Search Results (10133 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-4397 | 1 Thimpress | 1 Learnpress | 2026-04-08 | 8.8 High |
| The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_post_materials' function in versions up to, and including, 4.2.6.5. This makes it possible for authenticated attackers, with Instructor-level permissions and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-4033 | 2 Plugins360, Wordpress | 2 All-in-one Video Gallery, Wordpress | 2026-04-08 | 8.8 High |
| The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the aiovg_create_attachment_from_external_image_url function in all versions up to, and including, 3.6.4. This makes it possible for authenticated attackers, with contributor access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-3242 | 1 Brizy | 1 Brizy | 2026-04-08 | 8.8 High |
| The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension validation in the validateImageContent function called via storeImages in all versions up to, and including, 2.4.43. This makes it possible for authenticated attackers, with contributor access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Version 2.4.44 prevents the upload of files ending in .sh and .php. Version 2.4.45 fully patches the issue. | ||||
| CVE-2024-2381 | 1 Ali2woo | 1 Aliexpress Dropshipping With Alinext | 2026-04-08 | 8.8 High |
| The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_save_image function in all versions up to, and including, 3.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-2024 | | | 2026-04-08 | 8.8 High |
| The Folders Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'handle_folders_file_upload' function in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with author access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-1986 | 2 Booster, Pluggabl | 2 Booster For Woocommerce, Booster Elite For Woocommerce | 2026-04-08 | 8.8 High |
| The Booster Elite for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wc_add_new_product() function in all versions up to, and including, 7.1.7. This makes it possible for customer-level attackers, and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. This is only exploitable when the user product upload functionality is enabled. | ||||
| CVE-2024-1468 | 2 Avada, Theme-fusion | 2 Website Builder, Avada | 2026-04-08 | 8.8 High |
| The Avada \| Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_import_options() function in all versions up to, and including, 7.11.4. This makes it possible for authenticated attackers, with contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-1311 | 1 Brizy | 2 Brizy, Brizy-page Builder | 2026-04-08 | 8.8 High |
| The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the storeImages function in all versions up to, and including, 2.4.40. This makes it possible for authenticated attackers, with contributor access or above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-1205 | 2 Israelb1, Wemanage | 2 Management App For Woocommerce, Wemanage | 2026-04-08 | 8.8 High |
| The Management App for WooCommerce – Order notifications, Order management, Lead management, Uptime Monitoring plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the nouvello_upload_csv_file function in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2024-11635 | 1 Iptanus | 1 Wordpress File Upload | 2026-04-08 | 9.8 Critical |
| The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.12 via the 'wfu_ABSPATH' cookie parameter. This makes it possible for unauthenticated attackers to execute code on the server. | ||||
| CVE-2024-10629 | 1 Devfarm | 1 Wp Gpx Maps | 2026-04-08 | 8.8 High |
| The GPX Viewer plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check and file type validation in the gpxv_file_upload() function in all versions up to, and including, 2.2.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2023-6925 | 1 Unitecms | 1 Unlimited Addons For Wpbakery Page Builder | 2026-04-08 | 7.2 High |
| The Unlimited Addons for WPBakery Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'importZipFile' function in versions up to, and including, 1.0.42. This makes it possible for authenticated attackers with a role that the administrator previously granted access to the plugin (the default is editor role, but access can also be granted to contributor role), to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2023-6316 | 1 Mw Wp Form Project | 1 Mw Wp Form | 2026-04-08 | 9.8 Critical |
| The MW WP Form plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the '_single_file_upload' function in versions up to, and including, 5.0.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2023-6220 | 1 Piotnet | 1 Piotnet Forms | 2026-04-08 | 8.1 High |
| The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'piotnetforms_ajax_form_builder' function in versions up to, and including, 1.0.28. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2023-4142 | 1 Smackcoders | 1 Wp Ultimate Csv Importer | 2026-04-08 | 8 High |
| The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus1' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously granted access in the plugin settings, to execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files. Please note that this means remote code execution is still possible for site administrators; use the plugin with caution. | ||||
| CVE-2023-4141 | 1 Smackcoders | 1 Wp Ultimate Csv Importer | 2026-04-08 | 8 High |
| The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus2' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously granted access in the plugin settings, to create a PHP file and execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files. Please note that this means PHP file creation is still allowed for site administrators; use the plugin with caution. | ||||
| CVE-2023-3342 | 1 Wpeverest | 1 User Registration | 2026-04-08 | 9.9 Critical |
| The User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to a hardcoded encryption key and missing file type validation on the 'ur_upload_profile_pic' function in versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with subscriber-level capabilities or above to upload arbitrary files on the affected site's server which may make remote code execution possible. This was partially patched in version 3.0.2 and fully patched in version 3.0.2.1. | ||||
| CVE-2022-4950 | 2 Coolplugins, Cryptocurrency Payment & Donation Box Plugins | 10 Cool Timeline, Cryptocurrency Widgets, Cryptocurrency Widgets For Elementor and 7 more | 2026-04-08 | 8.8 High |
| Several WordPress plugins developed by Cool Plugins are vulnerable to arbitrary plugin installation and activation that can lead to remote code execution by authenticated attackers with minimal permissions, such as a subscriber. | ||||
| CVE-2022-4949 | 2 Adsanityplugin, Xen | 2 Adsanity, Xen | 2026-04-08 | 8.8 High |
| The AdSanity plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajax_upload' function in versions up to, and including, 1.8.1. This makes it possible for authenticated attackers with Contributor+ level privileges to upload arbitrary files on the affected site's server which makes remote code execution possible. | ||||
| CVE-2022-3384 | 1 Ultimatemember | 1 Ultimate Member | 2026-04-08 | 7.2 High |
| The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the populate_dropdown_options function that accepts user-supplied input and passes it through call_user_func(). This is restricted to PHP functions that take no parameters, like phpinfo(), since user-supplied parameters are not passed through the function. This makes it possible for authenticated attackers, with administrative privileges, to execute code on the server. | ||||