabil Lemsieh HurryTimer hurrytimer allows Stored XSS.This issue affects HurryTimer: from n/a through <= 2.14.2. | ||||
| CVE-2025-23538 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sophia M Williams WP Contest wp-contest allows Reflected XSS.This issue affects WP Contest: from n/a through <= 1.0.0. | ||||
| CVE-2025-23552 | 1 Wordpress | 1 Wordpress | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Yashar Texteller texteller allows Reflected XSS.This issue affects Texteller: from n/a through <= 1.3.0. | ||||
| CVE-2026-24522 | 2 Mythemeshop, Wordpress | 2 Wp Subscribe, Wordpress | 2026-04-15 | 4.3 Medium |
| Missing Authorization vulnerability in MyThemeShop WP Subscribe wp-subscribe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Subscribe: from n/a through <= 1.2.16. | ||||
| CVE-2026-24524 | 1 Wordpress | 1 Wordpress | 2026-04-15 | 8.1 High |
| Missing Authorization vulnerability in Essekia Tablesome tablesome allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tablesome: from n/a through <= 1.2.6. | ||||
| CVE-2026-24528 | 2 Pixelgrade, Wordpress | 2 Nova Blocks, Wordpress | 2026-04-15 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pixelgrade Nova Blocks nova-blocks allows DOM-Based XSS.This issue affects Nova Blocks: from n/a through <= 2.1.9. | ||||
| CVE-2026-24529 | 2 Alejandro, Wordpress | 2 Quick Restaurant Reservations, Wordpress | 2026-04-15 | 5.3 Medium |
| Missing Authorization vulnerability in Alejandro Quick Restaurant Reservations quick-restaurant-reservations allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quick Restaurant Reservations: from n/a through <= 1.6.7. | ||||